Access Control Lists (ACL) is a widely used security mechanism. ACL grants users access to only the application functionality they require to perform their role-based activities. ACL is required for DevTest Solutions so that you can monitor and maintain compliance to the license agreement. License agreements are based on the maximum number of concurrent user sessions.
This overview discusses the following ACL topics:
Planning Deployment of ACLs
Starting with DevTest Solutions 8.0, controlling access through the Access Control Lists (ACL) system is required. Access to DevTest Workstation or the DevTest Portal is not possible without authenticating against the ACL system.
Before configuring ACL, carefully consider how each user will use DevTest Solutions and the corresponding access that is required for each type of user.
By default, only the Super User and the System Administrator have access to the Server Console that provides administrative access to the ACL system.
ACL Adminstration
The ACL Administrator is responsible for the following activities:
The Administrator must have a thorough understanding of the various ACL roles and their associated privileges to assign the appropriate roles to each user.
Important! Do not use the default Super User or the System Administrator users to manage the ACL system. Use the default Super User to create new users with identical roles to the default Super User and System Administrator. Use the new users for managing the ACL system, and change the passwords for the default Super User and System Administrator users to prevent unauthorized access.
Using the Lightweight Directory Access Protocol (LDAP) with DevTest Solutions
You can also choose to manage the passwords for DevTest Solutions through LDAP, especially if an LDAP or Active Directory system is already available. When you use LDAP, user password changes are made by the LDAP administrator. The ACL administrator is no longer able to perform password changes.
Important! The implementation of the ACL system, and any integration with an LDAP service, remain the responsibility of the customer. If you need assistance with these implementation activities, contact CA Services. User administration through ACL is the responsibility of ACL or LDAP administrator. CA Support is unable to progress cases where view access to the roles table is not available.
For example, a customer that reports a problem staging a test due to permission issues needs to ensure that the ACL/LDAP administrator is available when engaging CA support. ACL Administrators must take these factors into account when assigning roles to their users and groups.
Authentication
You can determine how DevTest authenticates users. You can manually add users to the ACL database and specify credentials. The credentials are the user ID and password with which the user can log in to the DevTest Solutions user interface or command-line interface. Or, if your users are already defined with credentials in an LDAP database, you can use the LDAP server for authentication. In this case, you perform the steps in Configure ACL to Use LDAP Authentication.
Authorization
DevTest limits what DevTest features individual users can access based on their business role. DevTest Solutions is installed with over a dozen standard roles. You can experience how users with different roles experience DevTest by logging on as a standard user. Standard users are assigned unique standard roles.
Important! To ensure security, the ACL Administrator should change the default password for (admin, guest) as soon as possible to a password they will not forget.
When you manually add users to the ACL database, you assign a role to each user. The role grants a set of permissions. It is possible to assign multiple roles, but is rarely necessary as roles with more responsibility include permissions from lower related roles. When you use LDAP, the ACL is automatically populated with a row for each user. In this case, you assign only roles as described in authorize users authenticated by LDAP.
The following activities are examples of the activities that you can control with permissions:
User Sessions
When an authorized user logs in to a DevTest UI or CLI, a user session is created. User sessions are audited and form the basis of Usage Audit Reports. These reports include metrics and statistics on maximum concurrent user sessions by user type, where user types are categories that include multiple roles. See ACL and User Sessions
ACL and Backward Compatibility for CLIs and APIs that Ran Without Credentials
To access any DevTest user interface or command-line interface, users must log in with a valid user name and password. The requirement for credentials also applies to running tests and starting virtual services. If test cases that you automated in a previous release execute without credentials, you can temporarily override ACL so that they can continue to execute as scheduled. See ACL and Command-Line Tools or APIs.
ACL Database
The ACL data is stored in the default internal Derby database after the installation. As outlined in Installing, the Derby database should be replaced with an enterprise database. For more information, see Database Administration.
Copyright © 2014 CA Technologies.
All rights reserved.
|
|