Role Based Security

Role Based Security is a method of controlling or restricting access to a software system. It employs the following constructs to achieve security control:

• Users
• Roles
• Privileges/Permissions

A "User" object can be tied to either an individual Windows account or a Group account. Each "User" may have one Role. Roles represent the job function a User will perform within ACM. Each Role is configured with a list of privileges and permissions to either allow or deny access to specific functionality and access points.  

Each Windows or Group account is represented by a single User object.  Each User object has a single role.  Each Role can have one to many privileges and permissions.

Folder Security and Security Override Records

By default, all Role Based Security assignments in ACM are applied server-wide, but sometimes at a folder level it is necessary to override privileges granted at the server level. The Folder object has a "Security Overrides" tab to override the role assigned to a user.  Folder Override Records provide a way to apply a Security Override for a group of objects contained within a folder. Each record specifies a User/Role object combination. The privilege options defined for the Role object in this record will override any Role object this user has at the server-wide level.

Example: UserA was assigned a server-wide Role called OperatorsRole with the ability to modify objects. A folder named ProductionWells contains objects for which UserA should not have Modify permissions. A new Role object was created named ProductionOperatorsRole that disables the privilege to Modify objects. An override record is added on the ProductionWells folder with UserA assigned to the ProductionOperatorsRole. When UserA tries to modify an object contained by the ProductionWells folder, the action will be denied.

How it Works

When a configuration task or action requires a security privilege check, the following steps are taken to allow or deny the task:

1. Is Security Enabled on the Server? If NO then allow the task. If YES then proceed to step 2.
2. Does the User requesting the action have Windows administrator privileges AND is the $Server option "Windows administrators have full access" enabled? If YES then allow the task. If NO then proceed to step 3.
3. Does the parent folder (or its parents on up the tree to the root $Server) of the object contain a security override record with the User? If YES, use this Role and proceed to step 5. If NO, proceed to step 4.
4. Does the User have a server-wide Role? If YES, use this Role and proceed to step 5. If NO, then deny the task.
5. Does the Role have an enabled privilege for that task? If YES then allow the task. If NO then deny the task.

Configuration tasks or actions that require a security privilege check consist of the following:

• Creating Objects
• Deleting Objects
• Modifying Objects
• Executing Commands
• Configuring Security Objects

Configuration

Considerations 

Before configuring security it is important to know the following:

With security DISABLED (Default):

• All ACM users have full access to all objects. This means they can create, modify, delete and execute commands against objects, including security-related objects. Security related objects include:
  • $Server
  • Role
  • User

With security ENABLED:

• Windows users must be associated with ACM User Objects either by specifying individual user accounts or by specifying the windows group that contains the users needing access.
• If the $Server option "Windows administrators have full access" is enabled, Windows users who are members of a local or domain administrator group are considered to be ACM administrators. They are granted full access to all objects, including security related objects and are not required to be associated with any ACM User Objects.
• Windows users who do not fall into the ACM administrator category, and who are not configured within an ACM User Object do not have access to the configuration.
• Users with a Role object that have no permissions enabled have Read Only access to ALL objects.
• Windows users who do not fall into the ACM administrator category must have a User and Role object configured and enabled with the Configure Security privilege granted to them in order to enable/disable security or manage any User and Role objects.

Enabling Role Based Security in ACM

In order to use Role Based Security in ACM, it must first be enabled from within the configuration client. If this is the first time security is being enabled, create at least one User and Role object with the Configure Security option enabled for the Role. Open the $Server object from the object listing on the left and check the box titled Enable User Security.