Some features described in this article are available in meshIQ Control Center version 12.1 and later.
For a quick overview of what's new or changed, visit the meshIQ Highlights page for a version-by-version breakdown.
Version 12.x and Later
Control Center Permissions
You can assign rights to restrict users’ actions in the Control Center application using the Control Center Permissions option. This feature allows you to create user roles that define which features are available to each user.
To log in to the Control Center application, a user must have the Manage User Settings/Info right. Roles defined through Control Center Permissions determine the specific rights a user has, such as the ability to view only or make changes.
Examples of Control Center roles include:
- Users who can only view settings, but not make any changes.
- Auditors who can only view audit reports.
As with all meshIQ management applications, access is assigned based on the group(s) the user belongs to. For example, consider a user named Bob, who is part of the Auditors group (in LDAP) and should only be allowed to view the Control Center Audit Report.
The first step would be to define an Auditors group in Control Center, as described in the User Group Management section.
If Bob does not require any access to the management application, there is no need to assign any User Groups to this group. You can proceed with Control Center Role assignment as described below.
If Bob should have access to both the Control Center and the management applications, you would assign both User Groups and configure Control Center Permissions accordingly.
This group must not be specified on the WGS REST API tab of WGS Properties in AutoPilot Enterprise Manager, as that will override the rights configured through Control Center Permissions.
See Working with Tables in Customizing the meshIQ Control Center interface for more information about managing columns.
Add a Control Center Role
To add a new Control Center Role, click the Add Control Center Role icon. The Control Center Role Create Window opens.
General Tab
- In the General tab, enter the Control Center Role Name (required) and an optional Description.
- From the list of features, select Manage User Settings/Info (Required). This selection is required to access the Control Center application's online functions.
- Select any specific Control Center features to assign from the list below:
  - Import Data – Allows importing data into the Control Center application
  - Export Data – Allows exporting data from the Control Center application
  - Manage Audit Reports – Allows viewing the Manage Audit log
  - Control Center Audit Reports – Allows viewing the Control Center Audit log
  - Refresh Security – Allows requesting a security refresh
  - Control Center Permissions – Allows viewing Control Center Permissions
- Assign Read, Write, or Delete rights for the selected features.
- By default, when you select a parent checkbox, all child checkboxes under that feature are selected.
- Based on your selections, other required options may also be selected automatically.
For example, if you enable the Show right for the Audit Configuration feature, the Server Groups and Object Groups Show checkboxes will be selected as well, since they are prerequisites.
Group Tab
- In the Groups tab, specify the User Group to which this Control Center role will be assigned.
- Select the group name from the Group Name drop-down menu.
- If the group doesn’t exist, type a new group name, press Enter, and click Add. Check the box labeled “Add Specified Group(s) If Not Already Created.”
- You can remove a group by clicking the Delete icon next to the group name.
This must be a defined User Group, although it can be created after being added here.
- Click Save.
Edit a Control Center Role
To edit a Control Center role:
- On the Control Center Permissions page, click the Control Center Role Options icon next to the Control Center role you want to edit.
- Select Edit Control Center Role. The Control Center Role Properties window opens. This dialog contains the same fields as the Control Center Role Create window.
- Make the necessary changes to the role. For guidance, refer to the instructions above under Add a Control Center Role.
- Click Save to apply your changes.
Duplicate a Control Center Role
- If you would like to create a new Control Center Role that has similar rights to an existing role, you can duplicate the existing role so that all the rights of the original role are already selected. As a result, it is easier to complete the task of creating the new role.
- On the Control Center Permissions page, click the Control Center Role Options icon next to the Control Center role you want to duplicate.
- Select Duplicate Control Center Role. The Control Center Role Clone Window opens.
- Give the new role a descriptive name.
- Make your changes to the role. Refer to the instructions above for adding a Control Center role for more details.
- Click Save.
- The new role is displayed, with similar characteristics to the original role, as in the example shown below:
Delete a Control Center Role
To delete a Control Center role:
- On the Control Center Permissions page, click the Control Center Role Options icon next to the Control Center role you want to delete.
- Select Delete Control Center Role.
- In the Delete Control Center Role dialog, type DELETE (in all capital letters) in the provided field. Then click Yes, Delete to confirm, or No, Keep to cancel the action.
Export Role's Data
To export a Control Center role’s data:
- On the Control Center Permissions page, click the Control Center Role Options icon next to the Control Center role you want to export.
- Select Export Role’s Data.
- A JSON file containing the selected Control Center role details is exported.
Edit Permissions for a Control Center Role
You can edit permissions for a Control Center Role in the same way that you edit them for other roles. See Edit Permissions in the Role Management article.
Display the Groups for a Control Center Role
- To view the groups that are associated with a Control Center role without opening the Control Center Role Properties window, click the Display Groups button in the role's column header.
- The name or names of the associated group or groups are displayed under the column header, as shown below.
Edit Control Center Role Groups
You can quickly edit the groups that are assigned this Control Center Role by clicking the name of the group that is displayed under the column header (see the Display the Groups for a Control Center Role instructions above). Clicking the name of the group opens the Control Center Role Groups dialog. Groups that are currently assigned to the Control Center Role are listed at the bottom of the dialog.
Assign a New Group to a Control Center Role
Enter the Group Name in the Control Center Role Groups dialog and click Add. The name of the group is listed at the bottom of the dialog. Click Save to add the group.
Remove a Group from a Control Center Role
Find the name of the group in the list at the bottom of the Control Center Role Groups dialog. Click the delete button to remove the group assignment from the Control Center Role.
_____________________________________________________________________________________________________________
Version 11.3 and Earlier
You can assign rights to restrict users' actions in the security application with the API Role Management option. With it, you can create roles for users that control which features are available to them.
A user must have the Manage User Settings/Info right to be able to log into the security application. API management roles determine what rights they have, such as change or view only.
Examples of API Roles would be users that could only view settings but not make changes, or auditors that can only view the audit reports.
As with all usage of the management applications, the assignment is based on the group(s) that the user belongs to. As an example, let's take a user, Bob, who belongs to the Auditors group (in LDAP) and should only be able to view the WSM audit report.
The first step would be to define an Auditors group in WSM, as described in User Group Management. If Bob does not require any functions in the management application, it is not necessary to add any User Groups to this group; just follow the details below. If Bob can use both the security and the management applications, then you would add both User Groups and add API Role Management rights as outlined below. This group must not be specified on the WGS REST API tab of WGS Properties in AutoPilot Enterprise Manager for granting access rights to WSM, because that will override any rights defined here.
Add an API Role
- Click the icon to add a new API Role. The API Role Create Window opens.
- Select the required entry for Manage User Settings/Info, which provides access to security application online functions.
- Select any specific security application features from the list:
- Data Import - Import into the security application
- Data Export - Export from the security application
- Read Management Audit - View the Management Audit log
- Read Security Management Audit - View the Security Management Audit log
- Refresh Security - Request Refresh Security
- Read API Roles - View API Role Management
- Assign Read/Write/Delete rights for security features.
- By default, when you select the parent check box for a feature, its child check boxes are also selected.
- Depending on your selection, other necessary check boxes may also be selected automatically. For example, the Audit Management feature Show right requires Server Groups and Object Groups to be shown. Therefore when you select the Show right for Audit Management, the Server Groups and Object Groups Show check boxes are selected for you.
- In version 11.1 and earlier, on the Groups tab, indicate the User Group that will be assigned this API Role. Enter the name of the User Group in the Group Name box and click +Add. Repeat as needed to add additional user groups to this API Role. (You can also remove groups by clicking the X next to the group record.) This group must be a defined User Group, although it can be added after you add it here.
In version 11.2, on the Groups tab, specify the User Group to which you will assign this API Role. Select the User Group’s name from the Group Name drop-down menu, or enter a new group name if it is not available in the list, and click Add. After entering the new group name, check the box that says “Add Specified Group(s) If Not Already Created.” (You can also remove groups by clicking the icon next to the group record.) This group must be a defined User Group, although it can be added after you add it here.
- Click Save.
[Figure: Add a new API Role and groups in v11.2]
Edit an API Role
- On the API Role Management page, click the menu icon next to the API Role that you want to edit.
[Figures: Edit API Role in v11.1 and Earlier; Edit API Role in v11.2]
- Select Edit API Role. The API Role Properties window opens. The API Role Properties dialog contains the same fields as the API Role Create window.
- Make your changes to the role. Refer to the instructions above for adding an API role for more details.
- Click Save.
Edit Permissions for an API Role
You can edit permissions for an API Role in the same way that you edit them for other roles. See Edit Permissions in the Role Management article.
Delete an API Role
- On the API Role Management page, click the menu icon next to the API Role that you want to delete.
[Figures: Delete API Role in v11.1 and Earlier; Delete API Role in v11.2]
- Select Delete API Role. The Delete Confirmation dialog opens.
- Click Yes to delete the role, or No to cancel the delete action.
Hide an API Role
In version 11.1 and earlier, you can hide a role by clicking the hide icon in its column header. See Show, hide, and rearrange table columns in the Customizing the interface article for more information about managing columns.
In version 11.2, the "Hide" feature is not available for hiding roles.
Clone an API Role
In version 11.2, the word 'Clone' has been changed to 'Duplicate,' but the functions remain the same as 'Clone'.
If you would like to create a new API Role that has similar rights to an existing role, you can clone the existing role so that all the rights of the original role are already selected. As a result, it is easier to complete the task of creating the new role.
- On the API Role Management page, click the menu icon next to the API Role that you want to make a copy of (or "clone").
[Figures: Clone API Role in v11.1 and Earlier; Duplicate API Role in v11.2]
- Select Clone API Role. The API Role Clone Window opens. By default, the name of the new role is the name of the original role followed by "(1)" (for example, "WSM Audit Role(1)").
In version 11.2, the name will not appear by default in the API Role Clone Window; the user must provide a descriptive name for the role.
- Give the new role a descriptive name.
- Make your changes to the role. Refer to the instructions above for adding an API role for more details.
- Click Save.
The new role is displayed, with similar characteristics to the original role, as in the example shown below:
Display the Groups for an API Role
To view the groups that are associated with an API role without opening the API Role Properties window, click the Display Groups button in the role's column header.
The name or names of the associated group or groups are displayed under the column header, as shown below.
Edit API Role Groups
You can quickly edit the groups that are assigned this API Role by clicking the name of the group that is displayed under the column header (see the Display the Groups for an API Role instructions above). Clicking the name of the group opens the API Role Groups dialog. Groups that are currently assigned to the API Role are listed at the bottom of the dialog.
Assign a new group to the API Role
Enter the Group Name in the API Role Groups dialog and click +Add. The name of the group is listed at the bottom of the dialog.
Edit a group
In version 11.1 and earlier, groups that are currently assigned to the API Role are listed at the bottom of the API Role Groups dialog. Edit the name of the group and click Save.
In version 11.2, this function is not available for editing a group.
Remove a group from the API Role
Find the name of the group in the list at the bottom of the API Role Groups dialog. Click the delete button to remove the group assignment from the API Role.