Roles
Improvements in Roles feature in COGNITUM 7.8.00
Access to resources, services and operations, views and forms, and Web services in COGNITUM is governed by roles. A role is a group of users associated with a set of rights on resources, services and operations, views and forms, and Web services. Three types of roles are managed in COGNITUM:
- A user role includes only one user.
- A group role matches a static group defined in the directory.
- A dynamic role is defined by a request on the data source.
The access control layer makes it possible to restrict the actions launched on a resource, access to services and operations and to views and forms, and the set of users authorized to launch a Web service.
Administering roles includes two steps:
- Assigning roles to users
- Configuring rights
User Roles
COGNITUM monitors individual access rights to the applications with three security levels:
- anonymous
- default
- specified
NOTE: The anonymous and default roles can be used in applications accessing LDAP directories, DSML files, and relational databases. Specified user roles can be defined only when applications access LDAP directories.
Figure: Application login page
NOTE: When the Automatic Connection option has been selected at the application level, the login prompt box is not displayed. The account given for the automatic connection is used by default by the application on behalf of all users, and access rights are granted accordingly. For more information, see “Login properties”. When a Generic Account has been defined at the application level, users connect automatically under this account. The generic account specifies the access rights and the span of data that users are entitled to access on the directory. For more information, see “Data source access authentications”.
Built-in User Roles
COGNITUM provides two built-in user roles—to access data from LDAP and RDBMS data sources:
- The anonymous user account is provided to allow guests to access the COGNITUM system. Guests can represent a considerable security risk for the system, which is why the access rights of the anonymous user should be kept to a minimum, for example by granting read access only. The anonymous role stands for a guest account. When a user connects to the application on the COGNITUM portal without entering a login or password, the anonymous role is automatically granted to him/her; the user is therefore not authenticated. The user inherits the parameters defined in the configuration tabs of the anonymous item in the COGNITUM Console.
- The default user account is provided to allow members of the data source to access the COGNITUM system with the same standard access rights.
Modifying the access rights of the default user automatically assigns those same access rights to all users to be created as well as previously created ones. The default role is granted to users identified on the data source but not defined as belonging to a COGNITUM role. Therefore, the parameters entered in the configuration tabs of the default item in the COGNITUM Console tabs apply to these users.
NOTE: These accounts are created automatically whenever an application is created. However, access rights on forms are not granted by default to users of these types. The anonymous and default accounts should therefore be configured as soon as possible; otherwise users who log on cannot perform any further action.
Creating a User Role
Adding a new user role consists of specifying the DN of a member in the accessed LDAP directory.
NOTE: Specified user roles can be defined only when applications access LDAP directories.
In the COGNITUM Console, a click on the New User toolbar button displays the New User dialog box.
Figure: New user creation
Application: This is the application for which the user role is defined. When available, a click on the corresponding list box makes it possible to select another application.
Data Source: In this box, the LDAP directory used for authentication must be referenced. When available, a click on the corresponding list box makes it possible to select another data source.
Name: It is the label of the user role. The name should be intuitive enough to be easily recognized by the designers in the COGNITUM Console. Non-alphanumerical characters and blank spaces are prohibited.
DN: It is the DN of the user in the directory. The torch button displays the Search for the DN of a User dialog box.
Figure: Search for the DN of a User box
In the Search for the DN of a User dialog box, the Base and Filter boxes are automatically filled in to build the LDAP request necessary for the specified search. A click on the torch button of the Base box makes it possible to change the Base DN parameter. A click on the torch button of the Filter box makes it possible to change the LDAP request through the LDAP Request Builder wizard, see “Creating an LDAP request”.
The Scope option is selected according to the depth of the LDAP request in the directory tree from the base DN.
A click on the Search button displays the DNs of all users belonging to the group.
A click on the OK button validates the DN and closes the Search for the DN of a User box.
Back in the New User dialog box, a click on OK validates the role creation. The tree is updated with the icon and label of the new user.
TIP: Further descriptive information can be entered with the Edit Description command, accessible with a right-click on the user role in the tree. The role description appears as a pop-up window when the cursor is left on the user tree item.
To add a user role
- In the COGNITUM Console tree, select the Roles or Users item and click the New User toolbar button.
- In the New User dialog box, you can select another application in the Application list box, when available.
- In Data Source, select the LDAP data source used for authentication, if needed.
- In the Name box, enter the label of the user role.
- Populate the DN box with the DN of the user in the directory. Use the torch button to display the Search for the DN of a User dialog box.
- Click OK.
Copying a user role
A user role created and configured for an application can be duplicated into the same application, or into another application. This feature makes it possible to bypass the complete role creation process.
The Copy command is accessible from a selected user role from its context menu or from the Edit menu.
The target Roles or Users item must be selected before choosing the Paste command from the context menu or from the Edit menu. When the role is duplicated within the same application, a message box pops up asking for another name for the duplicate.
NOTE: A user role can be copied with a simple drag-and-drop action as well.
Parameter changes may prove necessary. See “Updating the definition parameters of a user role”.
To copy a user role
- In the COGNITUM Console tree, select the user role to copy.
- Choose the Copy command from the context menu.
- Select the target Roles or Users item.
- Choose the Paste command from the context menu.
- Update the parameters of the user role duplicate as required.
Updating the definition parameters of a user role
The definition parameters of a user role can be modified at any time:
- once a user role has been added to the tree, its parameters can still be modified or reset to match the user's needs;
- to update an existing user role.
NOTE: The definition parameters of the anonymous and default user roles cannot be modified. For more information, see “Built-in user roles”.
When a user role is selected in the COGNITUM Console tree, the Definition tab is displayed by default. It lists the parameters for the definition and the operational scope of the role.
Figure: User definition properties
Name: It is the label of the user role in the COGNITUM Console tree. Another name can be entered. Non-alphanumerical characters and blank spaces are prohibited.
Data Source: In this box, another LDAP directory used for authentication can be selected if more than one directory is defined for this application in the COGNITUM Console.
DN: It is the DN of the user in the directory. It can be changed with the torch button which displays the Search for the DN of a User dialog box described in “Creating a user role”.
Bind Accounts to the Data Sources: This area makes it possible to define proxy (generic) accounts associated with the role. For each data source, a generic account can be selected—one account per data source can be defined:
- Data Source: To create a Data Source cell, the Insert button must be clicked. The selected cell lists the data sources available to authenticate the generic account.
- Login: The cell must be populated with the complete user DN or with the user login only (COGNITUM automatically retrieves the corresponding DN) for the generic account. A click on the Browse DNs button helps select the DN of a user in the Search for the DN of a User dialog box documented in “Creating a user role”.
- Password: The box must be populated with the password associated with the login entered. A click on the Test button checks that the login and password are validated on the data source.
NOTE: The generic account specified in a role is only taken into account when the corresponding data source is configured to use a generic account. For more information, see “Data source access authentications”.
A click on the Apply button validates the parameters.
To update the definition parameters of a user role
- In the COGNITUM Console tree, select the user role you want to modify.
- Select the Definition tab.
- In the Name box, you can change the label of the user role.
- In Data Source, you can select another LDAP directory for authentication if more than one directory is defined for this application in the COGNITUM Console.
- Update the DN box with the DN of the user in the directory.
- In the Bind Accounts to the Data Sources area, you can define connection account(s) to access the directory(-ies).
- Click Apply.
Configuring rights for a user role
Once authenticated, a user has potential access to the COGNITUM resources, services, forms, and Web services they are entitled to. COGNITUM secures further operations on data as specified in the Rights tab.
Rights must be configured for each of the Physical Rights, Services, Forms and Web Services sub tabs.
Figure: User rights definition tabs
Configuring physical rights on resources for a user role
For a resource, rights can be assigned or restricted on actions on the data source. When a user role is selected in the COGNITUM Console tree, the Physical Rights sub tab below the Rights tab displays the data rights assignment table.
NOTE: The physical rights can also be configured at the resource level, as documented in “Setting the rights on an LDAP resource”.
Figure: Physical rights properties on resources for a user role
Resources: This tree lists the application resources. The facing action check boxes can be selected or unselected for each selected resource.
The columns list the types of action that can be performed on resource data: READ, CREATE, UPDATE, and DELETE. Rights are assigned on a resource by selecting the facing action check box(es). For a given action, selecting the check box facing the application name amounts to granting the right on all the resources.
Physical rights are checked by the COGNITUM engine when accessing the data source. For instance, when reading an entry of a resource, the engine checks that the connected user is allowed to read the entries of the resource.
A click on Apply validates the operation(s). The rights configuration can be checked in the end-users' interface by connecting as a member of the role.
To configure physical rights on resources for a user role
- In the COGNITUM Console tree, select a user role.
- Select the Rights tab.
- Select the Physical Rights sub tab.
- Expand the Resources tree and select one or more resources.
- To authorize actions on the resource data, select the facing check boxes.
- Click Apply to validate the rights assignment.
Configuring rights on the services for a user role
The rights of a selected user role on the services can be configured in the Services sub tab of the Rights tab.
The listed services must have been specified beforehand, as described in “Services and operations”. The rights on the services define the operations which the user can launch.
Figure: Rights properties on the services for a user role
ACCESS: A click in the check box facing a service and/or operation allows access to it.
NOTE: For more information about services, see “Services and operations”.
A click on the Apply button validates the parameters.
To configure rights on services for a user role
- In the COGNITUM Console tree, select a user role.
- Choose the Rights tab.
- Choose the Services sub tab.
- In the Name column, select a service or expand it to choose an operation.
- Select the facing ACCESS check box to authorize access.
- Click Apply.
Configuring rights on the application Web Accessible forms for a user role
The rights of a selected user role on the application forms can be configured in the Web Accessible Forms sub tab of the Rights tab.
The listed forms must have been specified beforehand, as described in “Forms”. The rights on the forms define the actions which can be performed for each view.
Figure: Rights properties on the application Web Accessible forms for a user role
Views: This tree lists all the views defined for the application. For each view, the facing Forms list items can be selected.
TIP: A right-click on a Resources tree item gives access to the Select All / Deselect All commands.
NOTE: Tree views allow multi-selection. Several views can be selected by holding down the Ctrl or Shift key.
WARNING: This list of forms is informative only, as business forms can be created at will.
A click on the Apply button validates the parameters.
To configure rights on the application Web Accessible Forms for a user role
- In the COGNITUM Console tree, select a user role.
- Select the Rights tab.
- Select the Web Accessible Forms sub tab.
- Expand the Views tree and select one or more views.
- In the facing Forms list, select the forms associated with the view.
- Click Apply.
Configuring rights on the application FRM Forms for a user role
The rights of a selected user role on the application forms can be configured in the FRM Forms sub tab of the Rights tab.
The listed forms must have been specified beforehand, as described in “FRM Forms”. The rights on the forms define the actions which can be performed for each Resource under a view.
Figure: Rights properties on the application's FRM Forms for a user role
Resources: This tree lists all the Resources under Views defined for the application. For each Resource, the facing Forms list items can be selected.
TIP: A right-click on a Resources tree item gives access to the Select All / Deselect All commands.
NOTE: Tree views allow multi-selection. Several Resources can be selected by holding down the Ctrl or Shift key.
WARNING: This list of forms is informative only, as business forms can be created at will.
A click on the Apply button validates the parameters.
To configure rights on the application's FRM Forms for a user role
- In the COGNITUM Console tree, select a user role.
- Select the Rights tab.
- Select the FRM Forms sub tab.
- Expand the Resources tree and select one or more Resources.
- In the facing Forms list, select the forms associated with the Resource.
- Click Apply.
Configuring rights on Web services for a user role
The rights of the user role on the services can be configured in the Web Services sub tab of the Rights tab.
Figure: Rights properties on Web services for a user role
Functions: This area lists the Web services and functions created for the application. A click on a Web service node expands it to display its functions.
ACCESS: A click in the check box facing a Web service and/or function allows access to it.
NOTE: Functions which use the COGNITUM Administration account are not displayed in the Rights tab.
NOTE: For more information about Web services, see “Services and operations”.
A click on the Apply button validates the parameters.
To configure rights on Web services for a user role
- In the COGNITUM Console tree, select a user role.
- Choose the Rights tab.
- Choose the Web Services sub tab.
- In the Name column, select a Web service or expand it to choose a function.
- Select the facing ACCESS check box to authorize access.
- Click Apply.
Configuring the browsing mode for a user role
By default, COGNITUM gives access to data in HTML or DHTML pages. A user role may be configured in order to restrict browsing modes.
NOTE: Configuring the browsing mode is necessary for migrated applications. DHTML mode is applicable only to applications migrated from COGNITUM versions 4.5, 5.0 and 5.1.
The browsing mode HTML or DHTML is set in the Preferences tab.
Figure: Browsing mode properties for a user role
HTML Mode: This option box must be unchecked when the interface must not be displayed in HTML.
DHTML Mode: This option box must be unchecked when the interface must not be displayed in DHTML.
Default Mode: In this selection box, the allowed browsing mode used when the members of the role connect to the application can be chosen. The other allowed modes remain available in the end-users' application display options.
A click on the Apply button validates the parameters.
To configure the browsing mode for a user role
- In the COGNITUM Console tree, select a user role.
- Choose the Preferences tab.
- Select or clear the HTML Mode and DHTML Mode check boxes to allow or inhibit each browsing mode.
- In Default Mode, select the browsing mode used when the members of the user role connect to the application.
- Click Apply.
Deleting a user role
COGNITUM makes it possible to delete a user role easily and safely. The Delete command is accessible from a selected user role context menu.
NOTE: The anonymous and default user roles are built-in roles; they cannot be deleted. For more information, see “Built-in user roles”.
The Delete User message box pops up. Clicking Yes confirms the deletion. COGNITUM automatically updates the user roles list.
To delete a user role
- In the COGNITUM Console tree or property view, click the user role you want to delete.
- Choose Delete from the context menu.
- Validate the removal in the warning box.
Group Roles
Figure: New Group Role
A group role is based on the definition of a static group of the directory. When accessing a COGNITUM application, a group member must authenticate. His/her credentials are compared with the members of the static group.
NOTE: Static group roles can be configured for applications accessing LDAP directories only. To create group roles on relational databases, see “Dynamic roles”.
Creating a Group Role
Adding a new group role involves defining a group of users matching the corresponding static group in the LDAP directory. The users belonging to the defined group role are those who are part of the static group in the directory.
In the COGNITUM Console, a click on the New Group toolbar button displays the New Group dialog box.
Application: This is the application for which the group role is defined. When available, a click on the list box makes it possible to select another application.
Data Source: In this box, when available, the LDAP directory used for authentication must be referenced. When available, a click on the corresponding list box makes it possible to select another data source.
NOTE: Static group roles can be configured for applications accessing LDAP directories only. To create group roles on relational databases, see “Dynamic roles”.
Name: It is the label of the group role. The name should be intuitive enough to be easily recognized by the designers in the COGNITUM Console. Non-alphanumerical characters and blank spaces are prohibited.
DN: It is the DN of the static group in the directory. The torch button displays the Search for the DN of a Group dialog box.
Figure: Search for the DN of a Group box
The Base and Filter boxes are automatically filled in to build the LDAP request necessary for the specified search. A click on the torch button of the Base box makes it possible to change the Base DN parameter. A click on the torch button of the Filter box makes it possible to change the LDAP request through the LDAP Request Builder wizard— see “Creating an LDAP request”.
The Scope option is selected according to the depth of the LDAP request in the directory tree from the base DN.
A click on the Search button displays the DNs of all users belonging to the group. A click on the OK button validates the DN and closes the Search for the DN of a Group box.
Back in the New Group dialog box, a click on OK validates the role creation. The tree is updated with the icon and label of the new static group.
TIP: Further descriptive information can be entered with the Edit Description command, accessible with a right-click on the group role in the tree. The role description appears as a pop-up window when the cursor is left on the group tree item.
To add a group role
- In the COGNITUM Console tree, select the Roles or Groups item and click the New Group toolbar button.
- In the New Group dialog box, you can change the Application entry with another application through the list box, when available.
- In Data Source, select the LDAP data source used for authentication when the list box is available.
- In the Name box, enter the label of the group role.
- Populate the DN box with the DN of the static group in the directory. Use the torch button to display the Search for the DN of a Group dialog box.
- Click OK.
Copying a group role
A group role created and configured for an application can be duplicated into the same application, or into another application. This feature makes it possible to bypass the complete role creation process.
The Copy command is accessible from a selected group role, from its context-sensitive menu or from the Edit menu.
The target Roles or Groups item must be selected before choosing the Paste command from the context menu or from the Edit menu. When the role is duplicated within the same application, a message box pops up to give another name for the duplicate.
NOTE: A group role can also be copied with a simple drag-and-drop action, or with the Ctrl+C / Ctrl+V shortcuts.
Parameter changes may prove necessary. See “Updating the definition parameters of a group role”.
To copy a group role
- In the COGNITUM Console tree, select the group role to copy.
- Choose the Copy command from the context menu.
- Select the target Roles or Groups item.
- Choose the Paste command from the context menu.
- Update the parameters of the group role duplicate as required.
Updating the definition parameters of a group role
The definition parameters of a group role can be modified at any time:
- once a group role has been added to the tree, its parameters can still be modified or reset to match the users' needs;
- to update an existing group role.
When a group role is selected in the COGNITUM Console tree, the Definition tab is displayed by default. It lists the parameters for the definition and the operational scope of the role.
Figure: Definition properties of a group role
Name: It is the label of the group role in the COGNITUM Console tree. Another name can be entered. Non-alphanumerical characters and blank spaces are prohibited.
Data Source: In this box, another LDAP directory used for authentication can be selected.
DN: It is the DN of the group in the directory. It can be changed with the torch button which displays the Search for the DN of a Group dialog box described in “Creating a group role”.
Attribute: By default, the Attribute box is filled in with the uniqueMember attribute. This attribute of the group entry must contain the user who wants to connect as a member of this group.
Bind Accounts to the Data Sources: This area makes it possible to define proxy (generic) accounts associated with the role. For each data source, a generic account can be selected—one account per data source can be defined:
- Data Source: To create a Data Source cell, the Insert button must be clicked. The selected cell lists the data sources available to authenticate the generic account.
- Login: The cell must be populated with the complete user DN or with the user login only (COGNITUM automatically retrieves the corresponding DN) for the generic account. A click on the Browse DNs button helps select the DN of a user in the Search for the DN of a User dialog box documented in “Creating a group role”.
The Base and Filter boxes are automatically filled in to build the LDAP request necessary for the specified search. A click on the torch button of the Base box makes it possible to change the Base DN parameter. A click on the torch button of the Filter box makes it possible to change the LDAP request through the LDAP Request Builder wizard—see “Creating an LDAP request”. The Scope option is selected according to the depth of the LDAP request in the directory tree from the base DN.
A click on the Search button displays the DNs of all users belonging to the group. A click on the OK button validates the DN and closes the Search for the DN of a User box.
- Password: The box must be populated with the password associated with the login entered. A click on the Test button checks that the login and password are validated on the data source.
NOTE: The generic account specified in a role is only taken into account when the corresponding data source is configured to use a generic account. For more information, see “Data source access authentications”.
A click on the Apply button validates the parameters.
To update the definition parameters of a group role
- In the COGNITUM Console tree, select the group role you want to modify.
- Select the Definition tab.
- In the Name box, you can change the label of the group role.
- In Data Source, you can select another LDAP directory for authentication if available.
- Update the DN box with the DN of the group in the directory.
- Leave the Attribute default value, or change it when group membership must be read from another attribute of the group entry.
- In the Bind Accounts to the Data Sources area, you can define connection account(s) to access the directory(-ies).
- Click Apply.
Configuring rights for a group role
Once authenticated, members of a group role have potential access to the COGNITUM resources, services, forms, and Web services they are entitled to. COGNITUM secures further operations on directory data as specified in the Rights tab.
Rights must be configured for each of the four Physical Rights, Services, Forms and Web Services sub tabs, as documented in “Configuring rights for a user role”.
Figure: Rights properties of a group role
To configure physical rights on resources for a group role
- In the COGNITUM Console tree, select a group role.
- Select the Rights tab.
- Select the Physical Rights sub tab.
- Expand the Resources tree and select one or more resources.
- To authorize actions on the resource data, select the facing check boxes.
- Click Apply to validate the rights assignment.
To configure rights on services for a group role
- In the COGNITUM Console tree, select a group role.
- Choose the Rights tab.
- Choose the Services sub tab.
- In the Name column, select a service or expand it to choose an operation.
- Select the facing ACCESS check box to authorize access.
- Click Apply.
To configure rights on the application forms for a group role
- In the COGNITUM Console tree, select a group role.
- Select the Rights tab.
- Select the Forms sub tab.
- Expand the Resources tree and select one or more resources.
- In the facing Forms areas, select the forms associated with the resource.
- Click Apply.
To configure rights on Web services for a group role
- In the COGNITUM Console tree, select a group role.
- Choose the Rights tab.
- Choose the Web Services sub tab.
- In the Functions column, select a Web service or expand it to choose a function.
- Select the facing ACCESS check box to authorize access.
- Click Apply.
Configuring the browsing mode for a group role
By default, COGNITUM gives access to directory data in HTML pages. A group role may be configured in order to restrict browsing modes.
NOTE: Configuring the browsing mode is necessary for migrated applications.
The browsing mode HTML is set in the Preferences tab documented in “Configuring the browsing mode for a user role”.
Figure: Browsing mode properties for a group role
To configure the browsing mode for a group role
- In the COGNITUM Console tree, select a group role.
- Choose the Preferences tab.
- Select or clear the HTML Mode check box to allow or inhibit the browsing mode.
- In Default Mode, select the browsing mode used when the members of the group role connect to the application.
- Click Apply.
Deleting a group role
COGNITUM makes it possible to delete a group role easily and safely. The Delete command is accessible from a selected group role context menu.
The Delete Group message box pops up. Clicking Yes confirms the deletion. COGNITUM automatically updates the group roles list.
To delete a group role
- In the COGNITUM Console tree or property view, select the group role you want to delete.
- Choose Delete from the context menu.
- Validate the removal in the warning box.
Dynamic Roles
COGNITUM makes it possible to define virtual user groups established by a query on the accessed data source. Depending on the login entered, COGNITUM grants access to the data source content through the applications.
NOTE: Dynamic roles can be configured for applications accessing LDAP directories and relational databases.
Creating a dynamic role
A dynamic role is a set of users matching a specified LDAP or SQL query. When a user connects to an application, COGNITUM checks that the user belongs to the role defined by the query. When the data source responds positively, the user is authenticated as a member of the dynamic role.
NOTE: Variables may be used in queries to create dynamic roles. For more information, see “Using variables in dynamic roles”.
In the COGNITUM Console, a click on the New Dynamic Role toolbar button displays the New Dynamic Role dialog box.
Figure: New dynamic role creation
Application: This is the application for which the dynamic role is defined. Another application can be selected in the list, when available.
Data Source: In this box, when available, another source—LDAP or RDBMS—used for authentication can be selected.
Name: It is the label of the dynamic role in the COGNITUM Console tree. Another name can be entered. Non-alphanumerical characters and blank spaces are prohibited.
Request: This area contains the query representing the dynamic role. It is LDAP-oriented when the selected data source is LDAP-compliant. The area is SQL-oriented for an RDBMS database.
- Base: It is the start node of the request on the LDAP directory. The torch button displays the list of the available DNs in the directory accessed by the selected application.
- Filter: This box must be populated with the script of the request onto the LDAP directory. The request may include a variable (See “Using variables in dynamic roles”). A click on the torch button launches the LDAP Request Builder. For more information, see “Creating an LDAP request”.
- Scope: It is the depth of the LDAP request in the directory tree from the base DN. One of the three options must be selected.
- SQL Query: When the data source is of RDBMS type, the query must be entered with the SQL syntax.
Test: This button makes it possible to check the consistency of the dynamic role parameters. A click on it opens the Identification dialog box.
Figure: Identification box
In the Identification dialog box, the user or alias account to use for executing the dynamic role test request must be specified:
- Use a User Account: Selecting this option enables the User and Password boxes:
- User: This box must be populated with the user name or DN of the account to use. A click on the torch button opens up the DN Chooser dialog box for quickly locating the DN to enter.
- Password: This box must be populated with the password matching the user name or DN entered above.
- Use an Alias Account: Selecting this option enables the corresponding list box. A click on the Alias list box makes it possible to select the alias account to use for the dynamic role test request. The list box displays the aliases having an account defined on the authentication data source.
A click on OK validates the selection and closes the Identification dialog box.
Back in the New Dynamic Role dialog box, a result line beside the Test button displays the test outcome.
A click on the OK button validates the parameters for the new dynamic role. The tree and property views are updated with the icon and label of the new dynamic role.
TIP |
---|
Further descriptive information can be entered with the Edit Description command accessible with a right-click on the dynamic role in the tree. The role description appears as a pop up window when leaving the cursor on the dynamic role tree item. |
Example
A dynamic role can be Secretary standing for a virtual group of users whose title attribute would be Assistant.
The Secretary role is defined with:
- BaseDN: $userDN
- Filter: (title=secretary)
- Scope: Object
A user belongs to the role when the LDAP request yields at least one result. The request must be restricted to the connecting user: without the (cn=$userDN.cn) part, the request would return results whoever the user is.
Another example is an Administrator dynamic role: any user belongs to the role when he/she is a member of one of the groups below ou=groups, o=mycompany, c=US whose name starts with admin. The Administrator role is defined in the Group role property view with:
- BaseDN: ou=groups, o=mycompany, c=US
- Filter: (&(cn=admin*)(uniquemember=$userDN))
- Scope: ONE_LEVEL
Dynamic Role based on RDBMS datasource
The dynamic role is evaluated with an SQL query, as shown below.
Figure: Dynamic Role SQL Query
In the Members tab, you can check the members that belong to this dynamic role. A list of all the members of the dynamic role can be retrieved.
Figure: Members of Dynamic Role
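As an added illustration of the RDBMS case (example code written for this page, not COGNITUM code), the block below evaluates a dynamic role against an in-memory SQLite table. The shape of the role query (one row comes back when the connecting user's login matches) and the employees table are assumptions of the example; the user variable is passed as a bound parameter rather than pasted into the SQL text, and a second query without any user variable produces the Members tab list.

```python
"""Added example, not COGNITUM code: evaluating an RDBMS-backed dynamic role.
The query shape (one row returned when the connecting user's login matches)
and the employees table are assumptions made for this example."""
import sqlite3


def sample_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (login TEXT PRIMARY KEY, title TEXT, dept TEXT);
        INSERT INTO employees VALUES ('alice', 'secretary', 'sales');
        INSERT INTO employees VALUES ('bob',   'engineer',  'it');
        INSERT INTO employees VALUES ('carol', 'secretary', 'it');
    """)
    return conn


# Role query: the user variable is a bound parameter (?), not text pasted into
# the SQL, so the value supplied at login time cannot alter the query.
SECRETARY_ROLE_SQL = "SELECT 1 FROM employees WHERE login = ? AND title = 'secretary'"
# Members-tab query for the same role: no user variable, returns every member.
SECRETARY_MEMBERS_SQL = "SELECT login FROM employees WHERE title = 'secretary' ORDER BY login"


def is_member(conn, role_sql, login):
    """The user belongs to the role when the query returns at least one row."""
    return conn.execute(role_sql, (login,)).fetchone() is not None


def members(conn, members_sql):
    """Members tab: run the role's member query and collect the logins."""
    return [row[0] for row in conn.execute(members_sql)]


if __name__ == "__main__":
    db = sample_db()
    print(is_member(db, SECRETARY_ROLE_SQL, "alice"), members(db, SECRETARY_MEMBERS_SQL))
```

The same two queries are what the Definition tab (role test) and the Members tab (member list) run; keeping the user value out of the SQL text is the property to preserve when writing the real query for the console.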
To add a Dynamic Role
- In the COGNITUM Console tree, select the Roles or Groups item and click the New Dynamic Role toolbar button.
- In the New Dynamic Role dialog box, you can change the Application entry with another application through the list box, when available.
- In Data Source, select the LDAP or RDBMS data source used for authentication, when the list box is available.
- In the Name box, enter the label of the dynamic role.
- Populate the Request area corresponding to the data source type:
- When it is an LDAP directory, fill in the Base with the directory node from which the LDAP request starts. Populate the Filter with the LDAP request. Click the torch buttons to launch the respective wizards. Then select one of the Scope options.
- When it is an RDBMS data source, fill in the SQL Query box.
- Click Test to specify a user or an alias and check the parameters of the dynamic role.
- Click OK.
Copying a dynamic role
A dynamic role created and configured for an application can be duplicated into the same application, or into another application. This feature makes it possible to bypass the complete role creation process.
The Copy command is accessible from a selected dynamic role from its context-sensitive menu or from the Edit menu.
The target Roles or Dynamic Roles item must be selected before choosing the Paste command from the context menu or from the Edit menu. When the role is duplicated within the same application, a message box pops up to give another name for the duplicate.
NOTE |
---|
A dynamic role can be copied with a simple drag-and-drop action as well. |
Parameter changes may prove necessary. See “Updating the definition parameters of a dynamic role”.
To copy a dynamic role
- In the COGNITUM Console tree, select the dynamic role to copy.
- Choose the Copy command from the context menu.
- Select the target Roles or Dynamic Roles item.
- Choose the Paste command from the context menu.
- Update the parameters of the dynamic role duplicate as required.
Updating the definition parameters of a dynamic role
The definition parameters of a dynamic role can be modified at any time:
- Once a dynamic role has been added to the tree, its parameters can still be modified or reset so that the role matches the users’ needs.
- When an existing dynamic role must be updated.
When a dynamic role is selected in the COGNITUM Console tree, the Definition tab is displayed by default. It lists the parameters for the definition and the operational scope of the role.
Figure: Definition properties of a dynamic role
Name: It is the label of the dynamic role in the COGNITUM Console tree. Another name can be entered. Non-alphanumerical characters and blank spaces are prohibited.
Data Source: In this box, another LDAP directory or RDBMS database used for authentication can be selected if more than one data source is defined for the corresponding application in the COGNITUM Console.
Base: The start node of the LDAP request can be changed with the torch button.
Filter: This LDAP request can be modified with the LDAP Request Builder accessible with the torch button. For more information, see “Creating an LDAP request”.
Scope: The depth of the LDAP request in the directory tree from the base DN can be changed.
SQL Query: When the data source is of RDBMS type, the SQL query can be modified.
Test: A click on the button opens up the Identification dialog box where a user or alias account is specified for executing the dynamic role test request, as described in “Creating a dynamic role”.
Bind Accounts to the Data Sources: This area makes it possible to change the proxy (generic) accounts associated with the role:
- Data Source: A clicked cell makes it possible to change the data source to authenticate the generic account.
- Login: The cell is populated with the user DN or login for the generic account. A click on the Browse DNs button helps select the DN of a user.
- Password: The box must be populated with the password associated with the login entered. A click on the Test button checks that the login and password are validated on the data source.
NOTE |
---|
The generic account specified in a role is only taken into account when the corresponding data source is configured to use a generic account. For more information, see “Data source access authentications”. |
A click on the Apply button validates the parameters.
To update the definition parameters of a dynamic role
- In the COGNITUM Console tree, select the dynamic role you want to modify.
- Select the Definition tab.
- In the Name box, you can change the label of the dynamic role.
- In Data Source, you can select another LDAP directory or RDBMS database for authentication if more than one data source is defined for the corresponding application in the COGNITUM Console.
- Change the Request area corresponding to the data source type:
- When it is an LDAP directory, fill in the Base with the directory node from which the LDAP request starts. Populate the Filter with the LDAP request. Click the torch buttons to launch the respective wizards. Then select one of the Scope options.
- When it is an RDBMS data source, fill in the SQL Query box.
- In DN, select a test user. Click the Test button to check the new parameters of the dynamic role.
- In the Bind Accounts to the Data Sources area, you can define connection account(s) to access the directory(-ies) or database(s).
- Click Apply.
Generating the dynamic role members list
COGNITUM makes it possible to draw up the list of all the users belonging to a dynamic role.
The members of the dynamic role can be retrieved by means of an LDAP or SQL request according to the data source the role is mapped to. The users responding to the specified request are returned as a result.
Once the dynamic role is selected in the tree, a click on the Members tab makes it possible to enter the request.
Figure: Dynamic role members list properties
Base: This is the start node of the request on the directory. A click on the torch button displays the available DNs in the directory.
Filter: This box must be populated with the script of the request onto the LDAP directory. The request may include a variable (See “Using variables in dynamic roles”). A click on the torch button launches the LDAP Request Builder. For more information, see “Creating an LDAP request”.
Scope: This is the depth of the LDAP request in the directory tree from the base DN.
SQL Query: When the data source is a relational database, this box must be populated with the SQL query that returns all the members of the dynamic role. A variable can be included in the query (See “Using variables in dynamic roles”).
Test: A click on this button launches the request and displays the result(s) in the Members of this Dynamic Role table.
A click on Apply validates the parameters.
Example
The ChinaUsers dynamic role identifies all the users working in France. This role is mapped to an LDAP directory.
To obtain the list of all the users of the directory working in France hence belonging to the ChinaUsers dynamic role, the LDAP request should be:
Base: "ou=China,ou=locations,o=itc.com"
Filter: "(&(objectclass=person)(objectclass=organizationalPerson)(objectclass=inetOrgPerson))"
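To make both kinds of LDAP query concrete, here is an added Python example (written for this page, not COGNITUM code) that evaluates dynamic-role queries offline against a small constructed in-memory directory. It resolves the $userDN and $userDN.cn variables, parses an RFC 4515 filter, applies the Object, ONE_LEVEL or SUBTREE scope from the base DN, and reports membership when at least one entry comes back (the Secretary and Administrator roles from the example under “Creating a dynamic role”); run without a user variable, the same search produces the Members tab list (the ChinaUsers role above). The directory entries, the SUBTREE scope assumed for ChinaUsers, and the escaping applied to substituted values are assumptions of the example.

```python
"""Added example, not COGNITUM code: offline evaluation of LDAP dynamic roles.
Directory content, the SUBTREE scope for ChinaUsers and the escaping applied
to substituted variables are assumptions made for this example."""
import re

# Constructed sample directory: normalised DN -> {attribute: [values]}.
PERSON = ["person", "organizationalperson", "inetorgperson"]
GROUP = ["groupofuniquenames"]
DIRECTORY = {
    "cn=alice,ou=people,o=mycompany,c=us": {"objectclass": PERSON, "cn": ["alice"], "title": ["secretary"]},
    "cn=bob,ou=people,o=mycompany,c=us": {"objectclass": PERSON, "cn": ["bob"], "title": ["engineer"]},
    "cn=admin-ldap,ou=groups,o=mycompany,c=us": {"objectclass": GROUP, "cn": ["admin-ldap"],
                                                  "uniquemember": ["cn=bob,ou=people,o=mycompany,c=us"]},
    "cn=staff,ou=groups,o=mycompany,c=us": {"objectclass": GROUP, "cn": ["staff"],
                                            "uniquemember": ["cn=alice,ou=people,o=mycompany,c=us"]},
    "cn=chen,ou=china,ou=locations,o=itc.com": {"objectclass": PERSON, "cn": ["chen"]},
    "cn=printer1,ou=china,ou=locations,o=itc.com": {"objectclass": ["device"], "cn": ["printer1"]},
    "cn=dupont,ou=france,ou=locations,o=itc.com": {"objectclass": PERSON, "cn": ["dupont"]},
}

# Role definitions taken from the text (the scope of ChinaUsers is assumed).
SECRETARY = {"base": "$userDN", "filter": "(title=secretary)", "scope": "OBJECT"}
ADMINISTRATOR = {"base": "ou=groups, o=mycompany, c=US",
                 "filter": "(&(cn=admin*)(uniquemember=$userDN))", "scope": "ONE_LEVEL"}
CHINA_USERS = {"base": "ou=China,ou=locations,o=itc.com", "scope": "SUBTREE",
               "filter": "(&(objectclass=person)(objectclass=organizationalPerson)(objectclass=inetOrgPerson))"}

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def ldap_escape(value):
    """Escape RFC 4515 metacharacters so a substituted value stays a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def normalize_dn(dn):
    """Lower-case a DN and drop spaces after the commas separating RDNs
    (escaped commas inside values are not handled in this example)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def rdn_value(dn, attr):
    """Value of the first RDN of type `attr`, e.g. the cn of a user DN."""
    for part in normalize_dn(dn).split(","):
        typ, _, val = part.partition("=")
        if typ == attr.lower():
            return val
    return ""

def substitute(template, user_dn, escape):
    """Resolve $userDN.cn and $userDN; escape when the target is a filter."""
    esc = ldap_escape if escape else (lambda s: s)
    return (template.replace("$userDN.cn", esc(rdn_value(user_dn, "cn")))
                    .replace("$userDN", esc(user_dn)))

def parse_filter(text):
    """Parse an RFC 4515 filter: &, |, !, equality, substring and presence."""
    node, pos = _parse(text.strip(), 0)
    if pos != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node

def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = text[pos + 1]
    if op in "&|":
        pos, children = pos + 2, []
        while text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), pos + 1
    if op == "!":
        child, pos = _parse(text, pos + 2)
        return ("!", child), pos + 1
    end = text.index(")", pos)
    attr, sep, pattern = text[pos + 1:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % text[pos + 1:end])
    return ("=", attr.strip().lower(), pattern), end + 1

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _value_matches(pattern, value):
    """Case-insensitive equality, presence (*) or substring (a*b*c) match."""
    parts = [_unescape(p).lower() for p in pattern.split("*")]
    value = value.lower()
    if len(parts) == 1:
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = value.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(value) - len(parts[-1])

def matches(node, attrs):
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(matches(c, attrs) for c in node[1])
    if node[0] == "!":
        return not matches(node[1], attrs)
    return any(_value_matches(node[2], v) for v in attrs.get(node[1], []))

def in_scope(dn, base, scope):
    """OBJECT: the base entry only; ONE_LEVEL: its children; SUBTREE: base and below."""
    assert scope in ("OBJECT", "ONE_LEVEL", "SUBTREE"), scope
    dn, base = normalize_dn(dn), normalize_dn(base)
    if dn == base:
        return scope != "ONE_LEVEL"
    if scope == "OBJECT" or not dn.endswith("," + base):
        return False
    return scope == "SUBTREE" or "," not in dn[:-len(base) - 1]

def search(directory, base, scope, filter_text):
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(node, attrs))

def is_member(directory, role, user_dn):
    """Dynamic-role check: the user belongs when the resolved query returns an entry."""
    user_dn = normalize_dn(user_dn)
    base = substitute(role["base"], user_dn, escape=False)
    flt = substitute(role["filter"], user_dn, escape=True)
    return len(search(directory, base, role["scope"], flt)) > 0

def members(directory, role):
    """Members tab: the same query run without a user, listing every member."""
    return search(directory, role["base"], role["scope"], role["filter"])
```

The point to keep in view is that a value substituted for $userDN lands inside the filter text, so the example escapes it before substitution; a real deployment should rely on the directory client library's own filter escaping rather than on string replacement.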
To generate the members list of a dynamic role
- In the COGNITUM Console tree, select the dynamic role for which you want to get the list of users belonging to it.
- Click the Members tab.
- When the data source is an LDAP directory:
- Fill in the Base box with the start node of the request.
- Fill in the Filter box with the LDAP request or click the torch button to open the LDAP Request Builder.
- Select one of the Scope options.
- When the data source is a relational database, fill in the SQL Query box with the script of the query on the database.
- Click the Test button to launch the request and check out the role members.
- Click Apply to validate the modifications.
Configuring rights for a dynamic role
Once authenticated, members of a dynamic role have potential access to the COGNITUM resources, services, forms, and Web services they are entitled to. COGNITUM secures further operations on data as specified in the Rights tab.
Rights must be configured for each of the Physical Rights, Services, Forms and Web Services sub tabs, as described in “Configuring rights for a user role”.
Figure: Rights properties for a dynamic role
To configure physical rights on resources for a dynamic role
- In the COGNITUM Console tree, select a dynamic role.
- Select the Rights tab.
- Select the Physical Rights sub tab.
- Expand the Resources tree and select one or more resources.
- To authorize actions on the resource data, select the facing check boxes.
- Click Apply to validate the rights assignment.
To configure rights on services for a dynamic role
- In the COGNITUM Console tree, select a dynamic role.
- Choose the Rights tab.
- Choose the Services sub tab.
- In the Name column, select a service or expand it to choose an operation.
- Select the facing ACCESS check box to authorize access.
- Click Apply.
To configure rights on the application forms for a dynamic role
- In the COGNITUM Console tree, select a dynamic role.
- Select the Rights tab.
- Select the Forms sub tab.
- Expand the Resources tree and select one or more resources.
- In the facing Forms areas, select the forms associated with the resource.
- Click Apply.
To configure rights on Web services for a dynamic role
- In the COGNITUM Console tree, select a dynamic role.
- Choose the Rights tab.
- Choose the Web Services sub tab.
- In the Name column, select a Web service or expand it to choose a function.
- Select the facing ACCESS check box to authorize access.
- Click Apply.
Configuring the browsing mode for a dynamic role
By default, COGNITUM gives access to data in HTML or DHTML pages. A dynamic role may be configured in order to restrict browsing modes.
NOTE |
---|
Configuring the browsing mode is necessary for migrated applications. |
The browsing mode HTML is set in the Preferences tab described in “Configuring the browsing mode for a user role”.
Figure: Browsing mode properties for a dynamic role
Deleting a dynamic role
COGNITUM makes it possible to delete a dynamic role easily and safely. The Delete command is accessible from a selected dynamic role context menu.
The Delete Dynamic Role message box pops up. Clicking Yes confirms the deletion. COGNITUM automatically updates the dynamic roles list.
To delete a dynamic role
- In the COGNITUM Console tree or property view, click the dynamic role you want to delete.
- Choose Delete from the context menu.
- Validate the removal in the warning box.
Authorization Wizard
The Authorization wizard allows users to manage the permissions of all types of roles from a single wizard.
To manage permissions for roles
- Right click the Roles option under an application.
- From the menu displayed, select Manage Permissions. The Roles column lists all roles and users in the application. The Resources, Operations and Forms tabbed pages display all resources, operations and forms in the application respectively.
- To assign permissions to a user, select the user from the list displayed. You can assign permissions only to a single user at a time, so make sure that the other users are not selected.
- Select appropriate resources, services and forms on the respective tabbed pages.
NOTE |
---|
When configuring roles and permissions for multiple users, first select the new user from the list, then deselect the currently selected user and repeat step 3 and step 4 for each user. |
- After you have assigned roles and permissions for all the desired users, select all the roles for which you want to save the changes and click OK.
The selected users are assigned the selected permissions.
Improvements in Roles feature in COGNITUM 7.8.00
COGNITUM 7.8.00 brings an improvement over previous Calendra, CDM and COGNITUM versions in View Features.
Role Based Theme Functionality is explained in the document Application with new Features and Improvements in COGNITUM 7.8.