Privileges

There are two types of privileges: object privileges and system privileges. Object privileges are granted for a specific object. System privileges are granted for object types, either across the entire system or limited to the objects in a particular partition.

Object Privileges

Object privileges always relate to a specific object and allow the grantee a specific right on the object. A View privilege on the RS_PrintStatements Process Definition, for example, is only valid for that Process Definition. If the user has no other Process Definition-related system privileges and no other object privileges on Process Definitions, the only Process Definition the grantee can view, or access, is RS_PrintStatements.

Object privileges cannot be granted directly; you grant ranks of privileges. For example, the Edit rank contains both View and Edit privileges. This prevents human error, as you need to see an object before you can edit it. Furthermore, privileges can be granted as Access and Admin; when you grant a privilege as Admin, the grantee can grant the privilege to other users.

System Privileges

System privileges are granted on two levels: per partition or system-wide. If you are using multiple partitions, you can restrict a system privilege to one partition.

The EventDefinition.Raise system privilege, for example, allows the grantee to raise all events they can view; combined with EventDefinition.View, they can access all events in a partition or across the entire system.
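The rules above can be checked with a small model when reviewing grants for least privilege. This is an added example, not Redwood Server code or its API: the class and function names, the "ProcessDefinition" type spelling, the View-only rank, and the partition and event names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Only "Edit contains View and Edit" is stated on the page; the View rank is assumed.
RANKS = {"View": {"View"}, "Edit": {"View", "Edit"}}

@dataclass(frozen=True)
class Obj:
    type: str          # object type, e.g. "EventDefinition"
    partition: str
    name: str

@dataclass(frozen=True)
class ObjectGrant:     # a rank granted on one specific object
    obj: Obj
    rank: str
    level: str = "Access"              # "Access" or "Admin"

@dataclass(frozen=True)
class SystemGrant:     # "<Type>.<Action>" for a partition or the whole system
    privilege: str
    partition: Optional[str] = None    # None means system-wide
    level: str = "Access"

def holds(grants, obj, action, need_admin=False):
    """True if any grant gives `action` on `obj` (at Admin level if requested)."""
    for g in grants:
        if need_admin and g.level != "Admin":
            continue
        if isinstance(g, ObjectGrant):
            if g.obj == obj and action in RANKS[g.rank]:
                return True
        elif g.privilege == f"{obj.type}.{action}" and g.partition in (None, obj.partition):
            return True
    return False

def can_raise(grants, event):
    # Raise covers only the events the grantee can also view.
    return holds(grants, event, "Raise") and holds(grants, event, "View")

# Constructed sample data: partition and event names are placeholders.
stmts = Obj("ProcessDefinition", "PART_A", "RS_PrintStatements")
other = Obj("ProcessDefinition", "PART_A", "Other_Definition")
ev_a = Obj("EventDefinition", "PART_A", "Event_A")
ev_b = Obj("EventDefinition", "PART_B", "Event_B")
grantee = [ObjectGrant(stmts, "Edit"),
           SystemGrant("EventDefinition.Raise"),           # system-wide
           SystemGrant("EventDefinition.View", "PART_A")]  # one partition only
```

With these grants, the system-wide Raise privilege is usable only on events in PART_A, because that is the only partition where the grantee can view events. Calling holds with need_admin=True answers whether the grantee could pass a privilege on to other users.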

The default roles cannot be edited, but roles you created in external authentication systems are editable in Redwood Server, provided you have the necessary security module; check your license if you are unsure. The default permissions granted to built-in roles are listed in the Granted System Privileges section.

Global Privileges

The following global privileges can be used to restrict access to a feature-set:

| Global Privilege Name | Description | Activated |
| --- | --- | --- |
| Access_Control_Center | Restricts access to Control Center. | true |
| AllowRunNow | Restricts access to the 'Run Now' action on a process. | true |
| App_Administrator | Restricts access to the signed application installer. | false |
| Archiver_Manager | Restricts usage of archiver processes to this privilege. | true |
| ChangeOwner | Restricts access to changing an owner using setOwner operation. | true |
| Configure_Housekeeping_Dashboard | Restricts configuration of the housekeeping dashboard. | true |
| Configure_Monitoring_Dashboard | Restricts configuration of the monitoring dashboard. | true |
| Configure_Network | Restricts access to change network settings. | true |
| Configure_Platform | Restricts access to change platform settings. These settings usually also require access to the underlying application server or operating system. | true |
| Configure_Published_Webservices | Restricts access to publish a job definition as a webservice. | true |
| Configure_Scheduler | Restricts access to change system-level scheduler settings. | true |
| Default_Navigation_Bar | Restricts access to the default navigation bar. | false |
| Externally_Available_Credential | Restricts access to the 'Externally Modified' attribute of Credentials. | false |
| Housekeeping_Dashboard | Restricts access to the housekeeping dashboard. | true |
| Job_Definition_Parameters | Restricts access to process definition parameters. | false |
| License_Management | Restricts access to license management. | true |
| Monitoring_Dashboard | Restricts access to the monitoring dashboard. | true |
| ObjectSearch | Restricts access to Object Search. | true |
| PLSQL_SetAnyUser | Restricts impersonating other users with jcs.setuser/jcs.use_known_password in the PL/SQL API. | true |
| Portal_Administration | Restricts administrative access to the support portal. | false |
| Redwood_Script | Restricts access to RedwoodScript. | false |
| ReplyAllEquivalentType | Restricts usage of reply all equivalent type for operator message action. | true |
| Support_Files_Get | Restricts access to the 'Get Support Files' action on a process or process server. | false |
| System_Dynamic_Trace | Restricts submit privileges on the System_DynamicTrace definition. | false |
| System_Shell | Restricts access to the web-based shell. | true |
| System_Support | Restricts access to the support utilities. | true |
| User_Administration | Restricts access to user management. | true |
| User_Voice | Restricts access to user voice. | false |