Set Up Role-Based Access
Set Up Role-Based Access in OneCMDB Desktop
OneCMDB uses Spring and the Acegi Security System to handle all authentication and authorization. A user is authenticated through authentication providers defined as Spring beans. Examples of authentication providers provided out of the box are Memory, LDAP and OneCMDB accounts. Each account, independent of authentication provider, can be assigned to roles. Each account is granted different authorities (roles), and these are defined by a name. If the account is authenticated through LDAP/AD, all groups that the user is a member of can be used as authorities; therefore one needs to define the names of the roles that are applicable to OneCMDB.
This tutorial is split in two sections:
- Section 1 - Describes step by step how to create a test account and roles in OneCMDB. Note that the role names Guest/User are already configured.
- Section 2 - Configure roles for the desktop.
Section 1 – Create accounts / roles
- Login to OneCMDB as admin/123.
- Select Start->Admin->User Accounts.
- Select CMDBAccount in the left panel. All accounts are then listed in the right table. To be able to add/edit, select the drop-down button “Read Only” and select “Edit Allowed”. The right table should now show add/undo/commit buttons.
- Press Add to add an account. Fill in the username and password by clicking on those cells and editing them, just like in Excel. Enter test as the user name and 123 as the password. Note that the password is not visible; it is shown as ****.
- Now select the Role column and press the calendar icon on the right. In the pop-up window press Add and type Guest. Press Add again and type User. It should look like this.
- Then press OK. Edit the “Default Role” to Guest. This role is used as the default when the user logs in; it is only used when the account belongs to many roles.
- Then press Save. Now the account has been created. Now it's time to create the roles.
- Select the CMDBRole in the left panel.
- Press “Add” and edit the Name to Guest. Press “Add” again and edit the Name to User. Then press “Save”. It should look like this.
- Now try to log in as user test with password “123”. You should now see the following start window.
- Note that the current role name is shown before the username. A new menu item, “Roles”, also appears in the right start menu. Here one can switch between the roles that are assigned to the account.
- Now open the “CMDB View” and press the “Read Only” menu button. The Guest has only read privileges.
- Now use Start->Roles to switch to the role User and see that some more widgets are now visible. Open the CMDB View again, and now you are allowed to edit. See Section 2 for how to control this.
Section 2 – Configure the desktop for different roles
The desktop is composed of widgets that are configurable from an XML file. This file defines the look of the start menu and which widgets should be displayed as shortcuts on the desktop. All widgets can also be configured to a greater or lesser degree. For instance, the permissions can be set on each widget. Each role can have its own unique desktop configuration file.
The desktop configuration file is located in the repository, repository/OneCMDB_Desktop/*. The repository directory is found in the installation directory.
The directory structure looks like this:
The defaultView.xml file is the default desktop configuration, used when the user is not part of any role. When a user logs in, the desktop tries to find OneCMDB_Desktop/roles/RoleName/desktopView.xml to use; if it is not found, it uses the default defaultView.xml.
The layout of the file is like this:
- Widget Configuration
Each menu item is shown in the Start menu. Each menu item can consist of either more menu items (submenus) or a widget. The widget is started when that menu item is clicked. To set up a new role name, do as follows; say that we would like it to access all widgets, but read-only.
- Create directory OneCMDB_Desktop/roles/RoleName.
- Copy defaultView.xml to the new directory.
- Rename it to desktopView.xml
- Open the copied desktopView.xml file with a text editor.
- Edit the permission section so it looks like this:
    <permissions>
      <readonly>true</readonly>
      <editable>false</editable>
      <deletable>false</deletable>
      <classify>false</classify>
      <default>readonly</default>
    </permissions>
This indicates that the user has only read-only permissions on all widgets.
- Try to login as the user and check that it's working.
- When this is working one can start removing widgets or re-arranging the start menu as one pleases.
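To check the result of Section 2 without logging in as each user, the following added example (not part of OneCMDB or the original tutorial) resolves which desktop file a role would load using the fallback rule described above and reports every permissions value that differs from the read-only block. It assumes that defaultView.xml sits directly under OneCMDB_Desktop/ and that permissions elements may appear anywhere in the file; the sample repository, its desktop/widget wrapper elements and the role names Auditor and Contractor are constructed for the demonstration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Read-only permission values exactly as given in the tutorial.
READ_ONLY = {"readonly": "true", "editable": "false", "deletable": "false",
             "classify": "false", "default": "readonly"}

def resolve_view(desktop_dir, role):
    """Return the file the desktop loads for `role`, using the documented fallback."""
    role_view = Path(desktop_dir) / "roles" / role / "desktopView.xml"
    # Assumption: defaultView.xml sits directly under OneCMDB_Desktop/.
    return role_view if role_view.is_file() else Path(desktop_dir) / "defaultView.xml"

def audit_readonly(view_file):
    """List every <permissions> value that deviates from the read-only block."""
    blocks = list(ET.parse(str(view_file)).getroot().iter("permissions"))
    findings = [] if blocks else ["no <permissions> element found"]
    for n, block in enumerate(blocks, 1):
        for tag, want in READ_ONLY.items():
            got = (block.findtext(tag) or "missing").strip().lower()
            if got != want:
                findings.append(f"permissions #{n}: <{tag}> is {got!r}, expected {want!r}")
    return findings

def build_sample(desktop_dir):
    """Constructed sample: an editable default view plus a read-only 'Auditor' role."""
    def view(values):  # the <desktop>/<widget> wrapper is an assumption
        inner = "".join(f"<{k}>{v}</{k}>" for k, v in values.items())
        return f"<desktop><widget><permissions>{inner}</permissions></widget></desktop>"
    root = Path(desktop_dir)
    (root / "roles" / "Auditor").mkdir(parents=True)
    (root / "defaultView.xml").write_text(view({**READ_ONLY, "editable": "true"}))
    (root / "roles" / "Auditor" / "desktopView.xml").write_text(view(READ_ONLY))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for role in ("Auditor", "Contractor"):  # Contractor has no role directory
            path = resolve_view(tmp, role)
            print(role, "->", path.relative_to(tmp), audit_readonly(path) or "read-only")
```

A role without its own directory is reported against defaultView.xml, which makes visible that such a role inherits whatever permissions the default desktop grants.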