I have some queries regarding user and role management in Centrasite enterprise edition (3.1.7)
How do we set up security access for customized roles? Something that Centrasite provides for pre-defined roles by default (e.g. a user linked with CentrasiteReader role cannot update). Or is it that we can only limit the access of customized roles at object level?
In Centrasite, currently we can see the users assigned to each role.
But, how do we see all the roles for a user? (e.g. a user may have a predefined role of CentrasiteUser as well as a customized role of Architect)
With customized roles, you can do all the definitions you can do with predefined ones. In particular, to define type-level security, select a type, right click, select Details, select tab “Type Security” and define the access rights for the role.
You can use one of the reports shipped with CentraSite to determine the roles of a user. Import the report
C:\Program Files\CentraSite\CentraSite 3.1\demos\DemoReports\user_rights_report.rptdesign
(modify path depending on your specific installation)
and link this to the type user. Then execute the linked report for the user in question by right clicking the user in the list of users obtained when clicking the type “User” on “My CentraSite”.
The “Unauthenticated user” is assigned to an activity that accesses CentraSite through webDAV without providing authentication information.
I assign a user to a customized ‘Test Analyst’ role in Centrasite. I then restrict the ‘Test Analyst’ role to not allow ‘write’ on service ObjectType.
Now, if this user is assigned to ‘CentraUser’ role (this would mean that this user can read and write objects in the registry, including ‘write’ on service ObjectType), what access should this user have on service ObjectType?
How does the ‘precedence’ work?
I’ve imported the pre-defined report as suggested by you. It seems to bring out the user access based on selective objecttype. We don’t have ‘Roles’ as an objecttype in Centrasite. If we had, probably we could have seen the user association with multiple roles in ‘Association’ tab in user details window.
Also, running the report for any objecttype displays user role: Centrasite in the upper left corner of the report. Not sure, what role is this.
If a user belongs to any role that has write access, he has write access. There is no “deny” functionality on type level, so no precedence.
Not sure I understand the second entry: the information you need from this report is the set of roles reported as you have seen, so you do not need a “role” type to use this report. The role CentraSite is an internal one, you can ignore this.
The execution of a linked report can be restricted by restricting the “read” permission of the report template. You cannot restrict a report for one object while allowing it for another one.
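The additive rule stated in the answer above (a user can write to a type if any of their roles grants it, with no type-level deny) can be audited with a short script. This is an added example, not part of the original thread and not CentraSite code or its API; the role names come from the thread, while the users, the permission table and the function names are constructed for illustration.

```python
# Added illustration: models the additive (no "deny") type-level rule from the
# thread. Not CentraSite code; all data below is constructed sample data.

# role -> object type -> granted permissions (constructed)
ROLE_GRANTS = {
    "CentrasiteReader": {"Service": {"read"}},
    "CentraUser": {"Service": {"read", "write"}},
    "Test Analyst": {"Service": {"read"}},  # custom role meant to withhold write
}

# user -> assigned roles (constructed)
USER_ROLES = {
    "alice": ["Test Analyst"],
    "bob": ["Test Analyst", "CentraUser"],
    "carol": ["CentrasiteReader", "Test Analyst"],
}


def effective_permissions(roles, object_type, grants=ROLE_GRANTS):
    """Union of the grants of every role: any role that grants wins."""
    perms = set()
    for role in roles:
        perms |= grants.get(role, {}).get(object_type, set())
    return perms


def shadowed_restrictions(user_roles, object_type, permission, grants=ROLE_GRANTS):
    """Find users whose restrictive role is overridden by another role.

    Returns {user: (restricting_roles, granting_roles)} for every user who
    holds at least one role without the permission and at least one with it.
    """
    findings = {}
    for user, roles in user_roles.items():
        granting = [r for r in roles
                    if permission in grants.get(r, {}).get(object_type, set())]
        restricting = [r for r in roles if r not in granting]
        if granting and restricting:
            findings[user] = (restricting, granting)
    return findings


if __name__ == "__main__":
    for user, roles in USER_ROLES.items():
        print(user, sorted(effective_permissions(roles, "Service")))
    for user, (weak, strong) in shadowed_restrictions(
            USER_ROLES, "Service", "write").items():
        print(f"{user}: write not limited by {weak}; granted via {strong}")
```

A user flagged by `shadowed_restrictions` has to be removed from the granting role for the restriction to take effect, since the restricting role cannot subtract a permission.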
Regarding second entry, I was hoping that we could somehow see the roles in the ‘Association’ tab in the user details window (without the need for executing this report). However, this is not the case as report is not an ObjectType in Centrasite.
Sure, I understood what you were looking for, and the report is just a workaround for the non-existing feature. In the next version of CentraSite, you will be able to directly access the roles associated to a user, from the user object.
Why not? If a company decides to use their own roles, why should the unused CentraSite* roles be retained?
For help on the LDAP, please consult the documentation, or open a support request if this does not work.
Concerning user account: this is a bit tricky: the user account is automatically created the first time the user logs in. Starting from this time, you should also see the user occur in the role.
For point 1, I believe it’s ok for a company to delete the predefined roles, but then it’s not consistent with the overall Centrasite behavior, e.g. we are not allowed to delete the predefined base types.
For point 2, I don’t see the OS users being registered automatically in Centrasite upon login. Also, when a role is assigned to this user, it’s not visible next time. However, when I try to assign that same role again to this user, I get a message that this mapping already exists. Probably I can raise this with the support team.