COSmanager/User Guide/COSmanager Users and Access Controls
From Documentation
| Revision as of 06:28, 18 April 2006 Daniels (Talk | contribs) ← Previous diff |
Revision as of 01:33, 26 April 2006 Daniels (Talk | contribs) Next diff → |
||
| Line 1: | Line 1: | ||
| - | COSmanager has security controls to regulate access by COSmanager users to | + | COSmanager has security controls to regulate access by COSmanager users to menus and functions in COSmanager applications. |
| - | menus and functions in COSmanager applications. | + | |
| - | COSmanager users are UNIX users who have the ability to configure COSmanager | + | COSmanager users are UNIX users who have the ability to configure COSmanage ror run one or more COSmanager applications. |
| - | or run one or more COSmanager applications. | + | |
| - | COSmanager is installed with a set of default roles and capabilities, which you can | + | COSmanager is installed with a set of default roles and capabilities, which you can customize to suit your security policy and organization structure. |
| - | customize to suit your security policy and organization structure. | + | |
| This chapter explains how to: | This chapter explains how to: | ||
| - | • add COSmanager users | + | *add COSmanager users |
| - | • manage COSmanager roles and capabilities | + | *manage COSmanager roles and capabilities |
| - | 92 COSmanager Users and Access Controls | + | |
| - | COSmanager User Access Controls | + | == COSmanager User Access Controls == |
| - | To access COSmanager, a user must first have a UNIX account on the same host as | + | To access COSmanager, a user must first have a UNIX account on the same host as COSmanager and be registered as a COSmanager user. The user must also have access rights to some or all COSmanager menus and options. |
| - | COSmanager and be registered as a COSmanager user. The user must also have | + | |
| - | access rights to some or all COSmanager menus and options. | + | COSmanager access is controlled by assigning to selected users one or more roles. Roles equate to responsibilities shared by some staff. Each role translates to a set of capabilities that determine users’ access to menus and functions in individual COSmanager |
| - | COSmanager access is controlled by assigning to selected users one or more roles. | + | |
| - | Roles equate to responsibilities shared by some staff. Each role translates to a set of | + | |
| - | capabilities that determine users’ access to menus and functions in individual COSmanager | + | |
| applications. | applications. | ||
| - | COSmanager includes a set of global access roles that are automatically available to | + | |
| - | all applications. For example, if a user is assigned the global role Manager, they | + | COSmanager includes a set of global access roles that are automatically available to all applications. For example, if a user is assigned the global role Manager, they implicitly are assigned all the capabilities belonging to the Manager role in each application you have installed. If instead you want that user to have Manager access in COS/Admin and COS/Report only, you would assign those roles explicitly: ADM:Manager and RPT:Manager. |
| - | implicitly are assigned all the capabilities belonging to the Manager role in each | + | |
| - | application you have installed. If instead you want that user to have Manager access | + | |
| - | in COS/Admin and COS/Report only, you would assign those roles explicitly: | + | |
| - | ADM:Manager and RPT:Manager. | + | |
| You can also define new roles that are local to an application. | You can also define new roles that are local to an application. | ||
| - | Here, user john has two roles: Config and Admin. | + | |
| - | Figure 31 — Roles assigned to a COSmanager user | + | COSmanager applications ‘interpret’ each one of a user’s roles, to determine what capabilities are granted to the user in that application. |
| - | COSmanager applications ‘interpret’ each one of a user’s roles, to determine what | + | |
| - | capabilities are granted to the user in that application. | + | Note By convention, role names are capitalized (Admin, BKP:SeniorOp) and capabilities are not capitalized (rptdistn). |
| - | COSmanager Users and Access Controls 93 | + | |
| - | For example, in Figure 32, the Operator role grants the rptdistn capability in | + | Roles can be nested. In duty3g, the Admin role is assigned all the capabilities belonging to the SeniorOp role, plus dutyadmin and runall. In COS/Report, the Admin role is assigned all the capabilities belonging to the SeniorOp role, plus maintain. |
| - | COS/Report. rptdistn allows the user to distribute reports and view distribution | + | |
| - | lists. In duty3g, The Operator role grants a different set of abilities. | + | Therefore, in COS/Report, the Admin role would give john the capabilities maintain, rptgen, and rptdistn (see Table 1). |
| - | Note By convention, role names are capitalized (Admin, BKP:SeniorOp) | + | Roles defined in the COSmanager framework are global; they are available in all COSmanager applications. Roles defined within an application are local to that application. Roles that are mainly used in only one application should be defined in the role table for that application. |
| - | and capabilities are not capitalized (rptdistn). | + | |
| - | Figure 32 — Roles and capabilities | + | Once a local role is defined, you must assign it to one of the global roles before it can be accessible to a user. In Figure 32 the local role Backupduty is assigned to the global role Operator, therefore users who have the Operator role can view and perform |
| - | Roles can be nested. In duty3g, the Admin role is assigned all the capabilities | + | |
| - | belonging to the SeniorOp role, plus dutyadmin and runall. In COS/Report, the | + | |
| - | Admin role is assigned all the capabilities belonging to the SeniorOp role, plus maintain. | + | |
| - | Table 1 — Example of hierarchical roles | + | |
| - | Product Role Capabilities | + | |
| - | COS/Report Admin SeniorOp maintain | + | |
| - | SeniorOp Operator rptgen | + | |
| - | Operator rptdistn | + | |
| - | Admin | + | |
| - | Operator | + | |
| - | SeniorOp | + | |
| - | Config | + | |
| - | Manager | + | |
| - | duty3g | + | |
| - | Roles/Capabilities | + | |
| - | Admin—SeniorOp dutyadmin runall | + | |
| - | Operator—Backupduty | + | |
| - | Manager—Admin dutysuper | + | |
| - | COSmanager Roles | + | |
| - | Backupduty | + | |
| - | … | + | |
| - | COS/Report | + | |
| - | Roles/Capabilities | + | |
| - | Admin—SeniorOp maintain | + | |
| - | Operator—rptdistn | + | |
| - | SeniorOp—Operator rptgen | + | |
| - | … | + | |
| - | 94 COSmanager Users and Access Controls | + | |
| - | Therefore, in COS/Report, the Admin role would give john the capabilities maintain, | + | |
| - | rptgen, and rptdistn (see Table 1). | + | |
| - | Roles defined in the COSmanager framework are global; they are available in all | + | |
| - | COSmanager applications. Roles defined within an application are local to that application. | + | |
| - | In Figure 32, the Backupduty role is local to duty3g and would typically be | + | |
| - | used only in duty3g. Roles that are likely to be used in more than one application | + | |
| - | should be defined in the role table under COSmanager configuration. Roles | + | |
| - | that are mainly used in only one application should be defined in the role table for | + | |
| - | that application. | + | |
| - | Once a local role is defined, you must assign it to one of the global roles before it | + | |
| - | can be accessible to a user. In Figure 32 the local role Backupduty is assigned to the | + | |
| - | global role Operator, therefore users who have the Operator role can view and perform | + | |
| in duty3g any duties assigned to Backupduty. | in duty3g any duties assigned to Backupduty. | ||
| - | The access capabilities defined under COSmanager configuration > | + | |
| - | Users and privileges are used to control access to the COSmanager configuration | + | The access capabilities defined under COSmanager configuration > Users and privileges are used to control access to the COSmanager configuration menus. Application-specific capabilities can be customized under that application’s own configuration menus—for example, capabilities belonging to COS/Sentinel can be maintained under the COS/Sentinel configuration menu. |
| - | menus. Application-specific capabilities can be customized under that application’s | + | |
| - | own configuration menus—for example, capabilities belonging to | + | === How it works === |
| - | COS/Sentinel can be maintained under the COS/Sentinel configuration | + | When a user starts a COSmanager application, shell variables are created for each of their roles and capabilities (see [[COSMOS Startup Procedure]]). Access to many functions is controlled by testing for these variables in scripts and menus. |
| - | menu. | + | |
| - | How it works | + | For example, in COS/Report the Admin role has the capability rptgen but the Operator role does not. When a user with the Admin role enters COS/Report, a shell variable is created named SEC_RPT_rptgen. In the Report menu on the List of Reports window, COSmanager only displays and lets a user select the option Generate after checking that SEC_RPT_rptgen is set in that user’s environment. |
| - | When a user starts a COSmanager application, shell variables are created for each of | + | |
| - | their roles and capabilities (see COSMOS Startup Procedure on page 20). Access to | + | Roles group users with similar access requirements and responsibilities. The advantages of this are: |
| - | many functions is controlled by testing for these variables in scripts and menus. | + | *convenience – it’s easier to assign roles to users to it than it is to individually assign capabilities. |
| - | For example, in COS/Report the Admin role has the capability rptgen but the | + | *control – access rights are granted according to job functions and responsibilities and not to individual users, making it easier to control security when staff move between jobs or are temporarily unavailable. |
| - | Operator role does not. When a user with the Admin role enters COS/Report, a | + | |
| - | shell variable is created named SEC_RPT_rptgen. In the Report menu on the | + | == How To Control Access to COSmanager == |
| - | List of Reports window, COSmanager only displays and lets a user select the option | + | |
| - | COSmanager Users and Access Controls 95 | + | |
| - | Generate after checking that SEC_RPT_rptgen is set in that user’s environment. | + | |
| - | Table 2 — Roles used to control menu access | + | |
| - | Roles group users with similar access requirements and responsibilities. The advantages | + | |
| - | of this are: | + | |
| - | • convenience – it’s easier to assign roles to users to it than it is to individually | + | |
| - | assign capabilities. | + | |
| - | • control – access rights are granted according to job functions and responsibilities | + | |
| - | and not to individual users, making it easier to control security when | + | |
| - | staff move between jobs or are temporarily unavailable. | + | |
| - | Report menu option Checks for variable Seen by roles | + | |
| - | Display Admin, Operator | + | |
| - | Print Admin, Operator | + | |
| - | Print sections Admin, Operator | + | |
| - | Send Admin, Operator | + | |
| - | Generate SEC_RPT_rptgen Admin | + | |
| - | 96 COSmanager Users and Access Controls | + | |
| - | How To Control Access to COSmanager | + | |
| You can grant COSmanager access to a UNIX user in one of the following ways: | You can grant COSmanager access to a UNIX user in one of the following ways: | ||
| - | • by adding the person to the list of COSmanager users, and assigning to | + | *by adding the person to the list of COSmanager users, and assigning to them one or more roles |
| - | them one or more roles | + | *by adding a group from /etc/group to the list of COSmanager users and assigning to it one or more roles. A UNIX user who belongs to that group and who isn’t already a COSmanager user inherits the roles assigned to that group |
| - | • by adding a group from /etc/group to the list of COSmanager users and | + | *by assigning roles to a special COSmanager user called DEFAULT. Any UNIX user who is not defined in the COSmanager user table, either in their own right or through their group, receives the roles of the default COSmanager user. |
| - | assigning to it one or more roles. A UNIX user who belongs to that group | + | |
| - | and who isn’t already a COSmanager user inherits the roles assigned to that | + | Roles are described in [[COSMOS User Access Controls]] |
| - | group | + | |
| - | • by assigning roles to a special COSmanager user called DEFAULT. Any | + | |
| - | UNIX user who is not defined in the COSmanager user table, either in their | + | |
| - | own right or through their group, receives the roles of the default COSmanager | + | |
| - | user. | + | |
| - | Roles are described in COSMOS User Access Controls on page 92 | + | |
| To add a COSmanager user or group | To add a COSmanager user or group | ||
| - | 1. Select COSmanager configuration > Users and privileges | + | *Select COSmanager configuration > Users and privileges > COSmanager users. |
| - | > COSmanager users. | + | *Select Maintain > Add. |
| - | 2. Select Maintain > Add. | + | *Press Choose to list groups and user accounts that are not already COSmanager users. Select a user or group. |
| - | Figure 33 — Add COSmanager users/groups | + | |
| - | 3. Press Choose to list groups and user accounts that are not already COSmanager | + | Note COSmanager only lists whose user ID is between minUID and maxUID—that is, non-system accounts. |
| - | users. Select a user or group. | + | |
| - | COSmanager Users and Access Controls 97 | + | *Press Choose to list roles. Select one or more roles. |
| - | Note COSmanager only lists whose user ID is between minUID and | + | *You have the option of entering a descriptive comment. When all the fields on the form are correct, press Accept. |
| - | maxUID—that is, non-system accounts. | + | |
| - | 4. Press Choose to list roles. Select one or more roles. | + | === Adding a User Access Role === |
| - | 5. You have the option of entering a descriptive comment. When all the fields | + | COSmanager roles should be defined in terms of functions or responsibilities rather than individuals. For example, the Admin function (whether it is done by one person or several) needs access to most or all of the menus; Operators and Auditors need only a few specialist submenus. |
| - | on the form are correct, press Accept. | + | |
| - | Adding a User Access Role | + | You should only add to the COSmanager role table global roles—that is, roles that will be used in more than one COSmanager application. If a role is only useful to a single application it should be added as a local role within that application. |
| - | COSmanager roles should be defined in terms of functions or responsibilities rather | + | |
| - | than individuals. For example, the Admin function (whether it is done by one person | + | ==== To add a role ==== |
| - | or several) needs access to most or all of the menus; Operators and Auditors | + | #Select COSmanager configuration > Users and privileges > Global access roles. |
| - | need only a few specialist submenus. | + | #Select Maintain > Add. |
| - | You should only add to the COSmanager role table global roles—that is, roles that | + | #Enter a name for the role, relating to the responsibility of the users who will be assigned to it—e.g. ShiftSuper, Training, etc. |
| - | will be used in more than one COSmanager application. If a role is only useful to a | + | #Enter a description |
| - | single application it should be added as a local role within that application. | + | #Choose from the list of other global roles and application-specific roles. |
| - | To add a role | + | |
| - | 1. Select COSmanager configuration > Users and privileges | + | |
| - | > Global access roles. | + | |
| - | 2. Select Maintain > Add. | + | |
| - | Figure 34 — Add global access role | + | |
| - | 98 COSmanager Users and Access Controls | + | |
| - | 3. Enter a name for the role, relating to the responsibility of the users who will | + | |
| - | be assigned to it—e.g. ShiftSuper, Training, etc. | + | |
| - | 4. Enter a description | + | |
| - | 5. Choose from the list of other global roles and application-specific roles. | + | |
| Press Accept to save this role and exit. | Press Accept to save this role and exit. | ||
| - | Adding a Capability to the COSmanager Framework | + | |
| - | Roles that you define here in the COSmanager framework are global. This means | + | === Adding a Capability to the COSmanager Framework === |
| - | that they are available to be interpreted by any COSmanager application. | + | Roles that you define here in the COSmanager framework are global. This means that they are available to be interpreted by any COSmanager application. Capabilities in the COSmanager framework are local—they are only used to control access within the COSmanager configuration menus. In effect the framework is treated like an application. |
| - | Capabilities in the COSmanager framework are local—they are only used to control | + | |
| - | access within the COSmanager configuration menus. In effect the framework is | + | In the COSmanager framework, capabilities are used to control which users may run COSmanager applications or use the application administration menus. You can change the capabilities assigned to an existing role, or assign capabilities to a new role you have just defined. |
| - | treated like an application. | + | |
| - | In the COSmanager framework, capabilities are used to control which users may | + | ==== To assign capabilities to a role ==== |
| - | run COSmanager applications or use the application administration menus. You can | + | #Select COSmanager configuration > Users and privileges > COSmanager access capabilities. |
| - | change the capabilities assigned to an existing role, or assign capabilities to a new | + | #Select Maintain > Add. |
| - | role you have just defined. | + | #Press Choose to list roles. Select a role that has not already been assigned capabilities. |
| - | To assign capabilities to a role | + | #Press Choose to list the roles and capabilities defined within the COSmanager framework. Select one or more capabilities. |
| - | 1. Select COSmanager configuration > Users and privileges | + | |
| - | > COSmanager access capabilities. | + | |
| - | 2. Select Maintain > Add. | + | |
| - | COSmanager Users and Access Controls 99 | + | |
| - | Figure 35 — Add COSmanager access capability | + | |
| - | 3. Press Choose to list roles. Select a role that has not already been assigned | + | |
| - | capabilities. | + | |
| - | 4. Press Choose to list the roles and capabilities defined within the COSmanager | + | |
| - | framework. Select one or more capabilities. | + | |
| Press Accept to save this role and exit. | Press Accept to save this role and exit. | ||
Revision as of 01:33, 26 April 2006
COSmanager has security controls to regulate access by COSmanager users to menus and functions in COSmanager applications.
COSmanager users are UNIX users who have the ability to configure COSmanage ror run one or more COSmanager applications.
COSmanager is installed with a set of default roles and capabilities, which you can customize to suit your security policy and organization structure.
This chapter explains how to:
- add COSmanager users
- manage COSmanager roles and capabilities
Contents |
COSmanager User Access Controls
To access COSmanager, a user must first have a UNIX account on the same host as COSmanager and be registered as a COSmanager user. The user must also have access rights to some or all COSmanager menus and options.
COSmanager access is controlled by assigning to selected users one or more roles. Roles equate to responsibilities shared by some staff. Each role translates to a set of capabilities that determine users’ access to menus and functions in individual COSmanager applications.
COSmanager includes a set of global access roles that are automatically available to all applications. For example, if a user is assigned the global role Manager, they implicitly are assigned all the capabilities belonging to the Manager role in each application you have installed. If instead you want that user to have Manager access in COS/Admin and COS/Report only, you would assign those roles explicitly: ADM:Manager and RPT:Manager.
You can also define new roles that are local to an application.
COSmanager applications ‘interpret’ each one of a user’s roles, to determine what capabilities are granted to the user in that application.
Note By convention, role names are capitalized (Admin, BKP:SeniorOp) and capabilities are not capitalized (rptdistn).
Roles can be nested. In duty3g, the Admin role is assigned all the capabilities belonging to the SeniorOp role, plus dutyadmin and runall. In COS/Report, the Admin role is assigned all the capabilities belonging to the SeniorOp role, plus maintain.
Therefore, in COS/Report, the Admin role would give john the capabilities maintain, rptgen, and rptdistn (see Table 1). Roles defined in the COSmanager framework are global; they are available in all COSmanager applications. Roles defined within an application are local to that application. Roles that are mainly used in only one application should be defined in the role table for that application.
Once a local role is defined, you must assign it to one of the global roles before it can be accessible to a user. In Figure 32 the local role Backupduty is assigned to the global role Operator, therefore users who have the Operator role can view and perform in duty3g any duties assigned to Backupduty.
The access capabilities defined under COSmanager configuration > Users and privileges are used to control access to the COSmanager configuration menus. Application-specific capabilities can be customized under that application’s own configuration menus—for example, capabilities belonging to COS/Sentinel can be maintained under the COS/Sentinel configuration menu.
How it works
When a user starts a COSmanager application, shell variables are created for each of their roles and capabilities (see COSMOS Startup Procedure). Access to many functions is controlled by testing for these variables in scripts and menus.
For example, in COS/Report the Admin role has the capability rptgen but the Operator role does not. When a user with the Admin role enters COS/Report, a shell variable is created named SEC_RPT_rptgen. In the Report menu on the List of Reports window, COSmanager only displays and lets a user select the option Generate after checking that SEC_RPT_rptgen is set in that user’s environment.
Roles group users with similar access requirements and responsibilities. The advantages of this are:
- convenience – it’s easier to assign roles to users to it than it is to individually assign capabilities.
- control – access rights are granted according to job functions and responsibilities and not to individual users, making it easier to control security when staff move between jobs or are temporarily unavailable.
How To Control Access to COSmanager
You can grant COSmanager access to a UNIX user in one of the following ways:
- by adding the person to the list of COSmanager users, and assigning to them one or more roles
- by adding a group from /etc/group to the list of COSmanager users and assigning to it one or more roles. A UNIX user who belongs to that group and who isn’t already a COSmanager user inherits the roles assigned to that group
- by assigning roles to a special COSmanager user called DEFAULT. Any UNIX user who is not defined in the COSmanager user table, either in their own right or through their group, receives the roles of the default COSmanager user.
Roles are described in COSMOS User Access Controls To add a COSmanager user or group
- Select COSmanager configuration > Users and privileges > COSmanager users.
- Select Maintain > Add.
- Press Choose to list groups and user accounts that are not already COSmanager users. Select a user or group.
Note COSmanager only lists whose user ID is between minUID and maxUID—that is, non-system accounts.
- Press Choose to list roles. Select one or more roles.
- You have the option of entering a descriptive comment. When all the fields on the form are correct, press Accept.
Adding a User Access Role
COSmanager roles should be defined in terms of functions or responsibilities rather than individuals. For example, the Admin function (whether it is done by one person or several) needs access to most or all of the menus; Operators and Auditors need only a few specialist submenus.
You should only add to the COSmanager role table global roles—that is, roles that will be used in more than one COSmanager application. If a role is only useful to a single application it should be added as a local role within that application.
To add a role
- Select COSmanager configuration > Users and privileges > Global access roles.
- Select Maintain > Add.
- Enter a name for the role, relating to the responsibility of the users who will be assigned to it—e.g. ShiftSuper, Training, etc.
- Enter a description
- Choose from the list of other global roles and application-specific roles.
Press Accept to save this role and exit.
Adding a Capability to the COSmanager Framework
Roles that you define here in the COSmanager framework are global. This means that they are available to be interpreted by any COSmanager application. Capabilities in the COSmanager framework are local—they are only used to control access within the COSmanager configuration menus. In effect the framework is treated like an application.
In the COSmanager framework, capabilities are used to control which users may run COSmanager applications or use the application administration menus. You can change the capabilities assigned to an existing role, or assign capabilities to a new role you have just defined.
To assign capabilities to a role
- Select COSmanager configuration > Users and privileges > COSmanager access capabilities.
- Select Maintain > Add.
- Press Choose to list roles. Select a role that has not already been assigned capabilities.
- Press Choose to list the roles and capabilities defined within the COSmanager framework. Select one or more capabilities.
Press Accept to save this role and exit.