...

Role	Health Dashboard	Engineering / Security Dashboard	RESTAPI	Notes
ADMIN				The ADMIN role provides permission to execute the following actions: Health Dashboard reload the dashboard memory (see Reload the cache). create, update, delete new categories, and tags with the tags.html administration page (see Health Dashboard tag and category management). add or remove applications to/from tag assignments with the tags.html administration page (see Health Dashboard tag and category management). Ability to list all applications both for tag assignment or access to applications Engineering Dashboard reload the dashboard memory (see Reload the cache). Info A user with the role ADMIN cannot interact with the Action Plan / Exclusion list / Education list - this requires the QUALITY_MANAGER/EXCLUSION_MANAGER/QUALITY_AUTOMATION_MANAGER roles (see below). All dashboards In addition, a user with the ADMIN role: will automatically be granted authorization to access all Applications (allApplications authorization - see Data authorization) does not require a license key to access the data in the CAST Dashboard Service (not applicable to Health Dashboard) - see Dashboard Service license key configuration will gain admin specific options via the username button will get Check for update option in the user profile drop down. It performs a check to see whether the current Dashboard is up-to-date or if a new release is available. See: Engineering Dashboard - GUI Note You should use this role with caution!
QUALITY_MANAGER				The QUALITY_MANAGER role provides permission to add and remove objects from the Action Plan and to use the Engineering Dashboard - Action Plan Recommendation feature. A user granted this role ALSO requires additional authorization to access Applications data - they will not be permitted to login if an authroization is not configured - see Data authorization.
EXCLUSION_MANAGER				The EXCLUSION_MANAGER role provides permission to add and remove objects from the Exclusion list. A user granted this role ALSO requires additional authorization to access Applications data - they will not be permitted to login if an authroization is not configured - see Data authorization.
QUALITY_AUTOMATION_MANAGER				The QUALITY_AUTOMATION_MANAGER role provides permission to add and remove objects from the Education list. A user granted this role ALSO requires additional authorization to access Applications data - they will not be permitted to login if an authroization is not configured - see Data authorization.
CODE_RESTRICTED				The CODE_RESTRICTED role prevents users from viewing source code in the Engineering Dashboard. When enabled, a message is displayed in the dashboard as follows when an attempt is made to view the source code of a violation: Click to enlarge Info This role is available in ≥ 1.11.0. A user granted this role ALSO requires additional authorization to access Applications data - they will not be permitted to login if an authroization is not configured - see Data authorization.
NO_ROLE				The NO_ROLE role is a "read-only" role - it does not grant any permissions. A user granted this role ALSO requires additional authorization to access Applications data - they will not be permitted to login if an authorization is not configured - see Data authorization.

How are roles managed?

Roles are managed in the following file (which is common to all authentication modes):

WAR 1.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\roles.xml

WAR ≥ 2.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\classes\roles.xml

ZIP ≥ 2.x
<unpacked_zip>\configurations\roles.xml

Granting roles to users

To grant a role, enter a new line in the roles.xml file (one "role-assignment" line per user). In the following example, we have added the ADMIN role to the user JHU:

<root>
   <role-assignment user="Bill" role="ADMIN"/>
</root>

To grant the ADMIN role to multiple users, enter a new line in the roles.xml file (one "role-assignment" line per user):

<root>
   <role-assignment user="Bill" role="ADMIN"/>
   <role-assignment user="Fred" role="ADMIN"/>
</root>

It is possible to grant multiple roles to a single user if required. Place each role on one line. For example, to add the roles ADMIN, QUALITY_MANAGER, EXCLUSION_MANAGER and QUALITY_AUTOMATION_MANAGER roles to the user Bill:

<root>
	<role-assignment user="Bill" role="ADMIN"/>
	<role-assignment user="Bill" role="QUALITY_MANAGER"/>
	<role-assignment user="Bill" role="EXCLUSION_MANAGER"/>
	<role-assignment user="Bill" role="QUALITY_AUTOMATION_MANAGER"/>
</root>

Following any changes you make, save the roles.xml file and then restart your application server so that the changes are taken into account.

Granting roles to groups

To grant a role, enter a new line in the roles.xml file (one "role-assignment" line per group). In the following example, we have added the ADMIN role to the group corporate.admins:

<root>
	<role-assignment group="corporate.admins" role="ADMIN"/>
</root>

To grant the ADMIN role to multiple groups, enter a new line in the roles.xml file (one "role-assignment" line per group):

<root>
   <role-assignment group="corporate.admins" role="ADMIN"/>
   <role-assignment group="corporate.it" role="ADMIN"/>
</root>

It is possible to grant multiple roles to a single group if required. Place each role on one line. For example, to add the roles ADMIN, QUALITY_MANAGER, EXCLUSION_MANAGER and QUALITY_AUTOMATION_MANAGER roles to the group corporate.admins:

<root>
	<role-assignment group="corporate.admins" role="ADMIN"/>
	<role-assignment group="corporate.admins" role="QUALITY_MANAGER"/>
	<role-assignment group="corporate.admins" role="EXCLUSION_MANAGER"/>
	<role-assignment group="corporate.admins" role="QUALITY_AUTOMATION_MANAGER"/>
</root>

...

different ways depending on the Dashboard release you are using:

<root>
   <role-assignment user="Bill" role="ADMIN"/>
</root>