User and Role Management in Centrasite

Hi,

I have some queries regarding user and role management in Centrasite enterprise edition (3.1.7)

  1. How do we set up security access for customized roles? Something that Centrasite provides for pre-defined roles by default (e.g. a user linked with the CentrasiteReader role cannot update). Or is it that we can only limit the access of customized roles at object level?

  2. In Centrasite, currently we can see the users assigned to each role.

But, how do we see all the roles for a user? (e.g. a user may have a predefined role of CentrasiteUser as well as a customized role of Architect)

  3. What’s an unauthenticated user?

Thanks

Hi,

  1. With customized roles, you can do all the definitions you can do with predefined ones. In particular, to define type-level security, select a type, right click, select Details, select tab “Type Security” and define the access rights for the role.

  2. You can use one of the reports shipped with CentraSite to determine the roles of a user. Import the report
    C:\Program Files\CentraSite\CentraSite 3.1\demos\DemoReports\user_rights_report.rptdesign
    (modify path depending on your specific installation)
    and link this to the type user. Then execute the linked report for the user in question by right clicking the user in the list of users obtained when clicking the type “User” on “My CentraSite”.

  3. The “Unauthenticated user” is assigned to an activity that accesses CentraSite through WebDAV without providing authentication information.

Hope this helps

regards

harald

Hi Harald

Thanks for your response.

  1. I assign a user to a customized ‘Test Analyst’ role in Centrasite. I then restrict the ‘Test Analyst’ role to not allow ‘write’ on service ObjectType.

Now, if this user is assigned to the ‘CentraUser’ role (this would mean that this user can read and write objects in the registry, including ‘write’ on service ObjectType), what access should this user have on service ObjectType?

How does the ‘precedence’ work?

  2. I’ve imported the pre-defined report as suggested by you. It seems to bring out the user access based on selective objecttype. We don’t have ‘Roles’ as an objecttype in Centrasite. If we had, probably we could have seen the user association with multiple roles in ‘Association’ tab in user details window.

Also, running the report for any objecttype displays user role: Centrasite in the upper left corner of the report. Not sure what role this is.

Thanks

Another related query is, how to restrict the execution of linked report to specific users/roles only?

Thanks

Hi,

If a user belongs to any role that has write access, he has write access. There is no “deny” functionality on type level, so no precedence.

Not sure I understand the second entry: the information you need from this report is the set of roles reported as you have seen, so you do not need a “role” type to use this report. The role CentraSite is an internal one, you can ignore this.

The execution of a linked report can be restricted by restricting the “read” permission of the report template. You cannot restrict a report for one object while allowing it for another one.

Regards

Harald
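
The additive rule described in the reply above (any role that grants write gives write, with no deny at type level) means a restriction placed on one role can be silently overridden by another role the user holds. The following is an added example, not part of the thread and not CentraSite code: it models the rule in plain Python over constructed sample data, inverts the role-to-users view into user-to-roles, and lists members of a restricted role who still hold the right through another role. All role assignments, user names and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: role -> members, as the role view lists them.
ROLE_MEMBERS = {
    "CentraSiteUser": ["rg", "alice"],
    "CentraSiteReader": ["bob"],
    "Test Analyst": ["rg", "bob"],
    "Architect": ["alice"],
}
# Constructed sample data: role -> object type -> rights granted at type level.
TYPE_SECURITY = {
    "CentraSiteUser": {"Service": {"read", "write"}},
    "CentraSiteReader": {"Service": {"read"}},
    "Test Analyst": {"Service": {"read"}},
    "Architect": {"Service": {"read", "write"}},
}

def roles_by_user(role_members):
    """Invert role -> users into user -> sorted list of roles."""
    inverted = defaultdict(set)
    for role, members in role_members.items():
        for user in members:
            inverted[user].add(role)
    return {user: sorted(roles) for user, roles in inverted.items()}

def effective_rights(user, object_type, role_members, type_security):
    """Union of the rights of every role the user holds; nothing subtracts."""
    rights = set()
    for role in roles_by_user(role_members).get(user, []):
        rights |= type_security.get(role, {}).get(object_type, set())
    return rights

def overridden_restrictions(restricted_role, right, object_type,
                            role_members, type_security):
    """Members of restricted_role who still hold `right`, and via which roles."""
    user_roles = roles_by_user(role_members)
    findings = {}
    for user in role_members.get(restricted_role, []):
        granting = [r for r in user_roles[user]
                    if right in type_security.get(r, {}).get(object_type, set())]
        if granting:
            findings[user] = granting
    return findings

if __name__ == "__main__":
    print(roles_by_user(ROLE_MEMBERS))
    print(effective_rights("rg", "Service", ROLE_MEMBERS, TYPE_SECURITY))
    print(overridden_restrictions("Test Analyst", "write", "Service",
                                  ROLE_MEMBERS, TYPE_SECURITY))
```
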

Thanks Harald,

Regarding second entry, I was hoping that we could somehow see the roles in the ‘Association’ tab in the user details window (without the need for executing this report). However, this is not the case as report is not an ObjectType in Centrasite.

It was very useful help.

Regards
RG

Hi RG,

Sure, I understood what you were looking for, and the report is just a workaround for the non-existing feature. In the next version of CentraSite, you will be able to directly access the roles associated to a user, from the user object.

Regards

Harald

Hi Harald,

Looking forward to the next version of Centrasite, I believe ActiveSOA would be much more powerful in terms of providing governance features.

Another related query on user and role management,

  1. It seems that the predefined (Centrasite*) roles can be deleted, why is it so?

  2. I’m having problems setting up LDAP authentication, so in the meantime we are using OS based users accessing Centrasite.

Is it required to create a new user instance in Centrasite for each OS user?

I’m assigning an OS user with a specific role and next time, when I check that role, there is no display of OS user against that role?

Thanks for your continued help
RG

Hi RG,

  1. Why not? If a company decides to use their own roles, why should the unused CentraSite* roles be retained?

  2. For help on the LDAP, please consult the documentation, or open a support request if this does not work.
    Concerning user account: this is a bit tricky: the user account is automatically created the first time the user logs in. Starting from this time, you should also see the user occur in the role.

Regards

Harald

Hi Harald,

For point 1, I believe it’s ok for a company to delete the predefined roles, but then it’s not consistent with the overall Centrasite behavior, e.g. we are not allowed to delete the predefined base types.

For point 2, I don’t see the OS users being registered automatically in Centrasite upon login. Also, when a role is assigned to this user, it’s not visible next time. However, when I try to assign that same role again to this user, I get a message that this mapping already exists. Probably I can raise this with the support team.

Thanks
RG