Access Control: Groups, Roles, and Permissions



Overview

The initial administrator user is a global administrator. This user is granted all permissions, which allows it to access all data and functionality. A new user that is not assigned to a group is also treated as a global administrator. Global administrators have access to the "My Computer" connection, which is created during initial setup and is required to access content on the user's local desktop. Access to the "My Computer" connection is restricted by creating groups and assigning users to them.


In production installations, create users in the context of a newly created group. This avoids the security issue of implicit global-administrator access, including access to the "My Computer" connection, that an ungrouped user would otherwise receive.

Definitions

Groups and group memberships define the data to which users have access. For example, if an NFS connection is created by a user in Group A, a user assigned to Group B cannot access that connection. A group has access only to data created by its own members and by members of its child groups; it has no access to data created by its parent or peer groups.

The term tenant is also used in relation to groups. A tenant is any group created without a parent, also known as a root group. A user assigned to a root (tenant) group is considered a tenant administrator.

Permissions define the type of data and the level of access. For example, the List Jobs permission allows a user to view the list of jobs defined in the group or groups to which the user belongs.

Roles define a subset of permissions. For example, a role named 'Job Administrators' might include the List Jobs, Manage Jobs, and Control Jobs permissions.

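The visibility rule above, as an added executable model that a practitioner can use to write authorization test cases. This is not DryvIQ code: the group hierarchy, group names and function names are constructed for the example, and the only rules it encodes are the ones stated on this page (a group sees its own and its descendants' data, never its parent's or peers'; a user with no group is a global administrator; a group without a parent is a tenant).

```python
"""Executable model of the group visibility rule (added example, not DryvIQ code).

Rules from the page: a group sees data created by its own members and by members
of its child groups, never data created by its parent or peer groups. A user with
no group is a global administrator and sees everything. A group with no parent is
a root group, i.e. a tenant.
"""
from typing import Dict, Iterator, Optional, Set

# Constructed sample hierarchy: group id -> parent group id (None means root).
GROUPS: Dict[str, Optional[str]] = {
    "tenant-a": None,
    "tenant-a/eng": "tenant-a",
    "tenant-a/eng/migrations": "tenant-a/eng",
    "tenant-b": None,
}


def is_tenant(groups: Dict[str, Optional[str]], group_id: str) -> bool:
    """A tenant is a group created without a parent (a root group)."""
    return groups[group_id] is None


def lineage(groups: Dict[str, Optional[str]], group_id: str) -> Iterator[str]:
    """Yield group_id, then its parent, grandparent, ... up to the root.

    Raises KeyError for an unknown group and ValueError for a cyclic parent
    chain, so a corrupted hierarchy fails closed instead of looping forever.
    """
    seen: Set[str] = set()
    current: Optional[str] = group_id
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in group hierarchy at {current!r}")
        seen.add(current)
        if current not in groups:
            raise KeyError(current)
        yield current
        current = groups[current]


def can_access(groups: Dict[str, Optional[str]], user_group: Optional[str],
               data_group: str) -> bool:
    """True if a member of user_group may access data created in data_group.

    user_group=None models a user with no group, i.e. a global administrator.
    Otherwise access holds exactly when user_group is data_group itself or one
    of its ancestors, which is the same as data_group lying in user_group's
    subtree. A parent's or a peer's group never appears in that lineage.
    """
    if user_group is None:
        return True
    return user_group in lineage(groups, data_group)


def visible_groups(groups: Dict[str, Optional[str]], user_group: Optional[str]) -> Set[str]:
    """All groups whose data a member of user_group can reach."""
    return {g for g in groups if can_access(groups, user_group, g)}
```

The check walks upward from the group that owns the data rather than downward from the viewer's group, so it is a single parent-chain traversal per decision and does not need a child index; the cycle guard matters because a hierarchy with a bad parent reference would otherwise hang an authorization check.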
Creating Groups, Roles, and Users through the REST API

Three REST endpoints are used to create groups, roles, and users:

  • POST [base-url]/v1/groups

  • POST [base-url]/v1/roles

  • POST [base-url]/v1/users

Create Group

To create a new group, first obtain an access token from the [base-url]/connect/token endpoint. Then make a REST request using the information below.

Method

POST

URL

[base-url]/v1/groups

Headers

Authorization: Bearer [access_token]
Accept: application/json
Content-Type: application/json

Body

{
    "name": "Tenant 1"
}

Alternatively, include a parent reference to create a nested (child) group:

{
    "name": "Tenant 1",
    "parent": {
        "id": "[parent-group-id]"
    }
}

Create Role

Next, create a new role by making the REST request below, replacing [role name] with the role name and listing the IDs of the permissions the role should grant. The permission IDs and their descriptions are returned by GET [base-url]/v1/permissions. This request also requires the bearer token.

Method

POST

URL

[base-url]/v1/roles

Headers

Authorization: Bearer [access_token]
Accept: application/json
Content-Type: application/json

Body

{
    "name": "[role name]",
    "permissions": [
        "bbd25a404cdc4e01baabd0b79394cbd8",
        "d9507ec76bf7414aa8a74a0c88c32a48",
        "3560a25976504967bcd48a7e668a07a8"
    ]
}

Create User

Finally, create a new user by making the REST request below. Replace the bracketed items with the desired values, the role id with the id returned in the second step, and the group id with the id returned in the first step. Because roles is an array, several role IDs may be included. If the roles attribute is omitted entirely, the user is created as a tenant admin for that group, so omit it only when that level of access is intended.

Method

POST

URL

[base-url]/v1/users

Headers

Authorization: Bearer [access_token]
Accept: application/json
Content-Type: application/json

Body

{
    "login": "[username]",
    "password": "[password]",
    "name": "[display name]",
    "roles": [{
        "id": "[role-id]"
    }],
    "group": {
        "id": "[group-id]"
    }
}

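The three steps above as one script, added here as an example and not DryvIQ's own client code. It takes the bearer token from [base-url]/connect/token as given, and assumes, as the request bodies above imply, that each POST responds with a JSON object whose id field is the new object's ID. The function names, the injectable transport, and the DRYVIQ_BASE_URL and DRYVIQ_TOKEN environment variables are assumptions of this example. It goes one step beyond the page in a single respect: because omitting roles silently yields a tenant admin, create_user refuses to send a body without roles unless the caller asks for that explicitly.

```python
"""Chain the three POST requests above into one provisioning step.

Added example, not DryvIQ's own client code. Assumptions: each POST returns a
JSON object whose "id" field is the new object's ID (the request bodies above
reference groups and roles by "id"), and the bearer token has already been
obtained from [base-url]/connect/token.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Transport is injected so the workflow can be exercised without a server.
# Signature: (method, url, headers, json_body) -> parsed JSON response.
HttpCall = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


def urllib_http(method: str, url: str, headers: Dict[str, str],
                body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Standard-library transport for real use; urlopen raises on HTTP errors."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def auth_headers(access_token: str) -> Dict[str, str]:
    """The three headers every request on this page carries."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def create_group(http: HttpCall, base_url: str, token: str, name: str,
                 parent_id: Optional[str] = None) -> str:
    """POST /v1/groups; without a parent the new group is a root group (tenant)."""
    body: Dict[str, Any] = {"name": name}
    if parent_id is not None:
        body["parent"] = {"id": parent_id}
    return http("POST", f"{base_url}/v1/groups", auth_headers(token), body)["id"]


def create_role(http: HttpCall, base_url: str, token: str, name: str,
                permission_ids: List[str]) -> str:
    """POST /v1/roles with permission IDs taken from GET /v1/permissions."""
    if not permission_ids:
        raise ValueError("a role needs at least one permission ID")
    body = {"name": name, "permissions": list(permission_ids)}
    return http("POST", f"{base_url}/v1/roles", auth_headers(token), body)["id"]


def create_user(http: HttpCall, base_url: str, token: str, login: str, password: str,
                display_name: str, group_id: str, role_ids: Optional[List[str]] = None,
                tenant_admin: bool = False) -> str:
    """POST /v1/users.

    Omitting "roles" makes the user a tenant admin of the group, so that
    privileged outcome must be requested with tenant_admin=True instead of
    happening silently because a caller forgot to pass role IDs.
    """
    if not role_ids and not tenant_admin:
        raise ValueError("no role IDs given; pass tenant_admin=True to create a tenant admin")
    if role_ids and tenant_admin:
        raise ValueError("tenant_admin=True requires the roles list to be empty")
    body: Dict[str, Any] = {
        "login": login,
        "password": password,
        "name": display_name,
        "group": {"id": group_id},
    }
    if role_ids:
        body["roles"] = [{"id": rid} for rid in role_ids]
    return http("POST", f"{base_url}/v1/users", auth_headers(token), body)["id"]


def provision_tenant(http: HttpCall, base_url: str, token: str, tenant_name: str,
                     role_name: str, permission_ids: List[str], login: str,
                     password: str, display_name: str) -> Dict[str, str]:
    """Steps 1 to 3 of the page in order: group, role, then a user bound to both."""
    group_id = create_group(http, base_url, token, tenant_name)
    role_id = create_role(http, base_url, token, role_name, permission_ids)
    user_id = create_user(http, base_url, token, login, password, display_name,
                          group_id, role_ids=[role_id])
    return {"group_id": group_id, "role_id": role_id, "user_id": user_id}


if __name__ == "__main__":
    import getpass
    import os
    # Environment variable names are assumptions; the permission IDs are the
    # three from the page's example role body.
    print(provision_tenant(
        urllib_http, os.environ["DRYVIQ_BASE_URL"], os.environ["DRYVIQ_TOKEN"],
        "Tenant 1", "Job Administrators",
        ["bbd25a404cdc4e01baabd0b79394cbd8", "d9507ec76bf7414aa8a74a0c88c32a48",
         "3560a25976504967bcd48a7e668a07a8"],
        "jadmin", getpass.getpass("Password for jadmin: "), "Job Admin"))
```

Run it with DRYVIQ_BASE_URL and DRYVIQ_TOKEN set. The transport is a plain callable so the same functions can be driven by a fake HTTP layer in tests, which is also the easiest way to confirm that the group ID from step 1 and the role ID from step 2 are the ones that end up in the step 3 body.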

DryvIQ Migrate Version: 5.9
Release Date: October 18, 2024