API Role Management

You can assign rights to restrict users' actions in Navigator Security Manager with the API Role Management option.  With it, you can create roles for Security Manager users that control which Security Manager features are available to them.

Examples of API Roles would be users that could only view settings but not make changes, or auditors that can only view the audit reports. 

As with all Navigator usage, the assignment is based on group(s) that the user belongs to.  As an example, let's take a user, Bob, who belongs to the Auditors group (in LDAP) and should be only able to view the WSM audit report. 

The first step would be be define an Auditors group in WSM as described in User Group Management. If Bob does not require Navigator functions, it is not necessary to add any User Groups to this group; just follow the details below.  If Bob can use both Navigator and Security Manager, than you would add both User Groups and add API Role Management rights as outlined below.  This group must not be specified on the WGS REST API tab of WGS Properties in AutoPilot Enterprise Manager for granting access rights to WSM, which will override any rights defined here.  

Add an API Role

1. Click to add a new API Role. The API Role Create Window opens.
2. Select the required entry for Manage User Settings/Info, which provides access to WSM online functions. 
3. Select any specific WSM features from the list:
   • Data Import - Import into WSM
   • Data Export - Export from WSM
   • Read Management Audit - View the Management Audit log 
   • Read Security Management Audit - View the Security Management Audit log
   • Refresh Security - Request Refresh Security 
   • Read API Roles - View API Role Management 
4. Assign Read/Write/Delete rights for Security Manager features.

• • • By default, when you select the parent check box for a feature, its child check boxes are also selected. 
    • Depending on your selection, other necessary check boxes may also be selected automatically.  For example, the Audits feature Read right requires Server Groups and Object Groups to be read. Therefore when you select the Read right for Audits, the Server Groups and Object Groups Read check boxes are selected for you. 

5. On the Groups tab, indicate the User Group that will be assigned this API Role. Enter the name of the User Group in the Group Name box and click +Add. Repeat as needed to add additional user groups to this API Role. (You can also remove groups by clicking the X next to the group record.) This group must be a defined User Group, although it can be added after you add it here. 
   
6. Click Save. 

Edit an API Role

1. On the API Role Management page, click the menu icon  next to the API Role that you want to edit.
   
2. Select Edit API Role. The API Role Properties window opens.  The API Role Properties dialog contains the same fields as the API Role Create window.
3. Make your changes to the role. Refer to the instructions above for adding an API role for more details.
4. Click Save.

Edit Permissions for a API Role

You can edit permissions for an API Role in the same way that you edit them for other roles. See Edit Permissions in the Role Management article.

Delete an API Role

1. On the API Role Management page, click the menu icon  next to the API Role that you want to delete.
   
2. Select Delete API Role. The Delete Confirmation dialog opens. 
   
3. Click Yes to delete the role, or No to cancel the delete action.

Hide an API Role

You can hide a role by clicking the hide icon in its column header. See Show, hide, and rearrange table columns in the Customizing the Security Manager interface for more information about managing columns.

Clone an API Role

If you would like to create a new API Role that has similar rights to an existing role, you can clone the existing role so that all the rights of the original role are already selected. As a result, it is easier to complete the task of creating the new role.

1. On the API Role Management page, click the menu icon  next to the API Role that you want to make a copy of (or "clone").
   
2. Select Clone API Role. The API Role Clone Window opens. By the default, the name of the new role is the name of the original role followed by "(1)" (for example, "WSM Audit Role(1)").
3. Give the new role a descriptive name.
   
4. Make your changes to the role. Refer to the instructions above for adding an API role for more details.
5. Click Save.

The new role is displayed, with similar characteristics to the original role, as in the example shown below:

Display the Groups for an API Role

To view the groups that are associated with an API role without opening the API Role Properties window, click the Display Groups button in the role's column header.

The name or names of the associated group or groups are displayed under the column header, as shown below. 

Edit API Role Groups

You can quickly edit the groups that are assigned this API Role by clicking the name of the group that is displayed under the column header (see the Display the Groups for an API Role instructions above). Clicking the name of the group opens the API Role Groups dialog. Groups that are currently assigned to the API Role are listed at the bottom of the dialog.

Assign a new group to the API Role

Enter the Group Name in the API Role Groups dialog and click +Add (). The name of the group is listed at the bottom of the dialog.

Edit a group

Groups that are currently assigned to the API Role are listed at the bottom of the API Role Groups dialog. Edit the name of the group and click Save. 

Remove a group from the API Role

Find the name of the group in the list at the bottom of the API Role Groups dialog. Click the delete button to remove the group assignment from the API Role.