You can assign rights to restrict users' actions in the security application with the API Role Management option. With it, you can create roles for users that control which features are available to them.
Examples of API Roles would be users that could only view settings but not make changes, or auditors that can only view the audit reports.
As with all usage of the management applications, the assignment is based on the group or groups that the user belongs to. As an example, let's take a user, Bob, who belongs to the Auditors group (in LDAP) and should only be able to view the WSM audit report.
The first step would be to define an Auditors group in WSM, as described in User Group Management. If Bob does not require any functions in the management application, it is not necessary to add any User Groups to this group; just follow the details below. If Bob can use both the security and the management applications, then you would add both User Groups and add API Role Management rights as outlined below. Do not specify this group on the WGS REST API tab of WGS Properties in AutoPilot Enterprise Manager to grant access rights to WSM; doing so overrides any rights defined here.
Add an API Role
- Click the add icon to add a new API Role. The API Role Create Window opens.
- Select the required entry for Manage User Settings/Info, which provides access to security application online functions.
- Select any specific security application features from the list:
  - Data Import - Import into the security application
  - Data Export - Export from the security application
  - Read Management Audit - View the Management Audit log
  - Read Security Management Audit - View the Security Management Audit log
  - Refresh Security - Request Refresh Security
  - Read API Roles - View API Role Management
- Assign Read/Write/Delete rights for security features.
  - By default, when you select the parent check box for a feature, its child check boxes are also selected.
  - Depending on your selection, other necessary check boxes may also be selected automatically. For example, the Audit Management feature Show right requires Server Groups and Object Groups to be shown. Therefore when you select the Show right for Audit Management, the Server Groups and Object Groups Show check boxes are selected for you.
- In version 11.1 and earlier, on the Groups tab, indicate the User Group that will be assigned this API Role. Enter the name of the User Group in the Group Name box and click +Add. Repeat as needed to add additional user groups to this API Role. (You can also remove groups by clicking the X next to the group record.) This group must be a defined User Group, although it can be added after you add it here.
  In version 11.2, on the Groups tab, specify the User Group to which you will assign this API Role. Select the User Group's name from the Group Name drop-down menu, or enter a new group name if it is not available in the list, and click Add. After entering the new group name, check the box that says "Add Specified Group(s) If Not Already Created." (You can also remove groups by clicking the icon next to the group record.) This group must be a defined User Group, although it can be added after you add it here.
- Click Save.
[Figure: Add a new API Role and groups in v11.2]
Edit an API Role
- On the API Role Management page, click the menu icon next to the API Role that you want to edit.
[Figures: Edit API Role in v11.1 and earlier; Edit API Role in v11.2]
- Select Edit API Role. The API Role Properties window opens. The API Role Properties dialog contains the same fields as the API Role Create window.
- Make your changes to the role. Refer to the instructions above for adding an API role for more details.
- Click Save.
Edit Permissions for an API Role
You can edit permissions for an API Role in the same way that you edit them for other roles. See Edit Permissions in the Role Management article.
Delete an API Role
- On the API Role Management page, click the menu icon next to the API Role that you want to delete.
[Figures: Delete API Role in v11.1 and earlier; Delete API Role in v11.2]
- Select Delete API Role. The Delete Confirmation dialog opens.
- Click Yes to delete the role, or No to cancel the delete action.
Hide an API Role
In version 11.1 and earlier, you can hide a role by clicking the hide icon in its column header. See Show, hide, and rearrange table columns in the Customizing the interface article for more information about managing columns.
In version 11.2, the "Hide" feature is not available for hiding roles.
Clone an API Role
In version 11.2, the word 'Clone' has been changed to 'Duplicate,' but the functions remain the same as 'Clone'.
If you would like to create a new API Role that has similar rights to an existing role, you can clone the existing role so that all the rights of the original role are already selected. As a result, it is easier to complete the task of creating the new role.
- On the API Role Management page, click the menu icon next to the API Role that you want to make a copy of (or "clone").
[Figures: Clone API Role in v11.1 and earlier; Duplicate API Role in v11.2]
- Select Clone API Role. The API Role Clone Window opens. By default, the name of the new role is the name of the original role followed by "(1)" (for example, "WSM Audit Role(1)").
  In version 11.2, the name will not appear by default in the API Role Clone Window; the user must provide a descriptive name for the role.
- Give the new role a descriptive name.
- Make your changes to the role. Refer to the instructions above for adding an API role for more details.
- Click Save.
The new role is displayed, with similar characteristics to the original role, as in the example shown below:
Display the Groups for an API Role
To view the groups that are associated with an API role without opening the API Role Properties window, click the Display Groups button in the role's column header.
The name or names of the associated group or groups are displayed under the column header, as shown below.
Edit API Role Groups
You can quickly edit the groups that are assigned this API Role by clicking the name of the group that is displayed under the column header (see the Display the Groups for an API Role instructions above). Clicking the name of the group opens the API Role Groups dialog. Groups that are currently assigned to the API Role are listed at the bottom of the dialog.
Assign a new group to the API Role
Enter the Group Name in the API Role Groups dialog and click +Add. The name of the group is listed at the bottom of the dialog.
Edit a group
In version 11.1 and earlier, groups that are currently assigned to the API Role are listed at the bottom of the API Role Groups dialog. Edit the name of the group and click Save.
In version 11.2, this function is not available for editing a group.
Remove a group from the API Role
Find the name of the group in the list at the bottom of the API Role Groups dialog. Click the delete button to remove the group assignment from the API Role.