An Authorization defines permission to access and "consume the data" in a specific Application in the CAST Application Engineering Dashboard. If permission is not granted, then any information related to this Application will not be accessible: application properties such as name, technologies or grades and measures, etc. Therefore, an Authorization must be defined before a user/group of users can access a specific application.
- Data authorization can ONLY be configured once a snapshot has been generated in a Dashboard Service connected to the CAST Application Engineering Dashboard
- By default, no users are granted access to all Applications
- A user with the ROLE_ADMIN role will automatically be granted authorization to access all Applications
- Users (whether static-list or Active Directory) are not automatically granted data authorization - an error will therefore be displayed when a user attempts to log in because the user is not authorised to access any data.
- Authorizations function for both static-list and Active Directory authentication modes
- If the username contains special characters (non US-ANSI characters) such as é,è,à,ç,ù etc., you must ensure that your text editor saves the authorizations.xml file with UTF-8 encoding.
- If a user is not authorized to access any data at all, upon login, a message will be displayed explaining that the user is not authorized to access any data and further use of the CAST Application Engineering Dashboard is prevented - this is described under Logging in to the CAST Application Engineering Dashboard. It is also possible to modify the message that is displayed, see CAST-AAD-AED - Modifying login error messages.
- When a RESTRICTED license key for accessing the CAST Dashboard Service is in use, all authorizations defined in authorizations.xml are ignored. Please see CAST-AED-RESTAPI - Dashboard Service license key configuration for more information about this.
Authorizations are defined in the following file:
Each line of the authorizations.xml file defines a permission to access an application or a set of applications. These lines are cumulative: several lines can apply to a single user or group, in which case this user or group will have access to all the specified applications. The syntax in use is as follows:
User scope, defined by the following attributes:
Content scope, defined by the following attributes:
- application, adgDatabase
- applicationPattern, adgDatabasePattern
Authorizations when using the combined CAST-AAD-AED.war file
When you are using the CAST Application Engineering Dashboard via the combined CAST-AAD-AED.war file (as described in ), please remember that data authorization is common to both Dashboards. Therefore if you authorize "UserA" to view Application "B" only via the authorizations.xml file, then this is true for both Dashboards.
Authorize a user to access an application
You can define authorization to a single application by specifying its name AND the name of the CAST Dashboard Service database/schema in which the snapshot results for the Application are stored. For example, this line grants the "guest" user access to the "Billing platforms" application stored in the "demo_800_central" database:
Please note that the adgDatabase attribute is case sensitive. Therefore you must ensure that the name of the CAST Dashboard Service database/schema exactly matches the name defined in your RDBMS (whether CSS or Oracle/Microsoft SQL Server).
Authorize a user to access applications matching a pattern
You can authorize a user to access certain Applications based on regular expression pattern matching. With the following definition, the user "guest" will be authorized to access applications where the host CAST Dashboard Service is equal to "demo_800_central" or "demo_801_central" or "demo_802_central" or "demo_803_central":
- pattern matching can only be applied to Applications (applicationPattern) and CAST Dashboard Services (adgDatabasePattern) - the two MUST always be applied together to distinguish Applications.
- the adgDatabasePattern attribute is case sensitive. Therefore you must ensure that the pattern for the CAST Dashboard Service database/schemas matches the case used in the database/schema names defined in your RDBMS (whether CSS or Oracle/Microsoft SQL Server).
Authorize a user to access all applications
A user can be authorized to consume all applications. This is the case for the default configuration of user "James".
Authorizations are additive; this authorization therefore discards all other authorizations.
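The evaluation rules described above (cumulative lines, exact case-sensitive database names, paired patterns, an all-applications grant), modelled in Python as an added example; it is not CAST's code and does not reproduce the authorizations.xml syntax. The `user` and `all_applications` field names, full-string regex matching, exact application-name comparison and all sample data are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    # `user` and `all_applications` are hypothetical field names; the other
    # four mirror the content-scope attributes named on the page.
    user: str
    application: Optional[str] = None
    adgDatabase: Optional[str] = None
    applicationPattern: Optional[str] = None
    adgDatabasePattern: Optional[str] = None
    all_applications: bool = False

def rule_grants(rule, app, db):
    """True if this single rule covers application `app` in database `db`."""
    if rule.all_applications:
        return True
    if rule.application is not None and rule.adgDatabase is not None:
        # Exact comparison: adgDatabase is case sensitive (application
        # names are compared exactly too, which is an assumption).
        return rule.application == app and rule.adgDatabase == db
    if rule.applicationPattern is not None and rule.adgDatabasePattern is not None:
        # Both patterns must be present and both must match (full-string
        # matching is an assumption).
        return bool(re.fullmatch(rule.applicationPattern, app)
                    and re.fullmatch(rule.adgDatabasePattern, db))
    return False  # incomplete content scope: treated as granting nothing

def accessible(rules, user, inventory):
    """Rules are cumulative: any matching rule for the user grants access."""
    return sorted((app, db) for app, db in inventory
                  if any(r.user == user and rule_grants(r, app, db) for r in rules))

# Constructed sample data, not taken from a real deployment.
RULES = [
    Rule("guest", application="Billing platforms", adgDatabase="demo_800_central"),
    Rule("guest", applicationPattern=".*", adgDatabasePattern="demo_80[0-3]_central"),
    Rule("James", all_applications=True),
]
INVENTORY = [
    ("Billing platforms", "demo_800_central"), ("Payroll", "demo_802_central"),
    ("Payroll", "DEMO_802_CENTRAL"), ("Financial", "demo_central"),
    ("CRM", "demo_804_central"),
]

if __name__ == "__main__":
    for who in ("guest", "James", "alice"):
        print(who, accessible(RULES, who, INVENTORY))
```

Running the same listing against a real application inventory before deploying a rule change shows which users gain or lose access, including the silent loss caused by a database name that differs only in case.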
Authorize access for a group of users
In each of the above use cases, we can specify a group name (whether in Static List or Active Directory mode) in place of a user name. If Active Directory mode is being used, the group name must be specified using the full Distinguished Name (DN) of the group. Some possible examples are given below:
Authorize access for all users
It is possible to authorize access to a single Application or to all Applications for all users (whether in Static List or Active Directory mode), where "users" means all authenticated users:
For example, the following statement will allow all users to access data from the "Financial" application located in the "demo_central" Dashboard Service:
For example, the following statement will allow all users to access results from all applications: