Schema for Assigning Roles to channel Repository access by function

Document ID : KB000013933
Last Modified Date : 14/02/2018
Introduction:

Schema for Assigning Roles to channel Repository access by function

Question:

Assume you have 3 agencies using Web Viewer and each agency has 2 CA View databases (A JCL database and a report database). They like their isolation as much as possible. Finance department doesn't want Personnel users seeing their reports and vice versa. As they share a single Web Viewer, when for example a new Finance user comes along, and if they have a valid Mainframe ID they will go into the Default User group (which could be for Personnel or Customer Service). Getting them into the Finance Group requires someone with System Administrator authority, correct? Can you suggest another schema or process that would allow for automatic assignment to the appropriate role? Can we be assured a user from one agency/role won't be able to see the reports of the other two?  

Answer:

Assumptions: 
1. 6 CA View databases secured by mainframe security. 
2. 3 "agencies", each with access to 2 CA View databases (no overlap)
3. 1 instance of Web Viewer to serve all users. 

Recommendations for predefining users (one-time): 
o Define 6 repositories, one for each CA View database. 
o Define 3 roles, one for each "agency". Assign the appropriate repositories (CA View database) to the roles. 
o Create 3 model users, one for each "agency", and assign the appropriate role.
o From the Administration / User panel, Export the Users. This will produce an XML file (adminUser.xml by default). 
o Copy/edit adminUser.xml and strip out the user records (<user>...</user>) for all users EXCEPT the 3 model users.
o Edit the resulting file, duplicating the user record (<user>...</user>) for each of the real users to add. Select the model user to match the actual user's agency. 
o From the Administration / User panel, Import the updated User XML file. Set the conflict option to Skip; otherwise the import may replace already defined users.
o Refresh the user list (using form button, not browser refresh). Review the list to ensure users were added. 
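
The copy/edit/duplicate steps above can be scripted so that every real user is cloned from exactly one agency's model user. This is an added example, not code from the original article or the vendor; the <users> wrapper element, the user IDs and the role names are assumptions, since the page shows only individual <user> records.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample export. The page shows only <user> records, so the
# <users> wrapper element and all IDs and role names here are assumptions.
EXPORT = """<users>
<user><userID>mdlfin</userID><firstName>Model</firstName><lastName>Finance</lastName><ownerRoleName>System Admin</ownerRoleName><memberOf><roleName>Finance</roleName></memberOf></user>
<user><userID>mdlper</userID><firstName>Model</firstName><lastName>Personnel</lastName><ownerRoleName>System Admin</ownerRoleName><memberOf><roleName>Personnel</roleName></memberOf></user>
<user><userID>johndoe</userID><firstName>John</firstName><lastName>Doe</lastName><ownerRoleName>System Admin</ownerRoleName><memberOf><roleName>Default User</roleName></memberOf></user>
</users>"""
MODELS = {"Finance": "mdlfin", "Personnel": "mdlper"}   # role -> model userID
ROSTER = [("fin001", "Ann", "Lee", "Finance"),          # constructed roster
          ("per001", "Raj", "Rao", "Personnel"),
          ("fin001", "Ann", "Lee", "Personnel"),        # duplicate ID, other agency
          ("johndoe", "John", "Doe", "Finance"),        # already defined in the export
          ("cs001", "Kim", "Ito", "Customer Service")]  # no model user for this role

def build_import(export_xml, models, roster):
    """Return (import XML, rejected userIDs) built from the model users only."""
    root = ET.fromstring(export_xml)
    existing = {u.findtext("userID"): u for u in root.iter("user")}
    out = ET.Element(root.tag)
    templates = {}
    for role, model_id in models.items():
        model = existing.get(model_id)
        held = [] if model is None else [r.text for r in model.findall("memberOf/roleName")]
        if held != [role]:   # a model must carry its agency role and nothing else
            raise ValueError(f"model {model_id!r} holds {held}, expected [{role!r}]")
        templates[role] = model
        out.append(copy.deepcopy(model))
    seen, rejected = set(), []
    for uid, first, last, role in roster:
        if role not in templates or uid in existing or uid in seen:
            rejected.append(uid)   # never guess a role or silently re-assign one
            continue
        seen.add(uid)
        rec = copy.deepcopy(templates[role])
        for tag, value in (("userID", uid), ("firstName", first), ("lastName", last)):
            rec.find(tag).text = value
        out.append(rec)
    return ET.tostring(out, encoding="unicode"), rejected

if __name__ == "__main__":
    xml_text, rejected = build_import(EXPORT, MODELS, ROSTER)
    print(xml_text, "rejected:", rejected)
```

Rejected IDs are left for manual review rather than being placed in any role, which keeps a roster mistake from granting another agency's repositories.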

Recommendations for dynamically added users (on-going) 
o Update the Default User role. Remove all assigned repositories. 
o When a new user (not predefined to Web Viewer) logs in, they will be assigned to this role. They will have no "Reports" and no repositories under Advanced Search.
o These new users should be instructed to log off from Web Viewer and then request access for their agency.
o The Web Viewer system administrator (or their proxy) should log in to Web Viewer, set their role to System Admin, locate the user under Administration / User, then change the Selected Role to the user's agency (and remove Default User).

Additional Information:

See Also:

Adding roles to existing CA Output Management Web Viewer users with Export and Import for Releases 12.0 and 12.1

Document ID:  TEC1955968

Introduction: 

It is possible to use the Export and Import features of Web Viewer to add roles to an existing set of users. This is done by exporting the user objects to an xml file, modifying the xml data and importing the xml file.

Instructions:

Before making mass modifications to the database that contains Web Viewer administration objects such as roles, users, repositories, etc., take a database backup.
While logged in as a Web Viewer system admin, perform the following to export User objects from the Web Viewer database to an XML file:
  • Click the Administration tab
  • Click the Export Link
  • When the Admin Object Export – Webpage Dialog appears, select Users then click the Next button
  • When prompted, select a location and name for the file then click Save (the exact steps will vary depending on the browser being used). The default filename is adminUser.xml
  • Click the Close button
Next, use an XML editor of your choice to modify adminUser.xml (or whatever you named the file during the export process). The file contains a series of <user> elements which comprise definitions for all users defined in your Web Viewer database, for example:
<user>
  <userID>johndoe</userID>
  <firstName>John</firstName>
  <lastName>Doe</lastName>
  <ownerRoleName>System Admin</ownerRoleName>
  <memberOf>
    <roleName>Default User</roleName>
  </memberOf>
</user>
 
The <memberOf> element contains one or more <roleName> elements which represent the roles defined for the user. To add an existing role to an existing user or set of users, you can either modify an existing <roleName> element or add an additional one. For example:
 
modify an existing <roleName> element
<user>
  <userID>johndoe</userID>
  <firstName>John</firstName>
  <lastName>Doe</lastName>
  <ownerRoleName>System Admin</ownerRoleName>
  <memberOf>
    <roleName>New Role</roleName>
  </memberOf>
</user>
 
add an additional <roleName> element
<user>
  <userID>johndoe</userID>
  <firstName>John</firstName>
  <lastName>Doe</lastName>
  <ownerRoleName>System Admin</ownerRoleName>
  <memberOf>
    <roleName>Default User</roleName>
    <roleName>New Role</roleName>
  </memberOf>
</user>
 
In either case, when the Import feature is used specifying the Override option and the modified XML file as input, “New Role” will be added to user johndoe. “Default User” will remain; this role has to be deleted manually using the Admin panel if it’s not desired.
 
To perform the import, log in as a system admin and do the following:
 
  • Click the Administration tab
  • Click the Import Link
  • When the Admin Object Import dialog appears, select Users, select Override in the Conflict Option column, then click the Browse button
  • Specify the location and name for the modified XML file then click Open
  • Click the Import button
  • When the import is complete, click the Close button
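
Because an Override import adds roles and leaves "Default User" in place, a fresh export taken after the import can be checked for users who hold more than one agency's role or who still carry the default role. This is an added example, not code from the original article or the vendor; the <users> wrapper element, the user IDs and the agency role names are assumptions, and the sample records are trimmed to the fields the check reads.

```python
import xml.etree.ElementTree as ET

# Constructed re-export taken after an import. The <users> wrapper and the
# agency role names are assumptions; the page shows only <user> records.
REEXPORT = """<users>
<user><userID>johndoe</userID><memberOf><roleName>Default User</roleName><roleName>Finance</roleName></memberOf></user>
<user><userID>fin001</userID><memberOf><roleName>Finance</roleName></memberOf></user>
<user><userID>per001</userID><memberOf><roleName>Personnel</roleName><roleName>Finance</roleName></memberOf></user>
<user><userID>new042</userID><memberOf><roleName>Default User</roleName></memberOf></user>
</users>"""
AGENCY_ROLES = {"Finance", "Personnel", "Customer Service"}

def audit_roles(export_xml, agency_roles, default_role="Default User"):
    """Group userIDs by the role-assignment problem found in an export."""
    findings = {"cross_agency": [], "leftover_default": [], "awaiting_role": []}
    for user in ET.fromstring(export_xml).iter("user"):
        uid = user.findtext("userID")
        roles = {(r.text or "").strip() for r in user.findall("memberOf/roleName")}
        agencies = roles & agency_roles
        if len(agencies) > 1:
            # Holds roles of two agencies: can reach both sets of repositories.
            findings["cross_agency"].append(uid)
        if agencies and default_role in roles:
            # Default role left behind after the import; remove it in the Admin panel.
            findings["leftover_default"].append(uid)
        if roles <= {default_role}:
            # Logged in without being predefined; still needs an agency role.
            findings["awaiting_role"].append(uid)
    return findings

if __name__ == "__main__":
    for problem, ids in audit_roles(REEXPORT, AGENCY_ROLES).items():
        print(problem, ids)
```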