Resource Rights
Rights are security features that give groups and users the ability to perform TDV actions by letting them use associated tools and options. By default, no rights are given to any user except the administrator, who has rights to view and change everything in the TDV system.
Overview of Rights-Based Security
Rights-based security architecture creates a division of labor and TDV access management by functional group responsibilities, as described in Group and User Rights. Users by default have no rights, because they access TDV through a client connection rather than connecting directly to the server. For a description of these rights and the default groups to which they are assigned, see Summary of TDV Rights.
The rights available on the TDV system are:
• ACCESS_TOOLS
• MODIFY_ALL_CONFIG
• MODIFY_ALL_RESOURCES
• MODIFY_ALL_STATUS
• MODIFY_ALL_USERS
• READ_ALL_CONFIG
• READ_ALL_RESOURCES
• READ_ALL_STATUS
• READ_ALL_USERS
• UNLOCK_RESOURCE
Group and User Rights
In the TDV system, rights determine which parts of TDV each user can access and use.
Rights are best specified at the group level. Because users automatically inherit all rights assigned to the groups to which they belong, we recommend that you manage enterprise rights at the group level. Role-based management can be more efficient than assigning rights individually.
Assign the Access Tools right (ACCESS_TOOLS) to the user groups that should have access to Studio or other TDV components.
TDV does not introspect new LDAP domains to obtain lists of potential users. When you set up LDAP for TDV, use LDAP tools to choose the specific users and groups who are to have access to TDV.
Installed Users and Groups and Their Rights
The following default users and groups are created in TDV during installation. These users and groups cannot be removed from TDV.
• The "composite/admin" group is pre-created with all rights. The "composite/admin" user is pre-created as a member of this group and cannot be removed from this group.
• The "composite/nobody" and "composite/system" users are pre-created with no rights and cannot be given rights or placed into groups.
• The "composite/all" and "dynamic/all" groups and the "composite/anonymous" user are pre-created with no rights. They can be granted rights, but we strongly recommend against doing so.
User and Group | Description |
nobody user | Nobody is a special user who cannot be assigned rights or made a member of groups. |
system user | System is a special user who cannot be assigned rights or made a member of groups. |
composite/anonymous user | The anonymous user is not a member of the all group, and does not inherit rights or privileges from that group. However, you can add rights and privileges for the anonymous user explicitly. The default TDV configuration setting does not allow anonymous users to sign in (TDV Server > Configuration > Security > Enable Anonymous sign-in: false). |
composite/all group and dynamic/all group | The composite/all and dynamic/all groups are created during TDV installation. They have no rights, and it is strongly recommended that no rights be given to them, because this would give rights to all users without appropriate differentiation. All users that authenticate using a composite or LDAP domain and log into Studio are automatically members of the composite/all group. |
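
The following is an added example, not part of the TDV documentation or product: a small audit that computes a user's effective rights through group inheritance and flags assignments that go against the recommendations above. The snapshot layout and the names "composite/developers" and "composite/alice" are assumptions made for illustration; TDV does not export data in this form.

```python
from itertools import chain

# All rights listed on this page.
TDV_RIGHTS = {
    "ACCESS_TOOLS", "MODIFY_ALL_CONFIG", "MODIFY_ALL_RESOURCES",
    "MODIFY_ALL_STATUS", "MODIFY_ALL_USERS", "READ_ALL_CONFIG",
    "READ_ALL_RESOURCES", "READ_ALL_STATUS", "READ_ALL_USERS",
    "UNLOCK_RESOURCE",
}
# Principals the page recommends leaving without rights.
KEEP_EMPTY = {"composite/all", "dynamic/all", "composite/anonymous"}

def effective_rights(user, snap):
    """Direct rights plus everything inherited from the user's groups."""
    rights = set(snap["user_rights"].get(user, ()))
    for group in snap["memberships"].get(user, ()):
        rights |= set(snap["group_rights"].get(group, ()))
    return rights

def audit(snap):
    """Return sorted (principal, finding) pairs that deviate from the guidance."""
    findings = set()
    grants = chain(snap["group_rights"].items(), snap["user_rights"].items())
    for principal, rights in grants:
        for name in sorted(set(rights) - TDV_RIGHTS):
            findings.add((principal, "unknown right " + name))
        if principal in KEEP_EMPTY and rights:
            findings.add((principal, "should hold no rights"))
    for user, rights in snap["user_rights"].items():
        if rights and user not in KEEP_EMPTY and user != "composite/admin":
            findings.add((user, "rights assigned directly, not via a group"))
    return sorted(findings)

# Constructed snapshot (assumed layout, not a TDV export format).
# "composite/developers" and "composite/alice" are hypothetical names.
SAMPLE = {
    "group_rights": {
        "composite/admin": sorted(TDV_RIGHTS),
        "composite/all": ["READ_ALL_RESOURCES"],
        "composite/developers": ["ACCESS_TOOLS", "READ_ALL_RESOURCES"],
    },
    "user_rights": {"composite/alice": ["UNLOCK_RESOURCE"],
                    "composite/anonymous": []},
    "memberships": {"composite/alice": ["composite/all", "composite/developers"]},
}

if __name__ == "__main__":
    for principal, finding in audit(SAMPLE):
        print(principal + ": " + finding)
    print(sorted(effective_rights("composite/alice", SAMPLE)))
```
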