Maintaining Security

This article contains the following topics:
Security
Before you allow user access to CA APM, set up security to control access to the product, protect your repository from unauthorized or inaccurate changes, and make necessary data available to users. For example, you can provide one user with access to models and assets, and another user with access to legal documents.
Setting up security involves the following tasks:
  1. Users. Define the users who can access the product.
  2. User Roles. Define groups of users who perform similar tasks.
  3. Authentication. Define how users are authenticated when they log in.
  4. Searches. Define which users can use searches.
  5. Configuration. Protect users from performing unauthorized tasks.
One or more system administrators perform these security tasks in CA APM. A system administrator with the user ID uapmadmin acts as a global system administrator, with complete control over all security aspects of the product.
You enforce security across the enterprise by using the web interface. Minimal database skills are required to perform these tasks.
Users
You establish user security when you add new users to the product and assign a user ID and password. If a user does not have a valid user ID and password, they cannot log in. For each person, a user record is established, and the record is associated with a contact in the ca_contact table.
You can add users to the product in the following ways:
  1. Import them.
  2. Manually define them.
When manually defining users, you can immediately authorize them to use the product. However, when you import users, import them first, and then you can authorize them.
When you define a user manually, a corresponding CA EEM user is also created. CA EEM verifies the user name and password when the user logs in to CA APM.
After you define all CA APM users, assign each user to a user role and assign the entire role access rights to determine what they see and can access when they log in.
Best Practices (Users and Roles)
Use the following best practices to effectively manage users and roles:
  • A user must have a valid user ID and password, and be authorized, to log in.
  • Remove a user from a role before assigning a new role to the user.
    The product does not allow you to assign a user to more than one role.
  • Verify that there are no users assigned to a role before deleting the role.
  • Delete users before deleting a role.
Import and Synchronize Users
Verify that the user completing this task belongs to a role in which user management access is enabled.
You can import a list of users from an external user store such as Active Directory through CA EEM, and synchronize them so that they are saved as contacts in CA APM. Importing users saves time when defining your users and helps ensure the accuracy of the user information. After you import and save the users, authorize them to access the product.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the User Management menu.
  3. Click LDAP Data Import and Sync.
  4. If multi-tenancy is enabled, select a tenant from the drop-down list.
  5. Click Start LDAP Data Import and Sync.
    The import process begins and users are imported from the external store. If multi-tenancy is enabled, users are imported for the selected tenant as contacts into the ca_contact table. You can then authorize the imported users to access the product.
The LDAP Data Import and Sync works for user names that begin with a letter or number. User names that begin with a special character are not imported.
Define a User
Verify that the user completing this task belongs to a role in which user management access is enabled.
You define all users of CA APM and provide them with access to the product. After you define a user, assign a role to the user.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the User Management menu.
  3. Click New User.
  4. Enter the information for the new user and the contact-related information.
  5. (Optional) Specify whether you want to authorize the user to access the product.
  6. Click Save.
    The user is defined.
Authorize a User
Verify that the user completing this task belongs to a role in which user management access is enabled.
You can authorize a user so they can log in and use the product. Before you can authorize a user, save the user as a contact.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the User Management menu.
  3. Click Authorize Users.
  4. Search to find the list of available users.
  5. Select the user you want to authorize and click OK.
    The user appears in the Authorized Users list.
  6. Click the Edit icon next to the user name.
  7. (Optional) Select a contact to assign a user with contact details.
    If you do not select a contact, a new contact is created for the user.
  8. (Optional) Select a role to assign to the user.
  9. Click Authorize.
    The selected user is authorized to log in to the product.
Deny a User Access
Verify that the user completing this task belongs to a role in which user management access is enabled.
You can deny a user access and prevent them from logging in to the product. For example, you hire a new asset technician and want to prevent them from using the product until they have received proper training. When you deny a user access, the contact information for the user is not deleted from the product.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the User Management menu.
  3. Click Authorize Users.
  4. From the Authorized Users list, select the user to whom you want to deny access.
  5. Click De-Authorize.
    The user is prevented from logging in to the product.
User Roles
A user role is the primary record that controls security and user interface navigation in the product. Each role defines a focused view of the product by exposing only the functionality necessary for users to perform the tasks that are assigned to their business roles. The default role for a user and the associated user interface configuration determine the data and functions that are available to the user. A user can belong to only a single role.
Define user roles to apply functional and field-level repository access rights. You determine and assign the level of access that is required for each role. Group the users with the same job function and assign them the corresponding role. Role assignment prevents the users from performing unauthorized tasks, such as adding or deleting data. For example, users in an Administrator role need full access to all records, while users in an Asset Technician role need limited access to fewer records.
The product contains predefined System Administrator and user roles that you can use as the basis for user management.
You can perform several tasks to set up and manage user roles:
  • Define a role.
  • Assign a role to a user.
  • Remove a user from a role.
  • Update a role.
  • Delete a role.
  • Assign a configuration to a role.
Predefined Roles
The product provides a System Administrator role, which has complete control and access to all objects and tenant data. This role is associated with the System Administrator contact and cannot be deleted. A user in this role can define, update, and delete objects, in addition to defining and updating more roles to meet your business requirements. You cannot assign a configuration to the System Administrator role.
The product also provides the following predefined user roles to help you manage users:
  • CA APM Asset Technician - Provides access to the data and functions that are required for working with asset information only.
  • CA APM Contract Manager - Provides access to the data and functions that are required for working with legal documents and the contract management process only.
  • CA APM Default User - Provides read-only access to a limited view of the product. This role can view most of the data in the product. However, this role cannot modify the product data.
  • CA APM Fulfiller - Provides access to the data and functions that are required for asset fulfillment tasks only.
  • CA APM Receiving - Provides access to the data and functions that are required for updating assets that are received from a fulfillment process only.
Each predefined user role has associated configurations, which provide access to the data that is required to complete the particular function. You can modify the configurations that are associated with each predefined role. The predefined roles are available only after a new installation.
Define a User Role
Verify that the user completing this task belongs to a role in which role management access is enabled.
You can define customized user roles to meet your site-specific business requirements. For example, you can define one role with access to reconciliation management, and another with access to asset fulfillment.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the Role Management menu.
  3. Click New Role.
  4. Enter the information for the role.
    • User Management Access
      Select this check box so a user assigned to the role can access the user management functionality (Administration, User/Role Management, User Management). The User/Role Management subtab is available only when the role has access to the user management functionality, the role management functionality, or both.
    • Role Management Access
      Select this check box so a user assigned to the role can access the role management functionality (Administration, User/Role Management, Role Management). The User/Role Management subtab is available only when the role has access to the user management functionality, the role management functionality, or both.
    • System Configuration Access
      Select this check box so a user assigned to the role can access the system configuration functionality (Administration, System Configuration).
    • Web Services Access
      Select this check box so a user assigned to the role can access the CA APM web services documentation and WSDL (Administration, Web Services). If this check box is not selected and a user in the role attempts to access the web services from an external client application, the user receives a login error.
    • Filter Management Access
      Select this check box so a user assigned to the role can access the filter management functionality (Administration, Filter Management).
    • Other Information Configuration Access
      Select this check box so a user assigned to the role can access the Other Information Configuration functionality. This function allows the user to access additional related information for selected objects. The user can access this additional information by selecting menu items under Relationships on the left side of the page.
    • Data Importer User Access
      Select this check box so a user assigned to the role can access the Data Importer functionality (Administration, Data Importer) with user permissions. Users can create imports and can modify or delete their own imports. Users can also view any import that was created by another user.
    • Data Importer Admin Access
      Select this check box so a user assigned to the role can access the Data Importer functionality (Administration, Data Importer) with administrator permissions. Administrators can create imports and can modify or delete any import that was created by any user.
    • Reconciliation Management Access
      Select this check box so a user assigned to the role can access the reconciliation rules management functionality (Administration, Reconciliation Management).
    • Asset Fulfillment Access
      Select this check box so a CA Service Catalog user assigned to the role can perform asset fulfillment using CA Service Catalog.
    • Tenancy Admin Access
      Select this check box so a user assigned to the role can access the multi-tenancy administration functionality to enable multi-tenancy, define tenants, define subtenants, and define tenant groups (Administration, Tenancy Management).
    • Normalization Access
      Select this check box so a user assigned to the role can access the normalization rules management functionality (Directory, List Management, Normalization).
    • Mass Change Utilities Access
      Select this check box so a user assigned to the role can access the Mass Change Utilities functionality. This function allows the user to change the asset family for a model and also to change the model for an asset.
  5. (Optional) Specify the read/write permissions for tenants. Multi-tenancy expands the purpose of the role to control the tenant or tenant group that a user within the role can access. When multi-tenancy is enabled, the Tenant Information section includes Tenant Access Read and Tenant Access Write drop-down lists.
    The Tenant Information section is visible only when multi-tenancy is enabled. For information about how to enable multi-tenancy, see Implementing Multi-Tenancy. In addition, users associated with a tenant other than the service provider can only create or update objects associated with their own tenant. Only users associated with the service provider are permitted to create or update objects belonging to tenants other than their own.
    • All Tenants
      Contains no tenant restrictions. A user in a role with this access can view any object in the database (including public objects). In addition, a user associated with the service provider can update or create objects associated with any tenant. When a service provider user with this access creates an object, the product requires the user to select the tenant of the new object.
    • Contact's Tenant
      (Default value) Associates the role with the tenant of the contact. The product restricts a user in a role with this access to viewing, creating, and updating only those objects associated with their own tenant (and to view public objects). When a user with this access creates an object, the user cannot select a tenant. The tenant is automatically set to the tenant for the contact.
    • Contact's Tenant Group
      Associates the role with the tenant group of the contact. The product restricts a user in a role with this access to viewing, creating, and updating only those objects associated with the tenants in their tenant group (and to view public objects). When a user with this access creates an object, the user can select any tenant belonging to the tenant group.
    • Single Tenant
      Associates the role with a named tenant. When you select this option, select a specific tenant in either the Tenant Write or Tenant Read field. The product restricts a user in a role with this access to viewing, creating, and updating only those objects associated with the tenant you select (and to viewing public objects). When a user with this access creates an object, the user cannot select a tenant. The tenant is automatically set to the tenant you select.
      Only a service provider user can create or update data for a tenant other than their own. A tenant user in a role with single tenant access to another tenant is restricted to read access.
    • Tenant Group
      Associates the role with a named tenant group. When you select this option, select a specific tenant group in either the Tenant Group Write or Tenant Group Read field. The product restricts a user in a role with this access to viewing only those objects that belong to any tenant in the tenant group. In addition, a user associated with the service provider can update or create objects associated with any tenant in the group. When a service provider user with this access creates an object, the product requires the user to select the tenant for the new object.
    • Update Public (check box)
      Available only when you select All Tenants. Select this check box to authorize a user in the role to create or delete tenanted public data.
  6. Click Save.
    The role is defined and you can assign users to the role.
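The tenant access settings in step 5 combine three separate rules: the read scope, the write scope, and the restriction that only service provider users may write data belonging to a tenant other than their own. The following model, added here as an example (it is not CA APM code), encodes those rules so that a visibility or write decision for a given user and object can be checked on constructed data. Assumptions of the model: public objects are represented by a tenant of None, the Update Public check box is tied to an All Tenants write scope, and the tenant group membership is invented sample data.

```python
"""Illustrative model of the tenant access rules described for CA APM user roles.

Added example, not product code. It encodes the page's Tenant Access Read /
Tenant Access Write semantics on constructed data so the resulting view and
write decisions can be checked.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Scope(Enum):
    ALL_TENANTS = "All Tenants"
    CONTACTS_TENANT = "Contact's Tenant"
    CONTACTS_TENANT_GROUP = "Contact's Tenant Group"
    SINGLE_TENANT = "Single Tenant"
    TENANT_GROUP = "Tenant Group"


@dataclass(frozen=True)
class TenantAccess:
    scope: Scope
    name: Optional[str] = None  # named tenant (Single Tenant) or tenant group (Tenant Group)


@dataclass(frozen=True)
class Role:
    read: TenantAccess
    write: TenantAccess
    update_public: bool = False  # "Update Public" check box; assumed to apply to the write scope


@dataclass(frozen=True)
class User:
    tenant: str                  # tenant of the user's contact
    is_service_provider: bool
    role: Role                   # a user belongs to exactly one role


@dataclass(frozen=True)
class Obj:
    tenant: Optional[str]        # None models a public (untenanted) object (assumption of this model)


# Constructed tenant groups: group name -> member tenants.
TENANT_GROUPS: Dict[str, Set[str]] = {"emea": {"uk", "de"}, "amer": {"us"}}


def tenants_in_scope(access: TenantAccess, user: User, groups: Dict[str, Set[str]]) -> Optional[Set[str]]:
    """Tenants covered by one access setting for this user; None means no tenant restriction."""
    if access.scope is Scope.ALL_TENANTS:
        return None
    if access.scope is Scope.CONTACTS_TENANT:
        return {user.tenant}
    if access.scope is Scope.CONTACTS_TENANT_GROUP:
        return {t for members in groups.values() if user.tenant in members for t in members}
    if access.scope is Scope.SINGLE_TENANT:
        return {access.name}
    return set(groups.get(access.name, set()))  # Scope.TENANT_GROUP


def can_view(user: User, obj: Obj, groups: Dict[str, Set[str]] = TENANT_GROUPS) -> bool:
    """Public objects are visible to everyone; tenanted objects must fall in the read scope."""
    if obj.tenant is None:
        return True
    scope = tenants_in_scope(user.role.read, user, groups)
    return scope is None or obj.tenant in scope


def can_write(user: User, obj: Obj, groups: Dict[str, Set[str]] = TENANT_GROUPS) -> bool:
    """Create/update needs the write scope, and a non-service-provider user may only write
    their own tenant's data (so Single Tenant access to another tenant is read-only)."""
    if obj.tenant is None:
        # Tenanted public data: All Tenants write access plus the Update Public check box.
        return user.role.write.scope is Scope.ALL_TENANTS and user.role.update_public
    scope = tenants_in_scope(user.role.write, user, groups)
    if scope is not None and obj.tenant not in scope:
        return False
    return user.is_service_provider or obj.tenant == user.tenant


def creatable_tenants(user: User, all_tenants: Set[str], groups: Dict[str, Set[str]] = TENANT_GROUPS) -> Set[str]:
    """Tenants the user may give a new object: one element is set automatically, several
    mean the user must select one, none means the user cannot create tenanted objects."""
    scope = tenants_in_scope(user.role.write, user, groups)
    candidates = set(all_tenants) if scope is None else set(scope)
    if not user.is_service_provider:
        candidates &= {user.tenant}
    return candidates


# Constructed sample users.
ALL = TenantAccess(Scope.ALL_TENANTS)
OWN = TenantAccess(Scope.CONTACTS_TENANT)
OWN_GROUP = TenantAccess(Scope.CONTACTS_TENANT_GROUP)
SP_ADMIN = User("provider", True, Role(ALL, ALL))
SP_PUBLIC_EDITOR = User("provider", True, Role(ALL, ALL, update_public=True))
UK_TECH = User("uk", False, Role(OWN, OWN))
UK_GROUP_USER = User("uk", False, Role(OWN_GROUP, OWN_GROUP))
UK_DE_AUDITOR = User("uk", False, Role(TenantAccess(Scope.SINGLE_TENANT, "de"),
                                        TenantAccess(Scope.SINGLE_TENANT, "de")))

if __name__ == "__main__":
    for name, user in [("SP_ADMIN", SP_ADMIN), ("UK_TECH", UK_TECH),
                       ("UK_GROUP_USER", UK_GROUP_USER), ("UK_DE_AUDITOR", UK_DE_AUDITOR)]:
        print(name, "view de:", can_view(user, Obj("de")), "write de:", can_write(user, Obj("de")),
              "create in:", sorted(creatable_tenants(user, {"uk", "de", "us"})))
```

The UK_DE_AUDITOR case shows the interaction the page calls out: a tenant user whose role names another tenant can read that tenant's objects but cannot write them, and cannot create any tenanted object at all.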
Assign a Role to a User
Verify that the user completing this task belongs to a role in which role management access is enabled. In addition, if you do not assign a role to a user, the Administration tab is hidden from the user.
You can assign a role to a user to define a focused view of the product and determine what they see when they log in. For example, assign an administrator to the system configuration role. You can assign a user to only a single role. Save a user as a contact before you assign the user to a role.
Remove a user from their previous role before assigning a new role to the user.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the Role Management menu.
  3. Click Role Search.
  4. In the Role Contact area of the page, click Assign Contact.
    All users not assigned to a role appear.
  5. Select the user to whom you want to assign the role.
  6. Click OK.
  7. Click Save.
    The role is assigned to the user.
Remove a User from a Role
Verify that the user completing this task belongs to a role in which role management access is enabled.
You can restrict the access rights for a user by removing them from a role. For example, an administrator is transferred to a different department and you remove them from the system configuration role. Remove a user from a role before assigning them to another role, or if they are no longer a part of your site or organization.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the Role Management menu.
  3. Click Role Search.
  4. Click the delete icon next to the user you want to remove from the role.
  5. Click Save.
    The user is removed from the role.
Update a User Role
Verify that the user completing this task belongs to a role in which role management access is enabled.
At any time, you can update a user role to change what the user sees when they log in to the product. For example, the users in a particular role no longer perform tenancy management functions. In this situation, remove the tenancy management access for the role.
You can delete a role that is no longer active in your site or organization, or when the role functions are no longer required. You cannot delete the predefined System Administrator role.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the Role Management menu.
  3. Click Role Search.
  4. Search for and select a role.
  5. To update the user role, change the information for the role and click Save.
    The role is updated.
  6. To delete the user role, click Delete.
    The role is deleted.
Assign a Configuration to a Role
Verify that the user completing this task belongs to a role in which role management access is enabled.
You can configure the user interface to simplify how users enter, manage, and search for data. When you assign a configuration to a role, you help ensure that any user assigned to the role sees the product as you have configured it for them.
Example: Assign a configuration to an asset manager
In this example, an asset manager must quickly view, and monitor the most important information that has been entered into the product for an asset. This information is used for reporting, cost analysis, and inventory control. The administrator configures the search results to display the asset name, model name, quantity, serial number, operating system, purchase order number, and cost center. The administrator saves the configuration and assigns it to the asset manager role. When an asset manager logs in to the product, the configuration for the asset manager role is selected and appears.
For more information about configurations, see How to Configure the User Interface.
Follow these steps:
  1. Click Administration, User/Role Management.
  2. On the left, expand the Role Management menu.
  3. Click Role Search.
  4. Search for and select a role.
  5. Click Role Configuration.
  6. Click Select New.
    The list of saved configurations appears.
  7. Select the configuration you want to assign to the role.
  8. Click OK.
  9. Click Save.
    The configuration is assigned to the role. Any user assigned to the role sees the configuration when they log in to the product.
Authentication
Authentication is the process of obtaining identification credentials from a user, such as a user name and password, and validating those credentials to verify that the user exists. If the credentials are valid, the user is authenticated. After a user is authenticated, the authorization process determines whether the user can log in to the product.
CA APM uses CA EEM to process user authentication.
The following types of authentication are supported:
  • Form Authentication. A user is prompted for a user name and password to log in to the product.
    Form authentication is the default authentication type.
  • Windows Integrated Authentication. A user already logged in to the Windows domain can access the product without having to provide additional login credentials.
You can provide additional security by defining tab and menu configuration in the product to restrict the pages and tabs that a user can access.
Configure Form Authentication
Verify that the user completing this task belongs to a role in which system configuration access is enabled.
You can configure form authentication so a user is prompted for a user name and password when logging in.
Follow these steps:
  1. Click Administration, System Configuration.
  2. On the left, click EEM.
  3. Select Form from the Authentication Type drop-down list.
  4. Click Save.
    Form authentication is enabled.
Configure Windows Integrated Authentication
Verify that the user completing this task belongs to a role in which system configuration access is enabled.
You can configure Windows integrated authentication and point the CA EEM server at the Active Directory used for authentication. With Windows integrated authentication enabled, a user already logged in to the Windows domain can access the product without having to provide any additional login credentials.
You can also configure Windows integrated authentication with CA EEM and CA SiteMinder. CA SiteMinder uses the Active Directory for authentication. For information about this configuration, see the CA EEM product documentation.
For Windows integrated authentication to work, the CA EEM server, the Active Directory, and the client computer making the authentication request must belong to the same domain.
In addition, when you create and authorize a user in the CA EEM local store with a user name that exists in the Active Directory, the corresponding Active Directory user is automatically authorized.
Follow these steps:
  1. On the computer where CA EEM is installed, configure the CA EEM server to reference your Active Directory or LDAP system.
    For information about performing these functions, see the CA EEM product documentation.
  2. In CA APM, click Administration, System Configuration.
  3. On the left, click EEM.
  4. Select Windows Integrated from the Authentication Type drop-down list.
  5. Click Save.
    Windows integrated authentication is enabled.
Single Sign-On
Single sign-on is an authentication process where the user can enter one user ID and password and access a number of resources within the organization. Single sign-on eliminates the need to enter additional authentication credentials when switching from one solution to another.
Single sign-on lets users log in to the product automatically using Windows login information. After you add the user ID to any role, the product verifies the login credentials and displays the appropriate home page to the user.
For single sign-on to work correctly, configure Windows user accounts as domain user accounts, not as local user accounts.
Search Security
Default searches let you find objects in the repository. For example, use the default searches to find assets, models, contacts, and so forth. The security for the default searches makes them available to all users and configurations. You can use these searches to create additional searches.
In contrast, you can apply security to the searches that you create to limit who can use the search. When you save a configured search, you can select specific user roles and configurations (restricted to administrators). By default, the security for the searches you create makes them available to all users and configurations. By applying unique security to your searches, you help ensure that certain users cannot view sensitive information that a search returns.
Consider the following information when applying security to searches:
  • You can access all searches (default and user-defined searches) so that you can configure and troubleshoot searches for users.
  • You can access all scheduled searches and exports so that you can configure and troubleshoot scheduled searches and exports for users.
  • All users that are assigned to a role and configuration can access the default searches and the user-defined searches that are assigned to the role and configuration. However, the search results that users see for the default searches do not display information and fields that you hide and secure.
  • When a default or user-defined search becomes invalid because of configuration changes, you may no longer need the search. You can delete any default or user-defined search in CA APM.
Troubleshooting Search Security
Troubleshooting tips related to search security help you when working with configured searches.
Role Cannot Be Assigned to a Configured Search
Valid on all supported operating environments.
Symptom:
When attempting to provide a role with access to a configured search, I receive an error similar to one of the following errors:
You cannot assign role <role name> to the search because the role cannot access the following field(s): <field name> on Asset Type <asset family>
You cannot assign role <role name> to the search because the role cannot access the Asset Type <asset family>
You cannot assign role <role name> to the search because the configuration cannot access the following field(s): <field name>, <field name>
Solution:
Use any of the following solutions to resolve this error:
  1. Update the configuration and provide the role or user with access to the search.
  2. Update the configuration and remove the hidden field from the search.
  3. Do not allow the role to access the search.
  4. Remove the configuration from the role.
Configuration Cannot Be Assigned to a Configured Search
Valid on all supported operating environments.
Symptom:
When attempting to provide a global or local configuration with access to a configured search, I receive an error similar to one of the following errors:
You cannot assign configuration <configuration name> to the search because the configuration cannot access the following field(s): <field name> on Asset Type <asset family>
You cannot assign configuration <configuration name> to the search because the configuration cannot access the Asset Type <asset family>
You cannot assign configuration <configuration name> to the search because the configuration cannot access the following field(s): <field name>, <field name>
Solution:
Use any of the following solutions to resolve this error:
  1. Update the configuration and make the hidden field available to the search.
  2. Update the configuration and remove the hidden field from the search.
  3. Do not allow the configuration to access the search.
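The two symptoms above come from the same check: before a role or configuration can be attached to a configured search, every field and asset type the search returns must be accessible under the relevant configuration. The following code, added here as an example (it is not CA APM code), performs that check on a constructed model and produces messages in the three formats quoted above, then applies solution 2 (remove the hidden field from the search) to show which errors it clears. The data model, in which a configuration hides generic fields, whole asset types, and asset-type-specific fields, is an assumption.

```python
"""Illustrative validation for assigning a role or configuration to a configured search.

Added example, not product code. The shape of Configuration and Search is assumed;
the message formats follow the errors quoted under "Troubleshooting Search Security".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Configuration:
    """Items a UI configuration hides and secures (constructed model)."""
    hidden_fields: Set[str] = field(default_factory=set)                    # fields not tied to an asset type
    hidden_asset_types: Set[str] = field(default_factory=set)               # whole asset families
    hidden_asset_fields: Dict[str, Set[str]] = field(default_factory=dict)  # asset family -> hidden fields


@dataclass
class Search:
    """Fields a configured search returns (constructed model)."""
    fields: Set[str] = field(default_factory=set)
    asset_fields: Dict[str, Set[str]] = field(default_factory=dict)         # asset family -> fields


def assignment_errors(kind: str, name: str, config: Configuration, search: Search) -> List[str]:
    """Errors that block assigning `kind` ('role' or 'configuration') `name` to `search`.
    For a role, `config` is the configuration currently assigned to that role."""
    head = f"You cannot assign {kind} {name} to the search because"
    # Following the page's wording: asset-type problems are attributed to the role itself,
    # generic hidden fields are attributed to its configuration.
    who = "the role" if kind == "role" else "the configuration"
    errors: List[str] = []
    for family in sorted(search.asset_fields):
        if family in config.hidden_asset_types:
            errors.append(f"{head} {who} cannot access the Asset Type {family}")
            continue
        hidden = sorted(search.asset_fields[family] & config.hidden_asset_fields.get(family, set()))
        if hidden:
            errors.append(f"{head} {who} cannot access the following field(s): "
                          f"{', '.join(hidden)} on Asset Type {family}")
    hidden = sorted(search.fields & config.hidden_fields)
    if hidden:
        errors.append(f"{head} the configuration cannot access the following field(s): {', '.join(hidden)}")
    return errors


def can_assign(kind: str, name: str, config: Configuration, search: Search) -> bool:
    return not assignment_errors(kind, name, config, search)


def without_hidden_fields(config: Configuration, search: Search) -> Search:
    """Solution 2: drop the fields the configuration hides from the search.
    A hidden asset type is not a field, so that error is left for the other solutions."""
    return Search(
        fields=search.fields - config.hidden_fields,
        asset_fields={fam: flds - config.hidden_asset_fields.get(fam, set())
                      for fam, flds in search.asset_fields.items()},
    )


# Constructed sample data.
TECH_CONFIG = Configuration(hidden_fields={"cost_center"},
                            hidden_asset_types={"Software"},
                            hidden_asset_fields={"Hardware": {"serial_number"}})
INVENTORY_SEARCH = Search(fields={"asset_name", "cost_center"},
                          asset_fields={"Hardware": {"serial_number", "model_name"},
                                        "Software": {"license_key"}})

if __name__ == "__main__":
    for msg in assignment_errors("role", "Asset Technician", TECH_CONFIG, INVENTORY_SEARCH):
        print(msg)
    trimmed = without_hidden_fields(TECH_CONFIG, INVENTORY_SEARCH)
    print("after removing hidden fields:",
          assignment_errors("role", "Asset Technician", TECH_CONFIG, trimmed))
```

Running the sample shows why the solutions are listed as alternatives: removing hidden fields clears the field-level errors, but a search that still returns a hidden asset type needs the configuration updated or the assignment withheld.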