Access Control View

The Access Control view is an administrative area used to view and configure security settings for remote Server access, including LDAP integration.

These security settings are managed through the use of roles and permissions that control the extent to which a remote Server can be accessed by a user. Based on this control, different functionality is either enabled or disabled on other views of the Admin Console perspective. Examples of access control include (but are not limited to):
  • Project installation (using the Projects view)
  • Business Process launch (using the Business Process view)
  • Server suspend and resume (using the Server Environment toolbar)
  • Log data access and reprocessing (using the Auditor view)
  • User settings, permissions management, password reset (using the Access Control view)
  • Resource management: Start/Stop File Monitors, Web Services (using the Resource Monitors view)
  • Licensing (using the Main menu)

Three separate tabs, Users, Roles, and LDAP, are located at the bottom of the Access Control view.

Users tab

A user represents anyone who can possibly interact with a remote Server in some manner. For example, an advanced user may have full access; they could install deployed Projects, or suspend a server. A basic user, however, may have very limited or read-only access to specific functionality, such as the ability to view logs from the Auditor.

Access Control allows you to create and define different users with different functional role-based permissions. The combination of user and role forms a user profile. Three pre-configured user profiles are also provided. These user profiles may be enough to provide the server security you require; however, additional users with different roles and permissions can be created and configured. These user profiles can also be edited and deleted, with the exception of ebiadmin.

This tab provides these two areas: Users and User Details.

Users: Users are displayed and can be selected from this area. Only users with a specific Access Control permission (Add/Modify/Delete Users, Roles, and LDAP Profiles) can view, add and remove users.

User Details (including Roles): This area displays information for a selected user including User ID and Name, as well as any assigned roles. Users can be assigned roles, which have different permissions. Only users with a specific Access Control permission (Add/Modify/Delete Users, Roles, and LDAP Profiles) can add or remove roles.

The Roles section of User Details displays the role(s) assigned to the selected user. Roles define which permissions are granted to specific users. Together, role assignments and user accounts provide authentication and authorization for Access Control in Clarify.

Change/Reset Password

Use the Change/Reset Password button to manage passwords. All users can change their own passwords, but only users with a specific Access Control permission (Add/Modify/Delete Users, Roles, and LDAP Profiles) can reset other user passwords.

For more information on how to use this tab to manage users for Access Control, please see these related topics:

Roles tab

Roles describe the relationship between a user and its assigned permissions. For example, the role of SuperUser, shown here, contains many permissions, displayed in the center column. Furthermore, this role has been assigned to the User ID: ebisuper, thereby giving that user all of the role's permissions.

This tab provides these two areas: Roles and Role Details.

Roles: Roles are displayed and can be selected from this area; the selected role is then reflected in the Role Details area. For example, to see the permissions and users assigned to a particular role, you must select the role in this area. Only users with a specific Access Control permission (Add/Modify/Delete Users, Roles, and LDAP Profiles) can add and remove roles. In fact, as a user without this permission, only the roles assigned to you are displayed.

Role Details: From this area, a user with Access Control permission (Add/Modify/Delete Users, Roles, and LDAP Profiles) can view, add and remove a role's permissions, and assign a role to a user.

LDAP tab

Access Control also provides LDAP integration support for two common authentication service providers: Active Directory and Apache DS. LDAP groups are mapped to Clarify roles, thereby integrating the two systems and providing additional authentication and authorization to Clarify. With successful LDAP integration in place, users can sign into Clarify using their network credentials, which will be directly mapped to their respective role/permission levels in Clarify. This is how single sign-on can be implemented with Access Control.

The tab provides two sections: LDAP Profiles and LDAP Profile Details.

LDAP Profiles

This section displays all LDAP profiles currently configured in Clarify. From here, new profiles can be added.

Note: While more than one profile may be displayed, only one LDAP profile can be enabled at a time; by enabling one profile, Clarify automatically disables all others. Disabling an active LDAP profile can impact all related users currently signed into Clarify. Users will be automatically logged out, and will be required to log back in. Logout also occurs when the configuration of an enabled profile is changed. Administrators must consider and plan for this potential impact to users any time an existing LDAP profile is edited, enabled, or disabled.

LDAP Profile Details

This section contains these areas: Status, Configuration, and LDAP Group/Role Mappings.

Area | Description
Status | Use this area to enable or disable (turn on, turn off) the selected LDAP profile.
Configuration | Use this area to configure the LDAP integration; this is done by providing and saving LDAP Server connection information, along with validation of the server connection.
LDAP Group/Role Mappings | Map groups from the LDAP server to the roles in Clarify. This relationship allows for true integration between Clarify and your LDAP system.

For more information, please see LDAP Integration.
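
The rules described in the Users and LDAP tab sections (own-password change versus resetting another user's password, LDAP group-to-role mapping, and the single enabled LDAP profile) can be modeled to review which LDAP groups end up holding the user-management permission. The following Python model is an added example, not Clarify's own code; the class names, LDAP group DNs, and every permission name other than the one quoted on this page are assumptions.

```python
# Added illustration: a toy model, not Clarify's API. All names are assumptions
# except MANAGE_ACCESS, which is the permission named on this page.
MANAGE_ACCESS = "Add/Modify/Delete Users, Roles, and LDAP Profiles"
# Constructed sample data; the other permission names are hypothetical.
ROLE_PERMISSIONS = {
    "SuperUser": {MANAGE_ACCESS, "Install Projects"},
    "Viewer": {"View Auditor Logs"},
}
ADMINS = "cn=clarify-admins,ou=groups,dc=example,dc=test"  # constructed DN
STAFF = "cn=staff,ou=groups,dc=example,dc=test"            # constructed DN

class LdapProfile:
    def __init__(self, name, group_role_map):
        self.name, self.enabled = name, False
        self.group_role_map = group_role_map  # LDAP group -> Clarify role

class AccessControl:
    def __init__(self, profiles):
        self.profiles = {p.name: p for p in profiles}
        self.ldap_sessions = set()  # user IDs signed in via the active profile

    def active(self):
        return next((p for p in self.profiles.values() if p.enabled), None)

    def enable(self, name):
        """Enable one profile and disable all others; users signed in through
        a profile that was just disabled are logged out (returned as a set)."""
        previous = self.active()
        for p in self.profiles.values():
            p.enabled = (p.name == name)
        if previous is None or previous.name == name:
            return set()
        logged_out, self.ldap_sessions = self.ldap_sessions, set()
        return logged_out

    def permissions_for(self, ldap_groups):
        mapping = self.active().group_role_map if self.active() else {}
        roles = {mapping[g] for g in ldap_groups if g in mapping}
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

    def can_set_password(self, actor, actor_groups, target):
        # Own password: always. Another user's password: needs MANAGE_ACCESS.
        return actor == target or MANAGE_ACCESS in self.permissions_for(actor_groups)

    def groups_granting_manage_access(self):
        """Audit helper: LDAP groups whose mapped role carries MANAGE_ACCESS."""
        mapping = self.active().group_role_map if self.active() else {}
        return sorted(g for g, r in mapping.items()
                      if MANAGE_ACCESS in ROLE_PERMISSIONS.get(r, set()))

def build_sample():
    return AccessControl([LdapProfile("ad", {ADMINS: "SuperUser", STAFF: "Viewer"}),
                          LdapProfile("apacheds", {STAFF: "Viewer"})])
```

Running `groups_granting_manage_access()` before and after a profile switch shows how a change of active profile alters who can manage users, roles, and LDAP profiles.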