How are data authorizations managed in ≥ 2.x?
Data authorization is managed in a graphical user interface. This interface is available to users that have been assigned the ADMIN role and can be accessed by clicking the User Configuration option in the user menu:
The interface is then displayed. Two tabs are relevant for data authorizations: Profiles and Users. By default the Profiles tab is displayed:
Profiles tab:
Users tab:
- The Profiles interface is used to manage profiles. Data authorizations (and also User roles, in 2.x and above) are assigned to profiles
- The Users interface is used to assign profiles (managed in the Profiles tab) to Users/Groups
- Any changes made in the interface to assigned data authorizations are effective immediately.
Options in Profile tab
- Search and Add: The Add a profiles option lets you add a new Profile. The Search option lets you search for a Profile from the list of available Profiles. Enter the Profile name and click
- Edit and Delete: The Edit option allows you to edit the roles/authorizations assigned to the selected user/group. This is particularly useful if you need to modify multiple users/groups in one go. The Delete option will remove all the roles/authorizations granted to the selected user/group.
- Profiles: Lists all profiles that are available, by name:
- Roles
- Assign applications by Names / Assign applications by Technologies / Assign applications by Tags: These columns list the data authorizations that have been assigned to the corresponding Profile, i.e., by: The Assign applications by tags column will NOT be visible: You can directly modify them in this column: Note about the All Applications option for Assign Applications by Name:
Options in Users tab
- Search: Lets you search for a User or a Group from the list of available Users/Groups.
- Users: This column lists all users/groups:
- Profiles: This column lists all profiles that have been created in the Profiles tab and allows you to assign them to your users/groups:
- Edit: Lets you edit the selected Users/Groups, i.e. change the profile assigned to the User/Group:
Using a RESTRICTED legacy type license key for accessing the Dashboard schema
When using a legacy type RESTRICTED license key for accessing the Dashboard schema (Engineering/Security Dashboard) - see Dashboard Service license key configuration - you MUST define authorizations manually in the following file:
- WAR ≥ 2.x: CATALINA_HOME\webapps\<dashboard>\WEB-INF\classes\license.xml
- ZIP ≥ 2.x: <unpacked_zip>\configurations\license.xml
- JAR ≥ 2.x:
  - Windows: %PROGRAMDATA%\CAST\Dashboards\<dashboard>\license.xml
  - Linux: /root/ProgramData/CAST/Dashboards/<dashboard>/license.xml
In other words, if you are using:
- a standalone Engineering Dashboard AND a standalone Health Dashboard AND you are using a legacy type RESTRICTED license for the Engineering Dashboard
- a combined WAR/ZIP file (containing both the Engineering and Health Dashboards) AND you are using a legacy type RESTRICTED license for the Engineering Dashboard
you should:
- define authorizations in license.xml for the Engineering Dashboard
- define authorizations in the user interface for the Health Dashboard
The authorizations do not need to be identical in the user interface and in license.xml if the user/group requires different authorizations in each dashboard.
Assign or remove authorizations
To assign or remove authorizations from a user or group, use the expandable column in either list. Changes are automatically saved and are taken into account immediately:
If you assign All Applications, then automatically All Technologies and All Tags are also assigned since it is not possible to prevent a user from accessing a specific technology/tag if the user can also access all Applications:
Delete all assigned authorizations
To delete all roles that have been assigned to a user or group, select the user/group and then use the delete icon. Changes are automatically saved but are only taken into account when the user logs out and logs back in again in a new session:
Using the delete option will remove both roles and data authorizations.