Managing scopes, roles, and permissions within Smartfacts CDCM is essential for ensuring proper access control and security of the configuration management system. This chapter provides an overview of how to manage scopes, roles, and permissions and assign them to users effectively.
Scopes and Roles
In Smartfacts CDCM, users can possess multiple "scoped roles," which are roles defined within the system for specific scopes, either Spaces or Configuration Areas within a Space. Here's how it works:
Scoped Roles: Users are assigned roles within specific scopes, such as Spaces or Configuration Areas. These roles define the permissions granted to the user within that scope.
Scope Specificity: Roles assigned to users are valid only within the assigned scope. Users may have different roles for the same scope with overlapping permissions.
Permissions
Permissions in Smartfacts CDCM are predefined and cannot be configured. These permissions dictate access levels to content within the system:
Read: Grants read access to Spaces and all their Configuration Areas except for the Confidential Configuration Areas.
Read Confidential: Grants read access to Confidential Configuration Areas.
Create, Modify, Disable: Automatically created for each Component or Configuration Type. Users must possess scoped roles with appropriate permissions to perform these actions.
Maintain: Includes create, modify, and disable permissions.
Modify: Grants permission for modification only.
Delete: Grants permission for deletion only.
Administrative Permissions: These permissions can only be assigned to a space via a role and include tasks such as maintaining roles, the type system, configuration areas, storage locations, Single Sign-On (SSO) configuration, and Master Data.
Access to Content
Access to content within Smartfacts CDCM is determined by the permissions assigned to users:
Read Access: Users with a role that has the "Read" permission for a space have read access to all non-confidential configuration areas in that space, including all the content of those configuration areas.
Confidential Access: For "Read" access to a confidential Configuration Area, users need a role with a "Read" permission for that confidential configuration area.
Write Permissions
When a new component or configuration type is created in Smartfacts CDCM, Create, Modify, and Disable permissions are automatically generated for that type with the following pattern: <conceptTypeName>Maintain, <conceptTypeName>Modify, <conceptTypeName>Delete. This streamlines the process of managing access rights and ensures consistency across the system. Here's how it works:
Automatic Permissions: Upon creation of a new unit or configuration type, the system automatically generates Create, Maintain, and Delete permissions specifically tailored to that type.
Scoped Role Requirement: In order for users to perform actions such as creating, modifying, or deleting units or configurations of a certain type, they must possess a scoped role that grants the necessary permissions.
Permission Inheritance: Configuration items inherit permissions from the configurations to which they are assigned. This ensures that access rights cascade down appropriately within the hierarchy.
Configuration Item Permissions Inheritance
Configuration items, as integral parts of configurations, inherit permissions from their parent configurations. This inheritance mechanism simplifies permission management and ensures consistency across related entities. Here's how it functions:
Inherited Permissions: Configuration items inherit permissions from the configurations to which they are associated. This means that the access rights granted to configurations are automatically extended to their associated configuration items.
Consistency and Efficiency: By inheriting permissions, configuration items maintain consistency with their parent configurations, streamlining the management of access rights and ensuring efficiency in permission management.
Authorization Process
The authorization process in Smartfacts CDCM involves authentication via a central authentication provider, such as Azure AD. Here's how it works:
Authentication: Users are authenticated via a central authentication provider, such as Azure AD.
Token: When accessing CDCM, users carry a token containing tuples or triples defining which roles they own in which scope (spaces or configuration areas).
Role Assignment: The assignment of roles to users is handled outside of Smartfacts CDCM, with support for authorization providers like Azure AD.
So in order to give a user certain permissions these permissions have to be added to a role in CDCM and the token coming from the identity provider has to be configured with the correct scope and the role key for that role (see image below). This page describes the customization options for the token from the identity provider.
Managing Roles & Permissions
To configure Roles and Permissions in Smartfacts CDCM, follow these steps:
Navigate to Admin Area: Access the admin area of Smartfacts CDCM. (Cogwheel icon at the bottom left in the side menu)
Select Roles & Permissions
Choose an action
Add a new role by clicking on the + Add Role button at the top right
Edit a roles permission by selecting a role from the list
Assign a permission by clicking on the + button in the list of unassigned permissions
Unassign a permission by clicking on the - button in the list of assigned permissions
Permissions can be filtered by access type, unit type and permission type
Example of a Configuration
The following examples of scoped roles include the token provided by the identitiy provider (=IDP). These examples where done with the default settings for Authorization Customization. For example the separator for the different parts of the token can be changed from the default which is a singe .
Give the user a bare minimum role
Create a role which has the permission Space - Read assigned to it. In this example the space has the key spaceOne and the role has the key bm:
Go to the IDP and add the attribute
key | value |
|---|---|
cdcm | spaceOne.bm |
On log-in the user receives the role “Bare Minimum” in the scope of the space with the key “spaceOne” and is now able to read that space and all containing non-confidential configuration areas.
Assign a role to a user for all configuration areas within a space
Create a role which has certain permissions assigned to it. In this example the space has the key spaceOne and the role has the key user:
Go to the IDP and add the attribute
key | value |
|---|---|
cdcm | spaceOne.*.user |
On log-in the user receives the role role “user” (last part of the token value) in the space with the key “spaceOne” (first part of the token value) in all non confidential configuration area (wildcard * in the second part of the token)
Assign a role to a user for a specific configuration area
Create a role which has certain permissions assigned to it. In this example the space has the key spaceOne the configuration area has the key caOne and the role has the key ca-admin:
Go to the IDP and add the attribute
key | value |
|---|---|
cdcm | spaceOne.caOne.ca-admin |
On log-in the user receives the role role “user” (last part of the token value) in the space with the key “spaceOne” (first part of the token value) in the configuration area with the key caOne (second part of the token value)
Conclusion
Managing scopes, roles, and permissions in Smartfacts CDCM is crucial for maintaining proper access control and security within the configuration management system. By defining roles within specific scopes and assigning appropriate permissions, organizations can ensure that users have the necessary access to perform their tasks effectively while maintaining data security. For detailed instructions on managing roles and permissions, refer to the administration documentation or contact support for assistance.