Data Services user and rights management – step by step instructions
Data Services uses the Central Management Server (CMS) for user and rights management. In a stand-alone DS environment, the same functionality is supplied by the Information Platform Services (IPS). Setting up user security is a rather cumbersome process. The procedure for granting access to a DS developer consists of four steps:
- Create the user
- Grant access to the DS Designer application
- Grant access to one or more (or all) repositories
- Allow automatic retrieving of the DS repository password from the CMS
1. Creating the user
By default, the DS installation program does not create any user accounts. Use the “Users and Groups” management area of the CMC to create users.
Figure 1: User List
Right click on the “User List” entry, select New > “New User” and specify the required details.
Figure 2: Create New User
Select the “Create & Close” button to finalize this step.
2. Granting access to DS Designer
User name and password are entered in the DS Designer Repository Logon window.
Figure 3: DS Repository logon
2.1. User management
Unfortunately, the newly created user only has a limited number of access rights by default. More specifically, authorization to run DS
Designer is not granted automatically.
When trying to start the application with this user and password, access is denied:
Figure 4: Access Denied
Access can be granted to an individual user in the Applications area of the CMC. Right-click “Data Services Application” and select “User Security”.
Figure 5: Applications area in CMC
Select the “Add Principals” button:
Figure 6: User security
Select the user from the “User List” in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel.
Figure 7: Add Principals
Select the Advanced tab and then the “Add/Remove Rights” link.
Figure 8: Assign Security
Grant access to Designer and select OK.
Figure 9: Add/remove Rights
2.2. Group management
As mentioned above, the DS installation program does not create any default user accounts. But it does create several default group accounts. One of these groups is called “Data Services Designer”. Members of this group automatically have access to the DS Designer.
After creating a new user, assign it to this group account. That will grant the user with access to DS Designer, the same result as with
the explicit user-level grant, but achieved in a much simpler way.
Return to the “Users and Groups” management area of the CMC. Right-click on the user and select “Join Group”.
Figure 10: Users and Groups
Select the group from the “Group List” in the “Available groups” panel and select the “>” button to move it to the “Destination Group(s)” panel and hit OK.
Figure 11: Join Group
3. Granting access to the repositories
When an authorized user connects to the DS Designer application, following error message is displayed:
Figure 12: No repositories are associated with the user
That is because a user in the “Data Services Designer Users” group has no default access to any of the DS repositories:
Figure 13: Access control list: No access by default
If a user needs access to a given repository, that access has to be explicitly granted to him.
Navigate to the “Data Services” area in the CMC. Right-click on the name of the repository and select “User Security”.
Figure 14: Data Services
The “User Security” dialog box appears and displays the access control list for the repository. The access control list specifies the users and groups that are granted or denied rights to the repository.
Figure 15: User Security
Select the “Add Principals” button. Then select the users or groups from the “User List” or “Group List” respectively in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel. Finally, select “Add and Assign Security”.
Figure 16: Add principals
Select the access level to be granted to the user or group:
- To grant read-only access to the repository, select “View”.
- To grant full read and write access to the repository, select “Full Control”.
- To deny all access to the repository, select “No Access”.
Select the “>” button to move it from the “Available Access Levels” to the “Assigned Access Levels” panel. And hit OK.
- Grant View access to every individual developer (or to the “Data Services Designer Users” group or to a special dedicated group, for that matter) at the level of the Repositories folder. Make sure that, when using the default group for this, it comes with the default settings. If it doesn’t, simply reset security settings (on object repositories and on all children and descendants of object repositories) on the default group before attempting this operation.
- Grant “Full Control” access to every individual developer for his own repository.
When logging in to DS, developers see the full list of repositories they are granted access to. A value of “No” in the second column means full access, “Yes” means read-only.
Figure 18: Typical DS Designer logon screen
Don’t make the list too long. The logon screen is not resizable. And scrolling down may become very tedious!
4. Retrieving the DS repository password from the CMS
The users can now connect to the repositories from within DS Designer. When he starts the application, as an extra security feature, he is prompted for the (database) password of the repository:
Figure 19: Repository password
If this extra check is not wanted, it can be explicitly removed.
Return to the “User Security” dialog box that displays the access control list for the repository. Select the User, then the “Assign Security” button.
In the “Assign Security” dialog box, select the Advanced tab and then the “Add/Remove Rights” link.
Figure 20: Assign Security
Grant both “Allow user to retrieve password” and “Allow user to retrieve password that user owns” privileges and hit OK.
Figure 21: Add/remove Rights
DS Designer will not prompt for a database password anymore when the user tries to connect to this repository.
Note: By applying the same method at the level of the Repositories folder in the “Data Services” area in the CMC, this extra check will be removed from all repositories accessible by this user at once.