Security profiles
Administration page
Application/Contract | Class | Representation |
---|---|---|
Syracuse/Collaboration | securityProfiles | SecurityProfile |
A security profile defines a set of restrictions and authorizations for the platform administration. To be effective, security profiles must be associated with roles. If a role has no security profile, the user connected with this role will not have restrictions on the administration operations. It is important to set up security profiles to ensure the security of the platform administration.
The information entered while defining a security profile is as follows:
Code
Identifies the security profile.
Description
Describes the security profile.
Personalization level
Defines the level of personalization a user can perform on pages:
* None: no personalization is allowed.
* User: personalization is allowed, but only on a page that is dedicated to the user.
* Administrator: the user can modify authored pages shared by several users.
Allow Office document upload
Defines whether the user can upload Office documents. It is deactivated by default to protect against malicious Office documents, and must be activated for the user to be able to upload Office documents.
Security Level
Defines a numeric level associated with each profile. Profile levels range from 0 to 99. A user can only create or modify security profiles whose level is higher than the level of the security profile they are associated with. In other words, a user with security level 1 can only view and maintain security profiles with security level 2 and above.
Authorizations
In this grid, a list of predefined codes is displayed with an associated description. Every code identifies the corresponding controlled entities with filters.
For example, the users code controls the access to the users, groups, and roles entities. The myProfile code controls the access to the user profile for the connected user: a user may have the right to change their own profile, but not the profile of other users. The detailed list of the codes and associated entities is given in the Appendix section.
For every code, you can select the check boxes to define the access rights granted by the security profile. When a check box is cleared, the access right is denied. A user cannot grant access rights on codes for which they do not hold those rights themselves; in that case, the corresponding check boxes are disabled.
The access rights are the usual CRUD access (Creation, Read, Update, and Delete), plus an additional Execution right. The execution right controls dedicated operations as described in the Appendix section.
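The two constraints described above, the security level ordering and the rule that a user cannot grant rights they do not hold, as an added example that is not part of the product's code; profile names, codes and rights sets are constructed for illustration:

```python
from dataclasses import dataclass, field

# The five rights of the authorizations grid: CRUD plus Execution.
RIGHTS = frozenset({"create", "read", "update", "delete", "execute"})


@dataclass
class SecurityProfile:
    code: str
    level: int                                    # 0..99; a lower number is more privileged
    rights: dict = field(default_factory=dict)    # authorization code -> set of rights

    def __post_init__(self):
        if not 0 <= self.level <= 99:
            raise ValueError(f"{self.code}: security level must be between 0 and 99")
        for code, granted in self.rights.items():
            if not set(granted) <= RIGHTS:
                raise ValueError(f"{self.code}: unknown rights on {code}")


def can_maintain(editor: SecurityProfile, target: SecurityProfile) -> bool:
    """Level rule: a user only views/maintains profiles strictly above their own level."""
    return target.level > editor.level


def disallowed_grants(editor: SecurityProfile, target: SecurityProfile) -> dict:
    """Rights in target that the editor does not hold (the boxes the UI disables)."""
    excess = {}
    for code, granted in target.rights.items():
        missing = set(granted) - set(editor.rights.get(code, ()))
        if missing:
            excess[code] = sorted(missing)
    return excess


def validate_edit(editor: SecurityProfile, target: SecurityProfile):
    """Returns (ok, reasons) for an attempt by editor to save target."""
    if not can_maintain(editor, target):
        return False, [f"level {target.level} is not above editor level {editor.level}"]
    excess = disallowed_grants(editor, target)
    return not excess, [f"{code}: {rights}" for code, rights in sorted(excess.items())]


# Constructed sample profiles (hypothetical, not from the page).
ADMIN = SecurityProfile("ADMIN", 1, {"users": set(RIGHTS), "technicalSettings": {"read", "update"}})
HELPDESK = SecurityProfile("HELPDESK", 10, {"users": {"read", "update"}, "technicalSettings": {"read"}})
OVERREACH = SecurityProfile("OVERREACH", 20, {"technicalSettings": {"read", "delete"}, "scheduler": {"execute"}})
```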
Associated roles
This section defines the list of roles to which the security profile applies. The assignment can be done here or from the roles management page.
A role cannot be associated with several security profiles. If the role has no security profile, there is no restriction set on the role.
Factory
This check box defines whether the record is supplied as a factory record. When it is, a factory code is also displayed and can be entered if you are a factory provider. This feature prevents some modifications on records supplied by default by Sage or by a vertical solution provider. More information about this feature is given in the following document.
Appendix: definition of security profile codes
The list of codes and their corresponding entities are defined in the following table:
- For every code, a list of entities can be given.
- If the filter is not filled, the access rights apply on the whole entity.
- The Execution right describes the associated operations if they exist.
Code | Entity | Filter on... | CRUD filter | Properties access restriction (empty if no field restriction) | Execution right |
---|---|---|---|---|---|
myProfile | users | connected user | read and update | login, title, firstName, lastName, fullName, password, photo, email can be modified only | |
myProfile | Classic client sessions | connected user | lists only the sessions owned by the user | User login, Solution, Folder, User, Language code, Last Access, Time out, Reused, Open, Creation Date | |
myProfile | Session infos | connected user | lists only the sessions owned by the user | Session ID, User name, Badges, Client ID, Last URL | |
myProfile | roles | only the roles the user has access to | read-only access | description can only be viewed | |
myProfile | endpoints | only the endpoints the user has access to | read-only | code, description, application, contract can be viewed only | |
myProfile | Soap Classic pools | only the pools associated to endpoints the user has access to | read-only | | |
myProfile | localePreferences | all the locale preferences | read-only access | | |
myProfile | Host traces | only traces created by sessions assigned to the user | read-only access | | |
users | users | | yes | | |
users | BO servers and BO profiles | | read-only access | | |
users | navigation pages | | read-only access | | |
users | mobile applications | | read-only access | | |
users | groups | | yes | | |
users | roles | | yes | | |
users | Endpoints | | read-only access | Description | |
users | Applications | | read-only access | Description | |
users | security profiles | only the security profiles having a security level with a greater value than the one associated to the user's security level | yes (CRUD on header and lines) | | |
users | teams | | yes | | |
users | Badges, and license related data | | read-only access | | |
technicalSettings | ldap | | yes | | |
technicalSettings | Oauth2 | | yes | | |
technicalSettings | Clients reused list | | yes | | |
technicalSettings | Technical information (about...) | | yes | | |
technicalSettings | updates | | yes | | |
technicalSettings | Notification Servers | | yes | | |
technicalSettings | Batch controller | | List, interrupt, delete tasks | | Start and stop the server |
technicalSettings | Roles | | read-only access | | |
technicalSettings | Groups | | read-only access | | |
technicalSettings | Badges, and license related data | | yes | | |
technicalSettings | BO servers and BO profiles | | yes | | |
technicalSettings | HRM web servers and HRM sites | | yes | | |
technicalSettings | Trace records | | yes | | |
technicalSettings | Session infos | | yes | | |
technicalSettings | saml2 | | yes | | |
technicalSettings | scheduler | | yes | | yes |
technicalSettings | Applications | | yes | | |
technicalSettings | EndPoints | | yes | | |
technicalSettings | badge | | yes | | |
technicalSettings | settings | | yes | | |
technicalSettings | x3server | | yes | | |
technicalSettings | localePreference | | yes | | |
technicalSettings | friendServer | | yes | | |
technicalSettings | license | | yes | | |
technicalSettings | patch | | yes | | |
technicalSettings | apatch | | yes | | |
technicalSettings | host | | yes | | |
technicalSettings | license data | | yes | | |
technicalSettings | caCertificate | | yes | | |
technicalSettings | certificate | | yes | | |
technicalSettings | proxyConfiguration | | yes | | |
technicalSettings | storageVolume | | yes | | |
technicalSettings | X3 solutions | | yes | | |
authoring (personalization) | Applications | | read-only access | | |
authoring (personalization) | pageData | | yes | | |
authoring (personalization) | dashboardDef | | yes | | |
authoring (personalization) | Customized pages | | yes | | |
pages | portlet | | yes | | |
pages | menuItem | | yes | | |
pages | menuCategory | | yes | | |
pages | navigationPage | | yes | | |
pages | landingPage | | yes | | |
pages | menuModule | | yes | | |
pages | menuBlocks and sub-blocks | | yes | | |
pages | Mobile applications | | yes | | |
pages | Mobile dashboards | | yes | | |
pages | Mobile gadgets | | yes | | |
pages | Applications | | read-only access | | |
pages | Endpoints | | read-only access | | |
pages | Mobile dashboards upgrade | | yes | | |
collaborationArea | team | on the teams the user administrates | yes | only on the properties description, isPublic, explorer, tags, administrator, authors, members, documents, templateDocuments | |
collaborationArea | team | on the teams the user is administrator, author, or member of | read-only | | |
collaborationArea | document | on documents not assigned to a team, or assigned to a team the user administrates, or assigned to a team the user is author of | creation access | only on the properties description, documentType, documentDate, fileName, content, expiration, uri, isReadOnly, className, x3Keys, representationName, volume, teams, owner, tags, endpoint | |
collaborationArea | document | on documents a user owns, or documents not assigned to a team, or documents assigned to a team on which the user has the administration, author, or reader role | read access | | |
collaborationArea | document | on documents not assigned to a team, or documents assigned to a team on which the user has the administration role, or documents a user owns and that are assigned to a team on which the user has the author role | update / delete access | | |
collaborationArea | storageVolume | | read-only | | |
collaborationArea | documentTag | | yes | | |
collaborationArea | documentTagCategory | | yes | | |
collaborationArea | documentInternalTag | | yes | | |
collaborationArea | msoWordTemplateDocument | | yes | | |
collaborationArea | Users | | read-only access | | |
collaborationArea | Notification events | | yes | | |
collaborationArea | Notification themes | | yes | | |
collaborationArea | Mail templates | | yes | | |
collaborationArea | Notification servers | | yes | | |
collaborationArea | Applications | | read-only access | | |
StatusAndUsage | sessionInfo | | only deletion is possible | | |
StatusAndUsage | cvgReuseClient | | yes | | |
StatusAndUsage | cvgSession | | yes | | |
StatusAndUsage | Endpoints | | yes | | |
StatusAndUsage | server logs | | yes | | |
StatusAndUsage | textTranslation | | yes | | yes |
StatusAndUsage | searchAdmin | | yes | | yes |
StatusAndUsage | X3 solutions | | read-only access | | |
StatusAndUsage | Classic SOAP web services | | yes | | |
StatusAndUsage | Rest web services | | yes | | |
StatusAndUsage | scheduler | | yes | | |
StatusAndUsage | Groups | | read-only access | | |
StatusAndUsage | Applications | | read-only access | | |
StatusAndUsage | License view | | read-only access | | |
StatusAndUsage | server logs | | yes | | |
StatusAndUsage | Batch controller | | List, interrupt, delete tasks | | Start and stop the server |
importData | importSession | | yes | | |
importData | Endpoints | | read-only access | | yes |
importData | importTool | | yes | | yes |
importData | x3UserImport | | | | execution only |
importData | MenuProfleImport | | | | execution only |
exportData | exportProfile | | yes | | yes |
exportData | Personalization management | | yes | | yes |
exportData | Resource packs | | yes | | |
exportData | Endpoints | | read-only access | | execution only |
exportData | Applications | | read-only access | | execution only |
Development | Using the Eclipse Editor | | yes | | |
Development | Using the Eclipse Debugger | | yes | | |
Printing | Using the Print Server (Reports, Prints/group) | | yes | | yes |
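The collaborationArea document filters from the table (creation, read, and update/delete access depending on team assignment, ownership and team role), as an added example that is not part of the product's code; the team membership, document records and the Document/team_role names are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    name: str
    owner: str
    team: Optional[str]   # None when the document is not assigned to a team


# Constructed team membership: team -> {user: role}; roles are administrator, author, reader.
TEAMS = {
    "finance": {"alice": "administrator", "bob": "author", "carol": "reader"},
}


def team_role(user: str, team: Optional[str]) -> Optional[str]:
    return TEAMS.get(team, {}).get(user) if team else None


def can_create(user: str, doc: Document) -> bool:
    """Not assigned to a team, or a team the user administrates or is author of."""
    return doc.team is None or team_role(user, doc.team) in ("administrator", "author")


def can_read(user: str, doc: Document) -> bool:
    """Owned by the user, not assigned to a team, or team with admin/author/reader role."""
    return (doc.owner == user or doc.team is None
            or team_role(user, doc.team) in ("administrator", "author", "reader"))


def can_update_or_delete(user: str, doc: Document) -> bool:
    """Not assigned to a team, team administrator, or owner with the author role."""
    role = team_role(user, doc.team)
    return (doc.team is None or role == "administrator"
            or (doc.owner == user and role == "author"))


def visible_documents(user: str, docs) -> list:
    """The read filter applied to a listing: the documents the user would see."""
    return [d.name for d in docs if can_read(user, d)]


# Constructed sample documents (not from the page).
DOCS = [
    Document("budget.xlsx", owner="bob", team="finance"),
    Document("memo.docx", owner="dave", team="finance"),
    Document("notes.txt", owner="erin", team=None),
    Document("secret.pdf", owner="frank", team="hr"),   # a team the sample users are not in
]
```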