Documentation Nexus IQ Server 1.16


6.3. Role Management

Roles provide a set of permissions which grant various levels of access and control over the Sonatype CLM Server, as well as the connected suite of tools. In the following sections we’ll describe how to access role definitions, view the associated permissions, create custom roles, and assign users to a role.

6.3.1. Viewing Role and Permission Descriptions

To view role descriptions:

  1. Log into the Sonatype CLM Server.
  2. Next, click the System Preferences icon (the gear icon in the upper-right corner of the CLM Server toolbar), and then the Roles menu item.
  3. Now, a list of available roles will be displayed. Click on a specific role to see the associated permissions.

Figure 6.11. Role and Permission Descriptions


[Warning]

You will need to be assigned to one of the administrator roles in order to see the information above. It is important to note that if you are using the built-in Admin user account, it has been assigned to all administrator roles, and we highly recommend changing the password.

6.3.2. Assigning Users to Roles

Users can be assigned to two types of roles: Administrative and/or Organizational. Each of these roles has a slightly different scope that can affect overall permissions.

Administrators

There are two types of administrator roles, each allowing a user to affect the system globally in a unique way.

System Administrator
For a System Administrator, this global scope extends to the configuration elements of the server. This includes user, LDAP, and product license management, as well as the ability to assign other users to the System Administrator role.
CLM Administrator
A CLM Administrator is granted full control over anything related to custom roles, organizations, applications, and policies. In particular, only a CLM Administrator can create organizations. Even if a custom role is created and granted the Edit CLM Elements permission, only a CLM Administrator can create an organization.

Organizational

Organizational roles are those managed at the organization and application level. The scope of permissions granted to users in these roles is governed by their position in the hierarchy. For example, when a user is added to a role at the organizational level, that permission will extend to any applications connected to that organization. Likewise, the scope of permission can be limited by adding a user to a role at the application level. In this case, if a role has the permission to Edit CLM Elements, and a user is added at the application level, that user would not be able to create applications. In contrast, the same user placed in the role at the organization level would be able to create applications.
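The scoping rules above can be modeled as a small permission check, useful when reviewing whether an assignment grants more than intended. This is an added example, not Sonatype code or an IQ Server API; the role, organization, application and user names are constructed, and only the Edit CLM Elements permission name comes from this page.

```python
# Illustrative model of the role scoping described above (not Sonatype code).
from dataclasses import dataclass, field

EDIT = "Edit CLM Elements"  # permission name as used on this page


@dataclass
class Node:
    """An organization (parent is None) or an application beneath one."""
    name: str
    parent: "Node | None" = None
    members: dict = field(default_factory=dict)  # role name -> set of users


def effective_permissions(user, node, roles):
    """Permissions held on `node`: those assigned directly at this level
    plus those inherited from the parent organization."""
    perms = set()
    scope = node
    while scope is not None:
        for role, users in scope.members.items():
            if user in users:
                perms |= roles[role]
        scope = scope.parent
    return perms


def can_create_application(user, node, roles):
    # Only an organization-level assignment carrying Edit CLM Elements
    # allows creating applications; an application-level one does not.
    return node.parent is None and EDIT in effective_permissions(user, node, roles)


def can_create_organization(user, clm_admins):
    # No custom role grants this; it is reserved for CLM Administrators.
    return user in clm_admins


def build_sample():
    # Constructed sample data; every name here is hypothetical.
    roles = {"Release Editor": {EDIT}}
    org = Node("Payments")
    app = Node("checkout-service", parent=org)
    org.members["Release Editor"] = {"alice"}   # organization-level assignment
    app.members["Release Editor"] = {"bob"}     # application-level assignment
    return roles, org, app
```
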

To assign a user to a role:

  1. First, determine which type of role you want to assign a user to.

    1. Administrators - click on the System Preferences icon and then Administrators.
    2. Organization/Application - Select an organization or application, and then click on the Security tab.
  2. Next, for either type of role you selected, click the Edit icon (it resembles a pencil).
  3. A search widget will be displayed. In the search field, enter as much of the user’s complete name as possible, followed by a trailing wildcard (e.g. Isaac A*), and then click the Search button.

    [Note]

    Use leading wildcards with caution, as they can greatly impact user search times.

  4. Once you see the user you wish to add in the Available column, click the Plus icon to move them to the Applied column. To remove users from a role, follow the same process, but click the Minus icon to move the user from the Applied column to the Available column. Click the Save button to save your changes.

    [Tip]

    You may notice that below each user, there is additional information. Most often this is the email. However, to the right of the email you will see the realm (e.g. LDAP). Use this to ensure you add the appropriate account.

    Figure 6.12. Assigning Users to Roles


6.3.3. Creating Custom Roles

The Sonatype CLM Server ships with a set of built-in roles. While these roles cannot be modified, you can create your own custom roles. To perform this action, you will need a user that has the permission to Edit Custom Roles. For example, the default admin account and the CLM Administrator role that ship with the Sonatype CLM Server have this permission.

To create a custom role:

  1. First, click on the System Preferences icon, and then Roles.
  2. Next, click on the Create Role button.
  3. The New Role form will be displayed. Enter a name and description for the role, then click the Can/Cannot slider to enable/disable a permission.
  4. Click the Save button.

[Note]

Custom roles are limited to providing permissions for a specific organization or application. The ability to create an organization is not included in the permissions available to custom roles. Only a CLM Administrator can perform this action.

6.3.4. Excluding Groups from Search Results

Assigning a group to a role utilizes elements that are configured via the LDAP System Preferences area. If you go with the default options, groups will be included with the search results. That is, when you enter something into the Find User field, both groups and single users will be returned.

However, because the size of LDAP implementations can vary, you may want to consider not including groups with your search results. This option can be adjusted when using Dynamic Groups settings.

Making this change will then allow you to manually enter group names. However, when entering groups this way, no search or validation will be performed.

Figure 6.13. Assigning Groups Manual Search