Security

From OpsWise Documentation Wiki

Open as PDF

Contents 1 Overview 2 Default Users and Groups 3 Adding Users 3.1 Field Descriptions 4 Adding Groups 4.1 Field Descriptions 5 Assigning Users to Groups 6 Using Roles to Assign Administrative Permissions 6.1 Description of Roles 6.2 Assigning Roles to Users or Groups 7 Assigning Permissions to Users or Groups 7.1 Permissions Field Descriptions 8 Credentials 8.1 How Credentials are Used 8.2 Defining Credentials

Overview

Setting up Opswise security involves the following steps:

• Creating users and assigning them passwords. You can also assign permissions to users.
• Creating groups of users. You can also assign permissions to groups.
• Assigning permissions to users and groups
• Creating credentials that allow Opswise to log in to remote machines and execute jobs

Default Users and Groups

The default user, ops.admin, has full permission on all system features.

Two default user groups are also provided:

• Administrator Group. Has access to everything within Automation Center.
• Everything Group. Has access to everything except user and group administration.

Adding Users

By default, a new user has no permissions. Until permissions are granted, a user can log into the system and can see options in the navigation pane but will not be able to do anything. You need administrative privileges to add users.

1. Select Security > Users. The User list appears, as shown in the sample below.



2. Click the New button. A blank user form displays.



3. Using the field descriptions provided below, fill in the fields.
4. Right-click on the title bar to save the new user record.
5. Optionally, assign one or more roles to the group, assign the user to a group, or assign permissions to this user.
6. Click Submit to save the new user record.

Field Descriptions

Field Name	Description
User ID	Log in ID for this user.
Time zone	Timezone of this user. When this user logs in, all scheduling times will be shown in the user's timezone, unless the trigger specifies a different timezone.
First name	User's first name.
Business phone	User's business phone number.
Last name	User's last name.
Mobile phone	User's mobile phone number.
Title	User's title.
Password	User's password.
Password needs reset	If enabled, the user will be prompted to reset the password at first login.
Locked out	If enabled, locks out the user.
Active	If enabled, the user ID is active and the user can log in.
Submit button	Submits the new record to the database.
Update button	Saves updates to the record.
Delete button	Deletes the record from the database.
User Roles tab	Allows you to assign roles to this user.
Group Members tab	Allows you to assign this user to one or more groups.
Opswise Permissions tab	Allows you to assign permissions to this user.

Adding Groups

A group is a container for users. You can assign privileges and roles to groups or to users. You can also assign groups to other groups. You need administrative privileges to add groups.

1. Select Security > Groups. The Groups list appears, as shown in the sample below.



2. Click the New button. A blank user form displays.



3. Using the field descriptions provided below, fill in the fields.
4. Right-click on the title bar to save the new group record.
5. Optionally, assign one or more roles to the group, assign members (users) to the group, assign other groups to this group, or assign permissions to this group.
6. Click Submit to save the new group record.

Field Descriptions

Field Name	Description
Name	The name of this group.
Parent	The name of this group's parent group, if any.
Description	Description of this group.
Submit button	Submits the new record to the database.
Update button	Saves updates to the record.
Delete button	Deletes the record from the database.
Group Roles tab	Allows you to assign roles to this group.
Group Members tab	Allows you to assign users to this group.
Groups tab	Allows you to assign other groups to this group.
Opswise Permissions tab	Allows you to assign permissions to this group.

Assigning Users to Groups

You can assign users to groups from the User record or from the Group record.

1. Open the user or group record.
2. Click the Group Members tab. This tab allows you to assign a user to one or more or vice versa. You can also add a new user or group record using this procedure.
3. To add a new user or group:
   1. Click New. A new user or new group screen displays.
   2. Fill in the field using the field descriptions for groups or users as guidance.
   3. Click Submit to save the new record. The record is added and assigned, and you are returned to the Group Members tab.
4. Or, to add an existing record to this user or group:
   1. Click the Edit button. The Edit Members screen displays.
   2. To add a user to this group or add a group to this user, click on the record in the Collection list and click Add. To remove a record, click on the record list and click Remove.
   3. Click Save to save your choices.

Using Roles to Assign Administrative Permissions

Some administrative functions within Opswise are assigned using roles instead of separate permissions. These functions include:

• Setting up security
• Creating reports, filters, and gauges
• Creating agent clusters

Each role is predefined and has certain permissions attached to it. By assigning the role to a user or group, you automatically give that user or group all permissions associated with the role.

Description of Roles

The following table summarizes the roles available in OpsWise Automation Center.

Role Name	Role Description	Contains Roles
filter_global	Can create global filters.
filter_group	Can create filters that belong to a group of which this user is a member.
gauge_maker	Can create gauges from reports.
list_updater	Can use "Update Entire List" and "Update Selected" menu options on lists.
ops_imex	Can import and export records.
ops_admin	The Opswise administrator role. To grant Administration privileges to a user, it is recommended that you add the user to the Administrator Group.	ops_agent_cluster_admin ops_report_admin filter_global filter_group user_admin ops_imex
ops_agent_cluster_admin	The Opswise agent cluster administrator role.
ops_report_admin	Opswise report administrator role.	gauge_maker report_global report_group report_publisher report_scheduler
report_global	Can create global reports.
report_group	Can create reports that belong to a group to which I am a member.
report_publisher	Can publish reports.
report_scheduler	Can schedule reports.
user_admin	Can administer users, and groups.

Assigning Roles to Users or Groups

1. From a User or Group screen, click the User Roles or Group Roles tab.
2. Click the Edit button. The Edit Members screen displays.



3. To add roles to this user or group, click on the roles in the Collection list and click Add. To remove roles, click on the role in the Role list and click Remove.
4. Click Save to save your choices.

Assigning Permissions to Users or Groups

Permissions control access to opswise records and commands. You can add permissions to a user or a group, as described below.

1. Open the user or group to which you want to add permission.
2. Click the Permissions tab, shown below.

   

3. Click New to open the Permissions form.




4. The permissions available differ depending on what you select in the Type field. Available permissions include:
   • Create
   • Read
   • Update
   • Delete
   • Execute
   If the permission does not apply to the record type in the Type drop-down, the permission does not appear in the display. Certain permissions include other permissions:
   • The Create permission implies Read and Update permissions.
   • The Update permission implies Read permission.
   • The Delete permission implies Read permission.
   • Agent Permissions
   
   Read, Update, and Execute permissions can be granted for the Agent permission type. All users can view configured agents in OpsWise Automation Center, so the Read checkbox always appears checked. Only an Administrator can delete configured Agents, so the Delete checkbox does not appear.
   • Calendar Permissions
   
   Create, Read, Update, and Delete permissions can be granted for the Calendar permission type. All users can view Calendars in OpsWise Automation Center, so the Read checkbox always appears checked.
   • Credentials Permissions
   
   Create, Read, Update, Delete, and Execute permissions can be granted for the Credential permission type. All users can view Credentials in OpsWise Automation Center, so the Read checkbox always appears checked.
   • Task Permissions
   
   Create, Read, Update, and Delete permissions can be granted for the Task permission type. Some commands are also supported for tasks.
   • Task Instance Permissions
   
   Read, Update, and Delete permissions can be granted for the Task Instance permission type. Task instances are created when a trigger fires, or when a task is manually launched via the Launch command. Therefore, the Create permission does not appear. Many commands are also supported for task instances.
   • Trigger Permissions
   
   Create, Read, Update, and Delete permissions can be granted for the Trigger permission type. Some commands are also supported for triggers.
5. For details about the remaining fields, refer to the field descriptions provided below.
6. Click Submit to save the permission.
7. Repeat this procedure to add more permissions. Each Type of permission is stored in a separate record.

Permissions Field Descriptions

The table below describes each field on the Permissions form, including the type of permission you can add, and the details of each.

Permission Type	Options	Description
Agent	Read	Grants permission to view a resource definition.
	Update	Grants permission to update a resource definition.
	Execute	Grants permission to execute a task on an agent.
	Commands	N/A
Calendar	Create	Grants permission to create a new calendar.
	Read	Grants permission to read a calendar.
	Update	Grants permission to update a calendar.
	Delete	Grants permission to delete a calendar.
	Commands	N/A
Credential	Create	Grants permission to create a new credential.
	Read	Grants permission to read a credential.
	Update	Grants permission to update a credential.
	Delete	Grants permission to delete a credential.
	Execute	Grants permission to execute a task using a credential.
	Commands	N/A
Task	Create	Grants permission to create a new task.
	Read	Grants permission to read a task.
	Update	Grants permission to update a task.
	Delete	Grants permission to delete a task.
	Commands	All. Grants permission to issue any command. Launch. Grants permission to launch a task. Reset Statistics. Grants permission to reset statistics
Task Instance	Read	Grants permission to read a task instance
	Update	N/A
	Delete	Grants permission to delete a task instance.
	Commands	ALL. Grants permission to issue any command. Cancel. Grants permission to cancel a task instance. Clear Dependencies. Grants permission to clear all dependencies on a task instance. Force Finish. Grants permission to force finish a task instance. Hold. Grants permission to put a task instance on hold. Mark as Satisfied. Can mark a dependency as satisfied. Re-Run. Grants permission to re-run a task instance. Release. Grants permission to release a task instance from hold. Release Recursive. Grants permission to release a workflow and all its tasks from hold. Retrieve Output. Set Completed. Grants permission to set a Manual task instance status to completed. Set Started. Grants permission to set a Manual task instance status to a new started time. Skip. Grants permission to skip a task instance.
Trigger	Create	Grants permission to create a trigger.
	Read	Grants permission to read a trigger.
	Update	Grants permission to update a trigger.
	Delete	Grants permission to delete a trigger.
	Commands	ALL. Grants permission to do all listed below. Disable Trigger. Grants permission to disable a trigger. Enable Trigger. Grants permission to enable a trigger. Trigger Now. Grants permission to trigger (launch) a task.
Field Name	Description
Name	Narrows down the permission to records matching the string specified here. Wildcards are supported.
Opswise Groups	This permission applies only to records that are members of the selected Opswise groups. Click on the lock icon to unlock the field and select groups.
Default Group	This permission applies only to records that do not belong to any Opswise group. If this option is enabled, the user or user group will have the defined permissions on all records that do not belong to any Opswise group.
All Opswise Groups	This permission applies to records that belong to any Opswise group (that is, the record must belong to at least one group).

Credentials

Credentials are defined by the user and used by Opswise to log in to remote machines.

How Credentials are Used

When Opswise executes a task on a remote machine, it may need a login ID and password, also referred to as credentials. When prompted for credentials by a remote machine, Opswise looks in the following locations in the order shown for the ID and password:

1. If the task contains credential information, the agent uses those.
2. If the task does not provide credentials, the agent uses the credentials in the agent resource definition.

In the case of FTP tasks, the Opswise agent may need an additional credential for logging on to the FTP server.

Defining Credentials

1. Select Security > Credentials. Opswise displays the credentials list, as shown in the example below.



2. Click New. A Credentials form displays, as shown in the following example.



3. Enter the Credential name, login ID (Runtime User), and the password. As a best practice, use an alias in the Name field, as you may have several identical user names for different systems all having different passwords. Optionally, assign the credential to an Opswise group.
4. Click Submit to save the record.