User Tools
uls:usergroups
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
uls:usergroups [2014-12-16 08:15] uls created |
uls:usergroups [2023-03-13 17:22] (current) uls [Detail Access Attributes] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | == User Structure == | + | ===== Users and Groups ===== |
| - | + | ||
| - | + | ||
| - | ************** | + | |
| Description of the different users, user groups and their rights and duties in ULS. | Description of the different users, user groups and their rights and duties in ULS. | ||
| - | All users use the same web address. | + | All users use the same web address and start with the ULS interactive analysis as user interface. |
| - | The resulting user interface is derived from the username and its rights. | + | |
| - | The `ULS-Master-Admin`_ and the `ULS-Administrators`_ are forwarded to the | + | |
| - | + | ||
| - | * ULS administration application, | + | |
| - | + | ||
| - | the "normal" `ULS-User`_ is forwarded to the | + | |
| - | * ULS interactive analysis. | + | Users with advanced rights have an extended menu with additional functions. |
| - | System Administrators | + | ==== System Administrators ==== |
| - | ===================== | + | |
| System administrators do have access to the operating system of the servers | System administrators do have access to the operating system of the servers | ||
| Line 24: | Line 14: | ||
| The ULS-server consists mainly of the MySQL database | The ULS-server consists mainly of the MySQL database | ||
| - | and the unix2web webserver. The system administrators have complete | + | and the [[unix2web:|Unix2Web]] webserver. The system administrators have complete |
| access to the installed software and the MySQL database. | access to the installed software and the MySQL database. | ||
| But they do not use any ULS application as system administrator, | But they do not use any ULS application as system administrator, | ||
| Line 30: | Line 20: | ||
| - | ULS-Master-Admin | + | ==== ULS-Master-Admin ==== |
| - | ================ | + | |
| - | There is only **one** `ULS-Master-Admin`_. That account, username: 'admin', | + | There is only **one** ULS-Master-Admin. This account 'admin' |
| - | is used for the initial configuration of the domains, servers, | + | is used for the initial configuration of domains, servers, users and groups and more. |
| - | `ULS-Administrators`_, `ULS-Users`_ and more. | + | Users with administrative rights can accomplish further administrative actions. |
| - | Use `ULS-Administrators`_ accounts for further administrative actions. | + | |
| - | See the Administrator's Guide for more information. | + | <!-- See the Administrator's Guide for more information. --> |
| - | All changes made by the `ULS-Master-Admin`_ are logged, | + | All changes made by the users with administrative rights are logged. |
| - | but **NOT** the creation and deletion of ULS-Administrators, | + | |
| - | because that uses currently an underlying mechanic of the | + | |
| - | unix2web webserver, which is more on the operating system level. | + | |
| - | If your ULS-server is to be audited, define a two-man rule | ||
| - | (or 4-eye principle) for all actions as ULS-master-admin. | ||
| - | Divide its password into two parts, each only known to | ||
| - | one of the two men and put it into a closed envelope. | ||
| - | Access only by permission. | ||
| - | + | ==== ULS-Administrators ==== | |
| - | ULS-Administrators | + | |
| - | ================== | + | |
| These are user accounts used **only** for the administration of ULS. | These are user accounts used **only** for the administration of ULS. | ||
| Line 71: | Line 49: | ||
| - | ULS-Users | + | ==== ULS-Users ==== |
| - | ========= | + | |
| ULS-Users are accounts that use the web application for interactive analysis | ULS-Users are accounts that use the web application for interactive analysis | ||
| Line 81: | Line 58: | ||
| - | Rights | + | ==== Rights ==== |
| - | ====== | + | |
| Domain rights restrict ULS-Users to specific groups of sources or servers, | Domain rights restrict ULS-Users to specific groups of sources or servers, | ||
| Line 88: | Line 64: | ||
| details (values) within the detail hierarchy of a domain. | details (values) within the detail hierarchy of a domain. | ||
| - | ULS-Administrators can grant domain rights and detail access attributes | + | ULS-Administrators can grant domain rights and detail access attributes to ULS-Users. |
| - | to ULS-Users. | + | |
| - | Domain Rights | + | === Domain Rights === |
| - | ------------- | + | |
| Anyone source which sends values to the ULS-server belongs to only one domain, definetly. | Anyone source which sends values to the ULS-server belongs to only one domain, definetly. | ||
| Line 99: | Line 73: | ||
| ULS-Administrators grant domain rights to ULS-Users. The ULS-Users than | ULS-Administrators grant domain rights to ULS-Users. The ULS-Users than | ||
| - | can access by default all details with the detail access attributes 'all'. | + | can access by default all details with the detail access attributes 'all' (vertical access layer). |
| - | The following table lists the differences in standard and read-only | + | The following table lists the differences in standard and read-only domain rights. |
| - | domain rights. | + | |
| - | ============================== ======== =========== | + | {| |
| - | define, change, delete standard read-only | + | ! define, change, delete |
| - | domain domain | + | ! standard domain rights |
| - | rights rights | + | ! read-only domain rights |
| - | ============================== ======== =========== | + | |- |
| - | favorites x x | + | | favorites |
| - | reports x x | + | | x |
| - | mail-reports x x | + | | x |
| - | aggregations x | + | |- |
| - | limits x | + | | reports |
| - | combined limits x | + | | x |
| - | differential limits x | + | | x |
| - | isAlives x | + | |- |
| - | limits on aggregated values x | + | | mail-reports |
| - | monitoring pause x | + | | x |
| - | retention time of details x | + | | x |
| - | sort sequence of details x | + | |- |
| - | deletion of details x | + | | aggregations |
| - | source (server) documentations x | + | | x |
| - | ============================== ======== =========== | + | | |
| + | |- | ||
| + | | limits | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | combined limits | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | differential limits | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | isAlives | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | limits on aggregated values | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | monitoring pause | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | retention time of details | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | sort sequence of details | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | deletion of details | ||
| + | | x | ||
| + | | | ||
| + | |- | ||
| + | | source (server) documentations | ||
| + | | x | ||
| + | | | ||
| + | |} | ||
| - | Detail Access Attributes | ||
| - | ------------------------ | ||
| - | By default, ULS-Users can view **all** values of the | + | === Detail Access Attributes === |
| - | source-section-teststep-detail hierarchy of a domain, | + | |
| - | for which he got a domain right granted. | + | |
| - | Detail access attributes are used to prevent ULS-Users | + | Detail access attributes can be used to allow or prevent ULS-Users |
| from accessing specific details, which e.g. may contain | from accessing specific details, which e.g. may contain | ||
| - | security or other crucial information. | + | security or other crucial information. It is effective for all granted domains. |
| + | (horizontal access layer). | ||
| - | Detail access attributes are granted by ULS-Administrators to | + | By default: |
| - | ULS-Users. That is effective for all details within the domain. | + | * ULS-Users can view **all** values of the source-section-teststep-detail hierarchy of a domain, for which he got a domain right granted |
| + | * all values are transferred with the detail access attribute 'all', whether explicitly or implicitly if the detail access attribute is not set. | ||
| - | |TODO| | + | Detail access attributes are granted by ULS-Administrators to ULS-Users. That is effective for all details within the granted domain. |
| - | + | ||
| - | Standardmäßig werden alle Werte mit den Zugriffsattribut all (oder ohne Zugriffsattribut) übertragen, der Zugriff auf diese Werte ist uneingeschränkt für alle ULS-Benutzer möglich, die Zugriff auf das entsprechende Verfahren haben. | + | |
| - | + | ||
| - | ULS-Administratoren können beliebige zusätzliche Zugriffsattribute definieren, dies muss vor der ersten Benutzung bei der Übertragung von Werten erfolgen, | + | |
| - | ansonsten erfolgt die Einordnung der Werte unter dem Zugriffsattribut all für das entsprechende Detail. | + | |
| The detail access attributes are system-wide valid and can be used in | The detail access attributes are system-wide valid and can be used in | ||
| all domains. Here is the list of basically available detail access attributes: | all domains. Here is the list of basically available detail access attributes: | ||
| - | ============== ======================================================================= | + | {| |
| - | detail access description | + | ! detail access attribute |
| - | attribute | + | ! description |
| - | ============== ======================================================================= | + | |- |
| - | all General access attribute for all details which are stored | + | | all |
| - | in ULS without any access attribute or which are explicitly | + | | General access attribute for all details which are stored |
| - | marked with the 'all' access attribute. All ULS-Users can | + | in ULS without any access attribute or which are explicitly |
| - | view these detail values. | + | marked with the 'all' access attribute. All ULS-Users can |
| - | adm A ULS-User must have been granted the 'admin' access attribute | + | view these detail values. |
| - | to be able to access the values of the details that are | + | |- |
| - | marked with the 'adm' access attribute. This access attribute | + | | adm |
| - | is used by the ULS-client for Linux | + | | A ULS-User must have been granted the 'admin' access attribute |
| - | to hide crucial system information like firewall settings | + | to be able to access the values of the details that are |
| - | and LDAP configurations from 'normal' ULS-Users. | + | marked with the 'adm' access attribute. This access attribute |
| - | sec A ULS-User must have been granted the 'security' access attribute | + | is used by the ULS-client for Linux |
| - | to be able to access the values of the details that are | + | to hide crucial system information like firewall settings |
| - | marked with the 'sec' access attribute. This access attribute | + | and LDAP configurations from 'normal' ULS-Users. |
| - | is used by the ULS-client for Linux to hide the sudo2uls recordings | + | |- |
| - | of terminal- and user-based sessions from 'normal' ULS-Users. | + | | sec |
| - | prot A ULS-User must have been granted the 'protocol' access attribute | + | | A ULS-User must have been granted the 'security' access attribute |
| - | to be able to access the values of the details that are | + | to be able to access the values of the details that are |
| - | marked with the 'prot' access attribute. This access attribute | + | marked with the 'sec' access attribute. This access attribute |
| - | is used to mark any changes of the ULS-Master-Admin and the | + | is used by the ULS-client for Linux to hide e.g. the sudo2uls recordings |
| - | ULS-Administrators, as well as changes to | + | of terminal- and user-based sessions from 'normal' ULS-Users. |
| - | threshold definitions made by any ULS-Users. | + | |- |
| - | ============== ======================================================================= | + | | prot |
| + | | A ULS-User must have been granted the 'protocol' access attribute | ||
| + | to be able to access the values of the details that are | ||
| + | marked with the 'prot' access attribute. This access attribute | ||
| + | is used to mark any changes of the ULS-Master-Admin and the | ||
| + | ULS-Administrators, as well as changes to | ||
| + | threshold definitions made by any ULS-Users. | ||
| + | |} | ||
| + | |||
| + | ULS-Administrators can define additional detail access attributes. | ||
| + | This must occur before the first values using this detail access attribute is transferred to the ULS-server. | ||
uls/usergroups.1418714148.txt.gz · Last modified: 2014-12-16 08:15 by uls
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
