Chapter 9. Managing Roles and Access Control
9.1. Security in JBoss ON
9.1.1. Access Control and Permissions
- Global permissions apply to JBoss ON server configuration. This covers administrative tasks, like creating users, editing roles, creating groups, importing resources into the inventory, or changing JBoss ON server properties.
- Resource-level permissions apply to actions that a user can perform on specific resources in the JBoss ON inventory. These cover actions like creating alerts, configuring monitoring, and changing resource configuration. Resource-level permissions are tied to the subsystem areas within JBoss ON.
Figure 9.1. Read Access Option
Table 9.1. JBoss ON Access Control Definitions
| Access Control Type | Description |
|---|---|
| Manage Security | Equivalent to a superuser. Security permissions grant the user the rights to create and edit any entries in JBoss ON, including other users, roles, and resources, to change JBoss ON server settings, and to control inventory. The Security access control level is extremely powerful, so be cautious about which users are assigned it. Limit the number of superusers to as few as necessary. |
| Manage Inventory | Allows any operation to be performed on any JBoss ON resource, including importing new resources. |
| Manage Settings | Allows a user to add or modify any settings in the JBoss ON server configuration itself. This includes operations like deploying plug-ins or using LDAP authentication. |
| Manage Bundle Groups | Allows a user to add and remove members of a bundle group; implicitly, it includes the permission to view bundles. This is analogous to the Manage Inventory permission for resources. This permission is required for all bundle-level create, deploy, and delete permissions. |
| Deploy Bundles to Groups | Allows a user to deploy a bundle to any resource group to which the user has access. |
| View Bundles | Allows a user to view all bundles, regardless of the bundle group assignment. |
| Create Bundles | Allows a user to create and update bundle versions. When a bundle is created, it must be assigned to a bundle group, unless the user has the View Bundles permission; in that case, a user can create a bundle and leave it unassigned. |
| Delete Bundles | Allows a user to delete any bundle which the user has permission to view. |
| Manage Bundles (Deprecated) | Allows a user to upload and manage bundles (packages) used for provisioning resources. This permission has been deprecated. It is included for backward compatibility with older bundle configuration and user roles. However, this permission offered no ability to limit access to certain bundles, groups, or resources (for deployment); without this fine-grained control, it could only be assigned to high-level administrators without weakening security. |
| Manage Repositories | Allows a user to access any configured repository, including private repositories and repositories without specified owners. Users with this right can also associate content sources with repositories. |
| View Users | Allows a user to view the account details (excluding role assignments) for other users in JBoss ON. |
| Inventory | Allows a user to edit resource details and connection settings, meaning the information about the resource in the JBoss ON inventory. This does not grant rights to edit the resource configuration. |
| Manage Measurements | Allows the user to configure monitoring settings for the resource. |
| Manage Alerts | Allows the user to create alerts and notifications on a resource. Configuring new alert senders changes the server settings and is therefore a function of the global Manage Settings permission. |
| Control | Allows a user to run operations (which are also called control actions) on a resource. |
| Configure | Allows users to change the configuration settings on the resource through JBoss ON. The user still must have adequate permissions on the resource to allow the configuration changes to be made. This access area has two options, Read and Write. If one of these permissions is not granted to a role, then the users in the role are denied any access to the resource configuration. |
| Manage Drift | Allows the user to create, modify, and delete resource and template drift definitions. It also allows the user to manage drift information, such as viewing and comparing snapshots. |
| Manage Content | Allows the user to manage content providers and repositories that are available to resources. |
| Create Child Resources | Allows the user to manually create a child resource for the specified resource type. |
| Delete Child Resources | Allows the user to delete or uninventory a child resource for the specified resource type. |
| Assign Bundles to Group | Allows a user to add bundles to a group. For explicit bundle groups, this is the only permission required. To add bundles to the unassigned group (which essentially removes them from all group membership), this also requires the global View Bundles permission. |
| Unassign Bundles from Group | Allows a user to remove bundles from a group. |
| View Bundles in Group | Allows a user to view any bundle within a group to which the user has permissions. |
| Create Bundles in Group | Allows a user to create a new bundle within a bundle group to which the user has permission. This also allows a user to update the version of an existing bundle within the bundle group. |
| Delete Bundles from Group | Allows a user to delete both bundle versions and entire bundles from the server, so long as they belong to a group to which the user has permissions. |
| Deploy Bundles to Group | Allows a user to deploy any bundle which the user can view (regardless of create and delete permissions) to any resource within a resource group to which the user has permissions. |
9.1.2. Access and Roles
- A superuser role provides complete access to everything in JBoss ON. This role cannot be modified or deleted. The user created when the JBoss ON server was first installed is automatically a member of this role.
- An all resources role exists that provides full permissions to every resource in JBoss ON (but not to JBoss ON administrative functions like creating users). This is a useful role for IT users, for example, who need to be able to change the configuration or set up alerts for resources managed by JBoss ON but who don't require access to JBoss ON server or agent settings.
9.1.3. Access and Groups
Two Roles to Define Access for a Single User to Resources and Bundles

    Bundle Group A                 Resource Group A
          |                              |
          V                              V
       Role 1  <-----  User A  ----->  Role 2
          ^                              ^
          |                              |
     Permissions                    Permissions
     - view bundles in group        - deploy bundles to group
     - create bundles
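As an added example (not from the JBoss ON documentation or code base), the following Python model encodes the rules Table 9.1 states and the two-role layout shown above in section 9.1.3: Manage Security and Manage Inventory override resource-level checks, a resource-level permission applies only through a role tied to a group containing the resource, and deploying a bundle needs both the right to view the bundle and Deploy Bundles to Group on a resource group containing the target. All identifiers (Role, can_deploy, the group, bundle and resource names) are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Permission names as listed in Table 9.1. The resolver is an illustrative model
# of the rules the table states, not JBoss ON's own authorization code.
MANAGE_SECURITY = "Manage Security"
MANAGE_INVENTORY = "Manage Inventory"
VIEW_BUNDLES = "View Bundles"
VIEW_IN_GROUP = "View Bundles in Group"
DEPLOY_TO_GROUP = "Deploy Bundles to Group"

@dataclass
class Role:
    name: str
    permissions: set
    resource_groups: set = field(default_factory=set)  # resource group names
    bundle_groups: set = field(default_factory=set)    # bundle group names

def has_global(roles, perm):
    """Global permission: held directly, or implied by Manage Security (superuser)."""
    return any(perm in r.permissions or MANAGE_SECURITY in r.permissions for r in roles)

def in_group(member, group_names, groups):
    return any(member in groups[g] for g in group_names)

def can_on_resource(roles, perm, resource, groups):
    """Manage Inventory covers any operation on any resource; otherwise a role
    must carry perm and be tied to a resource group containing the resource."""
    return has_global(roles, MANAGE_INVENTORY) or any(
        perm in r.permissions and in_group(resource, r.resource_groups, groups)
        for r in roles)

def can_view_bundle(roles, bundle, groups):
    """Global View Bundles sees every bundle; otherwise view comes via a bundle group."""
    return has_global(roles, VIEW_BUNDLES) or any(
        VIEW_IN_GROUP in r.permissions and in_group(bundle, r.bundle_groups, groups)
        for r in roles)

def can_deploy(roles, bundle, resource, groups):
    """Deployment needs both sides of the 9.1.3 picture: view rights on the bundle
    and Deploy Bundles to Group on a resource group containing the target."""
    return can_view_bundle(roles, bundle, groups) and can_on_resource(
        roles, DEPLOY_TO_GROUP, resource, groups)

# Constructed sample reproducing the two-role layout from section 9.1.3.
GROUPS = {"Bundle Group A": {"bundle-1"}, "Resource Group A": {"res-1"}}
ROLE_1 = Role("Role 1", {VIEW_IN_GROUP, "Create Bundles in Group"}, bundle_groups={"Bundle Group A"})
ROLE_2 = Role("Role 2", {DEPLOY_TO_GROUP}, resource_groups={"Resource Group A"})
USER_A = [ROLE_1, ROLE_2]
```

With only Role 1 the user can see the bundle but has no resource group to deploy into; with only Role 2 the user holds the deploy right but cannot view the bundle, so both roles are needed.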