.. include:: /includes.rst.txt

.. comments - headings
   # with overline, for parts
   * with overline, for chapters
   = for sections
   - for subsections
   ^ for subsubsections
   " for paragraphs
   * for H5
   + for H6

.. index:: Rights Management

.. _rights_management:

Rights Management
-----------------

Rights (group) management is the basic access control subsystem for a few items in EDG:

* Changing “Any_Role (all users) are administrators” to a specified Tomcat role having administrator rights.
* Selecting the security role(s) that can create new asset collections by checking the Create box for that Tomcat role.
* Making selected graphs OTHER THAN EDG asset collections publicly readable. This option is typically applied to files uploaded from TBC to the server.

This page *does not* control the read/write access for any asset collections created in EDG.

Rights management consists of two types of activities:

* Defining *rights groups*
* Assigning user *security roles* to various rights groups

Each rights group represents specific access rights (i.e. **C**\reate, **R**\ead, **U**\pdate, **D**\elete and **E**\xecute) on the group’s selected workspace resources (or their generic “wildcard” types). For example, a file can be specified with **CRUD** access, whereas a SPARQLMotion script should have **CRUD+E**, and an exposed web service should have only **E** access. Users are then assigned to rights groups according to their *security roles*.

Prerequisite: Users’ Security Roles
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The user's side of rights management consists of knowing their security roles, which are configured during EDG’s installation and initial setup. A user security role must:

* Be defined in a Tomcat Realm, such as LDAP or ``tomcat-users.xml``
* Appear in TopBraid's permitted security roles setup (which defines the entries for the ``security-constraint`` tags in the application’s ``web.xml``).

EDG also has one special, pre-defined (pseudo-) security role: *ANY_ROLE*, which automatically represents every user. This role can be used to assign access rights universally.

.. seealso:: See :ref:`edg_installation_and_authentication` for details.

Defining Rights Groups
^^^^^^^^^^^^^^^^^^^^^^

AdministratorGroup
""""""""""""""""""

EDG has a special, pre-defined rights group, *AdministratorGroup*, which conveys full access to all EDG resources (including asset collections in EDG). The *AdministratorGroup* must always be assigned to at least one user security role that has at least one accessible login.

On initial EDG installation, the *AdministratorGroup* is assigned to ANY_ROLE. **This assignment should be moved** to one or more proper security roles as part of the initial application setup (by first assigning the *AdministratorGroup* to a proper role, then deleting it from ANY_ROLE).

Defining new groups
"""""""""""""""""""

To define a new rights group:

#. Select an existing role
#. Click **Add Group**
#. Choose the **–New Group–** option
#. Enter a name for the new group
#. Click **Create Group**

Rights groups cover one or more resources in the EDG workspace, including projects (directories/folders) and various types of files. The selected group’s workspace resources are listed in the Resource Rights section. Resources can be added or deleted, and each resource’s access rights can be enabled or disabled.

To add *particular* workspace resources, click the **Add Resources** button. To add *generic* resource types, click the **Add Wildcard** button. The defined *ANY_* resource types are as follows.

* **ANY_RESOURCE** - Any resource defined by TopBraid
* **ANY_SDB_RESOURCE** - Any SDB data connector (.sdb file)
* **ANY_TDB_RESOURCE** - Any TDB data connector (.tdb file)
* **ANY_GRAPH_RESOURCE** - Any named graph in the TopBraid workspace (This is a superset of ANY_SDB_RESOURCE and ANY_TDB_RESOURCE.)
* **ANY_FOLDER_RESOURCE** - Any folder in the TopBraid workspace
* **ANY_FILE_RESOURCE** - Any file that is not a graph, such as a text file, an Excel spreadsheet, or an XML file.
* **ANY_PROJECT_RESOURCE** - Any project in the TopBraid workspace (This differs from the PROJECT resource type in that it refers to all Eclipse/Equinox projects in the workspace.)

Then, for each resource item, select which specific **CRUD+E** access rights are enabled or disabled for the group. The access types are as follows:

* **Create** - Group members can create new resources
* **Read** - Group members can read resources
* **Update** - Group members can update/modify resources
* **Delete** - Group members can delete resources
* **Execute** - Group members can execute server-side scripts

.. note::
   To *remove* a group from a particular role, use the **X** icon next to the group name. To *delete* a group completely, use the **trashcan** icon. This will remove the group from all roles that were associated with it.

.. note::
   Project names should contain *no* spaces. If they do, an error will occur when trying to expand them. Correct the source Project name and re-upload it with no spaces.
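The following is an added illustration, not EDG's own code or an account of how EDG evaluates rights internally. It models the pieces described above (security roles permitted in ``web.xml``, the *ANY_ROLE* pseudo-role, rights groups holding **CRUD+E** entries on concrete paths or *ANY_\** wildcards, and the *AdministratorGroup* that must never be left without a real login) so that the effect of the installation default, where *ANY_ROLE* holds *AdministratorGroup*, and of moving it to a proper role can be checked before the *ANY_ROLE* assignment is deleted. Two things it assumes that the page does not state: a user's effective rights are the union over every group reachable through any of the user's roles, and the wildcard hierarchy follows the ANY_* list literally (``ANY_GRAPH_RESOURCE`` covers SDB and TDB connectors; ``ANY_FILE_RESOURCE`` covers only non-graph files). The role names, user names and workspace paths are constructed for the example.

```python
"""Toy model of EDG-style rights groups (added illustration, not EDG's code).

Assumptions not stated on the documentation page: effective rights are the
union of all groups reachable via a user's roles, and ANY_* wildcards match
resources by kind exactly as the page's list describes them.
"""
from dataclasses import dataclass, field

RIGHTS = frozenset("CRUDE")          # Create, Read, Update, Delete, Execute
ANY_ROLE = "ANY_ROLE"                # pseudo-role that every user holds
ADMIN_GROUP = "AdministratorGroup"   # pre-defined group with full access

# Resource kinds used by the model: project, folder, sdb, tdb, graph, file.
# An .sdb/.tdb connector is a graph; "graph" is any other named graph.
def wildcard_matches(wildcard: str, kind: str) -> bool:
    """Map the page's ANY_* wildcard types onto resource kinds."""
    if wildcard == "ANY_RESOURCE":
        return True
    if wildcard == "ANY_GRAPH_RESOURCE":          # superset of SDB and TDB
        return kind in {"sdb", "tdb", "graph"}
    return {
        "ANY_SDB_RESOURCE": "sdb",
        "ANY_TDB_RESOURCE": "tdb",
        "ANY_FOLDER_RESOURCE": "folder",
        "ANY_FILE_RESOURCE": "file",              # any non-graph file
        "ANY_PROJECT_RESOURCE": "project",
    }.get(wildcard) == kind


@dataclass
class RightsGroup:
    name: str
    # key: concrete workspace path or an ANY_* wildcard; value: subset of "CRUDE"
    entries: dict = field(default_factory=dict)

    def rights_on(self, path: str, kind: str) -> frozenset:
        if self.name == ADMIN_GROUP:               # full access everywhere
            return RIGHTS
        granted = set()
        for key, rights in self.entries.items():
            if key == path or (key.startswith("ANY_") and wildcard_matches(key, kind)):
                granted |= set(rights)
        return frozenset(granted)


@dataclass
class RightsConfig:
    groups: dict            # group name -> RightsGroup
    role_groups: dict       # security role -> set of group names
    permitted_roles: set    # roles listed in web.xml (the page's prerequisite)

    def effective_rights(self, user_roles, path: str, kind: str) -> frozenset:
        """Union of rights from every group assigned to the user's roles.
        Roles not permitted in web.xml are ignored; ANY_ROLE always applies."""
        roles = {r for r in user_roles if r in self.permitted_roles} | {ANY_ROLE}
        granted = set()
        for role in roles:
            for gname in self.role_groups.get(role, ()):
                granted |= self.groups[gname].rights_on(path, kind)
        return frozenset(granted)

    def safe_to_drop_admin_from_any_role(self, realm_users: dict) -> bool:
        """The page's invariant: AdministratorGroup must remain assigned to at
        least one permitted role that at least one realm login actually holds.
        realm_users maps user name -> set of roles from the Tomcat Realm."""
        for role, gnames in self.role_groups.items():
            if role == ANY_ROLE or ADMIN_GROUP not in gnames:
                continue
            if role in self.permitted_roles and any(role in rs for rs in realm_users.values()):
                return True
        return False


def sample_config() -> RightsConfig:
    """Constructed sample mirroring the page's examples: plain files get CRUD,
    a SPARQLMotion script gets CRUD+E, an exposed web service gets only E.
    Paths and role names are hypothetical."""
    groups = {
        ADMIN_GROUP: RightsGroup(ADMIN_GROUP),
        "Editors": RightsGroup("Editors", {
            "ANY_FILE_RESOURCE": "CRUD",
            "/scripts/nightly-load": "CRUDE",      # hypothetical script path
        }),
        "ServiceCallers": RightsGroup("ServiceCallers", {
            "/services/lookup": "E",               # hypothetical service path
        }),
    }
    return RightsConfig(
        groups=groups,
        role_groups={
            ANY_ROLE: {ADMIN_GROUP},   # the installation default the page says to move
            "edg-editor": {"Editors"},
            "edg-service": {"ServiceCallers"},
        },
        permitted_roles={"edg-admin", "edg-editor", "edg-service"},
    )


def migrate_admin(cfg: RightsConfig, admin_role: str, realm_users: dict) -> bool:
    """Perform the page's two-step move: assign AdministratorGroup to a proper
    role first, then delete it from ANY_ROLE only if the invariant holds.
    Returns True when the ANY_ROLE assignment was actually removed."""
    cfg.role_groups.setdefault(admin_role, set()).add(ADMIN_GROUP)
    if not cfg.safe_to_drop_admin_from_any_role(realm_users):
        return False                                # would lock everyone out
    cfg.role_groups[ANY_ROLE].discard(ADMIN_GROUP)
    return True
```

With the sample configuration as installed, ``effective_rights({"edg-editor"}, "/data/notes.txt", "file")`` returns all of ``CRUDE``, because every user reaches *AdministratorGroup* through *ANY_ROLE*; only after ``migrate_admin`` succeeds does the editor role collapse to ``CRUD`` on files and to nothing on a ``.tdb`` connector, which ``ANY_FILE_RESOURCE`` does not cover. ``migrate_admin`` refuses to drop the *ANY_ROLE* assignment when no realm login holds the target admin role, which is the lock-out the page's invariant guards against.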