- Managing Users
- Managing Groups
- Setting Access Controls
- Clearing ESB Server Database
The Fiorano Platform security policy enables administration and management of Groups and Users across the entire Fiorano Network. This section describes management of Users and Groups by assigning appropriate rights to them on the Fiorano Network.
The Fiorano Platform users and groups can operate from all available nodes in the Fiorano Network. A User Group is identified by a unique name and contains a list of users who inherit all rights assigned to that group. Every User is assigned a unique User Name, Password, and a User Group Membership. Information pertaining to Users and User Groups is utilized during authentication and determines the resources that a User or a User Group is allowed to access.
Fiorano eStudio can be used to manage all users in the Fiorano Network. The management tasks that can be performed are:
- Creating User Accounts
- Deleting User Accounts
- Changing the Password of a User
To view the list of Users, log in to the Enterprise Server and click the Users node in the Security section. A list of Users is displayed as shown in Figure 15.
Figure 1: Users in the Fiorano Network
Creating a New User Account
You can create a new user account by logging onto the Enterprise Server with administrator privileges.
- Log in to the Enterprise Server through Fiorano eStudio.
- Select the Security node from the Enterprise Server tree.
- Right-click on the Users node and click New User. A dialog box prompts for the name of the User. Enter the new User Name and click the OK button.
Figure 2: New User creation dialog box
Editing User Password
To change the password:
- Right-click the user whose password is to be changed and click the Change Password option.
- In the dialog box, where the Current Password and New Password fields are displayed, enter the new password.
- Click the Yes button to complete the process.
Figure 3: Change User Password
Deleting a User Account
To delete a User Account:
- Right-click the user to be deleted and select the Delete option.
- In the Confirm Object Deletion dialog box, click the Yes button to complete the process.
Figure 4: Confirmation of Deletion of User Account
The Fiorano Platform by default creates a Group named EVERYONE. All Users are automatically included in this Group. Expand the Groups node under the Security node to see all existing groups.
Figure 5: Groups in the Fiorano Network
Creating New Group
Any User with administrative privileges can create a New Group by logging onto the Enterprise Server.
- Choose the Enterprise Server under Server Explorer after logging onto Fiorano eStudio.
- Select the security node from the Enterprise Server tree.
- Right-click on the Groups and select the Add Group option. A dialog box is displayed with a prompt to enter the Name of the Group. Enter the Group Name and click the OK button.
Figure 6: Adding Group
Adding a User to a Group
One or more users may be added to a group as follows:
- Select the Group to which the User is to be added.
- Right-click on the group name and click Members.
Figure 7: Option to add a user
- Select the User that is to be added to the Group from the pop-up window and click OK.
Figure 8: User List
- Click the OK button to save the settings.
Deleting a User from a Group
You can delete one or more Users from a Group as follows:
- Right-click on the Group Name from which the User is to be deleted and click Members.
- Select the user from the popup window and click Remove to remove the user from the Group.
- Click the OK button to save the settings.
Figure 9: User List of a particular group
Deleting a Group
Any user with administrative privileges can delete a Group by logging onto the Enterprise Server.
To Delete a Group,
- Choose the Enterprise Server under Server Explorer after logging onto Fiorano eStudio.
- Select the security node from the Enterprise Server tree.
- Select the Group to be deleted from the Groups. Right-click on the Group and select the Delete option from the pop-up menu.
Figure 10: Menu to delete a group
Setting Access Controls
Users connecting to the Fiorano Network are required to furnish their credentials which are then authenticated by the network. The authentication is performed by the Enterprise Server via the underlying Realm Component. This Realm Component is responsible for maintaining all User and User Group information as well as for authenticating any connection requests. The network administrator can choose from a collection of Realm Components, differing in storage and authentication mechanism.
This security architecture allows the administrator to set up ACLs for various resources. For example, the ACL for an Event Process can specify which Users have the privilege to launch that Event Process on the network. This allows the administrator to exercise control over the privileges available to each User.
The following permissions can be given to a User or a User Group:
- Permission to create or delete a Principal (User and User Groups)
- Permission to compose an Event Process
- Permission to change properties of an Event Process
- Permission to terminate an Event Process
- Permission to view running and saved Event Processes
- Permission to configure an FPS
- Permission to create, update, and delete a Business Service
- Permission to create an ACL
- Permission to create, edit, and delete a Business Service ACL
- Permission to launch an Event Process
All actions that check for one or more of the above-mentioned permissions generate a security event. Permissions can be requested by any principal registered on the Fiorano Network. The Fiorano eStudio allows the administrator to set access rights for individual Users.
The security module in the Fiorano Network resides within the Enterprise Server. The security architecture makes this module pluggable, which in turn allows the enterprise administrator to choose a Realm Module from the list of modules provided by the Fiorano Platform.
The FSSM (Fiorano Services and Security Manager) tool is used to assign rights to Users and to User Groups. Rights may be understood as rules associated with the Fiorano Network that are granted to Users and User Groups. They allow Users and User Groups to perform specific tasks on the Fiorano Network. The Fiorano Platform has a well-defined security policy to protect the network against data loss or corruption due to malicious or accidental access. This policy is implemented by assigning appropriate permissions to Users and User Groups thereby preventing illegal access to the Fiorano Network.
When the Access Rights Assignment in the left-hand-side panel is selected, a list of all available permissions is displayed in the right side panel, as shown in the figure below.
Figure 11: Realms Description
The right panel displays the following Network Rights:
- Permission to create or delete a principal: This permission allows a User or a User Group to create, edit, and delete Users and User Groups. Users and/or User Groups with this permission have the right to change passwords.
- Permission to compose an Event Process: This permission allows a User and/or a User Group to create new Event Processes using Fiorano eStudio.
- Permission to change properties of an Event Process: This permission allows a User and/or a User Group to change the basic and advanced properties of the Event Process from the Event Process property sheet in Fiorano eStudio.
- Permission to view running and saved Event Processes: This permission allows a User and/or a User Group to run Event Processes in the Fiorano Event Manager.
- Permission to terminate an Event Process: This permission allows a User and/or a User Group to terminate Event Processes from the Fiorano eStudio.
- Permission to configure an FPS: This permission allows a User and/or a User Group to create, edit, and delete a Fiorano Peer Server using the Fiorano Network Administration tool.
- Permission to create, update, and delete a Business Service: This permission allows a User and/or a User Group to create, update, and delete Business Services using Fiorano eStudio.
- Permission to create an ACL: This permission allows a User and/or a User Group to set access control on Fiorano Components.
- Permission to create, edit and delete Business Service ACL: This permission allows a User to set access control for Fiorano Components. With this permission, the User can specify the nodes on which a Fiorano component can run.
- Permission to launch an Event Process: This permission allows a User and/or a User Group to launch Event Processes.
To Assign Rights
FSSM can be used to assign rights to both Users and User Groups. To assign rights to a User, perform the following steps:
- In the right-hand side of the panel, right-click on the field corresponding to the PERMISSION TO KILL AN APPLICATION option.
- Click the Properties option. The Access Control dialog box is displayed, as shown in Figure 27.
- Click the Add button, select the User and click the OK button. The user is assigned the permission to kill an Event Process.
Figure 12: Access Control Dialog Box
Removing Network Rights
FSSM can be used to revoke permissions assigned to Users and User Groups. To do this, the User or User Group to whom the permission has been assigned should be deleted, as follows:
- In the right-hand side panel, right-click the field corresponding to the PERMISSION TO CLEAR USER EVENTS option.
- Click the Properties option. The Access Control dialog box is displayed.
- Select the User and click the Remove button to delete the User from the list of Users assigned the permission to clear User Events.
- Click the OK button to register the deletion of the user from the list of users assigned the permission to clear user events.
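The rights model described above (Users, User Groups, the automatic EVERYONE group, permissions granted to either kind of principal, and a security event on every permission check) can be made concrete in code. The following is an added illustration written for this page, not Fiorano code: the Realm class, its method names, the in-memory storage and the PBKDF2 credential hashing are assumptions built only from the page's own terminology. The demo scenario shows the caveat that matters when removing Network Rights: revoking a permission from a User directly does not revoke it while a Group the User belongs to still holds it, because group members inherit all rights of the group.

```python
"""Model of the page's User / User Group / permission scheme (added example,
not Fiorano code; class and method names are assumptions)."""
import hashlib
import hmac
import os

EVERYONE = "EVERYONE"  # the platform-created Group every User belongs to

# The Network Rights listed on the page, used as the ACL keys.
PERMISSIONS = frozenset({
    "create or delete a Principal", "compose an Event Process",
    "change properties of an Event Process", "terminate an Event Process",
    "view running and saved Event Processes", "configure an FPS",
    "create, update, and delete a Business Service", "create an ACL",
    "create, edit, and delete a Business Service ACL",
    "launch an Event Process",
})


class Realm:
    """In-memory stand-in for the Enterprise Server's Realm Component."""

    def __init__(self):
        self._creds = {}                              # user -> (salt, digest)
        self._groups = {EVERYONE: set()}              # group -> member users
        self._acl = {p: set() for p in PERMISSIONS}   # permission -> principals
        self.security_events = []                     # (user, permission, allowed)

    def _assert_unique(self, name):
        # Users and Groups share one principal namespace; names must be unique.
        if name in self._creds or name in self._groups:
            raise ValueError(f"principal name already in use: {name}")

    @staticmethod
    def _digest(password, salt):
        # Assumed storage format; the real Realm's format is not on the page.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def create_user(self, name, password):
        self._assert_unique(name)
        salt = os.urandom(16)
        self._creds[name] = (salt, self._digest(password, salt))
        self._groups[EVERYONE].add(name)              # automatic EVERYONE membership

    def delete_user(self, name):
        # Deleting a principal must also drop its memberships and ACL entries.
        del self._creds[name]
        for members in self._groups.values():
            members.discard(name)
        for holders in self._acl.values():
            holders.discard(name)

    def authenticate(self, name, password):
        entry = self._creds.get(name)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._digest(password, salt), stored)

    def create_group(self, name):
        self._assert_unique(name)
        self._groups[name] = set()

    def add_member(self, group, user):
        if user not in self._creds:
            raise KeyError(f"unknown user: {user}")
        self._groups[group].add(user)

    def remove_member(self, group, user):
        if group == EVERYONE:
            raise ValueError("every User is a member of EVERYONE")
        self._groups[group].discard(user)

    def grant(self, permission, principal):
        if permission not in self._acl:
            raise KeyError(f"unknown permission: {permission}")
        if principal not in self._creds and principal not in self._groups:
            raise KeyError(f"unknown principal: {principal}")
        self._acl[permission].add(principal)

    def revoke(self, permission, principal):
        self._acl[permission].discard(principal)

    def groups_of(self, user):
        return {g for g, members in self._groups.items() if user in members}

    def effective_permissions(self, user):
        # A right is held if granted to the User or to any Group it belongs to.
        principals = {user} | self.groups_of(user)
        return {p for p, holders in self._acl.items() if principals & holders}

    def check(self, user, permission):
        # Every permission check generates a security event, as the page notes.
        allowed = permission in self.effective_permissions(user)
        self.security_events.append((user, permission, allowed))
        return allowed


def demo():
    """Constructed scenario: a direct revoke does not undo a Group grant."""
    realm = Realm()
    realm.create_user("alice", "alice-pass")          # constructed credentials
    realm.create_user("bob", "bob-pass")
    realm.create_group("Operators")
    realm.add_member("Operators", "alice")
    realm.grant("view running and saved Event Processes", EVERYONE)
    realm.grant("launch an Event Process", "Operators")
    realm.grant("launch an Event Process", "alice")
    realm.revoke("launch an Event Process", "alice")  # still inherited via Operators
    return realm


if __name__ == "__main__":
    r = demo()
    print("alice may launch:", r.check("alice", "launch an Event Process"))
```

When auditing who can perform an action, resolve the effective set (direct grants plus every Group membership, including EVERYONE) rather than reading the ACL entry for the User alone; the security events the checks emit are the record to review afterwards.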
Clearing ESB Server Database
To clear the FES server database of the default profile (that is, profile1), run or double-click the script clearDBServer.bat/.sh -mode fes available under the <fiorano_installation_dir>\esb\server\bin directory.
To clear the FES server database of a profile other than the default profile, run the script clearDBServer.bat/.sh available under <fiorano_installation_dir>\esb\server\bin folder with the profile option as shown below:
The following operations are available when this script is executed.
Select the datastore to clear:
- File Based Datastore – Clears the local cache of the Enterprise Server including stored logs.
- Admin Datastore – Clears the admin objects, that is, JMS Connection factories, queue and topic destinations, status of running Event Processes and component instances.
- Peer Repository – Clears all the fetched peer server profiles from Enterprise Server runtimedata.
- Events Database – Clears the Events Database using the configurations provided in eventsdb.cfg file present under: <fiorano_installation_dir>/esb/server/profiles/<profilename>/FES/conf directory.
- SBW Database – Clears the SBW database using the configurations provided in the sbwdb.cfg file present under: <fiorano_installation_dir>/esb/server/profiles/<profilename>/FES/conf directory.
The Enterprise Server processes System events, SBW events and Backlog events and takes appropriate actions. System events and SBW events are queued for insertion into an external database, while Backlog events are queued to be handled by the various alert handlers. Before this processing happens, events are stored temporarily in persistent databases created in the runtime data of the Enterprise Server. After an event has been processed, it is deleted from the temporary store. If events cannot be processed, the temporary datastore may grow to occupy a large amount of disk space. Options 7, 8, and 9 can be used to delete the temporary persistent datastores of the different event types.
- Events Persistent Database – Clears the temporary persistent datastore of system events.
- SBW Persistent Database – Clears the temporary persistent datastore of SBW events.
- Backlog Persistent Database – Clears the temporary persistent datastore of backlog events.
- All – Clears all nine of the above.
This script can be executed in Quiet Mode with the following options:
- -mode: clears fps or fes runtimedata
- -dbPath: runtime data directory for the profile
- -profile: profile name for which runtimedata is to be cleared
- -q: runs the script in quiet mode