Security and Role Management

Set up security and role management for user authentication, user access level, and the mode of authentication while logging in.
Access Types
Access types define contact roles, contacts authentication, and whether the contacts can modify web forms or the database schema.
Modify the predefined access types and create new ones.
Assign Access Type Using LDAP Groups
Assign Access Types values to contacts automatically with a Lightweight Directory Access Protocol (LDAP) server.
To enable this feature, install the ldap_enable_group and ldap_group_object_class options.
Perform the following steps: 
  1. Select Security and Role Management, Access Types on the Administrator tab.
  2. Select the Access Type you want to associate with an LDAP Group. For example, select Administration.
    If the ldap_enable_group option is installed, the LDAP Access Group field appears on the Web Authentication tab.
    If an LDAP Group is already associated with the selected Access Type, a link to the LDAP Group Detail appears. Click the link for a read-only description of the LDAP Group and a listing of its members.
  3. Click Edit on the Access Type Detail page to associate an Access Type with an LDAP Group.
  4. Click the LDAP Access Group link.
  5. (Optional) Enter filter criteria to limit the search to the LDAP groups of interest.
  6. Select the LDAP Group that you want to associate with this Access Type.
  7. Click Save.
    Association of the selected LDAP Group with the Access Type is complete.
Create an Access Type
Access types define how contacts are authenticated when they log in to the web interface, whether the contacts can modify web forms or the database schema using Web Screen Painter, and which roles are available for the contacts.
You can modify the predefined access types and create new ones.
The access types define all aspects of security. Several predefined access types are included, and you can modify them or can define new ones. Each access type for a user controls the following aspects of system behavior:
  • How CA SDM performs the web authentication when the user logs in.
  • The access level for the user.
  • Whether the user can modify web forms or the database schema using Web Screen Painter.
  • Which roles are available to the user.
Perform the following steps: 
  1. Select Security and Role Management, Access Types on the Administration tab.
    The Access Type List page is displayed.
    Default: 15
  2. Click Create New and complete the access type fields, as appropriate, on the Create New Access Type page.
  3. Use the tabs to complete the following tasks:
    • Configure Web Authentication for an Access Type
    • Assign Web Screen Painter Permissions to an Access Type
    • Assign Roles to an Access Type
  4. Click Save.
    The access type is created.
Access Type Fields
The following fields appear on the Create Access Type, Access Type Detail, and Update Access Type pages.
  • Symbol
    Specifies a unique identifier for the access type.
  • Default?
    Indicates whether this access type is the default that is associated with contacts.
  • Record Status
    Specifies whether this access type is Active or Inactive.
  • Description
    Describes the access type. Use this field to help identify the characteristics of the access type.
  • Receive Internal Notification
    Determines whether the contacts associated with the access type receive internal notification of activities that are related to tickets.
  • Access Level
    Determines which access types a user can grant to another user. A user can assign an access type to the contact record of another user only if the access level of the access type they are attempting to assign is ranked the same as or lower than the grant level for their own access type. The levels are ranked as follows:
    • Admin (highest)
    • Analyst
    • Cust/Emp
    • None (lowest)
  • Licensed?
    Determines whether this contact is a licensed access type. Contacts assigned to unlicensed access types can only view or update their own personal data.
    KPIs count the concurrent usage of users across the system (for example, CA SDM Web UI, SOAP Web Services, REST Web Services, and so on). For example, the webConcurrentLicenseCt KPI counts the maximum number of unique users (with the "Licensed?" option selected) logged in to the CA SDM Web UI during the interval.
Configure Web Authentication for an Access Type
You can configure the web authentication and validation type to specify how roles assigned to this access type are authenticated when users attempt to access the CA products. Complete the following fields in the Web Authentication tab.
  • Allow External Authentication
    Select this check box if you want to allow contacts to be authenticated externally, for example by the HTTPD server or the operating system. If you select this option, users with this access type are validated by the appropriate external method as configured during installation. Checks ensure that no external validation has taken place (for example, that the user has not attempted access through a non-secure server) and that the user is defined as a valid contact in the system using the login ID. Then, it uses the access type to determine the correct interface to use.
  • Validation Type
    Defines how users are authenticated when an external authorization is either not permitted or fails (for example, if the user is attempting access through a non-secure server). The available options are:
    • No Access
      Denies access to CA products unless external authentication is allowed and is valid.
    • Open
      Access to the CA products is always allowed, with no additional authentication required.
    • OS
      Access to the CA products is allowed through operating system user name and password.
    • PIN / PIN Number
      Users of this type can access only if they enter the correct value for the PIN field in their contact record. If you select the PIN option, you can choose which field in the contact record stores the PIN by entering the field attribute name in the PIN Field edit box.
    • CA EEM
      Access to the CA products is allowed through CA EEM. This option is available only if CA SDM is integrated with CA EEM.
    • OS-Use Operating System
      When the Administration Access Type Validation Type drop-down is set to OS-Use Operating System Authentication and you want to log in using the CASMAdmin user, you must first create the CASMAdmin user in the operating system for the login to be successful.
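The rules above (external authentication first, then the Validation Type fallback, together with the Access Level grant ranking from Access Type Fields) can be modelled to review a set of access type definitions. This is an added example, not CA SDM code: the AccessType record, its grant_level field, the function names, the two audit rules and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Access Level ranking from the Access Type Fields section (higher = more privileged).
RANK = {"Admin": 3, "Analyst": 2, "Cust/Emp": 1, "None": 0}

@dataclass
class AccessType:              # hypothetical record, not a CA SDM object
    symbol: str
    access_level: str          # level of this access type
    grant_level: str           # highest level its holders may assign (assumed field)
    allow_external: bool       # "Allow External Authentication"
    validation_type: str       # "No Access", "Open", "OS", "PIN", "CA EEM"

def can_grant(granter: AccessType, target: AccessType) -> bool:
    """Target's access level must rank the same as or lower than the granter's grant level."""
    return RANK[target.access_level] <= RANK[granter.grant_level]

def login_path(at: AccessType, external_ok: bool) -> str:
    """External authentication decides first; otherwise the Validation Type applies."""
    if at.allow_external and external_ok:
        return "external"
    fixed = {"No Access": "deny", "Open": "allow-unauthenticated"}
    return fixed.get(at.validation_type, "prompt:" + at.validation_type)

def audit(types):
    """Review rules chosen for this example: flag privileged types that fall back
    to Open, and types whose holders can grant above their own access level."""
    findings = []
    for at in types:
        if at.validation_type == "Open" and RANK[at.access_level] >= RANK["Analyst"]:
            findings.append((at.symbol, "Open fallback on privileged access level"))
        if RANK[at.grant_level] > RANK[at.access_level]:
            findings.append((at.symbol, "grant level exceeds own access level"))
    return findings

# Constructed sample data (hypothetical definitions, not product defaults).
SAMPLE = [
    AccessType("Administration", "Admin", "Admin", True, "OS"),
    AccessType("HelpDesk", "Analyst", "Admin", True, "Open"),
    AccessType("Customer", "Cust/Emp", "None", False, "PIN"),
]

if __name__ == "__main__":
    for symbol, issue in audit(SAMPLE):
        print(f"{symbol}: {issue}")
```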
Assign Web Screen Painter Permissions to an Access Type
The Web Screen Painter (WSP) utility allows CA SDM users to build and publish web forms and schemas. The Web Screen Painter tab also controls the database access for Web Screen Painter preview sessions. For the details about WSP, see Using the Web Screen Painter (WSP).
Select the permissions that you want to allow for an access type in the Web Screen Painter tab.
  • Modify Forms
    Allows the users to make changes to existing forms without making the changes available to all users.
  • Modify Schema
    Allows the users to make changes to an existing schema without making the changes available to all users.
  • Publish Forms
    Allows the users to make their modified forms available to all users.
  • Publish Schema
    Allows the users to make their modified schema available to all users.
  • Preview Session Can Update Database
    Allows the users to make changes to the database during a preview session. By default, database changes are not allowed during a preview session.
Assign Roles to an Access Type
Assign roles to an access type to limit contacts' access to the functional areas for the assigned roles.
Perform the following steps: 
  1. Select the following roles for this access type:
    • Reporting Role
      Defines the reporting access for this type.
    • REST Web Service API Role
      Defines the access to the REST web services for this type.
    • SOAP Web Service API Role
      Defines the access to the SOAP web services for this type.
    • Command Line Utility Role
      Defines the access to the command-line utilities and attachments for this type.
  2. Click Update Roles.
  3. Enter any search criteria that you want to limit the list to the roles of interest, and then click Search.
    The Roles Assigned - Update page opens, listing the roles that matched the search criteria.
  4. Select the roles that you want to assign. To select multiple items, hold down the CTRL key while clicking the left mouse button.
  5. Click the double right-directional arrows, after you have selected all the roles that you want.
    The selected roles move to the Roles Assigned list on the right.
  6. Click OK.
    The Access Type Detail page opens, with the assigned roles listed on the Roles tab.
  7. Click Save.
    The Access Type Detail page opens, with a confirmation message that your changes have been saved.
  8. Select the role that you want to be the default for this access type upon login. Click Set Default Role.
    Your selection for the default role is saved.
Search Access Types
You can enter search criteria to filter the Access Type List to display only the types of interest.
To search for an access type
  1. Select Security and Role Management, Access Types on the Administration tab.
    The Access Type List page appears.
  2. Click Show Filter and complete one or more of the search fields.
  3. Click Search.
    The Access Type List page displays the types that match your search criteria.
Define Contact Notification Parameters
You can define the contact information and the method you want to use to notify a contact.
To set up contact notification parameters:
  1. On the Contact Detail page, select the Notification tab.
  2. Enter the appropriate contact information, such as Telephone Number, Fax Number, Email Address, etc.
  3. Select the notification method you want to use for each message urgency level for this contact (low, normal, high, and emergency).
    For example, you may want to notify this contact using the Email method for normal level activities, but you may want to use the Pager_Email notification method for emergency level activities.
  4. Select the workshift that is valid for each notification urgency level.
    For example, you may assign a Regular workshift (five-day week, eight hours a day) to the normal level notification, but a 24-hour workshift to the emergency level notification.
  5. Click Save to save the notification parameters.