Introduction

Operations

Manage Permissions

Permissions Structure

Permissions are organized in a hierarchical way:

• A Role with the Permission sos:products:controller:view 'only' allows a User to view Controllers, while a user with the 'higher' sos:products:controller permission is able not only to view Controllers but is able to carry out additional operations - in this case, view, restart, terminate, and switch_over.
• The JS7 - Permissions article contains a link to a full list of all Permissions that can be granted.

Editing Permissions

Consider any user have a role(demo-role) with the following permission:

sos:products:controller:view

This permission does not allow the demo-role to perform the operation on the Controllers. These Permissions could be granted individually with the following:

sos:products:controller:restart
sos:products:controller:terminate

The following Permissions can be set to allow the demo-role Role to view, restart and terminate the Controller, but not Switch_over:

sos:products:controller:view
sos:products:controller:restart

Alternatively, it may make sense in some situations to grant the Role a higher level of Permission and then remove one or more specific Permissions. This approach is shown in the following combination:

sos:products:controller
-sos:products:controller:switch_over

where the ...sos:products:controller Permission is an overall 'Controller' Permission covering view, restart and terminate, and the -sos:products:controller:switch_over Permission is removed from the demo-role Role.

Caution

Users should have Role with the following Permission - or higher - before they are able to log into the JOC Cockpit:

sos:products:joc:administration:controller:view

Editing Procedures

Three editing procedures are available for editing Permissions:

• Adding Permissions:

  • The Add Permission button in the Permissions View allows a Permission to be selected from a list of all available Permissions as shown in the screenshot below.
    • Note that the Permissions listed are all individual Permissions. They can be edited to make them higher level / less specific.
      
      • For example, the screenshot below shows that the ...administration:controller:view permission in the process is selected.
        
        Image Added
        
        
      • Selected permission can also be made subtractive - i.e. to remove a specific part of a higher level Permission.
        • This is done by ticking the Excluded checkbox, which is obscured in the above screenshot.

• Modifying Existing Permissions:

  • The pencil symbol is shown alongside existing Permissions in the Permissions view (shown in the screenshot above) can be used to change the function of a Permission in a Role - to make an additive Permission subtractive and vice-versa. It cannot be used to edit a Permission.
  • The X symbol displayed alongside existing permissions in the Permissions sub-view is used to remove a permission from a role.
  • Note that a role must be configured to be assigned either a permission or a folder as otherwise the role is considered empty and will be deleted.
  • Note that if a user account is not assigned the following permission (or a permission from a higher level) then this user account will not be able to login to JOC Cockpit:
    • sos:products:joc:administration:controller:view

• Graphical Permission Editing:

  • The graphical view is activated by selecting the 'tree' symbol at the top right corner of the Permissions sub-view:
    
    Image Added
    
    
  • The editor opens with a partially collapsed permissions tree as shown in the next screenshot:
    
    Image Added
    
    
    • The Expand All button (shown in the above screenshot) can be used to open all the tree elements.
    • Navigation is carried out by dragging & dropping the tree view.
  • The functions available for the tree elements are (with reference to the screenshot below):
    • Select / Unselect a Permission - click on the body of an unselected / selected element
      • Selected Permission elements are shown in blue (see the view element in the screenshot)
      • Children of selected Permission elements are shown in light blue (as shown in the screenshot)
• Deny a Permission - click on the plus sign at the left hand end of the element
• Revoke a Permission Denial - click on a - sign at the left hand end of the element
• Show / hide child elements - click on the + / - symbols at the right edge of an element
• In the following screenshot the administration element has been selected, automatically selecting the administration:accounts, administration:certificates, administration:controllers, administration:customization, administration:settings
• In addition, the controllers:manage child permission has been denied, resulting in the fact that the controllers:view is active only.
  
  Image Added
  
  

Manage Permissions specific for a Controller

By default User Accounts are granted permissions for all Controllers in a scheduling environment. Permissions that are applicable to a particular Controller only can be added to a role. This can be achieved in the Manage Roles sub-view of the Identity Management Service.

...

This is achieved by adding a folder permission, i.e. a set of permissions to view the content of a specific folder only. With a folder permission being in place the permission to access other folders is automatically revoked. If folder permissions should be used for a number of folders then each folder permission has to be specified individually.

...

Add Folder Permissions

Folder permissions are granted from the Permissions sub-view. Note that before folder permissions can be assigned a role, the role has to be specified for a user account. In the below example, a test user account and demo_role role have been configured and the demo folder has been created in the inventory.

...