...
- A graphical editor as shown in the next screenshot:
- Changes to the Permissions tree are saved in the database.
- The Undo button allows the last 10 changes made to be undone stepwise.
- The states saved in the Undo button will be deleted when the Permissions tab is left.
- The Redo button changes the Permissions tree back to the initial state when the Permissions Tab was opened.
- The state stored in the Redo button will be deleted when the Permissions tab is left.
- Clicking on the middle of a Permission icon will grant the Permission for the current Role.
- Granted Permissions have a blue background and are by default recursive.
- The "+" and "-" symbols at the right of each Permission icon open and close child branches.
- The "-" and "+" symbols at the left of each Permission icon are used to revoke a higher Permission and are by default recursive.
- Permission icons affected by revoked Permissions are shown with a gray background
- A list editor as shown in the next screenshot:
- Individual Permissions can be modified and removed from the Role using the pencil and X symbols that are displayed when the user's mouse is moved over a Permission:
- The Edit function allows the Permission to be made subtractive - i.e. for permission granted at a higher level to be removed.
- The Folder part of the view is for restricting the Role to accessing particular Folders - and thereby particular workflows.
Initial Configuration
Creating and Configuring User Accounts and Roles
System administrators will likely want to create and configure their own User Accounts and Roles, for example, limiting access to resources such as JobScheduler objects and logs.
It is often easier to create new Roles, assign Permissions or Folders to these Roles and then create new User Accounts and assign Roles to them.
Creating a new Role
- New Roles are created in the Manage roles tab using the Add Role button:
- Once a new Role has been created it will be automatically added to the list of Roles shown in the background of the screenshot above.
Configure Permissions and/or Folders for the Role
- Now expand the Role using the arrow button and click on the default (blue link) to add Permissions and/or Folders in the Permissions tab. The procedures available for adding and editing Permissions and Folders are described in the Editing User Permissions and Folders sections below.
- Note that Roles that have neither Permissions nor Folders assigned to them are deleted automatically when the Manage Identity Service view is left.
Create a new User Account
- After Permissions / Folders have been configured, select the Accounts tab to create a new User Account and allocate one or more Roles to this Account.
- The Edit Account function is accessed by clicking the relevant Action symbol (ellipsis) in the Actions column of the User Accounts list (visible in the background of the above screenshot). This can be used to change the Password, the Account name and add or remove Roles.
- Note that deselecting a Role in this modal window 'uncouples' the Role from the User Account - it does not delete the Role.
Editing User Permissions
Permissions Structure
Permissions are strictly hierarchical:
- A Role with the Permission sos:products:controller:view 'only' allows a User to view Controllers, while a User with the 'higher' sos:products:controller Permission is able not only to view Controllers but also to carry out other operations - in this case, view, restart, terminate, and switch_over.
- The JS7 - Permissions article contains a link to a full list of all Permissions that can be granted.
Editing Permissions
Caution
...
Consider a user who has a Role (demo-role) with the following Permission:
sos:products:controller:view
This Permission does not allow the demo-role Role to perform operations on the Controllers. These Permissions could be granted individually with the following:
sos:products:controller:restart
sos:products:controller:terminate
The following Permissions can be set to allow the demo-role Role to view, restart and terminate the Controller, but not switch_over:
sos:products:controller:view
sos:products:controller:restart
Alternatively, it may make sense in some situations to grant the Role a higher level of Permission and then remove one or more specific Permissions. This approach is shown in the following combination:
sos:products:controller
-sos:products:controller:switch_over
where the ...sos:products:controller Permission is an overall 'Controller' Permission covering view, restart and terminate, and the -sos:products:controller:switch_over Permission is removed from the demo-role Role.
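The following added example (not JS7 code) models how the hierarchical and subtractive Permissions above combine, so that a Role's entries can be reviewed for the Controller operations they effectively allow. It assumes that grants and revocations are both recursive and that a revocation overrides any grant covering the same Permission; the function names are hypothetical.

```python
# Added example: a model of the Permission rules described on this page.
# Assumption: a "-" entry overrides any grant that covers the same Permission.

CONTROLLER = "sos:products:controller"
CONTROLLER_OPS = ["view", "restart", "terminate", "switch_over"]  # named on this page


def covers(rule, permission):
    """True if `rule` is `permission` itself or one of its ancestors.

    Comparison is per ':'-separated segment, so a rule never matches a
    sibling whose name merely starts with the same characters.
    """
    rule_parts, perm_parts = rule.split(":"), permission.split(":")
    return perm_parts[:len(rule_parts)] == rule_parts


def parse_role(entries):
    """Split a Role's entries into granted and subtractive ("-") sets."""
    grants, revokes = set(), set()
    for entry in (e.strip() for e in entries):
        if entry.startswith("-"):
            revokes.add(entry[1:])
        elif entry:
            grants.add(entry)
    return grants, revokes


def is_permitted(entries, permission):
    """Evaluate one Permission against a Role's entries."""
    grants, revokes = parse_role(entries)
    if any(covers(r, permission) for r in revokes):
        return False  # revoked at this level or higher
    return any(covers(g, permission) for g in grants)


def effective_controller_ops(entries):
    """List the Controller operations a Role can actually perform."""
    return [op for op in CONTROLLER_OPS
            if is_permitted(entries, f"{CONTROLLER}:{op}")]


if __name__ == "__main__":
    # Constructed Role entries taken from the combinations shown above.
    view_only = ["sos:products:controller:view"]
    subtractive = ["sos:products:controller",
                   "-sos:products:controller:switch_over"]
    print("view only:  ", effective_controller_ops(view_only))
    print("subtractive:", effective_controller_ops(subtractive))
```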
Caution
Users should have a Role with the following Permission - or higher - before they are able to log into the JOC Cockpit:
sos:products:joc
...
:administration:controller:view
...
Shiro Identity Service Settings
...