Introduction
Role based access management is offered from JS7 - Identity Services within the scope of JS7 - Identity and Access Management.
- The Identity Service Type determines if roles are managed from JOC Cockpit or from the Identity Provider, for example from an LDAP Server.
- The JS7 - JOC Identity Service offers to manage roles.
- The JS7 - HashiCorp® Vault Identity Service offers to manage roles if the VAULT Identity Service Type is used.
- Permissions are managed from JOC Cockpit independently from the Identity Service in use.
Permissions
Scope and Structure
The Permissions sub-view allows managing permissions for roles, optionally limited to specific folders.
- Scope
- JOC Cockpit Permissions are assigned for operations in JOC Cockpit, for example to manage calendars and the daily plan etc.
- Controller Permissions are assigned for operations on scheduling objects per Controller, for example to deploy workflows, to add orders etc.
- If more than one Controller is connected to JOC Cockpit then a user account can be assigned a role that for example allows deployment to one Controller but not to other Controllers.
- Controller permissions can be specified as a default for any Controllers and they can be specified on a per Controller basis.
- Permission Tree
- Permissions are organized in a tree that offers a hierarchy of branches.
- Granting or denying a permission at a higher level inherits the permission recursively to deeper levels of the tree.
- States
- Permissions can take one of three states: unassigned, granted or denied.
- An unassigned permission makes no assumption about whether the permission is granted or denied.
- A granted permission is active within limits, as it can be overruled by denied permissions.
- A denied permission is active without limits and cannot be overruled by granted permissions.
- Merge
- Permissions are assigned to roles. A user account can accumulate a number of roles, therefore the permissions are merged by the following rules.
- JOC Cockpit Permissions
- Unassigned permissions are ignored.
- Granted permissions work across any roles unless merged with a denied permission from a role.
- Denied permissions work across any roles and cannot be overruled by granted permissions from any role.
- Controller Permissions
- Default Controller
- Unassigned permissions are ignored.
- Granted permissions overrule unassigned permissions from any roles and Controllers.
- Granted permissions can be overruled from any role; they can be
- denied by a permission of the Default Controller specified by some other role,
- denied by a permission for a Specific Controller.
- Denied permissions
- Specific Controller
- Unassigned permissions are ignored, instead the permissions of the Default Controller are applied.
- Granted permissions work across any roles unless denied by a permission from a role for the given Controller.
- Denied permissions work without limits across any roles for the given Controller.
Operations
...
A graphical and a textual view are available to manage permissions.
Graphical View
The view allows graphical navigation and selection of permissions and is the default view.
- Explanation:
- Navigation
- The Expand All and Collapse All buttons open and close any child branches.
- The Expand Active and Collapse Active buttons open and close child branches with granted or denied permissions.
- The + and - icons at the right edge of each permission icon open and close child branches.
- States and Colors
- Permissions show the following background colors to indicate their state:
- White: Permission is not assigned, i.e. is not granted and is not denied.
- Dark Blue: Permission is granted and the grant is inherited to child permissions recursively.
- Light Blue: Permission is inherited from a granted parent permission.
- Dark Grey: Permission is denied and the denial is inherited to child permissions recursively.
- Light Grey: Permission is inherited from a denied parent permission.
- Granting Permissions
- Clicking the middle of an unassigned (white) permission grants the permission (dark blue).
- Clicking the middle of a granted permission revokes the grant and puts the permission to the unassigned state (white).
- Denying Permissions
- The + icon inside a permission icon denies the permission (dark grey) recursively for child permissions that are located deeper in the permissions tree (light grey).
- A denied permission shows the - icon; clicking this icon revokes the denial and puts the permission to the unassigned state.
- Undo/Redo
- Changes to the permissions tree are stored to the JS7 database.
- The Undo button allows the last 10 changes to be undone stepwise.
- Any changes held in the Undo button will be deleted when the user leaves the Permissions sub-view.
- The Redo button changes the permissions tree back to its initial state when the Permissions sub-view is displayed.
- The state held with the Redo button is deleted when a user leaves the Permissions sub-view.
Textual View
The view displays permissions as a list of textual entries. The right upper corner of the Permissions sub-view offers to toggle between graphical view and textual view.
- Explanation:
- Individual permissions can be modified and can be removed from a role using the pencil and X icons that are faded in when the user's mouse is moved over a permission.
- The Edit function allows the permission to be made subtractive, i.e. for permission granted at a higher level to be removed.
- The folder part of the view is used to restrict the role to access particular folders only - this includes that any scheduling objects such as workflows are visible from the assigned folder only.
Permission Hierarchy
Manage Permissions
...
Permissions are organized in a hierarchical way:
- A role with the permission
sos:products:controller:view
only allows a user to view Controllers, while a user with the higher
sos:products:controller
permission is not only able to view Controllers but can carry out any operations such as to view, to restart, to terminate and to switch-over between Controller instances.
- The JS7 - Permissions article explains the full list of all permissions that can be granted.
Permission Assignment Strategies
Assign specific Permissions
Consider a user account being assigned a role (demo-role) holding the following permission:
sos:products:controller:view
This permission does not allow the demo-role to perform any modifying operations on the Controllers. Instead, such permissions are granted individually by using:
sos:products:controller:restart
sos:products:controller:terminate
Assign and Deny specific Permissions
The following permissions allow the demo-role to view and to restart a Controller, but not to terminate a Controller and not to switch-over between Controller instances:
sos:products:controller:view
sos:products:controller:restart
Alternatively, in some situations users might prefer to grant the role a higher level of permissions and then to remove one or more specific permissions. This approach is used with the following permission set:
sos:products:controller
-sos:products:controller:switch_over
where the sos:products:controller permission is an overall Controller permission covering operations to view, to restart and to terminate the Controller, and the -sos:products:controller:switch_over permission is removed from the demo-role.
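The merge rules from the Scope and Structure section (unassigned ignored, grant across roles, denial wins without limits, Default Controller applied where a specific Controller assigns nothing) and the subtractive assignment shown above can be checked against a small decision model. The following Python is an example added here, not JOC Cockpit's own implementation: the Role layout, the "default" key for the Default Controller set, the Controller names and the operator-role are constructed assumptions, and the precedence of specific Controller entries over Default Controller entries is our reading of the rules on this page.

```python
from dataclasses import dataclass, field

# Assumed key for the "Default Controller" permission set of a role.
DEFAULT_CONTROLLER = "default"


@dataclass
class Role:
    """A role holds JOC Cockpit permissions and per-Controller permissions.

    Permission strings follow the page's notation: "sos:products:controller"
    grants the whole subtree, a leading "-" (for example
    "-sos:products:controller:switch_over") denies that entry and everything below it.
    """
    name: str
    joc: list = field(default_factory=list)
    controllers: dict = field(default_factory=dict)


def covers(entry: str, permission: str) -> bool:
    """A tree entry covers itself and every deeper permission (match on ':' boundaries)."""
    return permission == entry or permission.startswith(entry + ":")


def evaluate(entries, permission):
    """State of one permission set: 'granted', 'denied' or None (unassigned).

    A denial is active without limits, so it wins over a grant in the same set;
    this is what makes "sos:products:controller" plus
    "-sos:products:controller:switch_over" a subtractive assignment.
    """
    state = None
    for entry in entries:
        if entry.startswith("-"):
            if covers(entry[1:], permission):
                return "denied"
        elif covers(entry, permission):
            state = "granted"
    return state


def merge(states):
    """Merge the states of several roles: any denial wins, then any grant."""
    if "denied" in states:
        return "denied"
    if "granted" in states:
        return "granted"
    return None


def is_permitted(roles, permission, controller=None):
    """Decide a permission for a user account holding the given roles.

    controller=None asks for a JOC Cockpit permission. For a Controller permission
    the entries for that specific Controller are merged first; only if no role
    assigns the permission there do the Default Controller entries apply
    (assumed precedence, derived from the merge rules on the page).
    """
    if controller is None:
        return merge([evaluate(r.joc, permission) for r in roles]) == "granted"
    state = merge([evaluate(r.controllers.get(controller, []), permission) for r in roles])
    if state is None:
        state = merge([evaluate(r.controllers.get(DEFAULT_CONTROLLER, []), permission)
                       for r in roles])
    return state == "granted"


# Constructed sample roles, not taken from a real JOC Cockpit installation.
DEMO_ROLE = Role(
    "demo-role",
    joc=["sos:products:joc:administration:controller:view"],
    controllers={DEFAULT_CONTROLLER: ["sos:products:controller",
                                      "-sos:products:controller:switch_over"]},
)
OPERATOR_ROLE = Role(
    "operator-role",
    controllers={DEFAULT_CONTROLLER: ["sos:products:controller:switch_over"],
                 "controller-b": ["-sos:products:controller:terminate"]},
)


if __name__ == "__main__":
    for op in ("view", "restart", "terminate", "switch_over"):
        perm = "sos:products:controller:" + op
        alone = is_permitted([DEMO_ROLE], perm, "controller-a")
        both = is_permitted([DEMO_ROLE, OPERATOR_ROLE], perm, "controller-b")
        print(f"{perm}: demo-role alone={alone}, both roles on controller-b={both}")
```

Running the script shows the two rules a practitioner most often gets wrong: the operator-role's grant of switch_over on the Default Controller does not win against the demo-role's subtractive denial, and the denial of terminate assigned for controller-b is applied there although the Default Controller set would have granted it.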
...
sos:products:joc:administration:controller:view
Folder Permissions
Folder Selection
Folders are added using the Add Folder button visible in the background of the below screenshot in the upper right corner:
Folders are selected from a tree view that is opened by clicking the folder icon, see screenshot.
Editing Procedures
Three editing procedures are available for editing Permissions:
...