Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 4 TIBCO BusinessConnect User Management : TIBCO BusinessConnect Group Management

TIBCO BusinessConnect Group Management
Both TIBCO Administrator User Management and TIBCO BusinessConnect User Management have support for group access rights.
TIBCO Administrator User Management uses the term Role instead of group. User access rights can be easier to manage when roles or groups are used. The following sections describe using TIBCO Administrator roles and TIBCO BusinessConnect groups to assign access rights to a user.
TIBCO Administrator Roles
In TIBCO Administrator User Management, you can define roles that have particular access rights, and users can be assigned to one or more roles. The access rights of a user belonging to a role include the access rights specifically assigned to the user, plus the access rights of the role. There is no concept of being able to use a role to take away a user's access rights, so the complete set of access rights for the user consists of those access rights assigned to the individual user plus those access rights allowed for each of the roles a user belongs to.
For example, imagine you have a user named 'user' who has specific access rights for TIBCO BusinessConnect, and has membership in roleA and roleB, as shown in Table 5.
 
TIBCO BusinessConnect Groups
In TIBCO BusinessConnect User Management, you can define groups that have particular access rights, and users can be assigned to one or more groups. TIBCO BusinessConnect groups are the equivalent of TIBCO Administrator roles and behave similarly, but use the access rights that are specific to TIBCO BusinessConnect.
The access rights of a user belonging to a group include the access rights specifically assigned to the user plus the access rights of the group. There is no concept of being able to use a group to take away a user's access rights, so the complete set of access rights for the user consists of those access rights assigned to the individual user plus those access rights allowed for each of the groups a user belongs to.
Group Access Right Examples
For example, suppose that userA is defined in TIBCO Administrator User Management to have the total set of access rights as follows:
Log Viewer - Read, Write
Reporting - Read, Write
Dashboard - Read, Write
Participants - Read, Write
These permissions map to the following default access rights for userA in TIBCO BusinessConnect User Management, which allow userA to have full access to all participants and all business agreements.
Suppose there is also a group defined in TIBCO BusinessConnect User Management to provide read and write access to a particular trading partner, tpA, and its associated Business Agreement as follows:
Participant Permission: All participants access rights cleared; tpA access rights set to Read, Update, Delete, Logs and Reports
Business Agreement Permission: All agreements access rights cleared; Business Agreement for tpA access rights set to Read, Update, Delete
If you wanted to restrict the access rights of userA so that userA would only have access rights for tpA instead of for all participants, you could try to assign userA to group 'tpA'. However, that would not solve the problem: userA would still have access rights to all participants and business agreements because userA's default access rights are logically ORed with the access rights of group 'tpA'.
To configure userA so that it only has access rights to tpA, you would need to clear the access rights for userA under Participant Permission > ALL and under Business Agreements Permission > ALL, and then add Group Membership to group 'tpA' for userA. This results in userA only having access rights to tpA as defined by group 'tpA'.
As one last example of how TIBCO Administrator access rights work with TIBCO BusinessConnect access rights, suppose we have userA with TIBCO Administrator access rights for TIBCO BusinessConnect as follows:
Log Viewer - Read, Write
Reporting - Read, Write
Dashboard - Read, Write
If userA is configured with TIBCO BusinessConnect User Management so that the default access rights for Participants and Business Agreements are cleared and userA is configured to belong to group 'tpA', this would result in userA having Read permissions for participant tpA and the business agreement associated with tpA. userA would not get Update or Delete permissions because userA was only granted Read access for Participants and Business Agreements in its TIBCO Administrator User Management settings.
In other words, the access rights given to a user using TIBCO BusinessConnect User Management are logically ORed with the access rights for any groups the user is assigned to. The total TIBCO BusinessConnect access rights for the user are then logically ANDed with the total Administrator access rights for the user to determine the overall access rights for the user.
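The OR-then-AND rule above can be checked against the three cases in this section with a small model. This is an added example, not TIBCO code or a TIBCO API: the function names, the grant-table layout, the second partner 'tpB', and the way Administrator Read/Write is mapped onto BusinessConnect rights are all assumptions made for illustration.

```python
# Added illustration of the rule above; the data model is an assumption, not a TIBCO API.
RUD = {"Read", "Update", "Delete"}
PARTICIPANT_ALL = RUD | {"Logs", "Reports"}

def granted(table, scope, target):
    """Rights one grant table gives on a target: its ALL entry plus the specific entry."""
    return set(table.get((scope, "ALL"), ())) | set(table.get((scope, target), ()))

def effective(user, groups, admin_ceiling, scope, target):
    """(user rights OR every group's rights) AND Administrator rights."""
    total = granted(user, scope, target)
    for group in groups:
        total |= granted(group, scope, target)      # a group can only add rights
    return total & set(admin_ceiling.get(scope, ()))  # Administrator caps the result

# Group 'tpA' as described on the page.
GROUP_TPA = {("participant", "tpA"): PARTICIPANT_ALL, ("agreement", "tpA"): RUD}
# userA's default BusinessConnect rights (full access) and the cleared variant.
DEFAULT_USER = {("participant", "ALL"): PARTICIPANT_ALL, ("agreement", "ALL"): RUD}
CLEARED_USER = {}
# Assumed mapping of Administrator rights onto BusinessConnect rights.
ADMIN_READ_WRITE = {"participant": PARTICIPANT_ALL, "agreement": RUD}
ADMIN_READ_ONLY = {"participant": {"Read"}, "agreement": {"Read"}}

def scenarios():
    """Return the effective rights for the cases the page walks through."""
    return {
        # Group added, defaults kept: tpB (hypothetical partner) is still reachable.
        "defaults_plus_group_on_tpB": effective(
            DEFAULT_USER, [GROUP_TPA], ADMIN_READ_WRITE, "participant", "tpB"),
        # Defaults cleared, group added: only tpA is reachable.
        "cleared_plus_group_on_tpB": effective(
            CLEARED_USER, [GROUP_TPA], ADMIN_READ_WRITE, "participant", "tpB"),
        "cleared_plus_group_on_tpA": effective(
            CLEARED_USER, [GROUP_TPA], ADMIN_READ_WRITE, "participant", "tpA"),
        # Administrator grants Read only: group rights are capped to Read.
        "read_only_admin_on_tpA": effective(
            CLEARED_USER, [GROUP_TPA], ADMIN_READ_ONLY, "agreement", "tpA"),
    }

if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name}: {sorted(rights)}")
```

When reviewing an account for least privilege, the first case is the one to look for: a user who keeps an ALL grant gains nothing restrictive from being placed in a partner-specific group.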
