How are data authorizations managed in ≥ 2.x?
Data authorization is managed in a graphical user interface. This interface is available to users that have been assigned the ADMIN role and can be accessed by clicking the User Configuration option in the user menu:
The interface is then displayed. Two tabs are relevant for data authorizations: Profiles and Users. By default the Profiles tab is displayed:
- The Profiles interface is used to manage profiles. Data authorizations (and also user roles, in 2.x and above) are assigned to profiles.
- The Users interface is used to assign profiles (managed in the Profiles tab) to Users/Groups
- Any changes made in the interface to assigned data authorizations are effective immediately.
The Profiles panel is used to manage profiles. Roles (and also data authorizations, in 2.x and above) are assigned to profiles:
Search and Add
Edit and Delete
Lists all profiles that are available, by name:
On first login, a profile called "admin_profile" will be created automatically. This profile has the role "Admin" assigned to it. The first user to log in and become admin (see First login and become admin) will be automatically assigned this profile.
Lists the available built-in Roles and allows you to assign them to the selected Profile. It also allows you to view the roles that have already been assigned to a specific Profile:
In CAST Dashboards ≥ 2.10, by default, when a new profile is created, the No Role role (see NO_ROLE) will automatically be assigned to it. In older releases, the profile does not have any roles assigned to it.
Assign applications by Names / Assign applications by Technologies / Assign applications by Tags
These columns list the data authorizations that have been assigned to the corresponding Profile, i.e., by:
The Assign applications by tags column will NOT be visible:
You can directly modify them in this column:
Note about the All Applications option for Assign Applications by Name:
The Users/Groups panel is used to assign profiles (managed in the Profiles tab) to Users/Groups:
Lets you search for a User or a Group from the list of available Users/Groups.
This column lists all users/groups:
You can search for users/groups that have already been granted a profile (i.e. that are present in the list) using the Search panel in the column header:
This column lists all profiles that have been created in the Profiles tab and allows you to assign them to your users/groups:
Lets you edit the selected Users/Groups, i.e. change the profile assigned to the User/Group:
Delete (available in ≥ 2.10)
The delete option is only available when either LDAP or SAML authentication mode is in use. It allows users or groups to be removed from the list - for example if you granted a role to a user/group and now want to revoke this permission:
A warning is displayed before the user/group is deleted. The User/Group is only deleted from the CAST Dashboard Administration panel, not the LDAP/SAML authentication directory:
Using a RESTRICTED legacy type license key for accessing the Dashboard schema
When using a legacy type RESTRICTED license key for accessing the Dashboard schema (Engineering/Security Dashboard) - see Dashboard Service license key configuration - you MUST define authorizations manually in the following file:
In other words, if you are using:
- a standalone Engineering Dashboard AND a standalone Health Dashboard AND you are using a legacy type RESTRICTED license for the Engineering Dashboard
- a combined WAR/ZIP file (containing both the Engineering and Health Dashboards) AND you are using a legacy type RESTRICTED license for the Engineering Dashboard
then you must:
- define authorizations in license.xml for the Engineering Dashboard
- define authorizations in the user interface for the Health Dashboard
The authorizations do not need to be identical in the user interface and in license.xml if the user/group requires different authorizations in each dashboard.
Assign or remove authorizations
To assign or remove authorizations from a user or group, use the expandable column in either list. Changes are automatically saved and are taken into account immediately:
If you assign All Applications, then automatically All Technologies and All Tags are also assigned since it is not possible to prevent a user from accessing a specific technology/tag if the user can also access all Applications:
Delete all assigned authorizations
To delete all roles that have been assigned to a user or group, select the user/group and then use the delete icon. Changes are automatically saved but are only taken into account when the user logs out and logs back in again in a new session:
Using the delete option will remove both roles and data authorizations.