Managing users and roles

Directories supported

User authentication on Optima through Optima DB is always enabled.

Furthermore, Optima can perform user authentication with:

For the necessary configuration related to LDAP settings, see → OptimaWSI configuration > OptimaAuth section.

Standard Roles

Role Description

Admin

Role of the Optima Super Administrator.

The Admin can do anything.

Operator

 

Role of the common user of the Optima interfaces.

An Operator can have access to:

  • TS GUI (or any other GUI associated to the role).
  • Public APIs

Generally, they can make CRUD (Create, Read, Update, and Delete) operations through GUIs and APIs.

An Operator cannot:

  • Access the Administration Dashboard
  • Create other users
  • Create other groups
  • Change permissions associated to users or groups
  • Change the configuration of the product

User

It is the most limited role.

A User can generally only READ the information contained inthe Optima system.

A User cannot:

  • Access the Administration Dashboard
  • Create other users
  • Create other groups
  • Change permissions associated to users or groups
  • Change the configuration of the product
  • Add or update any type of data which is already stored in the Optima system.

Roles model

In order to query the customer's LDAP system user you need:

  1. To define in the Optima DB the role that must be associated to the LDAP system user U (see → Managing users and roles > Adding a role).

  2. To ensure that the role created in the previous step MATCHES EXACTLY (case sensitive) the LDAP user group (see → LDAP Attributes) of the user U in the LDAP system.
  3. Repeat steps 1 and 2 for every role to be matched with a specific LDAP system user group.
  4. For every new LDAP system role, if necessary, you can update all the predefined Privilege Groups by adding the new roles in the OptimaWSI Administration GUI (Privileges tab) (see → Managing users and roles > Updating the Privileges Groups).

You can perform this procedure through the OptimaWSI Administration GUI.

To open the configuration panel of the user directory:

  1. On the OptimaWSI Administration GUI, on the Security menu, click User Management

    The interface contains two panels: Users and User roles.

You can mainly:

  • Manage the Optima user directory (internal directory only).
  • Add users.
  • Add roles.
  • Associate roles to users.
  • Update Privilege Groups.
  1. Open the User Management tab.
  2. In the User roles panel, click Add.

  3. Define the role name attributes.

    Tip:  If the role must be compliant with the LDAP service, the role name must match exactly the name of the LDAP system user group that is associated to the role.

  4. Click Save.
  1. Open the User Management tab.
  2. On the Users panel, click Add.
  3. Define the user name attributes.
  4. Click Save.
  1. Open the User Management tab.

  2. Select a user and click on the corresponding column User roles.

    The associated combo-box opens.

  3. Select the role to be associated to the user.
  4. Click Save.
  1. Open the User Management tab.
  2. In the User roles panel, select a role from the list.

  3. Click Delete.

    Tip:  You cannot delete a role that is associated to at least one user or to one permission condition.

  1. Open the User Management tab.
  2. In the Users panel, select a role from the list.
  3. Click Delete.
  1. Open the Privileges tab.

  2. Select a Group that is associated at least to one role of those listed in the column User role.

    The group lists all the permissions associated to the Group.

  3. Select a permission Permission-Name from the list.

    A panel Permission-Name opens.

  4. In the Privileges editor area, click on theUser role row.
  5. Add the necessary roles.
  6. Click Save
  7. Repeat steps 3, 4, and 5 to update all necessary permissions associated to the group selected in step 2.
  8. Repeat steps 2 to 7 for all the necessary groups.

In order to identify and authenticate a user through AD or OpenLDAP™, Optima needs to be provided with some attributes matching the user information, as shown in the following table:

Attributes

Modality

Description

memberOf

Mandatory

It lists the details of all the groups that the user belongs to.
displayName Optional The real name of the user.
mail Optional The email address of the user.