Rights Management Admin Page

Rights (group) management is the basic access control subsystem for a few items in EDG:

  • Changing “Any_Role (all users) are administrators” to a specified Tomcat role having administrator rights.

  • Selecting the security role(s) that can create new asset collections by checking the Create box for that Tomcat role.

  • Making selected graphs OTHER THAN EDG asset collections publicly readable. This option is typically applied to files uploaded from TBC to the server.

This page does not control the read/write access for any asset collections created in EDG.

Rights management consists of two types of activities:

  • Defining rights groups

  • Assigning user security roles to various rights groups

Each rights group represents specific access rights (i.e. Create, Read, Update, Delete and Execute) on the group’s selected workspace resources (or their generic “wildcard” types). For example, a file can be specified with CRUD access, whereas a SPARQLMotion script should have CRUD+E, and an exposed web service should have only E access. Users are then assigned to rights groups according to their security roles.

Prerequisite: Users’ Security Roles

The user’s side of rights management consists of knowing their security roles, which are configured during EDG’s installation and initial setup. A user security role must:

  • Be defined in a Tomcat/Realm, such as LDAP or tomcat-users.xml

  • Appear in the permitted security roles setup of the TopBraid (which define entries for security-constraint tags in the application’s web.xml).

EDG also has one special, pre-defined (pseudo-) security role: ANY_ROLE, which automatically represents every user. This role can be used to assign access rights universally.

Defining Rights Groups

AdministratorGroup

EDG has a special, pre-defined rights group, AdministratorGroup, which conveys full access to all EDG resources (including asset collections in EDG).

The AdministratorGroup must always be assigned to at least one user security role that has at least one accessible login.

On initial EDG installation, the AdministratorGroup is assigned to ANY_ROLE. This assignment should be moved to one or more proper security roles as part of the initial application setup (by first assigning the AdministratorGroup to a proper role, then deleting it from ANY_ROLE).

Defining new groups

To define a new rights group:

  1. Select an existing role

  2. Click Add Group

  3. Choose the –New Group– option

  4. Enter a name for the new group

  5. Click Create Group

Rights groups cover one or more resources in the EDG workspace, including projects (directories/folders) and various types of files. The selected group’s workspace resources are listed in the Resource Rights section. Resources can be added or deleted, and each resource’s access rights can be enabled or disabled. To add particular workspace resources, click the Add Resources button. To add generic resource types, click the Add Wildcard button. The defined ANY_ resource types are as follows.

  • ANY_RESOURCE - Any resource defined by TopBraid

  • ANY_SDB_RESOURCE - Any SDB data connector (.sdb file)

  • ANY_TDB_RESOURCE - Any TDB data connector (.tdb file)

  • ANY_GRAPH_RESOURCE - Any named graph in the TopBraid workspace (This is a superset of ANY_SDB_RESOURCE and ANY_TDB_RESOURCE.)

  • ANY_FOLDER_RESOURCE - Any folder in the TopBraid workspace

  • ANY_FILE_RESOURCE - Any file that is not a graph; such a text file, an Excel spreadsheet, or an XML file.

  • ANY_PROJECT_RESOURCE - Any project in the TopBraid workspace (This differs from the PROJECT resource type in that this refers to all Eclipse/Equinox project in the workspace.)

Then for each resource item, select which specific CRUD+E access rights are enabled or disabled for the group. The access types are as follows:

  • Create - Group members can create new resources

  • Read - Group members can read resources

  • Update - Group members can update/modify resources

  • Delete - Group members can delete resources

  • Execute - Group members can execute server-side scripts

Note

To remove a group from a particular role, use the X icon next to the group name. To delete a group completely, use the* trashcan icon. This will remove the group from all roles that were associated with it.

Note

Project names should contain no spaces. If they do, an error will occur when trying to expand them. Correct the source Project name and re-upload it with no spaces.

Further Reading on Rights Management Admin Page

Further Reading on TopBraid