Privileges

There are two types of privileges: object privileges and system privileges. Object privileges are granted for a specific object. System privileges are granted for object types, either in the entire system or in a single partition, which lets you limit the privilege to the objects in that partition.

Object Privileges

Object privileges always relate to a specific object and allow the grantee a specific right on the object. A View privilege on the RS_PrintStatements Process Definition, for example, is only valid for that Process Definition. If the user has no other Process Definition-related system privileges and no other object privileges on Process Definitions, the only Process Definition the grantee can view, or access, is RS_PrintStatements.

Object privileges cannot be granted individually; instead you grant ranks of privileges. The Edit rank, for example, contains both the View and Edit privileges, which prevents the human error of granting Edit without View, as you need to see an object before you can edit it. Furthermore, privileges can be granted as Access or as Admin; when you grant a privilege as Admin, the grantee can in turn grant that privilege to other users.

System Privileges

System privileges are granted on two levels, per partition or system wide. If you are using multiple partitions, you can restrict a system privilege to one partition.

The EventDefinition.Raise system privilege, for example, allows the grantee to raise all events he can view; combined with the EventDefinition.View privilege, he can access, and therefore raise, all events in a partition or across the entire system.

The default roles cannot be edited, but roles you created in external authentication systems are editable in Redwood Server, provided you have the necessary security module; check your license if you are unsure. The default permissions granted to the built-in roles are listed in the Granted System Privileges section.

Global Privileges

The following global privileges can be used to restrict access to a feature set:

Global Privilege Name | Description | Activated
--- | --- | ---
App_Administrator | Restricts access to the signed application installer. | false
ChangeOwner | Restricts access to changing an owner using the setOwner operation. | true
Configure_Platform | Restricts access to changing platform settings. These settings usually also require access to the underlying application server or operating system. | true
Configure_Scheduler | Restricts access to changing system-level scheduler settings. | true
Default_Navigation_Bar | Restricts access to the default navigation bar. | false
Externally_Available_Credential | Restricts access to the 'Externally Modified' attribute of Credentials. | false
Job_Definition_Parameters | Restricts access to Process Definition parameters. | false
License_Management | Restricts access to license management. | true
ObjectSearch | Restricts access to Object Search. | true
PLSQL_SetAnyUser | Restricts impersonating other users with jcs.setuser/jcs.use_known_password in the PL/SQL API. | true
Portal_Administration | Restricts administrative access to the support portal. | false
Redwood_Script | Restricts access to RedwoodScript. | false
Support_Files_Get | Restricts access to the 'Get Support Files' action on a process or Process Server. | false
System_Dynamic_Trace | Restricts submit privileges on the System_DynamicTrace definition. | false
System_Shell | Restricts access to the web-based shell. | true
System_Support | Restricts access to the support utilities. | true
User_Administration | Restricts access to user management. | true
User_Voice | Restricts access to user voice. | false

Note: Deactivated global privileges must be activated before they have any effect. As soon as you activate a privilege, users who do not have it granted to any of their roles will no longer be able to use the affected feature.

The following RedwoodScript code illustrates activating the Default_Navigation_Bar global privilege:

{
  GlobalPrivilege priv = jcsSession.getGlobalPrivilegeByName(GlobalPrivilege.PRIVILEGE_DEFAULT_NAVIGATION_BAR);
  priv.setActivated(true);
  jcsSession.persist();
}

Listing Privileges for a User

The following code prints all privileges granted to a specific user, either directly or via any of his roles.

Note that the privileges are not sorted, and a privilege is printed more than once if it was granted to more than one of the subjects involved (the user and/or his roles).

{
  String username = "Administrator";
  Subject user = jcsSession.getSubjectByTypeName(SubjectType.User, username);
  if (user != null)
  {
    jcsOut.println("#############################################################################");
    jcsOut.println(username);
    jcsOut.println("#############################################################################");
    jcsOut.println("-Global Grants");
    for (SubjectGlobalPrivilegeGrant sgpg: user.getAssignedSubjectGlobalPrivilegeGrants())
    {
      jcsOut.println("---"+sgpg.getGrantedGlobalPrivilege().getName());
    }
    jcsOut.println("-Object Type Grants");

    for (SubjectObjectTypePrivilegeGrant sotpg: user.getAssignedSubjectObjectTypePrivilegeGrants())
    {
      jcsOut.println("---"+sotpg.getObjectDefinition().getObjectName()+" at rank "+sotpg.getGrantedRank()+" at level "+sotpg.getLevel().toString());
    }
    jcsOut.println("-Direct Object Grants");

    for (SubjectObjectPrivilegeGrant sopg: user.getAssignedSubjectObjectPrivilegeGrants())
    {
      String rank = sopg.getGrantedRank().getName();
      SchedulerEntity se = sopg.getSchedulerEntity();
      String bk = "";
      if (se instanceof BusinessKeyObject)
      {
        BusinessKeyObject bkObject = (BusinessKeyObject) se;
        bk = bkObject.getBusinessKey().toString();
      }
      else
      {
        bk = se.getErrorNameEN();
      }
      //all users have access to their personal registry hive
      if(bk.indexOf("user."+username) < 0)
      {
        jcsOut.println("---"+bk+" with rank "+ rank);
      }
    }

    //Get Role Grants and their privileges
    for (SubjectRoleGrant rGrant: user.getAssignedSubjectRoleGrants())
    {
      Subject role = rGrant.getGrantedSubject();
      jcsOut.println("--#############################################################################");
      jcsOut.println("--"+role.getName());
      jcsOut.println("--#############################################################################");
      jcsOut.println("---Global Grants");
      for (SubjectGlobalPrivilegeGrant sgpg: role.getAssignedSubjectGlobalPrivilegeGrants())
      {
        jcsOut.println("-----"+sgpg.getGrantedGlobalPrivilege().getName());
      }
      jcsOut.println("---Object Type Grants");

      for (SubjectObjectTypePrivilegeGrant sotpg: role.getAssignedSubjectObjectTypePrivilegeGrants())
      {
        jcsOut.println("-----"+sotpg.getObjectDefinition().getObjectName()+" at rank "+sotpg.getGrantedRank()+" at level "+sotpg.getLevel().toString());
      }
      jcsOut.println("---Direct Object Grants");

      for (SubjectObjectPrivilegeGrant sopg: role.getAssignedSubjectObjectPrivilegeGrants())
      {
        String rank = sopg.getGrantedRank().getName();
        String bk = "";
        SchedulerEntity se = sopg.getSchedulerEntity();
        if (se instanceof BusinessKeyObject)
        {
          BusinessKeyObject bkObject = (BusinessKeyObject) se;
          bk = bkObject.getBusinessKey().toString();
        }
        else
        {
          bk = se.getErrorNameEN();
        }
        jcsOut.println("-----"+bk+" with rank "+ rank);
      }
    }
  }
  else
  {
    throw new RuntimeException("User " + username + " does not exist.");
  }
}
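The rules described in the Object Privileges, System Privileges and Global Privileges sections, and the de-duplicated listing the note above says the script does not produce, can be checked against a small executable model. The following Python is an added illustration written for this page; it is not Redwood Server code and does not use the RedwoodScript API. Every class, helper, the rank order (only View and Edit, the two ranks the page names), the partition names and all sample grants are assumptions made for the example; only RS_PrintStatements and the global privilege names and activation values come from the page.

```python
# Toy model of the privilege rules this page describes: object privileges
# granted as ranks and as Access/Admin, system privileges that are either
# system wide or limited to one partition, global privileges that only take
# effect once activated, and grants inherited from roles. Constructed
# illustration, not Redwood Server code; all names below are assumptions.
from dataclasses import dataclass, field

# Ranks are cumulative: the page says the Edit rank contains View and Edit.
# Only the two ranks the page names are modelled, in assumed ascending order.
RANKS = ["View", "Edit"]

def rank_includes(granted: str, required: str) -> bool:
    return RANKS.index(granted) >= RANKS.index(required)

@dataclass(frozen=True)
class Obj:
    obj_type: str      # e.g. "ProcessDefinition" or "EventDefinition"
    name: str
    partition: str

@dataclass
class Subject:
    """A user or a role. Grants held by a role apply to every user holding it."""
    name: str
    roles: list = field(default_factory=list)          # roles granted to a user
    object_grants: dict = field(default_factory=dict)  # Obj -> (rank, "Access"|"Admin")
    system_grants: set = field(default_factory=set)    # (privilege, partition or None = system wide)
    global_grants: set = field(default_factory=set)    # global privilege names

# Activation state of two global privileges, taken from the page's table.
GLOBAL_ACTIVATED = {"License_Management": True, "Redwood_Script": False}

def subjects(user: Subject) -> list:
    """The user itself plus every role granted to it (one level, as on the page)."""
    return [user] + list(user.roles)

def object_rank(user: Subject, obj: Obj):
    """Highest rank granted on exactly this object, directly or via a role, or None."""
    best = None
    for s in subjects(user):
        grant = s.object_grants.get(obj)
        if grant and (best is None or rank_includes(grant[0], best)):
            best = grant[0]
    return best

def has_system(user: Subject, privilege: str, partition: str) -> bool:
    """A system privilege matches if held system wide (None) or for the partition."""
    return any((privilege, scope) in s.system_grants
               for s in subjects(user) for scope in (None, partition))

def can(user: Subject, action: str, obj: Obj) -> bool:
    """Allowed by an object privilege of sufficient rank, or by the matching
    system privilege ("<Type>.<Action>") covering the object's partition."""
    rank = object_rank(user, obj)
    if rank is not None and rank_includes(rank, action):
        return True
    return has_system(user, f"{obj.obj_type}.{action}", obj.partition)

def can_raise(user: Subject, event: Obj) -> bool:
    """EventDefinition.Raise lets the grantee raise the events he can view."""
    return has_system(user, "EventDefinition.Raise", event.partition) and can(user, "View", event)

def can_delegate(user: Subject, obj: Obj, rank: str) -> bool:
    """Only a grant made as Admin lets the grantee pass the privilege on."""
    for s in subjects(user):
        grant = s.object_grants.get(obj)
        if grant and grant[1] == "Admin" and rank_includes(grant[0], rank):
            return True
    return False

def can_use_feature(user: Subject, global_priv: str) -> bool:
    """A deactivated global privilege has no effect; once activated, the user
    must hold it directly or through one of his roles."""
    if not GLOBAL_ACTIVATED.get(global_priv, False):
        return True
    return any(global_priv in s.global_grants for s in subjects(user))

def effective_privileges(user: Subject) -> list:
    """Flat, de-duplicated, sorted list of everything the user holds (the page's
    listing script instead prints unsorted and repeats grants shared by subjects)."""
    out = set()
    for s in subjects(user):
        out.update(f"global:{g}" for g in s.global_grants)
        out.update(f"system:{p}@{scope or '*'}" for p, scope in s.system_grants)
        out.update(f"object:{o.obj_type}/{o.name}:{r}/{mode}"
                   for o, (r, mode) in s.object_grants.items())
    return sorted(out)

# Constructed sample data; only RS_PrintStatements is a name from the page.
PRINT_STATEMENTS = Obj("ProcessDefinition", "RS_PrintStatements", "GLOBAL")
OTHER_DEFINITION = Obj("ProcessDefinition", "RS_OtherReport", "GLOBAL")
HR_EVENT = Obj("EventDefinition", "HR_NightlyLoad", "HR")
FIN_EVENT = Obj("EventDefinition", "FIN_PeriodClose", "FIN")
OPERATORS = Subject("Operators",
                    system_grants={("EventDefinition.View", "HR"),
                                   ("EventDefinition.Raise", "HR")},
                    global_grants={"License_Management"})
ALICE = Subject("alice", roles=[OPERATORS],
                object_grants={PRINT_STATEMENTS: ("Edit", "Access")})
BOB = Subject("bob", object_grants={PRINT_STATEMENTS: ("View", "Admin")})

if __name__ == "__main__":
    for line in effective_privileges(ALICE):
        print(line)
```

Running the module prints alice's effective grants once each, in sorted order. The checks worth trying against the sample data are the ones the page's prose implies: alice's Edit grant on RS_PrintStatements also lets her view it but gives her nothing on any other Process Definition; bob, granted View as Admin, can delegate View but cannot edit; alice can raise the HR event through the partition-limited system privileges of her Operators role but not the FIN event; and bob, who lacks License_Management, is blocked from that feature only because the privilege is activated, while the deactivated Redwood_Script privilege has no effect on him.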

See Also