Role Based Security


pasPortal uses role-based security to secure access to protected content both inside the system and in pasUNITY Enterprise Suite products that tie into the security system.


Role-Based Security Mechanics


To assign permissions, we begin by defining roles: functional collections of accounts to which permissions can be assigned.  Roles are created and maintained using the Role Manager module, which is accessible to administrative users.  Roles are analogous to groups in other systems (such as Windows Active Directory), but in this documentation we always refer to them as roles.

Once roles have been defined, we populate them using either the Role Manager module or the Profile Editor, which can be accessed through the Account Manager module.

The procedure for establishing permissions on the various securable objects in the system depends on the object itself.  The most common objects on which permissions are assigned are tabs, which is done using the Tab Designer toolbar.  Regardless of the securable to which you assign permissions, the process is the same: the administrative end-user selects the role the permission applies to and the permission level to assign, then adds the combination of role, securable object, and permission level to the system.

Once permissions have been assigned, they are applied as follows.  Each action in the system has a permission demand assigned to it.  At the moment the user attempts to invoke the action, the system computes the complete set of aggregate permissions held by the account in question; if the sum total of those permissions meets or exceeds the demand's requirements, the action succeeds.

Role Scopes and Types


Site-level roles exist at the highest level and can be used to apply permissions anywhere in the entire system.  Only Site Administrators and Security Administrators can create site-level roles and assign accounts to them.

Dashboard-level roles are defined in a specific dashboard and can only be used to apply permissions against securable items defined in the same dashboard.  Only Site Administrators, Security Administrators, and Dashboard Administrators can create dashboard-level roles.


Some roles are designated as System Roles.  These are required for proper operation of the system and cannot be renamed, deleted, or otherwise disabled.

The following are the Site-Level System Roles that are defined by the system:


Anonymous Users: Any user who has not yet authenticated with the system is a member of this role.  This system-maintained role cannot be edited or manipulated by any user.

Authenticated Users: Any user who has authenticated with the system has implicit membership in this role.  This system-maintained role cannot be edited or manipulated by any user.

Dashboard Managers: Any user assigned to the Dashboard Admin role in a specific dashboard has implicit membership in this role.

Enumeration Users: Any user assigned to this role can view a list of all roles and accounts in the system.  This is reserved solely for use by internal system components.  Only members of Site Administrators can make assignments to this role.

Security Administrators: Users in this role can edit security account information on any account anywhere in the system with the exception of accounts that are members of the Site Administrators role.  Only members of the Site Administrators role can make assignments to this role.  This role is reserved solely for use by technical support and customer service staff.

Site Administrators: Users in this role can edit any detail of any editable object in the entire system.  Only members of the Site Administrators role can make assignments to this role.  This role is reserved solely for use by the technical support staff that maintains the system.


The following are the Dashboard-Level System Roles defined by the system:

Dashboard Access: Any user who is to be granted explicit access to a dashboard must be assigned to this role.  No other dashboard-level role assignments can be made until an account has been placed into this role.  Only members of Site Administrators, Security Administrators, and Dashboard Admin roles can make assignments to this role.

Dashboard Admin: Any account that already has membership in a given dashboard's Dashboard Access role can be assigned to this role.  Once in it, the account can administer any securable object within the dashboard and manipulate security details on accounts with access to the dashboard that are not members of either the Site Administrators or Security Administrators roles.  Only members of the Site Administrators, Security Administrators, and Dashboard Admin roles can make assignments to this role.

Site-level system roles cannot be provisioned using Single Sign On role rules, but dashboard-level system roles can, as detailed in the Role Manager module.
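The permission mechanics described earlier (an account's aggregate permissions checked against an action's demand) and the scoping rules in this section (site-level versus dashboard-level roles, implicit membership in Anonymous Users, Authenticated Users and Dashboard Managers, and the Dashboard Access prerequisite for other dashboard-level assignments) can be modelled as a small Python class.  The following is an added illustration written for this page, not pasPortal's own code: the class, the integer permission levels, the "Finance" dashboard, the tab names and the account names are all constructed assumptions.

```python
"""Toy model of the role-based permission check described on this page.

Added illustration only, not pasPortal code: the class, the integer permission
levels, the "Finance" dashboard and the account names are all assumptions.
"""
from collections import defaultdict

# Permission levels as ordered integers so "meets or exceeds" is a comparison
# (assumed; pasPortal's actual permission levels are not documented here).
NONE, VIEW, EDIT, ADMIN = 0, 1, 2, 3
SITE = "site"  # scope of site-level roles; any other scope is a dashboard name


class SecuritySystem:
    def __init__(self):
        self.role_scope = {}               # role name -> SITE or dashboard name
        self.members = defaultdict(set)    # role name -> explicitly assigned accounts
        self.securable_scope = {}          # securable name -> SITE or dashboard name
        self.grants = defaultdict(int)     # (role, securable) -> permission level
        # Site-level system roles whose membership is implicit (see the list above).
        for name in ("Anonymous Users", "Authenticated Users", "Dashboard Managers"):
            self.role_scope[name] = SITE

    def define_role(self, name, scope=SITE):
        self.role_scope[name] = scope

    def define_dashboard(self, dashboard):
        # Each dashboard carries its two dashboard-level system roles.
        for base in ("Dashboard Access", "Dashboard Admin"):
            self.role_scope[f"{dashboard}/{base}"] = dashboard

    def define_securable(self, name, scope=SITE):
        self.securable_scope[name] = scope

    def assign(self, account, role):
        scope = self.role_scope[role]
        access_role = f"{scope}/Dashboard Access"
        # No other dashboard-level assignment until the account holds Dashboard Access.
        if scope != SITE and role != access_role and account not in self.members[access_role]:
            raise PermissionError(f"{account} must be in {access_role} first")
        self.members[role].add(account)

    def grant(self, role, securable, level):
        rscope, sscope = self.role_scope[role], self.securable_scope[securable]
        # Dashboard-level roles only secure items defined in the same dashboard.
        if rscope != SITE and rscope != sscope:
            raise ValueError(f"{role} cannot secure {securable}: different dashboard")
        self.grants[(role, securable)] = max(self.grants[(role, securable)], level)

    def roles_of(self, account):
        """Explicit memberships plus the implicit ones the page describes."""
        if account is None:                # not yet authenticated
            return {"Anonymous Users"}
        roles = {"Authenticated Users"}
        roles |= {r for r, accounts in self.members.items() if account in accounts}
        if any(r.endswith("/Dashboard Admin") for r in roles):
            roles.add("Dashboard Managers")
        return roles

    def effective_level(self, account, securable):
        """Aggregate permission: the highest level any of the account's roles grants."""
        return max((self.grants.get((r, securable), NONE)
                    for r in self.roles_of(account)), default=NONE)

    def demand(self, account, securable, required):
        """The permission demand check: the action succeeds iff aggregate >= demand."""
        return self.effective_level(account, securable) >= required


def build_sample():
    """Constructed sample data (one dashboard, one account), not real configuration."""
    s = SecuritySystem()
    s.define_dashboard("Finance")
    s.define_role("Finance/Analysts", scope="Finance")
    s.define_securable("Public Tab")
    s.define_securable("Finance/Budget Tab", scope="Finance")
    s.grant("Anonymous Users", "Public Tab", VIEW)
    s.grant("Finance/Dashboard Access", "Finance/Budget Tab", VIEW)
    s.grant("Finance/Analysts", "Finance/Budget Tab", EDIT)
    s.assign("alice", "Finance/Dashboard Access")   # prerequisite for the next two
    s.assign("alice", "Finance/Analysts")
    s.assign("alice", "Finance/Dashboard Admin")    # implies Dashboard Managers
    return s


if __name__ == "__main__":
    s = build_sample()
    print(sorted(s.roles_of("alice")))
    print(s.demand(None, "Public Tab", VIEW), s.demand(None, "Finance/Budget Tab", VIEW))
    print(s.demand("alice", "Finance/Budget Tab", EDIT),
          s.demand("alice", "Finance/Budget Tab", ADMIN))
```

In the sample, an unauthenticated visitor (modelled as account `None`) can view the site-level tab but not the dashboard tab, alice's aggregate on the budget tab is EDIT (the maximum over her roles, not a sum), her Dashboard Admin membership gives her implicit Dashboard Managers membership, and attempts to assign a dashboard-level role before Dashboard Access or to secure a site-level tab with a dashboard-level role are rejected.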


Copyright © 2024 pasUNITY, Inc.
