Role-Based Access Control
Security Roles can be added and edited in the GridServer Administration Tool on the Admin > User Admin > Role Admin page. Each role contains a set of permissions that you can enable or disable. Each permission corresponds to a GridServer page, action, or feature. For example, you might disable permissions in a role to prevent a subset of users from editing Engine Daemons or managing Brokers. You can also enable permissions in a role, such as letting Service-role users view the current Manager log. The Role Admin page also shows which features are accessible in a given role.
Editing a Security Role
Security roles are assigned to a User via the Admin > User Admin > User Admin page. Also, when using LDAP or Kerberos authentication, they can be auto-assigned via LDAP groups, and when using Windows authentication, via the Windows Domain groups.
Editing Security Roles
To edit a Security Role:
1. Go to Admin > User Admin > Role Admin.
2. Select a role, click the Actions list, and select View/Edit.
3. Optionally, to create a new role, with no role selected, click the Actions list and select Create a new Security Role.
   The View/Edit Role page appears.
4. Select or clear the check boxes next to the permissions you want enabled in this role. You can select another role from the Copy list, which selects that role’s enabled features into the current role.
   You can also edit the following role attributes:
   - The name and description of the role.
   - A list of Managers on which this user can log in, or * for all Managers. If a user with this role attempts to log in to a Manager not listed, the login fails.
   - A corresponding LDAP group for the role. When an LDAP user from that group logs into GridServer, they receive this role.
   - The maximum priority a user with this role can assign to a Service.
5. When you are done editing the role, click Save to save changes, or Cancel to discard them.
The following actions are also available for each role:
• You can make a copy of a role with Copy.
• The Delete action completely removes a role. Note that you cannot delete a role if it is currently assigned to any user.
Security Role Notes
Service Session Admin methods or actions require the user to have Service Username Access to the Service in question. For example, the Service Session Admin page only shows a user’s Services, and that user can only cancel their own Services.
Security Roles also affect the ability to use GridServer Web Services to interact with GridServer. For a list of GridServer Web Service objects and methods enabled by role, see the GridServer Developer’s Guide.
Security Roles do not filter Services that were submitted before the Security Roles associated with an account were changed. For example, suppose a long-running Service is active and you change the Security Role associated with a user’s account from Configure to View. In that scenario, the user still has Configure-role access to that Service.
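As an added illustration of the caveat above (this is not TIBCO code and not part of the GridServer documentation), the following Python example flags active Services that were submitted under a role different from the one their owner holds now. The record layouts, user names, and Service IDs are constructed for the example; no GridServer export or Web Service format is assumed.

```python
from datetime import datetime

# Constructed sample data; field names are assumptions, not a GridServer export format.
ROLE_CHANGES = [  # (user, changed_at, old_role, new_role)
    ("alice", datetime(2024, 5, 2, 9, 0), "Configure", "View"),
    ("bob", datetime(2024, 5, 1, 8, 0), "View", "Configure"),
    ("bob", datetime(2024, 5, 3, 8, 0), "Configure", "View"),
]
ACTIVE_SERVICES = [  # (service_id, owner, submitted_at)
    ("svc-101", "alice", datetime(2024, 5, 1, 23, 30)),
    ("svc-102", "alice", datetime(2024, 5, 2, 10, 15)),
    ("svc-201", "bob", datetime(2024, 5, 2, 12, 0)),
    ("svc-301", "carol", datetime(2024, 5, 2, 12, 0)),
]


def role_at(history, when):
    """Role in effect at `when`, given one user's changes sorted by time."""
    role = history[0][1]  # old_role of the first change = role before any change
    for changed_at, _old_role, new_role in history:
        if changed_at <= when:
            role = new_role
    return role


def stale_role_services(role_changes, active_services):
    """Return (service_id, owner, role_at_submission, current_role) for active
    Services submitted under a role that differs from the owner's current one."""
    by_user = {}
    for user, changed_at, old_role, new_role in role_changes:
        by_user.setdefault(user, []).append((changed_at, old_role, new_role))
    findings = []
    for service_id, owner, submitted_at in active_services:
        history = sorted(by_user.get(owner, []))
        if not history:
            continue  # no role change recorded for this owner
        submitted_role = role_at(history, submitted_at)
        current_role = history[-1][2]
        if submitted_role != current_role:
            findings.append((service_id, owner, submitted_role, current_role))
    return findings


if __name__ == "__main__":
    for finding in stale_role_services(ROLE_CHANGES, ACTIVE_SERVICES):
        print("review: %s owned by %s was submitted as %s, owner is now %s" % finding)
```

Services it reports are the ones where the owner's earlier role still applies, so they are the ones to review after a role change.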
The Root Account Role
When a Manager is first installed, an initial account is created. This account, the root account, has the Root role assigned to it. The root account contains all permissions, similar to the Configure role. It is internal to the Manager, regardless of authentication mode. For example, when LDAP authentication is enabled and the LDAP server is unavailable, the root account is still available.
There are a number of restrictions related to the Root user role:
• The root account cannot be deleted.
• The root account’s role cannot be changed. All other information in the root account (name, email, password, and so on) can be changed.
• You cannot add the Root role to any other account.