JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 7

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The Identity Service Type determines if roles are managed from JOC Cockpit or from the Identity Provider, for example from an LDAP Server.
  • Permissions are managed from JOC Cockpit independently from the Identity Service in use.

Roles and Permissions

Role based Access Management

User accounts are assigned a number of roles.

  • Each role is assigned a number of permissions.
  • Permissions

...

Scope and Structure

  • are available in the following flavors: 
    • Additive Permissions are granted to a user account and add to the permission set of a user account.
    • Subtractive Permissions deny use of a permission and restrict the user account's permission set as they beat Additive Permissions across roles.
  • Users are free to create any roles and to assign permissions. Frequently roles are determined from an organizational point of view, for example:
    • administrator
    • application manager
    • business user
  • JS7 ships with a number of defaults for roles and permissions, see JS7 - Default Roles and Permissions

Scope and Structure of Permissions

Permissions can be specified in scope and hierarchy:The Permissions sub-view allows to manage permissions for roles, optionally limited to specific folders.

  • Scope
    • JOC Cockpit Permissions are assigned for operations in JOC Cockpit, for example to manage calendars and the daily plan etc.
    • Controller Permissions are assigned for operations on scheduling objects per Controller, for example to deploy workflows, to add orders etc.
      • If more than one Controller is connected to JOC Cockpit then a user account can be assigned a role that for example allows deployment to one Controller but not to other Controllers.
      • Controller permissions can be specified as a default for any Controllers and they can be specified on a per Controller basis.
  • Permission Tree
    • Permissions are organized from can be considered a tree that offers a hierarchy of branches.
    • Granting or denying permissions at a higher level inherits the permission assignment recursively to deeper levels of the tree.
  • Permission States States
    • Permissions can take one of three states, being unassigned, granted or denied.
    • An unassigned permission does not take Unassigned permissions do not suggest any assumption if the permission is granted or denied.
    • A granted permission is active Granted permissions are considered additive within limits as is they can be overruled by denied permissions.
    • A denied permission is active Denied permissions are considered subtractive without limits and as they cannot be overruled by granted permissions.
  • Permission SetsMerge
    • Permissions Roles are assigned to rolespermissions. A user account can accumulate a number of roles, therefore the permissions are merged to a permission set by the following rules.
      • JOC Cockpit Permissions
        • Unassigned permissions are ignored.
        • Granted permissions work across any roles unless merged with a denied permission from a role.
        • Denied permissions work across any roles and cannot be overruled by granted permissions from any role.
      • Controller Permissions
        • Default Controller
          • Unassigned permissions are ignored.
          • Granted permissions overrule unassigned permissions from any roles and Controllers.
          • Granted permission can be overruled from any roles, they can be
            • denied by a permission of the Default Controller specified by some other role,
            • denied by a permission for a Specific Controller.
          • Denied permissions 
        • Specific Controller
          • Unassigned permissions are ignored, instead the permissions of the Default Controller are applied.
          • Granted permissions work across any roles unless denied by a permission from a role for the given Controller.
          • Denied permissions work without limits across any roles for the given Controller.

Operations

A graphical and a textual view are available to manage permissions.

Views

Views are available for roles and and permissions. Graphical and Textual Permission views are available.

Roles View

From the list of Identity Services user can click the name of an Identity Service:

Image Added


Having selected an Identity Service the Roles view is displayed like this:

Image Added


For each role a default link is available to navigate to the Graphical Permissions View. 

Additional links can be added by use of the Add Controller button. Such links are used to manage permissions that are specific for a Controller.

Graphical Permissions

...

View

The view allows graphical navigation and selection of permissions and is the default view .for permissions of a given role:



  • Explanation:
    •  Navigation
      • The Expand All and Collapse All buttons open and close any child branches.
      • The Expand Active and Collapse Active buttons open and close child branches with granted or denied permissions.
      • The + and - icons at the right edge of each permission icon open and close child branches.
    • States and Colors
      • Permissions show the following background colors to indicate their state:
        • White: Permission is not assigned, i.e. is not granted and is not denied.
        • Dark Blue: Permission is granted and the grant is inherited to child permissions recursively.
        • Light Blue: Permission is inherited from a granted parent permission.
        • Dark Grey: Permission is denied and the denial is inherited to child permissions recursively..
        • Light Grey: Permission is inherited from a denied parent permission.
      • Granting Permissions
        • Clicking the middle of an unassigned (white) permission grants the permission (dark blue).
        • Clicking the middle of a granted permission revokes the grant and puts the permission to the unassigned state (white).
      • Denying Permissions
        • The + icon inside a permission icon denies the permission (dark grey) recursively for child permissions that are located deeper in the permissions tree (light grey).
        • A denied permission shows the - icon, clicking this icon revokes the denial and puts the permission to the unassigned state.
    • Undo/Redo
      • Changes to the permissions tree are stored to the JS7 database.
      • The Undo button allows the last 10 changes to be undone stepwise.
        • Any changes held in the Undo button will be deleted when the user leaves the Permissions sub-view.
      • The Redo button changes the permissions tree back to its initial state when the Permissions sub-view is displayed.
        • The state held with the Redo button is deleted when a user leaves the Permissions sub-view.

Textual Permissions View

The view acts as an alternative to the Graphical Permissions View and displays permissions from a lists list of textual entries.

The right upper corner of the Permissions sub-view offers to toggle between graphical view and textual view.



  • Explanation:
    • Individual permissions can be modified and can be removed from a role using the pencil and X icons that are faded in when the user's mouse is moved over a permission.
    • The Edit function allows the permission to be made subtractive, i.e. for permission granted at a higher level to be removed.
    • The folder part of the view is used to restrict the role to access particular folders only - this includes that any scheduling objects such as workflows are visible from the assigned folder only.

Assignment Strategies

Permission Hierarchy

Permissions are organized in a hierarchical way:

  • A role with the permission sos:products:controller:view allows a user to view Controllers only, while a user with the sos:products:controller permission is able to carry out any operations such as to view, to restart, to terminate, and to switch-over between Controller instances.
  • The JS7 - Permissions article explains the list of permissions.

Permission Assignment

...

Assign specific Permissions only

Consider a user account being assigned a demo-role holding the following permission:

...

  • sos:products:controller:restart
  • sos:products:controller:terminate

Assign

...

global Permissions, Deny specific Permissions

The following permissions allow the demo-role to view and to restart Controller, but not to terminate a Controller and to switch-over between Controller instances:

...

  • sos:products:controller
  • -sos:products:controller:switch_over

when the ...The sos:products:controller permission is an overall Controller permission covering operations including permissions to view, to restart and to terminate the Controller, and the a Controller. The -sos:products:controller:switch_over permission is removed from the demo-role Role.

Caution

Minimum Permission Assignment

User accounts have to be assigned a role with the following minimum permission in order to be able to login to Users should have Role with the following Permission - or higher - before they are able to log into the JOC Cockpit:

sos:products:joc:administration:controller:view

Folder Permissions

Folder Selection

...

Assignment Operations

Add Permissions

Image Removed

Folders are selected from a tree view that is opened by clicking the folder icon, see screenshot.

Editing Procedures

Three editing procedures are available for editing Permissions:

  • Adding Permissions:

    The Add Permission button in the Permissions

    View

     sub-view allows

    a Permission

    to

    be selected

    select permissions from a list

    of all available Permissions as shown in the screenshot

    as explained below.

  • Note that the Permissions listed are all individual Permissions. They can be edited to make them higher level / less specificspecific permissions are used from a list. Users can modify permissions to a more global or to a more specific scope.
    • For example, with the below screenshot below shows that the ...administration:controller:view permission in the process is selected.:

      Image Modified

    • Selected permission can also be made subtractive - Additive Permissions: by default selected permissions are granted, i.e. they add to the permission set of a role.
    • Subtractive Permissions: selected permissions can be denied to remove a specific part of a higher level Permission.more global permission. This is done achieved by ticking use of the Excluded checkbox, which is obscured in the above screenshot.
    Modifying Existing

Modify Permissions

...

    • The pencil symbol is
    • shown alongside existing Permissions
    • displayed for any permissions in the Permissions view
    • (shown in the screenshot above)
    • can be used to change the function of a Permission in a Role - to make an additive Permission subtractive and vice-versa. It cannot be used to edit a Permission.
    • The X symbol displayed alongside existing permissions in the Permissions sub-view is used to remove a permission from a role.
    • Note that a role must be configured to be assigned either a permission or a folder as otherwise the role is considered empty and will be deleted.
    • Note that if a user account is not assigned the following permission (or a permission from a higher level) then this user account will not be able to login to JOC Cockpit:
      • sos:products:joc:administration:controller:view
  • Graphical Permission Editing:
    • The graphical view is activated by selecting the 'tree' symbol at the top right corner of the Permissions sub-view:



    • The editor opens with a partially collapsed permissions tree as shown in the next screenshot:



      • The Expand All button (shown in the above screenshot) can be used to open all the tree elements.
      • Navigation is carried out by dragging & dropping the tree view.
    • The functions available for the tree elements are (with reference to the screenshot below):
      • Select / Unselect a Permission - click on the body of an unselected / selected element
        • Selected Permission elements are shown in blue (see the view element in the screenshot)
        • Children of selected Permission elements are shown in light blue (as shown in the screenshot)
    • Deny a Permission - click on the plus sign at the left hand end of the element
    • Revoke a Permission Denial - click on a - sign at the left hand end of the element
    • Show / hide child elements - click on the + / - symbols at the right edge of an element
  • In the following screenshot the administration element has been selected, automatically selecting the administration:accountsadministration:certificates, administration:controllers, administration:customization, administration:settings
  • In addition, the controllers:manage child permission has been denied, resulting in the fact that the controllers:view is active only.



...

The Dashboard view for all Controllers will display the status of the current Controller but the status of Agent Clusters will only be displayed for the specified Controller - in this case for Controller ID controller2.2.0

Folder Permissions

Folder Selection

Folders are added using the Add Folder button visible in the background of the below screenshot in the upper right corner:

Image Added


Explanation:

  • x

Folders are selected from a tree view that is opened by clicking the folder icon, see screenshot.



Manage Folder Permissions

...