...
- which application manages user accounts/passwords:
  - a specific application of the Identity Service,
  - JOC Cockpit, which propagates user accounts/passwords to the Identity Service but does not store such credentials in its database.
- where assignments of roles to user accounts are stored:
  - with the Identity Service,
  - with the JS7 database.
The following table summarises, for each Identity Service type, which component stores and manages the Identity Service configuration items and the JOC Cockpit configuration:

| Identity Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Assignment Roles->User Accounts stored/managed with | Roles Mapping |
|---|---|---|---|---|---|---|
| JOC | yes | JS7 Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Server | Mapping of LDAP Security Groups to JOC Cockpit Roles |
| LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| Vault | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles |
| Vault-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| Vault-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of Vault Policies to user accounts and roles with JOC Cockpit |
| Keycloak | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles |
| Keycloak-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| Keycloak-JOC-ACTIVE | no | Keycloak Server | Keycloak Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of Keycloak Policies to user accounts and roles with JOC Cockpit |
| Shiro (deprecated) | yes | shiro.ini | shiro.ini | shiro.ini | shiro.ini | n/a |
Manage Identity Services
The operation to manage Identity Services is available from the user menu in the upper right corner of any JOC Cockpit page:
...
By default, the Permissions of a Role apply to all Controllers and Controller Clusters in a scheduling environment. Permissions that should apply only to a particular Controller or Controller Cluster can be added to a Role. This is done in the Manage Roles tab of the Identity Management Service for JOC.
In the screenshot, the demo_role Role has been assigned to the Controller with the ID controller2.2.0 and appears in the Role's list as shown.
In this configuration, the demo_role does not yet have any Permissions that are specific to controller2.2.0. At least one Permission has to be added before the controller2.2.0 - demo_role configuration is saved permanently.
The interaction of default and Controller-specific Permissions within the same Role can be illustrated as follows:
- default Permissions (apply to all Controllers):
  sos:products:controller:view
- Controller-specific Permissions (apply to controller2.2.0 only):
  sos:products:controller:agents:view
The Dashboard view then shows the Controller status for all Controllers in the environment, but the status of Agent Clusters is shown only for the specified Controller, in this case controller2.2.0.
Folders
Folders are used to restrict User access to scheduling objects such as Workflows and Schedules. For example, Users can be restricted to accessing only the objects of particular mandators/clients.
By default, Permissions are granted for all folders. However, a Role can be restricted to specific folders.
This is done by granting a Folder Permission, i.e. the Permission to view the content of a folder. As soon as one Folder Permission is granted to a Role, that Role's Permission to view all other folders is revoked.
Granting Folder Permissions
Folder Permissions are granted in the Permissions view. Note that before Folder Permissions can be saved for a Role, the Role has to be assigned to a User Account. In the example below, a test user account and the demo_role have already been configured and the demo folder has been created.
To open the Permissions view for a particular Role, first open the Identity Management Service for JOC view, switch to Manage Roles and select the Role that is to be granted Folder Permissions by clicking its name in the Roles list.
Now click the Add Folders button and, in the Add Folders modal window, select either a subfolder or the parent folder, e.g. /demo/ or /demo/*.
Check the Recursive box in the Add Folders modal window if subfolders should be included, then click Submit.
Any User Account that is assigned the demo_role will now only see scheduling objects in the demo folder.
Note that the test user can only log in to JOC Cockpit if at least one of their Roles grants the following Permission:
sos:products:controller:view
Roles with Folder Permissions are often assigned to User Accounts in combination with default Roles.
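To make the interaction of default, Controller-specific and Folder Permissions described in the two sections above concrete, here is a small Python model written for this page. It is not JS7 code and does not call the JOC Cockpit API. The hierarchical matching of permission identifiers (a granted sos:products:controller implying sos:products:controller:view), the rule that a Role without folder entries sees all folders, and the union of an Account's Roles are modelling assumptions, as are the names Role, Account, has_permission, is_object_visible, can_login and build_demo.

```python
"""Toy model of JOC Cockpit Role evaluation (illustration for this page, not JS7 code).

Assumptions not stated on the page:
- permission identifiers are hierarchical: granting "a:b" implies "a:b:c";
- a Role with no folder entries sees every folder;
- an Account is allowed whatever any one of its Roles allows (union).
"""
from dataclasses import dataclass, field

LOGIN_PERMISSION = "sos:products:controller:view"


@dataclass
class Role:
    name: str
    default_permissions: set = field(default_factory=set)
    # Controller ID -> Permissions that apply only to that Controller
    controller_permissions: dict = field(default_factory=dict)
    # (folder, recursive) pairs; an empty list means "all folders"
    folders: list = field(default_factory=list)


@dataclass
class Account:
    name: str
    roles: list


def _implies(granted: str, requested: str) -> bool:
    """Hierarchical match (assumption): 'a:b' grants 'a:b' and 'a:b:c', not 'a:bc'."""
    return requested == granted or requested.startswith(granted + ":")


def has_permission(account: Account, requested: str, controller: str = None) -> bool:
    """True if any Role grants `requested` by default or specifically for `controller`."""
    for role in account.roles:
        granted = set(role.default_permissions)
        if controller is not None:
            granted |= role.controller_permissions.get(controller, set())
        if any(_implies(g, requested) for g in granted):
            return True
    return False


def can_login(account: Account) -> bool:
    """Login requires at least one Role granting sos:products:controller:view."""
    return has_permission(account, LOGIN_PERMISSION)


def _folder_covers(folder: str, recursive: bool, object_path: str) -> bool:
    """Does a folder entry cover the folder that `object_path` lives in?"""
    folder = "/" + folder.strip("/") if folder.strip("/") else "/"
    parent = object_path.rsplit("/", 1)[0] or "/"
    if recursive:
        return parent == folder or parent.startswith(folder.rstrip("/") + "/")
    return parent == folder


def is_object_visible(account: Account, object_path: str) -> bool:
    """A Role with folder entries sees only those folders; one without sees all."""
    for role in account.roles:
        if not role.folders:
            return True
        if any(_folder_covers(f, r, object_path) for f, r in role.folders):
            return True
    return False


def build_demo() -> Account:
    """The page's example: demo_role restricted to /demo, with an extra
    Agent permission that applies to controller2.2.0 only (constructed data)."""
    demo_role = Role(
        name="demo_role",
        default_permissions={"sos:products:controller:view"},
        controller_permissions={"controller2.2.0": {"sos:products:controller:agents:view"}},
        folders=[("/demo", True)],
    )
    return Account(name="test", roles=[demo_role])


if __name__ == "__main__":
    acct = build_demo()
    print("login:", can_login(acct))
    print("agents on controller2.2.0:",
          has_permission(acct, "sos:products:controller:agents:view", "controller2.2.0"))
    print("agents on other controller:",
          has_permission(acct, "sos:products:controller:agents:view", "controller1"))
    print("/demo/sub/wf visible:", is_object_visible(acct, "/demo/sub/wf"))
    print("/other/wf visible:", is_object_visible(acct, "/other/wf"))
```

Running the block shows the two effects the sections describe: the Agent-related permission is honoured only when the request names controller2.2.0, and objects outside /demo become invisible as soon as the Role carries a folder entry. Adding a second, unrestricted default Role to the Account makes all folders visible again, which is why folder-restricted Roles are usually combined deliberately rather than stacked with broad default Roles.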
Shiro Identity Service Settings
...