Permissions

TIBCO Enterprise Administrator implements permission checking based on the privileges and the roles defined on an object.

Key terms

User
Users are the entities that need access to the system, and different users may need different levels of access. A user can be assigned multiple roles. TIBCO Enterprise Administrator does not manage users itself: users from an external system are mapped into TIBCO Enterprise Administrator so that they can be granted access.
Group
Groups are logical groupings of the users within an organization. A user can belong to multiple groups and a group can contain multiple users. Groups make access control easier to manage: instead of specifying access permissions for each user, you specify them for the groups to which the users belong. Groups can contain sub-groups.
Realm
A security realm comprises the mechanisms for protecting TIBCO Enterprise Administrator resources. It contains users, groups, and their security credentials, and it provides the information about which groups each user belongs to. TIBCO Enterprise Administrator supports two kinds of realms: File and LDAP. In a File realm, the user and group information is stored in a file. In an LDAP realm, the user and group information lives on an LDAP server and is read from that server.
Permission
A string on the basis of which access control is enforced. It is up to the agent to decide the granularity of the permissions it provides. For example, a permission can be as fine-grained as 'UpdateConfig', which applies to a single operation, or as coarse-grained as 'Full Control', which applies to the entire system.
Caution: When you upgrade an agent, you can only add permissions to it. You cannot delete or change the permission definitions that already exist, so choose permission names and granularity carefully before the first release of an agent.
Privilege
A privilege is a collection of permissions that apply to an object or to a collection of objects.
Role
A role is the mechanism for granting or revoking access. A role is a collection of privileges and is assigned to users and groups; every privilege in the role becomes associated with the user or group to which the role is assigned.

Custom Permission

You can define custom permissions by using the TeaPermission and TeaPermissions annotations.

For example, the Lifecycle and Update permissions of a Tomcat agent are declared together using the TeaPermissions annotation:

@TeaObjectType(name = TomcatAgentUtil.TOMCAT, concept = TeaConcept.TOP_LEVEL,
        description = "Tomcat TIBCO Enterprise Administrator SDK Agent")
@TeaPermissions({
        @TeaPermission(name = TomcatAgent.LIFECYCLE_PERMISSION,
                desc = "Permission to create/start/stop server, webapp"),
        @TeaPermission(name = TomcatAgent.UPDATE_PERMISSION,
                desc = "Permission to update configurations of server, webapp") })
public class TomcatAgent {
    // Permission strings referenced by the annotations above. The page only shows
    // the constant names; the string values used here are assumed.
    public static final String LIFECYCLE_PERMISSION = "Lifecycle";
    public static final String UPDATE_PERMISSION = "Update";

    // code
}

An agent can declare, for each operation it provides, the permissions needed to execute it. If a method does not carry a TeaRequires annotation, that method can be executed by anyone. Treat this as the default to guard against: every operation an agent exposes should carry a TeaRequires annotation unless it is intentionally open to all authenticated callers.

Effective Permissions

The privileges that apply to a user (the user's effective privileges) are obtained as the union of the following:

  • The privileges from all the roles assigned to the user directly.
  • The privileges from the roles assigned to all the groups to which the user belongs, including groups reached through sub-group membership.
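The following is an added example, written for this page and not part of the TIBCO Enterprise Administrator SDK, that models the permission-checking rules described above: a realm with users and nested groups, privileges as collections of permission strings, roles as collections of privileges, and effective permissions resolved from roles assigned directly to the user and through every group the user belongs to. The `requires` decorator stands in for the TeaRequires annotation, and `list_webapps` shows what happens to an operation that lacks it. All names (`Realm`, `Authorizer`, the users, groups, roles and the "Lifecycle"/"Update" permission strings) are assumptions chosen for the illustration, and the realm data is constructed inline.

```python
"""Model of TEA-style permission checking (illustration, not TEA SDK code).
A role is a collection of privileges; a privilege is a collection of
permission strings; roles are assigned to users or groups."""
from functools import wraps
from typing import Dict, FrozenSet, Iterable, Set


class PermissionDenied(Exception):
    """Raised when the caller lacks a required permission."""


class Realm:
    """In-memory stand-in for a File realm: users, groups and sub-group links."""

    def __init__(self) -> None:
        self.user_groups: Dict[str, Set[str]] = {}
        self.group_parents: Dict[str, Set[str]] = {}  # sub-group -> containing groups

    def add_group(self, group: str, parents: Iterable[str] = ()) -> None:
        self.group_parents[group] = set(parents)

    def add_user(self, user: str, groups: Iterable[str] = ()) -> None:
        self.user_groups[user] = set(groups)

    def groups_of(self, user: str) -> Set[str]:
        """Every group the user belongs to, following sub-group links (cycle-safe)."""
        seen: Set[str] = set()
        stack = list(self.user_groups.get(user, ()))
        while stack:
            group = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            stack.extend(self.group_parents.get(group, ()))
        return seen


class Authorizer:
    def __init__(self, realm: Realm) -> None:
        self.realm = realm
        self.privileges: Dict[str, FrozenSet[str]] = {}  # privilege -> permissions
        self.roles: Dict[str, FrozenSet[str]] = {}       # role -> privileges
        self.user_roles: Dict[str, Set[str]] = {}
        self.group_roles: Dict[str, Set[str]] = {}

    def define_privilege(self, name: str, permissions: Iterable[str]) -> None:
        self.privileges[name] = frozenset(permissions)

    def define_role(self, name: str, privileges: Iterable[str]) -> None:
        self.roles[name] = frozenset(privileges)

    def assign_role(self, role: str, *, user=None, group=None) -> None:
        target = self.user_roles if user is not None else self.group_roles
        target.setdefault(user if user is not None else group, set()).add(role)

    def effective_privileges(self, user: str) -> Set[str]:
        """The two steps from the page: roles held directly, then via every group."""
        roles: Set[str] = set(self.user_roles.get(user, ()))
        for group in self.realm.groups_of(user):
            roles |= self.group_roles.get(group, set())
        privileges: Set[str] = set()
        for role in roles:
            privileges |= self.roles.get(role, frozenset())
        return privileges

    def effective_permissions(self, user: str) -> Set[str]:
        permissions: Set[str] = set()
        for privilege in self.effective_privileges(user):
            permissions |= self.privileges.get(privilege, frozenset())
        return permissions

    def check(self, user: str, *required: str) -> bool:
        """True only if the user holds every listed permission; unknown users hold none."""
        return set(required) <= self.effective_permissions(user)

    def requires(self, *required: str):
        """Decorator playing the part of @TeaRequires; the first argument is the caller."""
        def decorate(fn):
            @wraps(fn)
            def wrapper(user: str, *args, **kwargs):
                if not self.check(user, *required):
                    missing = sorted(set(required) - self.effective_permissions(user))
                    raise PermissionDenied(f"{user} lacks {missing} for {fn.__name__}")
                return fn(user, *args, **kwargs)
            return wrapper
        return decorate


# Permission strings mirroring the page's Lifecycle/Update example (values assumed).
LIFECYCLE_PERMISSION = "Lifecycle"
UPDATE_PERMISSION = "Update"


def build_demo_authorizer() -> Authorizer:
    """Constructed sample realm: 'oncall' is a sub-group of 'ops'."""
    realm = Realm()
    realm.add_group("ops")
    realm.add_group("oncall", parents=["ops"])
    realm.add_user("alice", groups=["oncall"])  # inherits 'ops' roles via the sub-group
    realm.add_user("bob")                        # no groups, direct role only
    auth = Authorizer(realm)
    auth.define_privilege("tomcat-lifecycle", [LIFECYCLE_PERMISSION])
    auth.define_privilege("tomcat-update", [UPDATE_PERMISSION])
    auth.define_role("operator", ["tomcat-lifecycle"])
    auth.define_role("configurer", ["tomcat-update"])
    auth.assign_role("operator", group="ops")
    auth.assign_role("configurer", user="bob")
    return auth


AUTH = build_demo_authorizer()


@AUTH.requires(LIFECYCLE_PERMISSION)
def start_server(user: str, name: str) -> str:
    return f"{name} started by {user}"


@AUTH.requires(UPDATE_PERMISSION)
def update_config(user: str, name: str, key: str, value: str) -> str:
    return f"{name}: {key}={value} set by {user}"


def list_webapps(user: str) -> list:
    """No requires(): like an operation without @TeaRequires, any caller succeeds."""
    return ["ROOT", "manager"]
```

Two points the model makes concrete: alice never has a role assigned to her or to her own group, yet she can start servers because `oncall` is a sub-group of `ops`, so auditing who holds a permission means walking group nesting, not just direct role assignments; and `list_webapps` accepts any caller, including a user the realm has never heard of, which is exactly the exposure an operation without a TeaRequires annotation has.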