Privileges
There are two types of privileges, object privileges and system privileges. Object privileges can be granted for a specific object. System privileges can be granted for object types in the entire system or in a partition and allow you to limit the privilege to objects in a particular partition.
Object Privileges
Object privileges always relate to a specific object and allow the grantee a specific right on the object. A View privilege on the RS_PrintStatements process definition, for example, is only valid for that process definition. If the user has no other process definition-related system privileges and no other object privileges on process definitions, the only process definition the grantee can view, or access, is RS_PrintStatements.
Object privileges cannot be granted directly, you grant ranks of privileges. For example, the Edit rank contains both View and Edit privileges, this prevents human error, as you need to see an object before you can edit it. Furthermore, privileges can be granted as Access and Admin, when you grant a privilege as Admin, the grantee can grant the privilege to other users.
System Privileges
System privileges are granted on two levels, per partition or system wide. If you are using multiple partitions, you can restrict a system privilege to one partition.
The EventDefinition.Raise system privilege, for example, allows the grantee to raise all events he can view, combined with the EventDefinition.View he can access all events in a partition or across the entire system.
The default roles cannot be edited, but roles you created in external authentication systems are editable in Redwood Server provided you have the necessary security module, please check your license if you are unsure. The default permissions granted to built-in roles are listed in the Granted System Privileges section.
Global Privileges
The following global privileges can be used to restrict access to a feature-set:
Global Privilege Name | Description | Activated |
---|---|---|
App_Administrator | Restricts access to the signed apllication installer. | false |
ChangeOwner | Restricts access to changing an owner using setOwner operation. | true |
Configure_Platform | Restricts access to change platform settings. These settings usually also require access to the underlying application server or operating system. | true |
Configure_Scheduler | Restricts access to change system-level scheduler settings. | true |
Default_Navigation_Bar | Restricts access to the default navigation bar. | false |
Externally_Available_Credential | Restricts access to the 'Externally Modified' attribute of Credentials. | false |
Job_Definition_Parameters | Restricts access to process definition parameters. | false |
License_Management | Restricts access to license management. | true |
ObjectSearch | Restricts access to Object Search. | true |
PLSQL_SetAnyUser | Restricts impersonating other users with jcs.setuser/jcs.use_known_password in the PL/SQL API. | true |
Portal_Administration | Restricts administrative access to the support portal. | false |
Redwood_Script | Restricts access to RedwoodScript. | false |
Support_Files_Get | Restricts access to the 'Get Support Files' action on a process or process server. | false |
System_Dynamic_Trace | Restricts submit privileges on the System_DynamicTrace definition. | false |
System_Shell | Restricts access to the web-based shell | true |
System_Support | Restricts access to the support utilities. | true |
User_Administration | Restricts access to user management. | true |
User_Voice | Resticts access to user voice. | false |
note
Deactivated global privileges must be activated before they have any effect. Note that as soon as you activate the privileges, users who do not have these privileges granted to any of their roles will not be able to use the affected feature.
The following RedwoodScript code illustrates activating the Default_Navigation_Bar global privilege:
{
GlobalPrivilege priv = jcsSession.getGlobalPrivilegeByName(GlobalPrivilege.PRIVILEGE_DEFAULT_NAVIGATION_BAR);
priv.setActivated(true);
jcsSession.persist();
}
Listing Privileges for a User
The following code prints all the privileges granted to a specific user, either directly or via any of his roles:
Note that the privileges are not sorted and privileges will be printed multiple times if the privilege was granted to more than one of the subjects (user and/or roles).
{
String username = "Administrator";
Subject user = jcsSession.getSubjectByTypeName(SubjectType.User, username);
if (user != null)
{
jcsOut.println("#############################################################################");
jcsOut.println(username);
jcsOut.println("#############################################################################");
jcsOut.println("-Global Grants");
for (SubjectGlobalPrivilegeGrant sgpg: user.getAssignedSubjectGlobalPrivilegeGrants())
{
jcsOut.println("---"+sgpg.getGrantedGlobalPrivilege().getName());
}
jcsOut.println("-Object Type Grants");
for (SubjectObjectTypePrivilegeGrant sotpg: user.getAssignedSubjectObjectTypePrivilegeGrants())
{
jcsOut.println("---"+sotpg.getObjectDefinition().getObjectName()+" at rank "+sotpg.getGrantedRank()+" at level "+sotpg.getLevel().toString());
}
jcsOut.println("-Direct Object Grants");
for (SubjectObjectPrivilegeGrant sopg: user.getAssignedSubjectObjectPrivilegeGrants())
{
String rank = sopg.getGrantedRank().getName();
SchedulerEntity se = sopg.getSchedulerEntity();
String bk = "";
if (se instanceof BusinessKeyObject)
{
BusinessKeyObject bkObject = (BusinessKeyObject) se;
bk = bkObject.getBusinessKey().toString();
}
else
{
bk = se.getErrorNameEN();
}
//all users have access to their personal registry hive
if(bk.indexOf("user."+username) < 0)
{
jcsOut.println("---"+bk+" with rank "+ rank);
}
}
//Get Role Grants and their privileges
for (SubjectRoleGrant rGrant: user.getAssignedSubjectRoleGrants())
{
Subject role = rGrant.getGrantedSubject();
jcsOut.println("--#############################################################################");
jcsOut.println("--"+role.getName());
jcsOut.println("--#############################################################################");
jcsOut.println("---Global Grants");
for (SubjectGlobalPrivilegeGrant sgpg: role.getAssignedSubjectGlobalPrivilegeGrants())
{
jcsOut.println("-----"+sgpg.getGrantedGlobalPrivilege().getName());
}
jcsOut.println("---Object Type Grants");
for (SubjectObjectTypePrivilegeGrant sotpg: role.getAssignedSubjectObjectTypePrivilegeGrants())
{
jcsOut.println("-----"+sotpg.getObjectDefinition().getObjectName()+" at rank "+sotpg.getGrantedRank()+" at level "+sotpg.getLevel().toString());
}
jcsOut.println("---Direct Object Grants");
for (SubjectObjectPrivilegeGrant sopg: role.getAssignedSubjectObjectPrivilegeGrants())
{
String rank = sopg.getGrantedRank().getName();
String bk = "";
SchedulerEntity se = sopg.getSchedulerEntity();
if (se instanceof BusinessKeyObject)
{
BusinessKeyObject bkObject = (BusinessKeyObject) se;
bk = bkObject.getBusinessKey().toString();
}
else
{
bk = se.getErrorNameEN();
}
jcsOut.println("-----"+bk+" with rank "+ rank);
}
}
}
else
{
throw new RuntimeException("User " + username + " does not exist.");
}
}