The CLM Book - Optimized Component Lifecycle Management with Sonatype CLM

2.6. Role Management (Permissions) Overview

Roles control the permissions for use within the CLM Server as well as the connected suite of tools. When users are mapped to a role they are granted a set of permissions associated with that role. This section describes the available roles, as well as how to map users to those roles.

2.6.1. Role Definitions

Administrator

The Administrator role is considered a global role, and is managed via System Preferences. It has full permissions to view, create, and modify any element of the Sonatype CLM Server. This extends to interaction with the entire suite of Sonatype CLM tools, and includes permission to evaluate applications or components and review the results.

[Warning]

Due to the unrestricted access of the Administrator role, changing the password from the provided default is highly recommended.

Owner

The Owner role provides full permissions for the user mapped to the Organization or Application. This includes viewing, creating, and modifying any element within the scope of the respective organization/application. It also includes permission to evaluate applications or components and review the results.

Developer

The Developer role provides view permissions for the user mapped to the Organization or Application. It also includes permission to evaluate components and review the results.

Application Evaluator

The Application Evaluator role provides permission to submit applications for evaluation and retrieve summary-level results for the user mapped to the Organization or Application. This role is useful for tools such as continuous integration (e.g. CLM for Bamboo or CLM for Hudson/Jenkins) and command line evaluation (e.g. CLM for CLI). This role can also be used to configure these tools and allows them to display a summary of the policy evaluation.

Component Evaluator

The Component Evaluator role provides permission to submit components for evaluation and retrieve summary-level results for the user mapped to the Organization or Application. This role is useful for tools such as an IDE (e.g. CLM for IDE) and Nexus (e.g. CLM for Nexus), which retrieve policy evaluation results at the component level. While this role can retrieve evaluation results, it cannot override any component data nor apply component labels.

[Note]

For all roles except the Administrator role, when a user is mapped to a role for an Organization, the user will have the same permissions associated with that role for any attached Applications.
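To make the inheritance rule in the Note and the least-privilege choice between these roles concrete, the following Python model is added here; it is not Sonatype's code. The permission names, the Mappings structure and the sample accounts (an organization "Payments", a CI service account "ci-jenkins") are assumptions constructed for illustration.

```python
# Added example (not Sonatype code): permission names and the Mappings layout are assumptions.
from dataclasses import dataclass, field

# One permission set per role, following the Role Definitions above.
# "summary-results" is treated as implied by the broader "review-results".
ROLE_PERMISSIONS = {
    "Administrator": {"view", "create", "modify", "evaluate-application",
                      "evaluate-component", "review-results", "summary-results",
                      "system-preferences"},
    "Owner": {"view", "create", "modify", "evaluate-application",
              "evaluate-component", "review-results", "summary-results"},
    "Developer": {"view", "evaluate-component", "review-results", "summary-results"},
    "Application Evaluator": {"evaluate-application", "summary-results"},
    "Component Evaluator": {"evaluate-component", "summary-results"},
}

@dataclass
class Mappings:
    admins: set = field(default_factory=set)       # users holding the global Administrator role
    org_roles: dict = field(default_factory=dict)  # (organization, user) -> {roles}
    app_roles: dict = field(default_factory=dict)  # (application, user) -> {roles}
    app_org: dict = field(default_factory=dict)    # application -> parent organization

def effective_roles(m, user, app):
    """Roles held on an application: direct mappings, plus every role mapped on the
    parent organization (the inheritance rule in the Note), plus Administrator."""
    roles = set(m.app_roles.get((app, user), set()))
    roles |= m.org_roles.get((m.app_org[app], user), set())
    if user in m.admins:
        roles.add("Administrator")
    return roles

def effective_permissions(m, user, app):
    return set().union(*(ROLE_PERMISSIONS[r] for r in effective_roles(m, user, app)))

def minimal_role(needed):
    """Least-privilege role whose permissions cover `needed`, or None if no role does."""
    fits = [r for r, p in ROLE_PERMISSIONS.items() if needed <= p]
    return min(fits, key=lambda r: len(ROLE_PERMISSIONS[r])) if fits else None

def excess_permissions(m, user, app, needed):
    """Permissions held on `app` beyond what the account's task requires."""
    return effective_permissions(m, user, app) - needed

# Constructed sample: a CI service account mapped as Owner on the whole organization.
SAMPLE = Mappings(admins={"admin"},
                  org_roles={("Payments", "ci-jenkins"): {"Owner"}},
                  app_roles={("checkout", "alice"): {"Developer"}},
                  app_org={"checkout": "Payments", "ledger": "Payments"})
CI_NEEDS = {"evaluate-application", "summary-results"}
```

Running `excess_permissions(SAMPLE, "ci-jenkins", "ledger", CI_NEEDS)` shows that the Owner mapping on the organization grants the CI account modify rights on every attached application, while `minimal_role(CI_NEEDS)` identifies Application Evaluator as the role that covers its actual task.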

2.6.2. Mapping Roles

To map a user (or group if you have configured LDAP) to a role, follow the instructions below:

  1. Log in to the Sonatype CLM Server with a user mapped to either the Administrator role, or the Owner role (for an Organization and/or Application).

    [Note]

    When mapping users with the Owner role, you will only be able to map users to the Organization and/or Application for which you are an Owner.

  2. Navigate to an Organization or Application, click on the Security tab, and then click the Edit icon (it resembles a pencil).
  3. A search widget will be displayed. In the search field, enter as much of the user’s complete name as possible, followed by a trailing wildcard (e.g. Isaac A*), and then click the Search button.

    [Note]

    Use leading wildcards with caution, as they can greatly increase user search times.

  4. Once you see the user you wish to add in the Available column, click the Plus icon to move them to the Applied column. To remove users from a role, follow the same process, but click the Minus icon to move the user from the Applied column back to the Available column. Click the Save button to save your changes.

    [Tip]

    Below each user, additional information is shown, most often the email address. To the right of the email you will see the Realm (e.g. LDAP); use it to make sure you add the correct account.

    Figure 2.14. Mapping Users to roles


2.6.3. Excluding Groups from Search Results

Mapping a group to a role uses settings configured in the LDAP area of System Preferences. With the default options, groups are included in the search results: when you enter a term in the Find User field, both groups and individual users are returned.

However, because LDAP directories vary in size, you may want to exclude groups from your search results. This option is adjusted in the Dynamic Groups settings.

Making this change allows you to enter group names manually. However, no search or validation is performed on group names entered this way.

Figure 2.15. Mapping Groups When Not Included With Search