Creating an Administrator security role


As an administrator, you can manage security policy and its implementation in the AR System Administration Console, Developer Studio, and the Mid Tier Configuration Tool by using BMC Helix Innovation Suite. With these clients, you can manage server objects and system configuration settings, and control access to BMC Helix Innovation Suite by human users, BMC applications, and external clients.

All user access definition and management is performed through forms that are accessible to administrators. Policy management and implementation are controlled through the use of access control groups and security role definitions and privileges. Access control groups are the basis by which all user access is granted. Access control in AR System is added progressively, as required. Each user starts out with no access to AR System controlled objects, and administrators or subadministrators add permissions as needed. Administrators can set default permissions and specific permissions on objects in AR System, and subadministrators can set specific permissions to objects where assigned.

Roles, including security roles, are specified in AR System by membership in groups. AR System reserves eight group IDs for special group definitions with associated access privileges, including the groups administrator and subadministrator. Members of the administrator group have the Administrator security role. Members of the subadministrator group have the Subadministrator security role.

Configuration of application servers, including application server passwords, is controlled by administrators by using forms such as the AR System Administration: Server Information form. You can access these forms through a browser. Many settings managed in the AR System Administration: Server Information form are stored in the server configuration file (ar.cfg on Windows or ar.conf on UNIX). The administrator must protect this and other configuration files from tampering by setting the appropriate directory permissions and file settings. In addition to the file protections assumed to be provided by the operational environment, application service passwords stored in configuration files are obfuscated using a proprietary implementation of DES.
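The following is an added example, not BMC code: a POSIX shell check for the directory permissions and file settings described above, run against ar.conf on UNIX. The path to ar.conf is an assumption supplied by the caller, and only the file and its containing directory are examined. Because the file holds obfuscated service passwords, read access for other users is reported as well.

```shell
#!/bin/sh
# Added example (not BMC code): check that an AR System server configuration
# file and its directory cannot be modified by non-owners.
# Assumption: the caller supplies the path to ar.conf for their installation.

# Print the 10-character mode string of PATH, following symlinks.
mode_of() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# Return 0 if no finding, 1 if any finding, 2 if the file cannot be audited.
audit_config() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "CANNOT AUDIT: $file is missing or not a regular file"
        return 2
    fi
    if [ -L "$file" ]; then
        echo "NOTE: $file is a symlink; the link target's mode is checked"
    fi
    fmode=$(mode_of "$file")
    dir=$(dirname "$file")
    dmode=$(mode_of "$dir")
    # Mode string positions: 6 = group write, 8 = other read, 9 = other write.
    case $fmode in
        ?????w*|????????w*) echo "FILE WRITABLE by group/other: $file ($fmode)"; findings=1 ;;
    esac
    case $fmode in
        ???????r*) echo "FILE READABLE by other: $file ($fmode)"; findings=1 ;;
    esac
    # A writable directory (without the sticky bit) lets a non-owner replace
    # the file even when the file itself is mode 600.
    case $dmode in
        ?????w*|????????w*) echo "DIRECTORY WRITABLE by group/other: $dir ($dmode)"; findings=1 ;;
    esac
    return "$findings"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_config "$1"
fi
```
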

In your application development and production environments, you can provide different levels of access for other administrators. The Overlay Group option on the Group Information Form provides the following access options:

  • Overlay Group field set to 1
    When a group assigned to the user has the Overlay Group field set to 1, the user is restricted to working on overlay and custom mode objects. In Developer Studio, the user can work only in Best Practice Customization mode.
  • Overlay Group field set to 0
    When a group assigned to the user has the Overlay Group field set to 0, the user is restricted to working on base mode objects. In Developer Studio, the user can work only in Base Developer mode.
  • Overlay Group field set to 999999999
    When a group assigned to the user has the Overlay Group field set to 999999999, the user is restricted from creating, modifying, deleting, and importing objects. The user can only read and export objects from all layers.
  • Overlay Group set to (clear)
    When the Overlay Group is set to (clear), the group provides no restrictions on access to base, overlay, or custom objects. For more information about Overlay Groups, see Creating-and-managing-access-control-groups.

    Important

    When you assign a user to a group with the Overlay Group field set to 1, you must also assign the user to the Struct Admin or Struct Subadmin group. For more information, see User-and-group-access and Operations-on-objects-restricted-by-development-mode.

To create a new group with the Overlay Group option set to 1

  1. From the AR System Administration Console, select Application > Users/Groups/Roles > Groups.
  2. Create the Group as desired, and select 1 from the Overlay Group list. 

To create Struct Admin Permissions

  1. From the AR System Administration Console, select Application > Users/Groups/Roles > Groups.
  2. Create a group named Struct Admin Permissions, to provide access to the objects.
  3. Set the Group Category field to Regular.
  4. Set the Group Type field to Change.
  5. Specify a Group ID that no other groups use and that is outside of the range of BMC reserved Group IDs.

To assign groups to a user

  1. From the AR System Administration Console, select Application > Users/Groups/Roles > Users.
  2. Assign the following groups:

 
