User, Group, and Capabilities
A user is the identity with which a person logs in. It contains a user ID, password, name, email, mobile number, etc. Users can be authenticated via LDAP if LDAP settings are enabled.
The LDAP server settings require the following parameters to be specified for LDAP authentication.
Connection method: The default is LDAP. The user can choose between LDAP and LDAPS. This can be extended in the future to support other methods, e.g. MS domain authentication.
For now, only one LDAP server is supported, since LDAP servers are normally federated.
LDAP server name (or IP address): for example, 10.10.200.1 or ldap.cavsauth.local.
LDAP server port number: The default value is 389 (this should be displayed). If LDAPS is chosen as the connection method, the default displayed should be 686. The user can enter the port number of the LDAP server being used.
Base DN (Distinguished Name): This is the root-level distinguished name used for LDAP authentication. The following are examples of a base DN:
- DC=cavs,DC=com
- Cn=adminuser, dc=cavs, dc=local
- Ou=netsuite, dc=performance, dc=cavisson, dc=local
Security protocol: The default value is 'None'; the user can select TLS.
A group is a set of users. For example, a department such as HR or Accounts has many users; a group can be created for the department and all of those users assigned to it. Access changes then need to be made only once, at the group level.
Each group can contain multiple users, and each group can be assigned multiple capabilities. When multiple capabilities are assigned to one group, the effective access is the union of everything they allow.
Case 1: If capability1 grants access to Tier1 and capability2 grants access to Tier2, then a Team Leads group can be assigned both capabilities to get access to both tiers.
Case 2: If the user who has capability2 goes on leave, capability2 can be assigned to another user in addition to that user's own capabilities.
A capability is a list of access permissions that can be assigned to one or more groups. Some predefined capabilities are available in the system, and users can also create new capabilities.
Users with the read-only capability have read-only access to all tiers, all projects/sub-projects and all features. They cannot write anything: they cannot add or update favorites, cannot add rules, etc.
Read Write All
Users with this capability have read and write access to all tiers, all projects/sub-projects and all features, except for a few features that are restricted to Admin.
Beyond read and write access, users with the Admin capability can also add/update/delete users, groups and projects, and view the audit log for all users.
Users with the Business User capability have read-only permissions, and many other features, such as the metric tree and compare, are disabled. A user can configure which features and favorites are available to Business Users.
A user can also create new capabilities. A capability can give mixed read/write permissions at the first level of the metric hierarchy (usually the Tier); for example, write permission for Tier1 but read-only permission for Tier2. In addition, a project/sub-project must be assigned to the capability. A few objects, such as scripts and scenarios, are not associated with the metric hierarchy but belong to a project/sub-project; objects under a project/sub-project can be viewed/edited only by capabilities that have access to that project/sub-project. Advanced users can also grant permissions on components and features.
Example of User Mapping
Let us take an example to understand how users map to permissions:
- User 1 and User 2 have read-only access to all Tiers. These users can see everything (all favorites, rules, reports, templates, etc.) but cannot add or update anything.
- User 3, User 4 and User 5 have read and write access to all tiers. These users can see and update everything (all favorites, rules, reports, templates, etc.).
- User 6 has read and write access to all tiers. In addition, this user can do anything in User management.
- User 7 and User 8 have read-only access to all Tiers. In addition, they cannot see the metric tree and some other features.
- User 9 is a member of multiple groups (G4, G5, and G6). This user has read/write access to Tier1 and Tier2 and read-only access to all other Tiers. This means the user can view all objects but can edit only objects whose metrics belong solely to Tier1 and Tier2.
- User 10 and User 11 have write access to Tier1 and Tier2 only. This means these users cannot view objects that contain anything other than Tier1 and Tier2 metrics, and can update only objects whose metrics are from Tier1 and/or Tier2.
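The union-of-capabilities rule and the view/edit checks behind the User 9 and User 10 cases, as an added Python example (not the product's own code); the tier-to-permission dictionaries, the "*" wildcard, and the group and object data below are constructed assumptions.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2

# Assumed representation: a capability maps a tier name to a permission,
# "*" meaning every tier; a group is a list of capabilities; a user is a
# list of groups.

def effective_perms(groups, all_tiers):
    """Union across every capability of every group the user belongs to:
    for each tier, the highest permission granted anywhere wins."""
    perms = {t: Perm.NONE for t in all_tiers}
    for caps in groups:
        for cap in caps:
            for tier, p in cap.items():
                for t in (all_tiers if tier == "*" else [tier]):
                    perms[t] = max(perms[t], p)
    return perms

def can_view(perms, object_tiers):
    """An object is visible only if every tier its metrics use is readable."""
    return all(perms.get(t, Perm.NONE) >= Perm.READ for t in object_tiers)

def can_edit(perms, object_tiers):
    """An object is editable only if every tier its metrics use is writable."""
    return all(perms.get(t, Perm.NONE) >= Perm.WRITE for t in object_tiers)

# Constructed data mirroring User 9 (G4, G5, G6) and User 10 (one group).
TIERS = ["Tier1", "Tier2", "Tier3", "Tier4"]
G4 = [{"Tier1": Perm.WRITE}]                        # write on Tier1
G5 = [{"Tier2": Perm.WRITE}]                        # write on Tier2
G6 = [{"*": Perm.READ}]                             # read on all tiers
G7 = [{"Tier1": Perm.WRITE, "Tier2": Perm.WRITE}]   # write on Tier1/Tier2 only

USER9 = effective_perms([G4, G5, G6], TIERS)
USER10 = effective_perms([G7], TIERS)

OBJ_T12 = {"Tier1", "Tier2"}   # e.g. a favorite using only Tier1/Tier2 metrics
OBJ_T13 = {"Tier1", "Tier3"}   # e.g. a rule that also uses a Tier3 metric

if __name__ == "__main__":
    print("User 9  view/edit OBJ_T13:", can_view(USER9, OBJ_T13), can_edit(USER9, OBJ_T13))
    print("User 10 view/edit OBJ_T13:", can_view(USER10, OBJ_T13), can_edit(USER10, OBJ_T13))
```

User 9 sees the Tier3 rule but cannot edit it, while User 10 cannot even see it; both can edit the Tier1/Tier2 favorite.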