Security Roles and Role Memberships

Learn how to manage security roles and role memberships in Policy Manager.

Location in Policy Manager Management Console: Workbench > Browse > Security.


Table of Contents

  1. Security Summary
  2. Role Definitions
  3. Role Memberships

Security Summary

In Policy Manager, the Security Summary page is the starting point for defining and managing:

  • Role definitions: A defined set of permissions associated with a role name. Here, you can add and manage role definitions.
  • Role memberships: The list of role definitions is displayed. Here, you can assign the role to specific users or groups of users, and therefore give them the permissions associated with the role.

Role definitions and memberships represent the object-based security that controls access to Policy Manager functionality.

In Policy Manager, go to Workbench > Security. Role Definitions are shown at the top of the page, and Role Memberships at the bottom. An example is shown below.

Workbench > Security > Roles


Role Definitions

About role definitions

In Policy Manager, a Role Definition is essentially a template that represents the baseline rules that can be used throughout Policy Manager as a Role Membership. It is a defined set of permissions associated with a role name.

The default installation of Policy Manager includes a set of default roles representing common tasks associated with the Akana infrastructure. A few are reserved for system use; the others you can edit. You can also add new role definitions.

For details of the defaults, see Default role definitions below.

Each Role Definition is replicated to the Role Memberships section of the page. This displays on the Details page of each Sub-Organization. The Manage Role function within the Role Membership Portlet is used to assign Users/User Groups to each Role. Assigned User/User Groups have access to the functional areas defined within the role definition. You can assign a base set of User/User Group assignments at the Root Organization level and then customize the assignments at different Organization tiers.

To manage roles, you can:


Default role definitions

For role definitions, see:

Reserved role definitions

The role definitions shown below are reserved for system use and cannot be edited.

Role name: What the role controls
Security Administrator

The Security Administrator Role:

  • Creates/edits/deletes policies.

  • Manages discovered services for applications that they maintain.

  • Manages access to applications to other user groups.

  • Creates/edits/deletes/moves/secures applications.

  • Manages application identity.

  • Approves the publication of services to an application.

  • Specifies consumer applications that may consume provider applications.

  • Defines and receives service change.

  • Defines SLAs.

  • Defines all alerts.

System Administrator

The System Administrator role is a Super User/Reserved role. The behavior of this role is different from every other role. This role does not contain privileges as part of its configuration, because assignment to this role provides complete access to all Policy Manager functionality. This role should be used exclusively by system administrators responsible for managing a Policy Manager production site.

System Agent

The System Agent is a reserved role for read-only access to Policy Manager configuration.

System User

In order to allow access to Policy Manager functionality, you must assign the System User role to each user who will be accessing the system. This role allows users to view Policy Manager data.

As a general practice, it's best to assign this role to each user, in the Workbench > Security > Role Membership section of the relevant sub-organization that the user will be associated with, immediately after creating the user.

Editable role definitions

The role definitions shown below are system defaults that can be modified.

Role name: What the role controls
Developer Role

The Developer Role:

  • Ensures that services to be developed do not exist in the Policy Manager.
  • Develops/deploys new services.
  • Applies policies defined by the provisioning group.
  • Service characteristics, primarily Policy Manager categorization.
  • Migrates managed services by container group. Note that this refers to migration to the development, staging, and production environments.
  • Defines service capabilities. The SD tags services with predetermined Policy Manager search metrics, descriptions, and provider contact information.

Guest

This role allows anonymous runtime access.

Infrastructure Manager

The Infrastructure Manager Role:

  • Associates containers with containing applications. (Note: this relationship will be captured during the container configuration process.)
  • Installs containers on servers.
  • Creates/edits/deletes container groups.
  • Creates/edits/deletes/moves/secures containers within groups.
Operation Manager

The Operation Manager Role:

  • Receives all alerts.
  • Throttles services in real time when necessary and for specified durations.
  • Creates/edits/deletes alerts.
Organization Administrator

The Organization Administrator is responsible for:

  • Adding, modifying and deleting organizations, and managing services, policies, and containers within an organization.
Policy Administrator

The Policy Administrator Role is responsible for:

  • Adding, modifying and deleting policies within an organization. This role applies at the root organization only.
Provision Manager

The Provision Manager Role is responsible for:

  • Approving contracts.


Add a role definition

When you add a role definition, it's added to the Role Memberships list so that you can assign that role to users and groups.

To add a role definition
  1. Go to Workbench > Root Organization > Security. The Security Summary page is displayed.
  2. In the Role Definitions section, at the bottom, click Add Role Definition. The Add Role Definition page is displayed, as shown below.

    Add Role Definition page

  3. Specify a brief but clear name for the role, and a description.
  4. Click Add Privilege to add a privilege to the new role. See To add or update the security privileges for a role below.
  5. When done, click Finish.

When you add a new role, the Role Memberships list refreshes to show the new role. You can now assign the new role to users and groups. See Role Memberships.


Modify a role definition

For an existing role, you can modify:

  • The role definition (name and description)
  • The security privileges (what resources the privileges relate to, such as apps or contracts, and what access to the resources they relate to, such as read-only or modify)
  • The permissions: whether the privileges define what the role can do or what the role cannot do.

To modify a role definition
  1. Go to Workbench > Root Organization > Security. The Security Summary page is displayed.
  2. In the Role Definitions section, choose the role that you want to modify. On the right, click Modify.
  3. At the Modify Role Definition page, change one or more values, as needed:
    • Role Name
    • Description
    • Object Security Privileges: You can add a new security privilege for the role, or modify or delete existing security privileges. If you add or modify, you'll see the Select Object Type page, where you can choose from a list of object types that the security privilege applies to: for example, contract, policy, script, app, certificate, or deployment zone. For more information, see To add or update the privileges for a role below.
    • Permissions: choose Allow selected actions or Deny selected actions.
  4. Click Finish to save changes.

To add or update the security privileges for a role
  1. Go to Workbench > Root Organization > Security. The Security Summary page is displayed.
  2. In the Role Definitions section, choose the role that you want to modify.
  3. On the right, click Modify. The Modify Role Definition page appears, as shown below.

    Modify Role Definition page

  4. Click Add Privilege.
  5. On the Select Object Type page, choose the object type; for example, group. Click Next.
  6. On the Select Object Actions page, specify:
    • Object Actions: Choose Full Control or one or more of the following: Read, Add, Modify, or Delete.
    • Permissions: Must be one of the following: Allow selected actions or Deny selected actions.
  7. Click Next.
  8. Review the changes on the Modify Role Definition page, and then click Finish.
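The two procedures above describe a role as a list of privileges, each naming an object type (contract, policy, app, group, and so on), a set of object actions (Full Control, or some of Read, Add, Modify, Delete) and a permission (Allow selected actions or Deny selected actions); the earlier paragraph under "About role definitions" adds that memberships assigned at the Root Organization are a base set that sub-organizations refine. The model below is an added example written for this page to make that structure concrete; it is not Akana's code or API. It assumes, because the page does not say, that an explicit Deny overrides any Allow, that Full Control means all four actions, that a principal with no matching privilege is denied, that a sub-organization's memberships are checked together with those inherited from its parent, and that System Administrator grants everything without listing privileges. The role, user, group and organization names other than the page's default roles are constructed.

```python
"""Illustrative model of Policy Manager-style object-based security.

Added example, not Akana's code. Assumptions not stated on the page:
Deny overrides Allow; Full Control = all four actions; no matching
privilege means denied; sub-organization memberships are evaluated
together with those inherited from parent organizations; the
System Administrator role is a super user with no listed privileges.
"""
from dataclasses import dataclass, field

ACTIONS = frozenset({"Read", "Add", "Modify", "Delete"})


@dataclass(frozen=True)
class Privilege:
    object_type: str      # e.g. "policy", "contract", "app", "group"
    actions: frozenset    # subset of ACTIONS; ACTIONS itself means Full Control
    allow: bool           # True = Allow selected actions, False = Deny selected actions


def full_control(object_type: str, allow: bool = True) -> Privilege:
    """Privilege covering every action on an object type."""
    return Privilege(object_type, ACTIONS, allow)


@dataclass
class RoleDefinition:
    name: str
    description: str = ""
    privileges: list = field(default_factory=list)
    reserved: bool = False     # reserved roles cannot be edited (page: "cannot be edited")
    super_user: bool = False   # System Administrator: complete access, no privilege list

    def add_privilege(self, priv: Privilege) -> None:
        if self.reserved:
            raise ValueError(f"{self.name} is reserved and cannot be edited")
        self.privileges.append(priv)


@dataclass
class Organization:
    name: str
    parent: "Organization | None" = None
    memberships: dict = field(default_factory=dict)  # role name -> set of user/group names

    def assign(self, role: str, principal: str) -> None:
        """Equivalent of Manage Role: add a user or group to a role in this organization."""
        self.memberships.setdefault(role, set()).add(principal)

    def roles_for(self, principals: set) -> set:
        """Roles held here or in any ancestor (assumption: root assignments are inherited)."""
        roles, org = set(), self
        while org is not None:
            for role, members in org.memberships.items():
                if members & principals:
                    roles.add(role)
            org = org.parent
        return roles


def is_allowed(user: str, groups: set, org: Organization, roles: dict,
               object_type: str, action: str) -> bool:
    """Decide whether user (plus its groups) may perform action on object_type within org."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    principals = {user} | set(groups)
    held = [roles[n] for n in org.roles_for(principals) if n in roles]
    if any(r.super_user for r in held):
        return True
    allowed = denied = False
    for role in held:
        for p in role.privileges:
            if p.object_type == object_type and action in p.actions:
                if p.allow:
                    allowed = True
                else:
                    denied = True
    return allowed and not denied   # assumption: an explicit Deny wins


def effective_actions(user: str, groups: set, org: Organization, roles: dict,
                      object_type: str) -> set:
    """Actions a principal can actually perform on one object type; useful for a least-privilege review."""
    return {a for a in ACTIONS if is_allowed(user, groups, org, roles, object_type, a)}


def build_example():
    """Constructed sample: page default roles plus one user-defined role and one sub-organization."""
    roles = {
        "System Administrator": RoleDefinition("System Administrator", reserved=True, super_user=True),
        "System User": RoleDefinition("System User", reserved=True,
                                      privileges=[Privilege("policy", frozenset({"Read"}), True)]),
        "Policy Administrator": RoleDefinition("Policy Administrator",
                                               privileges=[full_control("policy")]),
        # Constructed user-defined role: may read and modify contracts, never delete them.
        "Contract Reviewer": RoleDefinition("Contract Reviewer", privileges=[
            Privilege("contract", frozenset({"Read", "Modify"}), True),
            Privilege("contract", frozenset({"Delete"}), False)]),
    }
    root = Organization("Root Organization")
    sub = Organization("Payments", parent=root)          # constructed sub-organization
    root.assign("System User", "Everyone")               # base assignment at root tier
    root.assign("System Administrator", "admin")
    root.assign("Policy Administrator", "policy-team")   # page: this role applies at root only
    sub.assign("Contract Reviewer", "bob")               # customization at the sub-organization tier
    return roles, root, sub


if __name__ == "__main__":
    roles, root, sub = build_example()
    print(sorted(effective_actions("bob", {"Everyone"}, sub, roles, "contract")))   # ['Modify', 'Read']
```

Running the module prints the actions bob actually holds on contracts in the Payments sub-organization; note that he holds none at the root, because his Contract Reviewer membership was assigned only at the sub-organization tier, while the System User membership granted at the root reaches him through inheritance.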


Delete a role definition

To delete a Role Definition
  1. Go to Workbench > Root Organization > Security. The Security Summary page is displayed.
  2. In the Role Definitions section, choose the role that you want to delete.
  3. On the right, click Delete, and confirm at the prompt. The role is deleted.


View a role definition

To view a role definition, go to Workbench > Root Organization > Security. The Security Summary page is displayed.

There are two scenarios:

  • Reserved roles such as System Administrator: click the View link to the right. The View Role page is displayed, with information about the role. An example is shown below.

    View Role page

  • Non-reserved roles: All other roles, whether default or user-defined, can be edited. To view information about the role, click Modify. The Modify Role Definition page appears, with information about the role. When done, click Cancel.


Role Memberships

About role memberships

You can add or modify the role membership for all types of roles: reserved default roles, editable default roles, and user-defined roles.

Note: the default role memberships affect many of the default activities that specific users and user groups can perform; for example, the Site Admin and API Admin in the developer portal. It's best not to change the defaults unless you're really sure of what you're doing.


Assign a role to a user

You can assign a role to a specific user in Policy Manager.

The procedure below assigns the System Administrator role. The process works exactly the same for all roles.

To grant System Administrator permission
  1. Log in to the Policy Manager console as the Administrator.
  2. Click the Workbench tab and then, on the left, click Registry.
  3. On the right, click the Security tab, as shown below.

    Add permissions: Security tab

  4. In the right pane, scroll down to the Role Memberships section, and find the System Administrator role. On the right, click Manage Role, as shown below.

    Add permissions: modifying the permission

  5. In the Object Based Security Role page, use the search feature to locate the user. In the example below, choosing Contains with no value and clicking Save returns a full list of users. Click the username in the left pane and click the arrow icon (>>) to move the admin user to the right pane, to assign the role.

    Add permissions: assigning user to role

  6. Click Apply. The admin user now has the System Administrator role and can use the API.

Note: You can also grant permissions in the developer portal: Administration > Users. See How do I assign security roles to users for my organization? (developer portal help). However, you might find that the System Administrator permission isn't displayed on the list since these permissions are senior to the developer portal.


View role memberships

To view role memberships
  1. To view the users and groups that have membership in a specific role, go to Workbench > Root Organization > Security. The Security Summary page is displayed.
  2. On the second part of the page, Role Memberships, find the role, and click Manage Role.
  3. In the Object Based Security Role page, users and groups who have role membership are displayed in the right column. An example is shown above.
  4. When done, click Cancel.
