8. Managing Roles and Access Control
8.1. Security in JBoss ON
8.1.1. Access Control and Permissions
- Global permissions apply to JBoss ON server configuration. This covers administrative tasks, like creating users, editing roles, creating groups, importing resources into the inventory, or changing JBoss ON server properties.
- Resource-level permissions apply to actions that a user can perform on specific resources in the JBoss ON inventory. These cover actions like creating alerts, configuring monitoring, and changing resource configuration. Resource-level permissions are tied to the subsystem areas within JBoss ON.
Figure 35. Read Access Option
Table 10. JBoss ON Access Control Definitions
|Access Control Type||Description|
|Manage Security||Equivalent to a superuser. Security permissions grant the user the rights to create and edit any entries in JBoss ON, including other users, roles, and resources, to change JBoss ON server settings, and to control inventory. The Security access control level is extremely powerful, so be cautious about which users are assigned it. Limit the number of superusers to as few as necessary.|
|Manage Inventory||Allows any operation to be performed on any JBoss ON resource, including importing new resources.|
|Manage Settings||Allows a user to add or modify any settings in the JBoss ON server configuration itself. This includes operations like deploying plug-ins or using LDAP authentication.|
|Manage Bundles||Allows a user to upload and manage bundles (packages) used for provisioning resources.|
|Manage Repositories||Allows a user to access any configured repository, including private repositories and repositories without specified owners. Users with this right can also associate content sources with repositories.|
|View Users||Allows a user to view the account details (excluding role assignments) for other users in JBoss ON.|
|Inventory||Allows a user to edit resource details and connection settings — meaning the information about the resource in the JBoss ON inventory. This does not grant rights to edit the resource configuration.|
|Manage Measurements||Allows the user to configure monitoring settings for the resource.|
|Manage Alerts||Allows the user to create alerts and notifications on a resource. Configuring new alert senders changes the server settings and is therefore a function of the global Settings permissions.|
|Control||Allows a user to run operations (which are also called control actions) on a resource.|
|Configure||Allows users to change the configuration settings on the resource through JBoss ON.
This access area has two options:
The user still must have adequate permissions on the resource to allow the configuration changes to be made.
If one of these permissions is not granted to a role, then the users in the role are denied any access to the resource configuration.|
|Manage Drift||Allows the user to create, modify, and delete resource and template drift definitions. It also allows the user to manage drift information, such as viewing and comparing snapshots.|
|Manage Content||Allows the user to manage content providers and repositories that are available to resources.|
|Create Child Resources||Allows the user to manually create a child resource for the specified resource type.|
|Delete Child Resources||Allows the user to delete or uninventory a child resource for the specified resource type.|
8.1.2. Access and Roles
- A superuser role provides complete access to everything in JBoss ON. This role cannot be modified or deleted. The user created when the JBoss ON server was first installed is automatically a member of this role.
- An all resources role exists that provides full permissions to every resource in JBoss ON (but not to JBoss ON administrative functions like creating users). This is a useful role for IT users, for example, who need to be able to change the configuration or set up alerts for resources managed by JBoss ON but who don't require access to JBoss ON server or agent settings.
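An added example, not part of the JBoss ON documentation or product code: a least-privilege audit over a constructed role export, following the caution on Manage Security in Table 10. The global/resource grouping is inferred from the table descriptions, users are assumed to be able to belong to several roles, and the role names, user names and `max_superusers` threshold are hypothetical.

```python
from collections import defaultdict

# Grouping assumed from the table descriptions (server-wide vs. per-resource).
GLOBAL = {"Manage Security", "Manage Inventory", "Manage Settings",
          "Manage Bundles", "Manage Repositories", "View Users"}
RESOURCE = {"Inventory", "Manage Measurements", "Manage Alerts", "Control",
            "Configure", "Manage Drift", "Manage Content",
            "Create Child Resources", "Delete Child Resources"}

# Constructed sample export; role and user names are hypothetical.
ROLES = [
    {"name": "Super User", "permissions": {"Manage Security"},
     "users": {"admin"}},
    {"name": "All Resources", "permissions": {"Manage Inventory"},
     "users": {"ops1", "ops2"}},
    {"name": "Web Tier Admins", "users": {"ops2", "dev1"},
     "permissions": {"Control", "Configure", "Manage Alerts", "Manage Security"}},
    {"name": "Monitoring", "users": {"dev2"},
     "permissions": {"Manage Measurements", "Manage Alert"}},  # typo on purpose
]

def effective_permissions(roles):
    """Union each user's permissions across every role they belong to."""
    perms = defaultdict(set)
    for role in roles:
        for user in role["users"]:
            perms[user] |= role["permissions"]
    return dict(perms)

def audit(roles, max_superusers=1):
    """Return (finding, role, detail) tuples for a least-privilege review."""
    findings = []
    for role in roles:
        granted = role["permissions"]
        unknown = granted - GLOBAL - RESOURCE
        if unknown:  # a name that matches no row in the table
            findings.append(("unknown-permission", role["name"], sorted(unknown)))
        # Manage Security inside a resource-scoped role makes every member
        # superuser-equivalent, whatever the role's name suggests.
        if "Manage Security" in granted and granted & RESOURCE:
            findings.append(("security-in-resource-role", role["name"],
                             sorted(role["users"])))
    supers = sorted(user for user, perms in effective_permissions(roles).items()
                    if "Manage Security" in perms)
    if len(supers) > max_superusers:
        findings.append(("too-many-superusers", None, supers))
    return findings

if __name__ == "__main__":
    for finding in audit(ROLES):
        print(finding)
```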