CAST Dashboards
Page tree
Skip to end of metadata
Go to start of metadata

Summary: This section describes how to configure data authorization in ≥ 2.x.

How are data authorizations managed in ≥ 2.x?

Data authorization is managed in a graphical user interface. This interface is available to users that have been assigned the ADMIN role and can be accessed by clicking the User Configuration option in the user menu:

The interface is then displayed. There are two tabs that are relevant for data authorizations: Profiles and Users: by default the Profiles tab is displayed:

Click to enlarge

Profiles tab:

Users tab:

  • The Profiles interface is used to manage profiles - data authorizations (and also User roles - 2.x and above) are assigned to profiles
  • The Users interface is used to assign profiles (managed in the Profiles tab) to Users/Groups
  • Any changes made in the interface to assigned data authorizations are effective immediately.


Options in Profile tab

Search and Add


Search option lets you to search a Profile from the list of available Profiles. Enter the Profile name and click   to view the selected Profile.

Add a profiles option lets you add a new Profile.
Edit and Delete 

This option allows you to edit the roles/authorizations assigned to the selected user/group. This is particularly useful if you need to modify multiple users/groups in one go.

This option will remove all the roles/authorizations granted to selected the user/group.
Profiles

Lists all profiles that are available, by name:

On first login, a profile called "admin_profile" will be created automatically. This profile has the role "Admin" assigned to it. The first user to login and become admin (see First login and become admin) will be automatically assigned this profile.
Roles

  • Lets you select the built-in Role to be assigned to the selected Profile.
  • Lists the roles that have been assigned to the corresponding Profile.
Assign applications by Names / Assign applications by Technologies / Assign applications by Tags

These columns list the data authorizations that have been assigned to the corresponding Profile, i.e., by:

  • application name
  • by technology
  • by tags

The Assign applications by tags column will NOT be visible:

You can directly modify them in this column:

Note about the All Applications option for Assign Applications by Name:

  • Users can assign "All Applications" to multiple profiles or a single profile without adding any role to the selected profile/s.
  • When using the "All Applications" authorization, any new Applications that are onboarded will automatically be included in the authorization.

Options in Users tab
Search

Lets you search a User or a Group from the list of available Users/Groups.

Users

This column lists all users/groups:

  • When local authentication is active:
    • all users that have been defined in the users.properties file will be listed here
    • it is not possible to create groups, therefore assigning roles or data authorizations to groups is also not possible
  • When LDAP or SAML authentication are active:
    • only users/groups that have specifically been assigned a profile will be listed
    • Groups are taken directly from the LDAP/SAML directory and must therefore be created there before they can be exploited by the CAST Dashboards
Profiles

This columns lists all profiles that have been created in the Profiles tab and allows you to assign them to your users/groups:

Edit

Lets you edit the selected Users/Groups, i.e. change the profile assigned to the User/Group:

Using a RESTRICTED legacy type license key for accessing the Dashboard schema

This section is not relevant for those using a current license key. Authorizations are always defined in the UI and the license.xml is ignored.

When using a legacy type RESTRICTED license key for accessing the Dashboard schema (Engineering/Security Dashboard) - see Dashboard Service license key configuration - you MUST define authorizations manually in the following file:

WAR ≥ 2.x
CATALINA_HOME\webapps\<dashboard>\WEB-INF\classes\license.xml
 
ZIP ≥ 2.x
<unpacked_zip>\configurations\license.xml

JAR ≥ 2.x
Windows: %PROGRAMDATA%\CAST\Dashboards\<dashboard>\license.xml
Linux: /root/ProgramData/CAST/Dashboards/<dashboard>/license.xml

In other words, if you are using:

  • standalone Engineering Dashboard AND a standalone Health Dashboard AND you are using a legacy type RESTRICTED license for the Engineering Dashboard
  • a combined WAR/ZIP file (containing both the Engineering and Health Dashboards) AND you are using a legacy type RESTRICTED license for the Engineering Dashboard

you should:

  • define authorizations in license.xml for the Engineering Dashboard
  • define authorizations in the user interface for the Health Dashboard

The authorizations do not need to be identical in the user interface and in license.xml if the user/group requires different authorizations in each dashboard.

Assign or remove authorizations

To assign or remove authorizations from a user or group, use the expandable column in either list. Changes are automatically saved and are taken into account immediately:

  

If you assign All Applications, then automatically All Technologies and All Tags are also assigned since it is not possible to prevent a user from accessing a specific technology/tag if the user can also access all Applications:

Click to enlarge

Delete all assigned authorizations

To delete all roles that have been assigned to a user or group, select the user/group and then use the delete icon. Changes are automatically saved but are only taken into account when the user logs out and logs back in again in a new session:

Click to enlarge

Using the delete option will remove both roles and data authorizations.

  • No labels