Security in Redwood Platform
Redwood Platform authentication relies on an XML file, which contains both usernames and passwords in clear text.
Warning: Redwood strongly recommends using LDAP or database security with Redwood Platform!
The Redwood Platform ships with the following core roles, which have been added to Redwood Platform:
- scheduler-administrator - can perform all actions.
- scheduler-isolation-administrator - can import and modify users.
- scheduler-user - has access to Redwood Server only, cannot see any objects (always required, even for administrators).
You should add the following roles to your tomcat-users.xml file:
- scheduler-bae-only-user - indicates that the user account is restricted to logging in via the SAP Inbound interface only.
- scheduler-event-operator - can raise and clear events, as well as all privileges assigned to scheduler-viewer.
- scheduler-job-administrator - can create/edit/delete event definitions, process definitions, and chain definitions and modify both processes and chains, as well as all privileges assigned to scheduler-event-operator.
- scheduler-screen-reader - indicates that you are using a screen reader.
- scheduler-viewer - read-only access to all objects.
If you have purchased the Insight module, you will need the following as well:
- scheduler-business-user - can access the business-user-centric user interface.
- scheduler-it-user - can access the IT-user-centric user interface.
Any new roles you need should be added to the XML file; Redwood Platform will have to be restarted, and a user needs to log in with that role before it can be used in Redwood Server.
Redwood Server Security
As soon as a user logs on to Redwood Server with one of the above roles, a user and/or role (if applicable) is created in the system with the same name.
Object and System Privileges can be granted to a user or a role.
System privileges are granted in the user or role object itself; object privileges are granted from the object itself, using the Security tab of the object.
- Using Privileges
- System Privileges
- Object Privileges
- Granting and Revoking System Privileges
- Granting or Revoking Object Privileges
Note: You can also assign privileges in the shell, if you have the Scripting Module, which requires the Module.Scripting license key.
Procedure
To add a new user:
- Open <install_dir>/j2ee/cluster/global/conf/tomcat-users.xml.
- Enter a new user tag containing the values below.
- Save the file and restart Redwood Platform.
Values
- username - the user's login name
- password - the user's password
- roles - the privileges the user will have.
To assign a role to an existing user:
- Locate the line containing the entry for the user.
- Add the name of the role to the end of the list of roles, preceded by a comma.
Creating a custom role
- Open <install_dir>/j2ee/cluster/global/conf/tomcat-users.xml.
- Enter a new role tag containing a role name.
- Edit a user, and assign this role to the user.
- Save the file and restart Redwood Platform.
- Log in with the user you assigned the role to.
Editing a custom role
- Navigate to "Security > Roles".
- Choose Edit from the context-menu of an editable role. Editable roles have a description: Created automatically on first login.
- On the Assign Privileges tab, choose an Object definition and then Next.
- Choose the desired range of the privileges.
- Choose a Rank with the desired privileges. Admin privileges allow the user to perform the action and to grant the privilege to others as well. Access privileges allow the user to perform the actions.
Example:
Add the missing roles:
<role rolename="scheduler-event-operator"/>
<role rolename="scheduler-job-administrator"/>
<role rolename="scheduler-viewer"/>
<role rolename="scheduler-screen-reader"/>
Adding jdoe to your tomcat-users.xml file:
<user username="jdoe" password="mysecret" roles="scheduler-user"/>
Add the scheduler-event-operator role to jdoe:
<user username="jdoe" password="mysecret" roles="scheduler-user,scheduler-event-operator"/>
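Because every account must carry scheduler-user and every role referenced in a roles attribute must also be declared with a role tag, a quick consistency check of tomcat-users.xml is useful before restarting Redwood Platform. The following audit script is an added example, not part of the Redwood documentation; the sample file, the user asmith and the function name audit_tomcat_users are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml, modelled on the examples above.
# "jdoe" is consistent; "asmith" lacks the mandatory scheduler-user role
# and references scheduler-viewer, which has no <role> declaration.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="scheduler-user"/>
  <role rolename="scheduler-administrator"/>
  <role rolename="scheduler-event-operator"/>
  <user username="jdoe" password="mysecret" roles="scheduler-user,scheduler-event-operator"/>
  <user username="asmith" password="secret2" roles="scheduler-administrator,scheduler-viewer"/>
</tomcat-users>
"""

# Required for every account, administrators included (see the core roles above).
MANDATORY_ROLE = "scheduler-user"


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for one tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.iter("role")}
    findings = []
    for user in root.iter("user"):
        name = user.get("username", "<missing username>")
        # The roles attribute is a comma-separated list; tolerate stray spaces.
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        if MANDATORY_ROLE not in roles:
            findings.append((name, "missing mandatory role " + MANDATORY_ROLE))
        for role in roles:
            if role not in declared:
                findings.append((name, "role not declared with a <role> tag: " + role))
        # As the page notes, this file keeps the password in clear text, so
        # every populated password attribute is worth reporting to the reviewer.
        if user.get("password"):
            findings.append((name, "clear-text password present"))
    return findings


if __name__ == "__main__":
    for username, finding in audit_tomcat_users(SAMPLE_XML):
        print(username + ": " + finding)
```

Run it against the real file with `audit_tomcat_users(open(path).read())`; an empty result for the role checks means every user can log in with the roles listed, although the clear-text password finding remains until LDAP or database security is used.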