JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 7

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

After installing the JOC Cockpit a user can log in with the default root user account and root password that are available from the JS7 - JOC Identity Service.

  • This The JOC Identity Service is active and is the only Identity Service available by default.
  • This The JOC Identity Service includes the default root user account. Users are encouraged to change the password of the root user account after initial installation of JOC Cockpit.

To manage user accounts, roles and permissions from any JOC Cockpit page use the user menu in the right upper corner and select Manage Identity Services:


The Manage Identity ServiceServices page holds the list of the available Identity Services. By default the list is populated from the JS7 - JOC Identity Service. Users can add new Identity Services. From this page users can select an Identity Service to manage the user accounts associated with the Identity Service. Assume that the JOC Identity Service is selected by clicking the name JOC.

Image RemovedImage Added


The JOC Identity Service page offers three sub-tabsviews: Roles, Accounts, Roles, Profiles

Image Removed

Explanation:

...

 Profiles. Selecting an Identity Service by default opens the Roles sub-view.

  • Roles: Permissions can freely be grouped to roles. This includes to specify permissions for scheduling objects in JOC Cockpit and in Controllers.Permissions: a sub-view offered to manage access to folders and permissions
  • Accounts: Management of user accounts that are stored with the JS7 - Database.
  • Profiles: Information about the date of last login by user accounts.

The Accounts sub-view

...

  • user accounts

...

Image Removed

The above screenshot shows the test user account that assigned the test-role role.

...

  • .

The

...

Roles

...

sub-view

...

The Roles sub-view

The Roles sub-view allows to assign permissions for access to scheduling objects with JOC Cockpit and Controllers.

...

A set of permissions is configured for each role. Each permission set can be inspected by clicking default from the list of roles. This will open the Permissions sub-view for the given role. The matrix of default roles and permissions along with descriptions per permission is provided with the JS7 - Permissions article.

The Accounts sub-view

The Accounts sub-view is available when a user selects the Identity Service from the Identity Management Services page. The sub-view lists the user accounts that are configured along with their roles.

Image Added


The above screenshot shows the test user account that assigned the test-role role.

The Add Account button can be used to open a popup window to add a new user account.

  • The additional options (ellipsis) symbol allows an Account to be edited (change the Account Name and/or Password, select/deselect Roles) and to be copied or deleted.
  • Clicking the Account Name navigates the user to the Roles sub-view that offers to assign the role permissions for JOC Cockpit and Controllers.

The Permissions sub-view

The Permissions sub-view allows to manage permissions for roles, optionally limited to specific folders.

...

  • Now expand the Role using the arrow button click on the default (blue link) to add Permissions and/or Folders in the Permissions sub-view. The procedures available for managing permissions and folders are explained with the Editing User Permissions and Folders sections below.
    • Note that roles that neither have permissions nor folders assigned are deleted automatically when a user leaves the Manage Identity Service page.

Add a User Account

...

  • Note that deselecting a role in this popup window 'uncouples' the role from the user account - it does not delete the role. 

Manage User Permissions

Permissions Structure

Permissions are organized in a hierarchical way:

  • A Role with the Permission sos:products:controller:view 'only' allows a User to view Controllers, while a user with the 'higher' sos:products:controller permission is able not only to view Controllers but is able to carry out additional operations - in this case, view, restart, terminate, and switch_over.
  • The JS7 - Permissions article contains a link to a full list of all Permissions that can be granted.

Editing Permissions

Consider any user have a role(demo-role) with the following permission:

sos:products:controller:view

...

    • .

...

sos:products:controller:restart
sos:products:controller:terminate

The following Permissions can be set to allow the demo-role Role to view, restart and terminate the Controller, but not Switch_over:

sos:products:controller:view
sos:products:controller:restart

Alternatively, it may make sense in some situations to grant the Role a higher level of Permission and then remove one or more specific Permissions. This approach is shown in the following combination:

sos:products:controller
-sos:products:controller:switch_over

where the ...sos:products:controller Permission is an overall 'Controller' Permission covering viewrestart and terminate, and the -sos:products:controller:switch_over Permission is removed from the demo-role Role.

Caution

Users should have Role with the following Permission - or higher - before they are able to log into the JOC Cockpit:

sos:products:joc:administration:controller:view

Editing Procedures

Three editing procedures are available for editing Permissions:

Adding Permissions:

...

  • This is done by ticking the Excluded checkbox, which is obscured in the above screenshot.

...

Modifying Existing Permissions:
  • The pencil symbol is shown alongside existing Permissions in the Permissions view (shown in the screenshot above) can be used to change the function of a Permission in a Role - to make an additive Permission subtractive and vice-versa. It cannot be used to edit a Permission.
  • The X symbol displayed alongside existing permissions in the Permissions sub-view is used to remove a permission from a role.
  • Note that a role must be configured to be assigned either a permission or a folder as otherwise the role is considered empty and will be deleted.
  • Note that if a user account is not assigned the following permission (or a permission from a higher level) then this user account will not be able to login to JOC Cockpit:
    • sos:products:joc:administration:controller:view
Graphical Permission Editing:

...

  • The Expand All button (shown in the above screenshot) can be used to open all the tree elements.
  • Navigation is carried out by dragging & dropping the tree view.

...

  • Select / Unselect a Permission - click on the body of an unselected / selected element
    • Selected Permission elements are shown in blue (see the view element in the screenshot)
    • Children of selected Permission elements are shown in light blue (as shown in the screenshot)
  • Deny a Permission - click on the plus sign at the left hand end of the element
  • Revoke a Permission Denial - click on a - sign at the left hand end of the element
  • Show / hide child elements - click on the + / - symbols at the right edge of an element

...

Manage Permissions specific for a Controller

...

In this configuration, the demo_role role does not yet have any permissions specific to the Controller ID controller2.2.0. At least one permission needs to be added before the controller2.2.0 - demo_role configuration will be stored persistently.

The interaction of default Controller permissions and Controller specific permissions within the same role is illustrated as follows.

  • default permissions:
    • sos:products:controller:view
  • Controller-specific permissions:
    • sos:products:controller:agents:view

The Dashboard view for all Controllers will display the status of the current Controller but the status of Agent Clusters will only be displayed for the specified Controller - in this case for Controller ID controller2.2.0

Manage Folder Permissions

Folders are used to restrict access to objects such as workflows and schedules. For example, user accounts can be limited to access objects for particular mandators / clients only.

By default permissions are granted for all folders. However, roles can limit access to specific folders.

This is achieved by adding a folder permission, i.e. a set of permissions to view the content of a specific folder only. With a folder permission being in place the permission to access other folders is automatically revoked. If folder permissions should be used for a number of folders then each folder permission has to be specified individually.

Granting Folder Permissions

Folder permissions are granted from the Permissions sub-view. Note that before folder permissions can be assigned a role, the role has to be specified for a user account. In the below example, a test user account and demo_role role have been configured and the demo folder has been created in the inventory.

To open the Permissions sub-view for a specific role, first open the Manage Identity Services page for the respective Identity Service, switch to the Roles sub-view and select the role that should be assigned folder permissions. For assignment click the name of the role in the list of roles.

...

Check the Recursive checkbox in the Add Folder popup window if recursive access to sub-folders is required and click the Submit button.

Any user account that is assigned the demo_role will be able to access scheduling objects in the demo folder only.

Note that the test user account will be able to log in to the JOC Cockpit without being assigned a role, however, no menu items and no functionality is offered from the GUI. A minimum permission is required e.g. by a role that grants the following permission:

  • sos:products:controller:view