The initial administrator user is a global administrator. This user is granted all permissions and can access all data and functionality. New users are also treated as global administrators when they are not assigned to a group.
Global administrators have access to the "My Computer" connection. This connection is created during initial setup and is required for Agents to access content on the user's local desktop. Access to the "My Computer" connection is restricted by creating groups and assigning users to them.
In production installations, it is recommended that users be created within a newly created group. This avoids the security issues associated with implicit access to the "My Computer" connection.
Definitions
Groups and group memberships define the data to which users have access. For example, if an NFS connection is created by a user in Group A, a user assigned to Group B will not be able to access that connection. A group only has access to data created by its own members and by members of its child groups; it does not have access to data created by its parent or peer groups.
The term tenant is also used in relation to groups. A tenant is any group created without a parent, otherwise known as a root group. A user is considered a tenant administrator when they are assigned to a root (tenant) group.
Permissions define the type of data and the level of access. For example, the List Jobs permission allows a user to view the list of jobs defined in the group or groups in which the user is included.
Roles define a subset of permissions. For example, a role named 'Job Administrators' might be created that includes the List Jobs, Manage Jobs, and Control Jobs permissions.
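The scoping rules in the Definitions above (child groups visible, parent and peer groups not, ungrouped users global, root groups tenants), modelled as a small Python example. This is added here and is not code from the product; the group tree and user names are constructed test data, and the model deliberately ignores roles and permissions to show only the group-visibility rule.

```python
# Added example (not from the product): a model of the group-scoping rule.
# Group ids and the tree below are constructed test data.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Group:
    id: str
    parent: Optional[str] = None  # None => root group, i.e. a tenant


@dataclass
class User:
    login: str
    group: Optional[str] = None  # None => not assigned to any group


class Directory:
    """Holds the group tree and answers the scoping questions from the text."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}

    def add_group(self, gid: str, parent: Optional[str] = None) -> Group:
        if parent is not None and parent not in self.groups:
            raise ValueError(f"unknown parent group {parent!r}")
        self.groups[gid] = Group(gid, parent)
        return self.groups[gid]

    def is_tenant(self, gid: str) -> bool:
        """A tenant is any group created without a parent (a root group)."""
        return self.groups[gid].parent is None

    def tenant_of(self, gid: str) -> str:
        """Walks up to the root group that owns this group."""
        g = self.groups[gid]
        while g.parent is not None:
            g = self.groups[g.parent]
        return g.id

    def is_descendant_or_self(self, gid: str, ancestor: str) -> bool:
        g = self.groups[gid]
        while True:
            if g.id == ancestor:
                return True
            if g.parent is None:
                return False
            g = self.groups[g.parent]

    def is_global_admin(self, user: User) -> bool:
        """Users not assigned to a group are global administrators."""
        return user.group is None

    def is_tenant_admin(self, user: User) -> bool:
        """Users assigned to a root (tenant) group are tenant administrators."""
        return user.group is not None and self.is_tenant(user.group)

    def can_access(self, user: User, data_group: str) -> bool:
        """True if data created by members of data_group is visible to user:
        global admins see everything; otherwise the data's group must be the
        user's own group or one of its descendants (never a parent or peer)."""
        if self.is_global_admin(user):
            return True
        return self.is_descendant_or_self(data_group, user.group)


def demo() -> Dict[str, bool]:
    """Constructed tree: two tenants A and B, with A1 nested under A."""
    d = Directory()
    d.add_group("A")
    d.add_group("A1", parent="A")
    d.add_group("B")
    user_a, user_a1 = User("alice", "A"), User("arun", "A1")
    user_b, admin = User("bob", "B"), User("root")
    return {
        "A sees child A1": d.can_access(user_a, "A1"),
        "A1 sees parent A": d.can_access(user_a1, "A"),
        "A sees peer B": d.can_access(user_a, "B"),
        "ungrouped sees B": d.can_access(admin, "B"),
        "A user is tenant admin": d.is_tenant_admin(user_a),
        "A1 user is tenant admin": d.is_tenant_admin(user_a1),
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

The useful check for an operator is the last two entries: nesting a group under a tenant keeps its users out of the tenant-admin category, which is why the text recommends creating production users inside a newly created group rather than leaving them ungrouped.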
How To
There are three ReST endpoints used to create groups, roles, and users:
- POST [base-url]/v1/groups
- POST [base-url]/v1/roles
- POST [base-url]/v1/users
Create Group
To create a new group, first obtain an access token from the [base-url]/connect/token endpoint. Then make a ReST request using the following as a template.

| Field | Value |
| --- | --- |
| Method | POST |
| URL | [base-url]/v1/groups |
| Headers | Authorization: Bearer [access_token]; Accept: application/json; Content-Type: application/json |
| Body | |

The body may also include a parent reference to create a nested group.
Create Role
Next, create a new role by making a ReST request using the following as a template, replacing [role name] with the role name and the list of permissions desired. A list of permission IDs and their descriptions is available at GET [base-url]/v1/permissions (a bearer token is required).

| Field | Value |
| --- | --- |
| Method | POST |
| URL | [base-url]/v1/roles |
| Headers | Authorization: Bearer [access_token]; Accept: application/json; Content-Type: application/json |
| Body | { "name": "[role name]", "permissions": [ "bbd25a404cdc4e01baabd0b79394cbd8", "d9507ec76bf7414aa8a74a0c88c32a48", "3560a25976504967bcd48a7e668a07a8" ] } |
Create User
Finally, create a new user by making a ReST request using the following as a template. Replace the monospace items with the desired values, the role ID with the value from the response in the second step, and the group ID with the value from the response in the first step. Note that roles is an array, so multiple IDs may be included. Alternatively, the roles attribute can be removed and the user will be created as a tenant admin for that group.

| Field | Value |
| --- | --- |
| Method | POST |
| URL | [base-url]/v1/users |
| Headers | Authorization: Bearer [access_token]; Accept: application/json; Content-Type: application/json |
| Body | { "login": "[username]", "password": "[password]", "name": "[display name]", "roles": [ { "id": "07698d0034064b2b9d3966f4e19da21f" } ], "group": { "id": "07698d0034064b2b9d3966f4e19da21f" } } |
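The three steps above (token, group, role, user) driven end to end, as an added Python example that is not the product's own client or documentation. It assumes: BASE_URL is a placeholder for [base-url]; the token endpoint accepts an OAuth2 password grant (the page names only the endpoint path, not the grant type); each POST returns a JSON object with an "id" field; and, since the page does not show the group body, the group field names "name" and "parent": {"id": ...} are assumptions. The role and user bodies follow the tables above. A recording transport is included so the flow runs offline; swap in http_transport for a live server.

```python
# Added example (not the product's code): provisions group -> role -> user,
# threading each response id into the next request.
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Sequence

# Placeholder for the page's [base-url]; replace with the real server address.
BASE_URL = "https://example.invalid"

# A transport takes (method, url, headers, raw body) and returns the decoded
# JSON reply. It is injected so the same flow runs against a live server or
# against the recorder below.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]


def http_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Dict[str, Any]:
    """Real transport: sends the request with urllib and parses the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class RecordingTransport:
    """Dry-run transport: records every call and returns constructed ids."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Dict[str, Any]:
        is_json = headers.get("Content-Type") == "application/json"
        payload = json.loads(body) if (is_json and body) else body
        self.calls.append({"method": method, "url": url, "headers": headers, "payload": payload})
        if url.endswith("/connect/token"):
            return {"access_token": "constructed-token"}
        return {"id": f"constructed-id-{len(self.calls)}"}


def get_token(transport: Transport, username: str, password: str,
              base_url: str = BASE_URL) -> str:
    """Obtains a bearer token from [base-url]/connect/token.
    Assumption: the endpoint accepts an OAuth2 password grant."""
    form = urllib.parse.urlencode({"grant_type": "password",
                                   "username": username, "password": password}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return transport("POST", f"{base_url}/connect/token", headers, form)["access_token"]


def post_json(transport: Transport, token: str, path: str, payload: Dict[str, Any],
              base_url: str = BASE_URL) -> Dict[str, Any]:
    """POSTs a JSON body with the three headers listed in the tables above."""
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    resp = transport("POST", f"{base_url}{path}", headers, json.dumps(payload).encode())
    if "id" not in resp:  # every later step depends on the returned id
        raise RuntimeError(f"POST {path}: no id in response: {resp!r}")
    return resp


def create_group(transport: Transport, token: str, name: str,
                 parent_id: Optional[str] = None) -> str:
    """Step 1. The page does not show the group body, so "name" and the
    "parent": {"id": ...} reference are assumed field names."""
    payload: Dict[str, Any] = {"name": name}
    if parent_id is not None:
        payload["parent"] = {"id": parent_id}
    return post_json(transport, token, "/v1/groups", payload)["id"]


def create_role(transport: Transport, token: str, name: str,
                permission_ids: Sequence[str]) -> str:
    """Step 2, body as shown in the Create Role table."""
    if not permission_ids:
        raise ValueError("a role needs at least one permission id")
    body = {"name": name, "permissions": list(permission_ids)}
    return post_json(transport, token, "/v1/roles", body)["id"]


def create_user(transport: Transport, token: str, login: str, password: str,
                display_name: str, group_id: str, role_ids: Sequence[str] = ()) -> str:
    """Step 3, body as shown in the Create User table. An empty role_ids omits
    the roles attribute, which per the page makes the user a tenant admin."""
    payload: Dict[str, Any] = {"login": login, "password": password,
                               "name": display_name, "group": {"id": group_id}}
    if role_ids:
        payload["roles"] = [{"id": rid} for rid in role_ids]
    return post_json(transport, token, "/v1/users", payload)["id"]


def provision(transport: Transport, token: str, group_name: str, role_name: str,
              permission_ids: Sequence[str], login: str, password: str,
              display_name: str, parent_group_id: Optional[str] = None) -> Dict[str, str]:
    """Runs the three steps in order and returns the ids each one produced."""
    group_id = create_group(transport, token, group_name, parent_group_id)
    role_id = create_role(transport, token, role_name, permission_ids)
    user_id = create_user(transport, token, login, password, display_name, group_id, [role_id])
    return {"group_id": group_id, "role_id": role_id, "user_id": user_id}


if __name__ == "__main__":
    rec = RecordingTransport()  # swap in http_transport for a real run
    tok = get_token(rec, "admin", "admin-password")  # constructed credentials
    print(provision(rec, tok, "Tenant A", "Job Administrators",
                    ["bbd25a404cdc4e01baabd0b79394cbd8"], "alice", "S3cret!", "Alice"))
    for call in rec.calls:
        print(call["method"], call["url"], call["payload"])
```

Because every user created by this flow lands in a freshly created group with an explicit role, none of them is an ungrouped (global) administrator, which is the production recommendation at the top of the page; the tenant-admin variant is the same call with role_ids left empty.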