UrbanCode Release provides a flexible, role-based security model that maps to your organizational structure. Different product areas, such as components, can be secured by roles. Each area has a set of permissions available to it. To configure security for an area, you create roles using the available permissions—execute, read, write, and so forth.
So, how are permissions applied to users? First, global default permissions can be granted. Default permissions are granted by product area and apply to all users. If default permissions are granted for, say, the agent area, a user will have those permissions even if she is also part of a group or role that does not.
Another way users can be granted permissions is by being a member of a group. Groups can have default permissions that apply to all group members. If a user is assigned to a group with default permissions for the agent area, as above, she will have those permissions even if she is also assigned a role that does not have them.
Finally, users can be assigned to roles. Role members inherit a role's permissions. Except for UI and system security, users are assigned to roles on an item by item basis. For example, a user can be assigned a role that enables them to see only one application or only one component. Both groups and individual users can be assigned to roles.
Roles and permissions, including default permissions, are configured on an area by area basis; granting the execute permission to one role does not grant it to another. The default admin role has all permissions, but you can create another user with all permissions by creating a role for each area with all permissions granted, then assigning the user to each role. Typically, new roles are added to product areas during setup and occasionally thereafter.
While any number of roles can be created for an area, areas themselves cannot be created, modified (the available pool of permissions cannot be changed), or deleted.
Generally, you perform the following steps in order when setting-up security:
-
Create Roles Create roles and define permissions for the various product areas. For most evaluations, the default roles should be adequate.
Use the UI security area to quickly assign access permissions to the different areas of UrbanCode Release.
Use the system security area to assign usage permissions, including the ability to define security for other users.
-
Authorization Realms. Authorization realms are used by authentication realms to associate users with groups and to determine user access. UrbanCode Release includes both an internal database for storing security information as well as integration with the Lightweight Directory Access Protocol (LDAP). LDAP is a widely-used protocol for accessing distributed directory information over IP networks. If you are implementing a production version of UrbanCode Release, the LDAP integration is recommended. If you are evaluating UrbanCode Release, it is not necessary to set up the LDAP integration—full security is configured and enforced by the server.
-
Create Groups and Define Default Permissions. Determine default permissions by product area. Global default permissions can be granted.
-
Create Authentication Realm. The authentication realm is used to determine a user's identity within an authorization realm. If more than on realm has been configured, user authentication is determined following the hierarchy of realms defined on the Authentication pane. When a user attempts to log in, all realms are polled for matching credentials.
-
Add Users. Add users to an authentication realm, then assign them to groups and roles. If your are using LDAP, you can import users and map them to the security system.
