6. Managing Roles and Access Control
6.1. About Security in JBoss ON: Roles and Access Control
- Global permissions apply to JBoss ON server configuration. This covers administrative tasks, like creating users, editing roles, creating groups, importing resources into the inventory, or changing JBoss ON server properties.
- Resource-level permissions apply to actions that a user can perform on resources in the JBoss ON inventory. These cover actions like creating alerts, configuring monitoring, and changing resource configuration. Resource-level permissions are tied to the subsystem areas within JBoss ON.
Figure 32. Read Access Option
Table 9. JBoss ON Access Control Definitions
|Access Control Type||Description|
|Global - Security||Equivalent to a superuser. Security permissions grant the user the rights to create and edit any entries in JBoss ON, including other users, roles, and resources, to change JBoss ON server settings, and to control inventory. The Security access control level is extremely powerful, so be cautious about which users are assigned it. Limit the number of superusers to as few as necessary.|
|Global - Inventory||Allows any operation to be performed on any JBoss ON resource, including importing new resources.|
|Global - Settings||Allows a user to add or modify any settings in the JBoss ON server configuration itself. This includes operations like deploying plug-ins or using LDAP authentication.|
|Global - Bundles||Allows a user to upload and manage bundles (packages) used for provisioning resources.|
|Global - Repositories||Allows a user to access any configured repository, including private repositories and repositories without specified owners. Users with this right can also associate content sources with repositories.|
|Resource - Modify||Allows a user to change the resource definition entry in JBoss ON. This does not grant rights to edit the resource configuration.|
|Resource - Delete||Allows the user to delete the resource from the inventory.|
|Resource - Create Child||Allows the user to manually assign a child resource to another resource.|
|Resource - Alerts||Allows the user to create alerts and notifications on a resource. Configuring new alert senders changes the server settings and is therefore a function of the global Settings permissions.|
|Resource - Measurements||Allows the user to configure monitoring settings for the resource.|
|Resource - Content||Allows the user to manage content providers and repositories that are available to resources.|
|Resource - Control||Allows a user to run operations (which are also called control actions) on a resource.|
|Resource - Configure||Allows users to change the configuration settings on the resource through JBoss ON. This access area has two options: The user still must have adequate permissions on the resource to allow the configuration changes to be made. If one of these permissions is not granted to a role, then the users in the role are denied any access to the resource configuration.|
- A superuser role provides complete access to everything in JBoss ON. This role cannot be modified or deleted. The user created when the JBoss ON server was first installed is automatically a member of this role.
- An all resources role exists that provides full permissions to every resource in JBoss ON (but not to JBoss ON administrative functions like creating users). This is a useful role for IT users, for example, who need to be able to change the configuration or set up alerts for resources managed by JBoss ON but who don't require access over JBoss ON server or agent settings.
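The following added example is not JBoss ON code or its API. It models the access rules from Table 9 to show how global permissions override the resource-group scoping of a role, and it lists the grants an administrator should review first. The Role data model, the role names, the user names and the group names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Permission names come from Table 9; the data model is an assumption.
RESOURCE_PERMS = {"Modify", "Delete", "Create Child", "Alerts",
                  "Measurements", "Content", "Control", "Configure"}

@dataclass
class Role:
    name: str
    global_perms: set = field(default_factory=set)
    resource_perms: set = field(default_factory=set)
    groups: set = field(default_factory=set)  # assigned resource groups
    users: set = field(default_factory=set)

def can(user, perm, resource_groups, roles):
    """Return True if any role held by `user` allows `perm`.
    `resource_groups` is the set of groups the target resource is in
    (empty for a global permission)."""
    for role in roles:
        if user not in role.users:
            continue
        if "Security" in role.global_perms:
            return True  # superuser equivalent
        if perm in RESOURCE_PERMS:
            if "Inventory" in role.global_perms:
                return True  # any operation on any resource
            if perm in role.resource_perms and role.groups & resource_groups:
                return True
        elif perm in role.global_perms:
            return True
    return False

def broad_grants(roles):
    """List (user, role, permission) for grants that ignore group scoping."""
    return sorted((u, r.name, p) for r in roles for u in r.users
                  for p in r.global_perms & {"Security", "Inventory"})

# Constructed sample roles, not taken from a real JBoss ON server.
ROLES = [
    Role("web-ops", resource_perms={"Alerts", "Measurements", "Control"},
         groups={"web-servers"}, users={"alice"}),
    Role("inventory-admins", global_perms={"Inventory"}, users={"bob"}),
    Role("platform-admins", global_perms={"Security"}, users={"carol"}),
]

if __name__ == "__main__":
    for grant in broad_grants(ROLES):
        print("review:", grant)
```
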
6.2. Creating a New Role
- Create any resource groups which will be associated with the role. Creating groups is described in Section 4.3, “Creating Groups”. By default, JBoss ON uses only resource groups to associate with a role, and these are required. However, optional user groups from an LDAP directory can also be assigned to a role, so that the group members are automatically treated as role members. LDAP groups must be configured in the server settings, as described in Section 7.5, “Associating LDAP User Groups to Roles in JBoss ON”.
- In the top menu, click the Administration tab.
- In the menu table on the left, select the item.
- The list of current roles comes up in the main task window. Click the button at the bottom of the list.
- Give the role a descriptive name. This makes it easier to manage permissions across roles.
The specific access permissions are described in Table 9, “JBoss ON Access Control Definitions”.
- Global permissions grant permissions to areas of the JBoss ON server and configuration.
- Resource permissions grant permissions for managing resources.
- Move the required groups from the Available Resource Groups area on the left to the Assigned Resource Groups on the right as required.
- At the bottom, click the button.
- Select the Users tab to assign users to the role. Move the required user from the Available Users area on the left, to the Assigned Users on the right as required.
- Click the arrow in the upper right to close the create window.
6.3. Editing Roles
- In the menu table on the left, select the item, and click the name of the role to edit.
- Go through the role's tabs and change the configuration as desired.