Milestone 6: Configuring Data Privacy Security
In Data Studio’s Data Privacy, users must be assigned Data Privacy roles. This step discusses how these roles are used and how they are configured. After the installation of Data Privacy is completed, full configuration must be done by users assigned the Data Privacy Administrator role.
No specific login is required to access the Data Privacy perspective. When the Data Studio’s Data Privacy perspective is selected, the currently active user ID determines the Data Privacy role assignment. All roles are assigned at the server level and all repositories within the same server will have the same role assignments.
Role Definitions
Role definition is the process of mapping user IDs and groups to the roles defined within the product. Each role is associated with a predefined set of permissions within the product functionality.
File-AID Services (FAS) installation includes the installation of a Derby database for the security repository. FAS acts as the roles server, and the mapping of users and groups to the roles used by the product is stored in the security repository.
When any functionality is requested using Data Privacy, the user authorizations are checked to verify that they have the appropriate role to perform the requested function. A user must have at least one Data Privacy role to be allowed to open any project in the Data Privacy application. Data Privacy authorizations are specific to the server being used.
Data Studio’s Data Privacy Functionality by Role
Data Privacy Functionality | DP Admin | Project Admin | Global Resource Admin | SME | Privacy Auditor (Only view) |
---|---|---|---|---|---|
Assign Roles | ![]() | ||||
Create Project | ![]() | ||||
Update Project | |||||
Delete Project | |||||
Change the Project owner | |||||
Add Project Metadata | |||||
Manage repositories | |||||
Create Data Element | |||||
Update Data Element | |||||
Delete Data Element | |||||
Create Rules | |||||
Update Rules | |||||
Delete Rules | |||||
Create rule actions | |||||
Update rule actions | |||||
Delete Rule actions | |||||
Rule Variables | |||||
Import global Data Elements | |||||
Import global Rules | |||||
Expression builder | |||||
Update Global projects | |||||
Update Global Data Element | |||||
Update Global Rules | |||||
Manage Translate tables | |||||
Manage Encryption keys | |||||
Manage Credentials | |||||
Manage Custom Functions | |||||
Create Data Identifiers | |||||
Update Data Identifiers | |||||
Delete Data Identifiers | |||||
View Coverage | |||||
Run Coverage Analysis | |||||
Coverage Report | |||||
The following is a description of the default roles provided with Data Studio’s Data Privacy:
Data Privacy Administrator
Different roles will have access to different functions within Data Studio’s Data Privacy. The Data Privacy Administrator role has the highest level of authorization giving complete access to all functions within Data Privacy.
When Data Privacy is installed, the role of Data Privacy Administrator is assigned to a temporary default ID. This administrator-level default ID must be used the first time Data Privacy is accessed in order to assign actual user IDs to Data Privacy roles, including other Data Privacy Administrators. Once another user ID is given the role of Data Privacy Administrator, the temporary default ID can be deleted. Data Studio’s Data Privacy requires at least one user ID assigned to the Data Privacy Administrator role. The Data Privacy Administrator is the only role authorized to manage repositories, set preferences and other definitions that affect the entire Data Privacy installation.
Data Privacy Auditor
The Data Privacy Auditor has the authority to browse and report on all data within all projects. The Data Privacy Auditor cannot change any data.
Data Privacy Global Resource Administrator
The Data Privacy Global Resource Administrator is responsible for defining and managing the resources that are shared by all data privacy projects. This includes global data elements, global rules, managed translation tables, encryption keys, credentials, and custom functions.
Data Privacy Project Administrator
The Data Privacy Project Administrator is responsible for creating projects and managing the definition of privacy within the project. This includes the definition of data elements and rules. Data Privacy Project Administrators can import global definitions into their projects.
Data Privacy SME (Subject Matter Expert)
A user ID assigned the Data Privacy SME role should have knowledge of the application data and is thus able to create the data element definitions by adding data identifiers to the data elements defined by the project administrator. Users in this role cannot create new data elements. Subject matter experts can use their application knowledge and search the metadata to properly identify the data for each data element.
Task 6.1 Configure Security
Security is configured from within Workbench for Eclipse. If you have the proper authority, you can set up security from within the Data Privacy perspective.
Following are the steps that allow you to set up your site's default authentication, and manage users, groups, and role mapping:
From within Workbench for Eclipse, select BMC > DevX Data Studio > Rules Explorer. The Data Privacy perspective may also be opened from the Windows menu: select Open Perspective > Other > DevX Data Studio > Rules Explorer.
Select Configure > Manage Security. Supply Administrator credentials with default user ID: cwsecadmin and password: cwsecadmin. (You should consider changing the password, to limit access to this facility to Data Privacy Administrators only.) The Security Editor Authentication view appears. There are several tabs at the bottom of the screen allowing you to select the different options.
- Authentication is preselected. All fields are filled with defaults provided at installation time, and are disabled and cannot be modified.
- Select the User Management tab. All user IDs previously configured, including the default security user ID, cwsecadmin (if not removed by user) appear in the User Management tab.
- To add a new user, click Add.
- Enter a domain name and user ID in the User Name field in uppercase. The domain name should be followed by a backslash ‘\’ when preceding the user ID (for example: DOMAINNAME\MYUSERID). Windows authentication is used to validate the user by LAN ID.
- Click OK. The user is now added to the list. Repeat this step until you have added all of the desired users.
- To modify a user ID’s password, select a user ID and click Edit. Make your changes and click OK.
- To delete a user, select the user and click Remove.
- Select the Group Management tab. The default groups, and any groups that have been added since installation, appear in the Group Name list.
- To modify a group, select a group and click Edit. The group name cannot be changed, but you can add users to or delete users from the group. Make your changes and click OK.
- To delete a group, select the group and click Remove.
- To add a new group, click Add. Enter a group name in the Group Name field, and move the users you want to add to the group from the Available Users column to the Selected Users column. Then click OK.
- Select the Role Mapping tab. The default mapped roles, and any roles that have been added since installation, appear in the Name list.
- To map a group to a role, select one of the Application Roles from the list and click Map Groups. The Group Selection dialog box appears. Select a group name from the list of groups. If you have many groups, you can search for the desired group by clicking Search. After you have selected your group, click OK. That group will appear in the role mapping list for that role. Repeat this step until you have mapped all of the desired roles.
- To map a user to a role, select one of the Application Roles from the list and click Map Users. The User Selection dialog box appears. Select a user ID from the list of available users. If you have many user IDs, you can search for the desired user by clicking Search. After you have selected your user, click OK. That user ID will appear in the role mapping list for that role. Repeat this step until you have mapped all of the desired roles.
- To delete a user or group mapping, select the user or group and click Remove.
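The role-mapping rules described on this page can be checked mechanically once the users, groups and role mappings are written down. The following is an added example, not part of the product or its documentation: the dictionary layout, the group names, the sample user IDs and the allowed character set in the user-name pattern are constructed assumptions, and it assumes the temporary default ID is the default security user ID cwsecadmin.

```python
import re

ADMIN = "Data Privacy Administrator"
DEFAULT_ID = "cwsecadmin"  # default security user ID named on the page
# Page convention: uppercase DOMAINNAME\MYUSERID (character set is an assumption)
USER_RE = re.compile(r"[A-Z0-9_.-]+\\[A-Z0-9_.$-]+")

def effective_roles(groups, role_map):
    """Resolve each user's roles from direct mappings plus group membership."""
    roles = {}
    for role, mapping in role_map.items():
        members = set(mapping.get("users", []))
        for group in mapping.get("groups", []):
            members |= set(groups.get(group, []))
        for user in members:
            roles.setdefault(user, set()).add(role)
    return roles

def audit(users, groups, role_map):
    """Return findings for the role-assignment rules stated on the page."""
    roles = effective_roles(groups, role_map)
    findings = []
    admins = {u for u, held in roles.items() if ADMIN in held}
    if not admins:
        findings.append("no user ID holds the Data Privacy Administrator role")
    if DEFAULT_ID in users and admins - {DEFAULT_ID}:
        findings.append(f"{DEFAULT_ID}: default ID can be deleted, another administrator exists")
    for user in sorted(users):
        if user == DEFAULT_ID:
            continue
        if not USER_RE.fullmatch(user):
            findings.append(f"{user}: not in uppercase DOMAINNAME\\USERID form")
        if user not in roles:
            findings.append(f"{user}: no role, cannot open any project")
    return findings

# Constructed sample data (hypothetical layout, not a product export format)
USERS = {"cwsecadmin", "CORP\\JDOE", "CORP\\ASMITH", "corp\\bwong", "CORP\\NOROLE"}
GROUPS = {"DP_ADMINS": ["CORP\\JDOE"], "AUDIT": ["CORP\\ASMITH"]}
ROLE_MAP = {
    ADMIN: {"users": ["cwsecadmin"], "groups": ["DP_ADMINS"]},
    "Data Privacy Auditor": {"groups": ["AUDIT"]},
    "Data Privacy SME": {"users": ["corp\\bwong"]},
}

if __name__ == "__main__":
    for line in audit(USERS, GROUPS, ROLE_MAP):
        print(line)
```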