Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 46

changes.mady.by.user Alan Amos

Saved on

compared with

New Version Current

changes.mady.by.user Alan Amos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: 'Main Section Tab' added

Table of Contents

Introduction

Excerpt

The JOC Cockpit comes with an a configuration editor for Managing Authentication and Authorization - the Manage Accounts view. It can be used to manage all aspects of authentication and authorization when Shiro authentication is used and can be used to manage authorization and some aspects of Authentication when LDAP Authentication is used.

Display feature availability
StartingFromRelease1.11.2

Permissions Hierarchy

Permissions are configured hierarchically:

  • User Account
    • Role(s)
      • Permission(s) for Operations
      • Permission(s) for Folders

In addition:

  • Permissions can be restricted to specific JobScheduler Master IDs and
  • Roles can be restricted to specific Folders within a JobScheduler's live folder.

Using the Manage Accounts view

Getting Started

After installing the JOC Cockpit, log in with the default root:root user name and password.

The Manage Accounts section of the JOC Cockpit is then accessed via the Profile Menu as shown in the screenshot below.

The Account Manager Manage Accounts view has three main Viewssections that are accessed via tabs:

  • Accounts: for the configuration of User Accounts. Accounts configured here use shiro name / password Authentication.
    • Note that while Shiro authentication is not as secure as, for example, LDAP, it provides a convenient basis for configuring authorization in a test environment.
    • See the JOC Cockpit - Authentication and Authorization article for more information about Shiro and other methods of authentication that can be used with the JOC Cockpit.
  • Masters: for configuring Roles and the JobScheduler Masters that can be accessed by a Role.
    • Permissions: a sub-view for configuring access to Folders and
    the
    • Role Permissions
    for a Role
    • .
  • Main Section: for configuring LDAP, Clustering and Session parameters

These tabs These views will be described in the following sections.

The Accounts Tab

The Accounts tab is opened first when a user selects the Manage Accounts view and lists all the User Accounts that have been configured along with the Roles they have been assigned.

...

  • The Create Account button is used to open a window to add a new User Account with name, password and Roles
  • The additional options (ellipsis) symbol allows an Account to be edited (change the Account Name and/or Password, select/unselect deselect Roles) and to be copied or deleted.
  • Clicking on the Account Name brings the user to the Masters tab (described below) where the Masters and Role(s) allocated for the User Account can be edited.

The Masters Tab

The main purpose of the Masters tab is to allow JobScheduler Roles and any Masters and which these Roles will be restricted to be configured. 

When the tab is first opened after installation of the JOC Cockpit it will appear as shown in the next screenshot:

...

The above screen shows seven default Roles that are provided with the JOC Cockpit. These Roles are intended to help system administrators get a realistic authorization configuration working as quickly as possible and can be modified as required. Roles shown in this tab under the heading default are valid for all JobScheduler Master instances in the environment. By default Roles

Note that the default heading in the screenshot denotes that the roles listed under this heading are active for all Masters - the default setting.

If the Masters tab is opened by clicking on an Account Name in the Accounts tab (mentioned abovedescribed in the previous section), the Masters Tab will show those Roles that have been assigned to that Account. The Account that is active is shown in the Account button, which can also be used to select and deselect the AccountAccounts.

Positioning the mouse over a role name blends in two links as shown in the screenshot above:

...

A set of Permissions is configured for each Roleof these default Roles. Each Permissions set can be inspected by clicking on the Role name in the Masters view list, which will open the Permissions tab for the Role in question. An example Permissions set is described in the next section. A matrix showing the default Roles and their Permissions along with a description of the Permission is provided in the Authentication and Authorization - Permissions for the JOC Cockpit Web Service article.

The Permissions

...

Sub-View

The main purpose of the Permissions view is to allow Folders and Permissions and Folders to be configured for each Role.

Folder Selection

Folders are added using the Add Folder button shown in the background of the screenshot below, at the top right.

...

Folders themselves are selected from a simple tree view of the folders in the JobScheduler Master's live Folder. The This tree view is opened by clocking clicking on the folder symbol shown in the screenshot.

Permissions Configuration

Two editors are available for the configuration of the Permissions granted for a Role:

  • A graphical editor as shown in the next screenshot:
    • Changes to the Permissions tree are saved to the shiro.ini file in near real-time.
    • The Undo button stores allows the last 10 changes made to be undone stepwise.
      • The states saved in the Undo button will deleted when the Permissions tab is left.
    • The Reset button button stores button changes the Permissions tree back to the initial state when the Permissions Tab is was opened.
      • The
      states saved
      • state stored in the
      Undo and Reset buttons are
      • Reset button will be deleted when the Permissions tab is left.
    • Clicking on the middle of a Permission icon will grant the Permission for the current Role.
      • Granted Permissions have a blue background and are by default recursive.
    • The "+" and "-" symbols at the right of each Permission icon open and close child branches.
    • The "+-" and "-+" symbols at the left of each Permission icon are used to revoke a higher Permission and are by default recursive.
      • Permission icons affected by revoked Permissions are shown with a gray background 
        Status
        subtletrue
        colourGreen
        titleFeature available with Version 1.11.4


  • A list editor as shown in the next screenshot, which shows the default permissions for the administrator Role:


  • Individual Permissions can be modified and removed from the Role using the pencil and X symbols that are blended in when the user's mouse is moved over a Permission:
  • The Edit function allows the the Permission to be made subtractive - i.e. for a permission granted at a higher level to be removed.
  • The Folder part of the view is for restricting the Role to accessing particular Folders - and thereby particular Jobs, Job Chains, etc - within a JobScheduler Master's live folder and will be described laterbelow.
  • Editing Permissions is  described below .

The Main Section Tab

The Main Section Tab is for configuring LDAP, Clustering and Session parameters and is briefly described as part of the LDAP Configuration article.

Initial Configuration

Creating User Accounts for Default Roles

The JOC Cockpit comes with seven default Roles and Permission Sets, which are described in detail in the Authentication and Authorization - Permissions for the JOC Cockpit Web Service article. In addition, a User Account with default name and password root and root is active. This User Account is assigned to the Role all and can be used to activate the other default Roles and Permission sets by configuring User Accounts for each default Role and to create new Roles and Permission Sets.

...

Once a User Account has been created for each of the default Roles, the Accounts view will look like:

Account Use

The root User can now be logged out via the Profile Menu and the other User Accounts used.

...

Note that as the default administrator Role is granted a limited Permissions set, the Main Menu Bar in the JOC Cockpit will only contain a link to the Dashboard view as can be seen in the screenshot below. In contrast, the root User Account (shown in the screenshots above) has links for a further seven views (shown in the screenshots above)seven views.

By default the administrator Role is granted Permissions for the Manage Accounts view and therefore the configuration of the User Accounts will continue using this Account rather than root.

...

In addition, the same article contains a link to a full list of all Permissions that can be granted.

Creating and Configuring User Accounts and Roles

System administrators will likely want to create and configure their own User Accounts and Roles, for example, to conform with an LDAP authentication system or to limit access to resources such as JobScheduler objects and logs.

It is often easier to create a new Roles, assign Permissions or Folders to these Roles and then create new User Accounts and assign Roles to them.

Creating a new Role

  • New Roles are created in the Masters tab using the Create Role button:


  • Once a new Role has been created it will be automatically added to the list of Roles shown in the background of the screenshot above.

Configure Permissions and/or Folders for the Role

  • Now click on the Role name in the Roles List (blue link) to add Permissions and/or Folders in the Permissions tab. The Procedures available for adding and editing Permissions and Folders are described in the Editing User Permissions and Folders sections below.
    • Note that Roles that neither have Permissions or Folders assigned to them are deleted automatically when the Manage Accounts view is left.

Create a new User Account

  • After Permissions / Folders have been configured select the Accounts tab to create a new User Account and allocate one or more Roles to this Account.
  • The Edit Account function is accessed by clicking the relevant Action symbol (ellipsis) in the  Actions column of the User Accounts list (visible in the background of the above screenshot). This can be used to change the Password, the Account name and add or remove Roles. 
    • Note that deselecting a Role in this modal window 'uncouples' the Role from the User Account - it does not delete the Role. 

Anchor
editing-permissions
editing-permissions
Editing User Permissions

Permissions Structure

Permissions are strictly hierarchical:

  • A Role with the Permission sos:products:joc_cockpit:jobscheduler_master:view 'only' allows a User to view JobScheduler Masters, while a User with the 'higher' sos:products:joc_cockpit:jobscheduler_master Permission is able not only to view JobScheduler Masters but able to carry out all other operations - in this case view, execute and administrate.
  • The Authentication and Authorization - Permissions for the JOC Cockpit Web Service article contains a link to a full list of all Permissions that can be granted as well as a matrix describing and listing the Permissions that are granted by default for the default Roles.

Editing Permissions

Consider the default business_user Role, which has the following permission:

...

This permission does not allow the business_user Role to access JobScheduler Master log files or parameters which would . These Permissions could be granted individually with the following Permissions:

  • sos:products:joc_cockpit:jobscheduler_master:view:mainlog
  • sos:products:joc_cockpit:jobscheduler_master:view:parameters

The following Permissions can be set to allow the business_user Role to view JobScheduler Master statuses and log files but not parameters:

  • sos:products:joc_cockpit:jobscheduler_master:view:status
  • sos:products:joc_cockpit:jobscheduler_master:view:mainlog

Alternatively, it may make sense in some situations to grant the Role a higher level Permission and then remove one or more specific Permissions. This approach is shown in the following combination:

...

where the ...jobscheduler_master:view Permission is an overall 'view' Permission Permission covering status, parameters and mainlog, and the -sos:...jobscheduler_master:view:parameters Permission is removed from the business_user Role.

Caution

Users have to have a Role with the following Permission - or higher - before they are able to log into the JOC Cockpit:

  • sos:products:joc_cockpit:jobscheduler_master:view:status

Editing Procedures

Three editing procedures are available for editing Permissions:

  • Adding Permissions:
    • The Add Permission button in the Permissions View allows a Permission to be selected from a list of all available Permissions as shown in the screenshot below.
      • Note that the Permissions listed are all individual Permissions. They can be edited to make them higher level / less specific.
        • For example, the screenshot below shows that the ...jobscheduler_master:execute:restart:terminate permission in the process being selected.
        • Once selected the Permission can be edited before the Submit button is clicked. This allows, for example, the Permission to be modified to ...jobscheduler_master:execute:restart, allowing the Role to carry out all operations covered by this Permission. These are:
          • sos:products:joccockpit:jobscheduler_master:execute:restart:terminate
          • sos:products:joccockpit:jobscheduler_master:execute:restart:abort
        • The following screenshot shows the edited version alongside the original:
        • A selected permission can also be made subtractive - i.e. to remove a specific part of a higher level Permission.
          • This is done by ticking the Excluded checkbox, which is obscured in the above screenshot.
  • Modifying Existing Permissions:
    • The pencil symbol shown alongside existing Permissions in the Permissions view (shown in the screenshot above) can be used to change the function of a Permission in a Role - to make an additive Permission subtractive and vice-versa. It cannot be used to edit a Permission.
    • The X symbol shown alongside existing Permissions in the Permissions view can be used to remove an existing Permission from a Role.
    • Note that a Role must be configured to have either a Permission or a Folder or it will be deleted.
    • Note that by if a user does not have the following permission or higher they will not be able to log into the JOC Cockpit interface:
      • sos:products:joc_cockpit:jobscheduler_master:view:status 
  • Graphical Permissions Editing:
    • The Graphical Permissions Editor is activated by selecting the 'Tree' symbol at the top right of the Permissions section.


    • The editor opens with a partially collapsed permissions tree as shown in the next screenshot:


      • The Expand tree button (shown in the above screenshot) can be used to open all the tree elements.

      • Navigation is carried out by dragging & dropping the tree view.

    • The functions available for the tree elements are (with reference to the screenshot below):

      • Select / Unselect a Permission - click on the body of an unselected / selected element
        • Selected Permission elements are shown in blue (see the view element in the screenshot)
        • Children of selected Permission elements are shown in light blue (as shown in the screenshot)
      • Negate a Permission - click on the plus sign at the left hand end of the element
      • Remove a Permission Negation - click on a - sign at the left hand end of the element
      • Show / hide child elements - click on the + / - symbols at the right hand end of an element

    • In the following screenshot the view element has been selected, automatically selecting the view:status, view:parameter and view:mainlog child permissions.
      In addition, the view:mainlog child permission has been negated, meaning that only the view:status and view:parameter child permissions are active.

 

 

JobScheduler-Specific Permissions

By default User Accounts are granted Permissions for all the JobScheduler Masters and JobScheduler Master Clusters in a scheduling environment - the default Master in the Managing Accounts view. However, Permissions that are only applicable to a particular JobScheduler Master or JobScheduler Master Cluster can be specified for a Role. This is done in the Masters tab of the Manage Accounts view as shown in the next screenshot.

...

The dashboard view for all JobScheduler Masters in the environment will show the status of the current JobScheduler Master Cluster but the status of Agent Clusters will only be shown for the specified Master - in this case jobscheduler_1.11

Anchor
folders
folders
Folders

Folders are used to restrict User access to JobScheduler objects such as Jobs, Orders and Schedules. This means that, for example, Users can be restricted to accessing only objects for particular mandators / clients.

...

This is done by granting a Folder Permission, i.e. Permissions to view the content of a folder. When this is done, the Permissions to view all other folders are automatically revoked.

Granting Folder Permissions

Folder Permissions are granted in the Permissions View. Note that before Folder Permissions can be saved for a Role, the Role has to be specified for a User. In the example below, a demo_user and demo_role have already been configured and the demo folder created ono the file system.

...

Roles with Folder Permissions are often configured for Users in combination with default Roles. For example, if the demo_user described here was allocated the it_operator Role in addition to the demo_role, they would be able to carry out the tasks allowed by the default IT Operator Permissions but only for JobScheduler Objects in the demo folder and, if configured, its child Folders. See the Use Case below for an example configuration.

Use Cases

Mandator-Specific User Accounts

Consider the case where an Application Manager works for a mandator (client), in an environment where a JobScheduler Master is used for two mandators, A & B.

  • Each mandator's JobScheduler objects (Jobs, Orders, Schedules, etc.) are stored in a sub-folder of the JobScheduler Master's live folder.
  • Mandator A's Application Manager has the standard permissions allocated for this Role but can only see their mandator's Jobs, Orders, Schedules and log files.

File Structure

The JobScheduler Master live folder will have the following structure:

  • live
    • mandator_a
    • mandator_b
    • sos (housekeeping jobs, etc)

User Accounts, Roles and Permissions

A User Account for mandator A's Application Manager (mandator_a_am_user) will be configured, in addition to the default User Accounts provided with the JOC Cockpit (root, administrator, application_manager, incident_manager, etc.). The mandator A Application Manager account will be allocated two roles - the default application_manager Role and a specially created mandator_a_role. The mandator_a_role will then be restricted to accessing only the mandator_a folder.

Configuration Steps

See the sections above for more detailed instructions about configuring Account Roles, etc..

...

Note also that a download archive containing the relevant files to implement both use cases described in this article is available in the last section of this article.

Modifying User Account Permissions for a Specific Mandator

Consider the case where a Business User account is to be configured for a mandator B where the account user can start and monitor their own Jobs and Orders.

  • The user should only see their own JobScheduler objects.
    • This is configured by setting Folder Permissions for a mandator-specific Role as described in the previous use case.
  • The user should be able to see general status information (Master and Agent Cluster status) but not take any action:
    • This is part of the default business_user Permission set and is configured by allocating the default business_user Role to the User Account - again, as described in the previous use case.
  • The user should be able to start and stop their own Jobs and Orders and set Run-times.

    • These operations require additional Permissions that are not provided as part of the default business_user Permission set, which is shown in the following listing:

      Code Block
      languagetext
      titleThe Default business_user Permissions Set
      sos:products:joc_cockpit:jobscheduler_master:view:status
sos:products:joc_cockpit:jobscheduler_master_cluster:view:status
sos:products:joc_cockpit:jobscheduler_universal_agent:view:status
sos:products:joc_cockpit:daily_plan:view:status
sos:products:joc_cockpit:history:view
sos:products:joc_cockpit:order:view:status
sos:products:joc_cockpit:order:view:order_log
sos:products:joc_cockpit:job_chain:view:status
sos:products:joc_cockpit:job_chain:view:history
sos:products:joc_cockpit:job:view:status
sos:products:joc_cockpit:job:view:history
sos:products:joc_cockpit:job:view:task_log
sos:products:joc_cockpit:process_class:view:status
sos:products:joc_cockpit:schedule:view:status
sos:products:joc_cockpit:lock:view:status
sos:products:joc_cockpit:holiday_calendar:view:status
sos:products:joc_cockpit:maintenance_window:view:status
sos:products:joc_cockpit:audit_log:view:status
sos:products:joc_cockpit:customization:share:view

Configuration Steps

The following configuration steps are carried out in the same manner as described in the previous example:

...

Anchor
example-files
example-files

Example Files

Download the Example

Configuration foles to create working examples of the above use cases can be downloaded from this link:

Install the Example

When the archive is unpacked three elements will shown:

...

Restart the Jetty server to implement the changes in the shiro.ini configuration.

Example Description

Each of the mandator folders contains a hello_world sub-folder with job chains and orders that are scheduled to run once an hour.

...