...
Once a User Account has been created for each of the default RolesoleRoles, the Accounts view would look like:
...
Note that as the default administrator Role is granted a limited Permissions set, the Main Menu Bar in the JOC Cockpit only contains a link to the Dashboard view as can be seen in the screenshot below. In contrast, the root User Account has links for a further seven views (see views as shown in the screenshots above).
By default the administrator Role is granted Permissions for the Manage Accounts view and therefore the configuration of the User Accounts will continue using this Account rather than root.
The screenshot below shows the Permissions granted to the Account administrator that has been assigned the administrator role with the default Permissions set:
A matrix describing and listing the Permissions that are granted by default for the default Roles is available in the Authentication and Authorization - Permissions for the JOC Cockpit Web Service article.
...
Three editing procedures are available for editing Permissions:
Adding Permissions:
- The Add Permission button in the Permissions View allows a Permission to be selected from a list of all available Permissions as shown in the screenshot below.
- Note that the Permissions listed are all individual Permissions. They can be edited to make them higher level / less specific.
- For example, the screenshot below shows that the
...jobscheduler_master:execute:restart:terminatepermission in the process being selected.
- Once selected the Permission can be edited before the Submit button is clicked. This allows, for example, the Permission to be modified to
..., allowing the Role to carry out all operations covered by this Permission. These are:jobscheduler_master:execute:restartsos:products:joccockpit:jobscheduler_master:execute:restart:terminatesos:products:joccockpit:jobscheduler_master:execute:restart:abort
- The following screenshot shows the edited version alongside the original:
- A selected permission can also be made subtractive - i.e. to remove a specific part of a higher level Permission.
- This is done by ticking the Excluded checkbox.
- For example, the screenshot below shows that the
- Note that the Permissions listed are all individual Permissions. They can be edited to make them higher level / less specific.
- The Add Permission button in the Permissions View allows a Permission to be selected from a list of all available Permissions as shown in the screenshot below.
Modifying Existing Permissions:
- The pencil symbol shown alongside existing Permissions in the Permissions view (shown in the screenshot above) can be used to change the function of a Permission in a Role - to make an additive Permission subtractive and vice-versa. It cannot be used to edit a Permission.
- The X symbol shown alongside existing Permissions in the Permissions view can be used to remove an existing Permission from a Role.
Graphical Permissions Editing:
- The Graphical Permissions Editor is activated by selecting the 'Tree' symbol at the top right of the Permissions section.
- The editor opens with a partially collapsed permissions tree as shown in the next screenshot:
- The Expand tree button (shown in the above screenshot) can be used to open all the tree elements.
Navigation is carried out by dragging & dropping the tree view.
The functions available for the tree elements are (with reference to the screenshot below):
- Select / Unselect a Permission - click on the body of an unselected / selected element
- Selected Permission elements are shown in blue (see the view element in the screenshot)
- Children of selected Permission elements are shown in light blue (as shown in the screenshot)
- Negate a Permission - click on the plus sign at the left hand end of the element
- Remove a Permission Negation - click on a - sign at the left hand end of the element
- Show / hide child elements - click on the + / - symbols at the right hand end of an element
- Select / Unselect a Permission - click on the body of an unselected / selected element
In the following screenshot the view element has been selected, automatically selecting the view:status, view:parameter and view:mainlog child permissions.
In addition, the view:mainlog child permission has been negated, meaning that only the view:status, and view:parameter and view:mainlog child permissions are active.
JobScheduler-Specific Permissions
By default User Accounts are granted Permissions for all the JobScheduler Masters and JobScheduler Master Clusters in a scheduling environment. However, Roles can be created that are only able to access one or more specific JobScheduler Masters or JobScheduler Master Clusters in the environment. This is done in the Masters section of the Manage Accounts view as shown in the next screenshot.
Note that if one of the default Roles is configured to apply for a specific JobScheduler Master then it will no longer apply for the other Masters in the environment.
- The Graphical Permissions Editor is activated by selecting the 'Tree' symbol at the top right of the Permissions section.
...