Documentation Nexus IQ Server 1.18

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

5.4. Role Management

Roles provide a set of permissions that grant various levels of access to, and control over, the IQ Server and the connected suite of tools. To grant permissions to a user, you assign that user either to an administrator role, which applies system-wide, or to an organizational role at one of the levels in the system hierarchy: organization or application. Which role you choose, and the level at which you assign it, together determine what permissions that user receives.

5.4.1. Viewing Built-in Roles

IQ Server has several built-in roles, which are shown below. If one does not suit your needs, you can create a custom role.

Administrator Roles
  • System Administrator - Manages IQ Server configuration and users, which includes LDAP and product license management as well as the ability to assign other users to the System Administrator role.
  • CLM Administrator - Provides full control over organizations, applications, policies, policy violations and custom roles. Only the CLM Administrator has the ability to create organizations.
Organizational Roles
  • Owner - Manages assigned organizations, applications, policies, and policy violations.
  • Developer - Views all information for their assigned organization or application.
  • Application Evaluator - Evaluates applications and views policy violation summary results.
  • Component Evaluator - Evaluates individual components and views policy violation results for a specified application.

To view roles in IQ Server:

  1. Click the System Preferences icon on the IQ Server toolbar.
  2. Click Roles on the System Preferences submenu. A list of built-in roles is displayed.
[Warning]

Only a user assigned to an administrator role can see the information below. The built-in Admin user account is assigned to all administrator roles, so its password is effectively a root credential for the server. It is highly recommended that you change the Admin password, ideally before the server is exposed to users.


Figure 5.11. Role and Permission Descriptions


5.4.2. Viewing Permissions of Built-in Roles

To view permissions assigned to built-in roles:

  1. Click the System Preferences icon on the IQ Server toolbar.
  2. Click Roles on the System Preferences submenu. A list of roles is displayed.
  3. Click the arrow next to a specific role to view its details and permissions.

The built-in roles have the permissions shown below.


Figure 5.12. Permissions of Built-in Roles


[Note]

CLM Elements include organizations, applications, policies, labels, license threat groups, tags, policy violations and waivers.

5.4.3. Understanding the Importance of Hierarchy

The scope of permissions granted to a role is governed by where that role is assigned in the system hierarchy. A role assigned to:

  • Organization - Grants permissions to that individual organization and any applications attached to it.
  • Application - Grants permissions only to the individual application.

To apply this logic, consider a role with permission to Edit CLM Elements. If a user is assigned to that role at the application level, the user can edit that one application but cannot create applications, because applications are created within an organization. If the same user is assigned to that role at the organization level, the user can create applications in that organization and edit every application attached to it. When assigning roles, prefer the narrowest level that covers what the user actually needs.
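The following script is an added illustration of the scope rule above, not code from Sonatype or from IQ Server itself. It models role assignments at the organization and application levels and resolves the permissions a user effectively holds on a given organization or application. The organization and application names, the role-to-permission mapping and the permission names other than Edit CLM Elements are constructed for the example; only the scoping rule (organization-level assignments apply to the organization and all of its applications, application-level assignments apply to that application only) is taken from the page.

```python
"""Model of the IQ Server role-scope rule (section 5.4.3).

Added example, not Sonatype code. Organization/application layout, role
definitions and permission names other than "Edit CLM Elements" are
constructed assumptions for illustration.
"""

from dataclasses import dataclass

# Constructed hierarchy: each organization maps to the applications attached to it.
ORGANIZATIONS = {
    "payments-org": {"checkout-app", "refunds-app"},
    "platform-org": {"auth-app"},
}

# Constructed role definitions. "Edit CLM Elements" is the permission named on
# the page; the other permission names are assumptions for the example.
ROLE_PERMISSIONS = {
    "Owner": {"View CLM Elements", "Edit CLM Elements", "Evaluate Applications"},
    "Developer": {"View CLM Elements"},
    "Application Evaluator": {"Evaluate Applications"},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    scope_type: str  # "organization" or "application"
    scope_id: str


def organization_of(app_id):
    """Return the organization an application is attached to."""
    for org_id, apps in ORGANIZATIONS.items():
        if app_id in apps:
            return org_id
    raise KeyError(f"unknown application {app_id!r}")


def effective_permissions(user, assignments, *, organization=None, application=None):
    """Permissions `user` holds on exactly one organization or application."""
    if (organization is None) == (application is None):
        raise ValueError("specify exactly one of organization= or application=")
    perms = set()
    for a in assignments:
        if a.user != user:
            continue
        if a.scope_type == "organization":
            # An organization-level grant covers the organization itself and
            # every application attached to it.
            covers_org = organization == a.scope_id
            covers_app = application is not None and organization_of(application) == a.scope_id
            if covers_org or covers_app:
                perms |= ROLE_PERMISSIONS[a.role]
        elif a.scope_type == "application":
            # An application-level grant covers only that application; it never
            # reaches up to the parent organization or sideways to sibling apps.
            if application == a.scope_id:
                perms |= ROLE_PERMISSIONS[a.role]
    return perms


def can_create_application(user, assignments, organization):
    """Creating an application is an organization-level action, so it requires
    Edit CLM Elements at the organization level (the page's worked case)."""
    return "Edit CLM Elements" in effective_permissions(user, assignments, organization=organization)


def application_creators(assignments, organization):
    """Least-privilege audit helper: every user who can create applications
    in `organization`, sorted for stable output."""
    users = {a.user for a in assignments}
    return sorted(u for u in users if can_create_application(u, assignments, organization))


# Constructed sample assignments: alice is Owner of the whole payments
# organization, bob is Owner of a single application inside it.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "Owner", "organization", "payments-org"),
    Assignment("bob", "Owner", "application", "checkout-app"),
    Assignment("carol", "Developer", "organization", "platform-org"),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "on checkout-app:",
              sorted(effective_permissions(user, SAMPLE_ASSIGNMENTS, application="checkout-app")))
        print(user, "can create apps in payments-org:",
              can_create_application(user, SAMPLE_ASSIGNMENTS, "payments-org"))
    print("payments-org application creators:",
          application_creators(SAMPLE_ASSIGNMENTS, "payments-org"))
```

Running the script shows the asymmetry the text describes: alice's organization-level Owner assignment gives her Edit CLM Elements on checkout-app, refunds-app and the organization itself, whereas bob's application-level Owner assignment gives him the same permissions on checkout-app only and does not let him create applications. The `application_creators` helper is the kind of check worth running periodically against a real assignment export to spot organization-level grants that should have been application-level.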

5.4.4. Assigning Users to Roles

To assign a user to a role:

  1. Determine which type of role you want for a user:

    1. Administrator: Click System Preferences on the IQ Server toolbar, then click Administrators.
    2. Organizational: Select an organization or application, and then click the Security tab.
  2. For either type of role, click the Edit Role button of a specific role.
  3. Locate a user in the search dialog box by following these steps:

    1. Enter as much of the user’s complete name as possible, followed by a trailing wildcard (e.g. Isaac A*).

      [Caution]

A wildcard broadens the directory query, and the fewer characters that precede it, the more entries the search has to scan; a very short prefix with a wildcard can take a long time against a large LDAP directory. Enter as much of the name as you know before the wildcard.

    2. Click the Search button. The user’s name should appear in the Available list.
    3. Click the Plus icon in the Available list to move the user to the Applied column. If you want to remove the user from the role, click the Minus icon.
  4. Click Save.

Figure 5.13. Assigning Users to Roles


[Tip]

As shown above, you may see an email address listed as well as a realm (such as an LDAP realm). Use this information to confirm you are working with the intended account before assigning the role: two accounts in different realms can share the same display name, and assigning a role to the wrong one grants access to the wrong person.

5.4.5. Creating Custom Roles

[Important]

You must have the Edit Custom Roles permission to create a custom role. The default Admin account and the built-in CLM Administrator role have this permission.

To create a custom role:

  1. Click the System Preferences icon on the IQ Server toolbar and then click Roles.
  2. Click the Create Role button.
  3. Enter a name and description for the role.
  4. Click the Can/Cannot slider to enable or disable a permission as desired.
  5. Click the Save button.
[Note]

Custom roles are limited to providing permissions for a specific organization or application. The ability to create an organization is not included in the permissions available to custom roles. Only a CLM Administrator can perform this action.

5.4.6. Excluding Groups from Search Results

Assigning a group to a role relies on the settings configured in the LDAP area of System Preferences. With the default options, groups are included in search results: when you enter a value in the Find User field, both groups and individual users are returned.

However, because LDAP deployments vary widely in size, you may prefer to exclude groups from search results. This option is adjusted in the Dynamic Groups settings.

Making this change allows you to enter group names manually instead. Note that groups entered this way are not searched for or validated: a mistyped group name is saved as-is and will not match any directory group, so check the name in the directory before saving the assignment.


Figure 5.14. Assigning Groups Manual Search