...

Info
Summary: this page describes how to manage roles and access permissions, i.e. how to grant/revoke existing roles to your users and groups, using the Admin Center.


Note

A user with the ADMIN role or SUPER ADMIN role is required.

Introduction

The Users panel (panel 5) enables you to manage users/groups and the roles and permissions granted to them. Click panel 3 to grant/revoke existing roles to your users and groups:

Image Modified

The list is displayed when panel 3 is clicked:

Image Removed

...

When clicked, a list of existing users/groups and their assigned roles is displayed:

Image Added

Info
  • The currently logged-in user is never displayed in this list - to manage roles for the current user you will need to log in with another user that has the ADMIN or SUPER ADMIN role.
  • When local authentication mode is active:
    • it is not possible to create groups, therefore assigning roles or Applications data access permissions to groups is also not possible.
    • all users that have been created in the application-security-local.xml will be listed.
  • When LDAP, Active Directory or SAML authentication modes are active:
    • Only users/groups that have specifically been assigned a role will be listed (note that groups are not supported when SAML authentication mode is active).
    • Groups are taken directly from the back-end LDAP/Active Directory system and must therefore be created there before they can be used in CAST Imaging.
  • In CAST Imaging ≤ 2.1.0, when using SAML authentication mode:
    • all users automatically have the ADMIN role
    • roles are not supported.
    • This situation has been resolved in CAST Imaging ≥ 2.2.0.

Access permissions

There are two sets of access permissions that can be granted via the Admin Center to a User or a Group:

...

The ability to execute actions in the Admin Center is granted via a "role" mechanism. The following roles are available:

...

The ADMIN role provides permission to execute the following actions in the Admin Center:

Note

You should use this role with caution!

...

The USER role should be granted to "standard" users/groups - i.e. those that do not need to execute advanced actions in the Admin Center. All users MUST be granted a role (either directly to the user or to a group the user is a member of) before the user will be able to access Application data.

In addition, a user/group with the USER role can manage some (not all) preferences - see Configuring display preferences.

...

Access to Application data is granted on a per user/group basis. By default, users/groups (except those with the ADMIN role) have no access to any Application data, therefore before a user/group can view an Application, access must be specifically granted.

Info
  • All users MUST be granted a role (either directly to the user or to a group the user is a member of) before the user will be able to access Application data.
  • Users and members of groups with the ADMIN role can access all Application data.

...

Group data access permissions

  • Groups can be assigned access permissions in Active Directory or LDAP/S authentication mode (groups are not supported in local authentication mode). If a user is not specifically granted access to a given Application, but a group the user belongs to has been granted permission to the Application, the user will be able to access the Application data.
  • If an LDAP/Active Directory group is granted the ADMIN role, all members of the group will have access to all applications, as well as to the Admin Center.
  • If a user is a member of multiple groups, and if one of those groups has been granted the ADMIN role, then the user will be granted the ADMIN role (i.e. the most permissive role takes priority). If none of the groups have been granted the ADMIN role, the user will be presented with the list of applications that can be accessed by all of his/her groups ONLY, and no access will be available to the Admin Center.
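The following is an added example, not CAST Imaging's own code: it models the rules stated above (a role is required before any Application data is visible; ADMIN on the user or on any of its groups is the most permissive and wins; ADMIN gives every Application plus the Admin Center; otherwise Application access is the union of the user's and its groups' grants) so an administrator can audit effective access. The principals, groups and Application names are constructed samples.

```python
"""Effective-access resolver for the CAST Imaging role model on this page.
Added example (not CAST's code); all names and grants below are constructed."""
from dataclasses import dataclass, field

ADMIN, USER = "ADMIN", "USER"

@dataclass
class Principal:
    roles: set = field(default_factory=set)   # roles assigned directly
    apps: set = field(default_factory=set)    # Applications granted directly
    groups: set = field(default_factory=set)  # LDAP/AD group memberships

def effective_access(user, principals, groups, all_apps):
    """Return (has_admin_center, accessible_apps) for one user."""
    p = principals[user]
    roles, apps = set(p.roles), set(p.apps)
    for g in p.groups:                 # inherit from every group the user is in
        roles |= groups[g].roles
        apps |= groups[g].apps
    if not roles:                      # no role anywhere: no Application data
        return False, set()
    if ADMIN in roles:                 # most permissive role takes priority
        return True, set(all_apps)
    return False, apps                 # USER: only the Applications granted

def overprivileged(principals, groups, all_apps):
    """Non-ADMIN users who still reach every Application, e.g. a user demoted
    from ADMIN to USER whose 'all Application' grants were retained."""
    found = []
    for user in sorted(principals):
        admin, apps = effective_access(user, principals, groups, all_apps)
        if not admin and apps == set(all_apps):
            found.append(user)
    return found

# Constructed sample data (not taken from a real CAST Imaging installation).
ALL_APPS = {"AppA", "AppB", "AppC"}
GROUPS = {
    "dev": Principal(roles={USER}, apps={"AppB"}),
    "ops": Principal(roles={ADMIN}),
}
PRINCIPALS = {
    "alice": Principal(roles={USER}, apps={"AppA"}),      # plain USER
    "bob": Principal(apps={"AppA"}),                       # app grant but no role
    "carol": Principal(groups={"dev", "ops"}),             # ADMIN via "ops" group
    "dave": Principal(roles={USER}, apps=set(ALL_APPS)),   # demoted from ADMIN
}

if __name__ == "__main__":
    for u in sorted(PRINCIPALS):
        print(u, effective_access(u, PRINCIPALS, GROUPS, ALL_APPS))
    print("over-privileged:", overprivileged(PRINCIPALS, GROUPS, ALL_APPS))
```

Running it lists "bob" with no Application access despite his direct grant (no role), "carol" as ADMIN through her group, and flags "dave" as over-privileged, which is the case the demotion note later on this page warns about.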

Role clean up when switching to a new authentication mode

Whenever you switch to a new authentication mode, i.e. from local to Active Directory, or vice-versa, you must run the following batch file to clean up any roles that have been assigned to users/groups in the previous authentication mode. The batch file is located here:

    %PROGRAMFILES%\CAST\ImagingSystem\imagingservice\switchSecurityMode.bat

Become Admin

The BECOME ADMIN message will be displayed when CAST Imaging detects that there are no users that have been granted the ADMIN role (essential for executing actions in the Admin Center). This message will normally be displayed for the first user that logs in after switching to a different authentication mode. Clicking the BECOME ADMIN button will grant the ADMIN role to the currently logged-in user, and then the User/Group Management table will be displayed listing any other users that have permissions or have been defined (local authentication only).

Image Removed

User/Group management table

Image Removed

The User/Group Management table lists all users/groups as follows:

  • All users/groups that have been declared when Local Authentication is active (in other authentication modes, users/groups without a role/permission are never displayed)
  • All users/groups that have already been granted a role/permission

Info
  • The current user is never listed.
  • When LDAP/Active Directory/SAML authentication is active, users/groups are not automatically displayed in this table unless they have already been granted a permission.

In the following example, one user (with the USER role) and two groups (one with the USER role and one with the ADMIN role) can be seen:

Image Removed

...

Allows you to select the user/group and then make changes.

...

Granting permissions to users/groups

To grant a permission to a user/group, first locate the user/group in the User Management table and select it:

...

Assign a role or roles

Choose the role or roles you require using the drop-down list (you can create new roles in the Roles panel). When assigning multiple roles, the role with the most permissive behaviour will override the other roles.

Image Added

Info

If an authentication mode other than "local" is active and the user/group has never been granted a permission, the user/group will not be visible in the list. Therefore, to find the user/group:

Using LDAP

You will need to search for the user/group because it will not be displayed in the table:

Image Modified

Using Active Directory/SAML

In these modes the search mechanism is not available. Instead, you will need to use the Add user/group icon to add a user or group with a name identical to the user or group you want to grant the role or permission to:

Grant a role

Choose the role you require using the drop-down list:

Image Removed

Click Save to apply the change:

Image Removed

...

Choose the Application(s) you want the user/group to be able to access using the drop-down list:

Image Removed

You can choose Select all, or just tick those you require:

Image Removed

And then click Save to ensure the changes are taken into account:

Image Removed

...

Grant the Tutorial ... permission to ... users/groups

To allow non-ADMIN users/groups to use the Tutorial or Cypher Search feature, you will need to grant the permission on a user or group basis. Select the user/group you want to grant these permissions to (1), and then click the icon highlighted in the top right (2):

Image Modified

Then enable the required permission and click Update:

Image Modified

The changes will be saved automatically.

Editing/deleting existing roles

...

assignments

Edit existing role assignments

If you need to edit existing roles/permissions for a user/group, you can:

  • use the drop-down list to change the role that has been assigned

...

Info
If you "demote" a user/group from Admin to User, then the user/group will retain the same "all Application" permissions that it was granted via the Admin role. You will need to manually change the Application permissions if the user/group should no longer have access to all Applications.

Delete

Info
This functionality is only available when local or LDAP authentication is active.

Image Added

Delete role assignments

To delete all roles/permissions already granted to a user or group, use the delete icon on the selected users/groups:

Image Modified

You will be prompted to confirm the choice:

...