Managing scopes, roles, and permissions within Smartfacts CDCM is essential for ensuring proper access control and security of the configuration management system.
This chapter provides an overview of how to manage scopes, roles, and permissions and assign them to users effectively.
...
In Smartfacts CDCM, users can have multiple "scoped roles," which are roles defined within the system for specific scopes, either Spaces or Configuration Areas within a Space. Here's how it works:
...
Read: Grants read access to Spaces and all their Configuration Areas except for the Confidential Configuration Areas.
Read Confidential: Grants read access to Confidential Configuration Areas.
Create, Modify, Disable: Automatically created for each Unit or Configuration Type. Users must have scoped roles with appropriate permissions to perform these actions.
Maintain: Includes create, modify, and disable permissions.
Modify: Grants permission for modification only.
Delete: Grants permission for deletion only.
Administrative Permissions: These permissions can only be assigned to a space via a role and include tasks such as maintaining roles, the type system, configuration areas, storage locations, Single Sign-On (SSO) configuration, and Master Data.
...
Read Access: Users with a role that includes the "Read" permission for a space have read access to all non-confidential configuration areas in that space, including all the content of those configuration areas.
Confidential Access: For "Read" access to a confidential Configuration Area, users need a role with a "Read" permission for that confidential configuration area.
...
When a new unit or configuration type is created in Smartfacts CDCM, Create, Modify, and Delete permissions are automatically generated for that type with the following pattern: <conceptTypeName>Maintain, <conceptTypeName>Modify, <conceptTypeName>Delete.
This streamlines the process of managing access rights and ensures consistency across the system.
Here's how it works:
Automatic Permissions: Upon creation of a new unit or configuration type, the system automatically generates Create, Maintain, and Delete permissions specifically tailored to that type.
Scoped Role Requirement: In order for users to perform actions such as creating, modifying, or deleting units or configurations of a certain type, they must possess a scoped role that grants the necessary permissions.
Permission Inheritance: Configuration items inherit permissions from the configurations to which they are assigned. This ensures that access rights are cascaded down appropriately within the hierarchy.
Configuration Item Permissions Inheritance
Configuration items, which are integral parts of configurations, inherit permissions from their parent configurations. This inheritance mechanism simplifies permission management and ensures consistency across related entities. Here's how it works:
Inherited Permissions: Configuration items inherit permissions from the configurations to which they are associated. This means that the access rights granted to configurations are automatically extended to their associated configuration items.
Consistency and Efficiency: By inheriting permissions, configuration items maintain consistency with their parent configurations, streamlining the management of access rights and ensuring efficiency in permission management.
...
Authentication: Users are authenticated via a central authentication provider, such as Azure AD.
Token: When accessing CDCM, users carry a token containing tuples or triples defining which roles they have in which scope (spaces or configuration areas).
Role Assignment: The assignment of roles to users is handled outside of Smartfacts CDCM, with support for authorization providers like Azure AD.
So in order to give a user certain permissions, these permissions need to be added to a role in CDCM, and the token coming from the identity provider must be configured with the correct scope as well as the role key for that role (see image below). The customization options for the token from the identity provider are described on the Authorization Customization page.
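To make the model above concrete, here is an added illustration (not Smartfacts CDCM code) that evaluates a token of scoped roles against role definitions the way the permission, confidentiality, type-pattern and inheritance sections describe. The role keys, scope identifiers, the (role key, scope) pair shape of the token claims, and the rule that a space-scoped role also applies to each configuration area inside that space are assumptions made for the example.

```python
# Added illustration, not Smartfacts CDCM code: a minimal model of the scoped-role
# check this page describes. Role keys, scope ids and the token shape are assumed.

# Roles defined in CDCM: role key -> permission names.
# "RequirementMaintain" follows the page's <conceptTypeName>Maintain pattern.
ROLES = {
    "viewer": {"Read"},
    "auditor": {"Read", "Read Confidential"},
    "editor": {"Read", "RequirementMaintain"},
}
# Constructed scopes: one space with a public and a confidential configuration area.
SPACE = "space-a"
AREAS = {"ca-public": False, "ca-secret": True}  # area -> is confidential
AREA_SPACE = {area: SPACE for area in AREAS}
MAINTAIN_COVERS = {"Create", "Modify", "Disable"}  # what <type>Maintain bundles


def permissions_for(token, scope):
    """Permissions of every scoped role in the token ((role_key, scope) pairs) that
    targets `scope`; role keys not defined in CDCM grant nothing."""
    perms = set()
    for role_key, role_scope in token:
        if role_scope == scope:
            perms |= ROLES.get(role_key, set())
    return perms


def effective_permissions(token, area):
    """Assumption: a role scoped to the space also applies to each area inside it."""
    return permissions_for(token, area) | permissions_for(token, AREA_SPACE[area])


def can_read(token, area):
    """Read on the space covers non-confidential areas only; a confidential area needs
    a role carrying Read Confidential that is scoped to that area itself."""
    if AREAS[area]:
        return "Read Confidential" in permissions_for(token, area)
    return "Read" in effective_permissions(token, area)


def can_do(token, area, concept_type, action):
    """Type-specific action check; <type>Maintain implies the actions it bundles."""
    perms = effective_permissions(token, area)
    if f"{concept_type}{action}" in perms:
        return True
    return action in MAINTAIN_COVERS and f"{concept_type}Maintain" in perms


def can_read_item(token, item_area):
    """Configuration items inherit from their configuration, so the check is delegated."""
    return can_read(token, item_area)
```

Note that a token naming a role key that no CDCM role defines grants nothing, which is the failure mode to look for when a user's identity-provider claims and the CDCM role keys drift apart.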
...
Managing Roles & Permissions
...