Users and Privileges
Overview
Each user in TisGraph is assigned to exactly one user group.
Any number of security contexts may exist (they might, for example, correspond to different departments or rivers).
Each category in the document tree is assigned to exactly one security context, which takes effect for all documents in that category.
Each user group holds read or write privileges for a configurable set of security contexts; this set of privileges applies to every user in that group.
Example: Which privilege does user U have for document D?
- Document D is in category C
- Category C has security context K
- User U is assigned to a user group that grants a read privilege for security context K
Thus, user U may read that document, but not write to it.
Security Contexts
Currently, the set of security contexts cannot be managed through the GUI. The administrator defines it with the dojo-config-manager by editing
users.contextList
The security context of a category can be defined using the corresponding field in the category properties. That context takes effect for all documents in that category.
Users
Users log in with an LDAP, JAAS or Wiski user. TisGraph users may authenticate via one of the following systems:
- Kisters TSM-User database (WDB Users, see below)
- Active Directory/LDAP-Server
- OpenID Connect identity provider (e.g. Windows Server 2019 Active Directory Federation Services)
- Manual User Management
WDB Users / Standalone Groups
On first login, a user is automatically assigned to a configurable default user group. Usually, that user group has rather limited privileges; keep it minimal, because every account that can authenticate lands in it before an administrator has reviewed it.
The administrator can change the assignment of users to user groups using the following dialog (reachable via Administration ---> Users). Using the Delete button (below Actions), a user can be removed from the system if needed.
Automatic LDAP/Jaas User and Groups
Alternatively, TisGraph can be configured to take the group assignment from the authentication backend. A user's group membership, and with it the user's privileges, is then managed in your Active Directory (or LDAP directory) rather than in TisGraph.
User Groups
Using the following dialog (reachable via Administration ---> User Groups), the administrator can create, rename or delete user groups.
With LDAP and JAAS, the group name must exactly match the CN of the group in LDAP; otherwise a user's membership in that directory group is not recognized by TisGraph.
Privileges
Using the following dialog (reachable via Administration ---> Privileges), the administrator can grant privileges to user groups or revoke them. For each security context, a user group can hold either no permission, a read permission or a write permission. Privileges are added and removed with the buttons on the right side of the list. The selection window is already filtered: when adding, it shows only privileges not yet granted; when removing, it shows only existing (and thus revocable) privileges.
If a user's group grants only a read permission for a document's security context, TisGraph automatically opens that document in read-only mode.
This means,
- The navigation bar at the top remains usable; in particular, the time range of interest can be changed
- The tools on the right are mostly deactivated; only the tools for data inspection and for changing the currently displayed portion of the drawing area remain active
- Document properties can be viewed, but not changed
Furthermore, the document tree and the tag tree display only those categories and documents for which the user actually has a read permission.
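The resolution chain from the Overview example (user, user group, privilege per security context, category, document) and the read-only and tree-filtering behaviour described above, as an added illustration in Python. This is not TisGraph code; all user, group, context, category and document names are constructed, the context list stands in for users.contextList, and it assumes that a write privilege includes reading (the page lists the three levels without saying so). Unknown users fall into the default group, as on first login, and a category whose context is missing or not in the context list is treated as not readable.

```python
from enum import IntEnum


class Privilege(IntEnum):
    """Exactly one level per (group, context). Ordered on the assumption
    that a write privilege includes reading (assumption, not from the page)."""
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed sample configuration; none of these names come from TisGraph.
CONTEXT_LIST = {"Rhine", "Danube", "Admin"}          # stands in for users.contextList
DEFAULT_GROUP = "default"                             # group assigned on first login

GROUP_PRIVILEGES = {                                  # user group -> {context: level}
    "default": {},                                    # deliberately minimal
    "hydrology": {"Rhine": Privilege.WRITE, "Danube": Privilege.READ},
    "management": {"Rhine": Privilege.READ, "Danube": Privilege.READ,
                   "Admin": Privilege.WRITE},
}
USER_GROUP = {"alice": "hydrology", "bob": "default", "carol": "management"}
CATEGORY_CONTEXT = {"Rhine gauges": "Rhine", "Danube gauges": "Danube",
                    "System": "Admin"}               # exactly one context per category
DOCUMENT_CATEGORY = {"Cologne level": "Rhine gauges",
                     "Vienna level": "Danube gauges",
                     "Site config": "System"}        # exactly one category per document


def grant_privilege(group, context, privilege):
    """Administration ---> Privileges: set the single level a group holds for a
    context. Contexts outside the context list are rejected rather than
    silently created; NONE revokes an existing privilege."""
    if context not in CONTEXT_LIST:
        raise ValueError(f"unknown security context: {context}")
    if privilege is Privilege.NONE:
        GROUP_PRIVILEGES.setdefault(group, {}).pop(context, None)
    else:
        GROUP_PRIVILEGES.setdefault(group, {})[context] = privilege


def context_privilege(user, context):
    """Privilege of a user for a security context, via the user's one group.
    Unknown users are treated as members of the default group."""
    group = USER_GROUP.get(user, DEFAULT_GROUP)
    return GROUP_PRIVILEGES.get(group, {}).get(context, Privilege.NONE)


def document_privilege(user, document):
    """Document -> category -> context -> privilege. A category whose context
    is missing or not in the context list yields NONE, i.e. deny."""
    category = DOCUMENT_CATEGORY[document]
    context = CATEGORY_CONTEXT.get(category)
    if context is None or context not in CONTEXT_LIST:
        return Privilege.NONE
    return context_privilege(user, context)


def open_mode(user, document):
    """How the document would be opened: 'write', 'read-only', or None when
    it is not shown in the tree at all."""
    privilege = document_privilege(user, document)
    if privilege is Privilege.WRITE:
        return "write"
    if privilege is Privilege.READ:
        return "read-only"
    return None


def visible_tree(user):
    """Document tree as the user sees it: only categories and documents for
    which a read privilege (or better) exists."""
    tree = {}
    for document, category in DOCUMENT_CATEGORY.items():
        if document_privilege(user, document) >= Privilege.READ:
            tree.setdefault(category, []).append(document)
    return tree


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, visible_tree(user))
    print("alice / Vienna level:", open_mode("alice", "Vienna level"))
```

Note that every decision passes through the user's single group and the document's single category: there is no per-user or per-document override, so the only levers are which group a user is in and which context a category carries. Moving a category to another context silently changes who can see every document under it.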