===== Users and Groups =====

Description of the different users, user groups and their rights and duties in ULS.

All users use the same web address and start with the ULS interactive analysis as user interface. Users with advanced rights have an extended menu with additional functions.

==== System Administrators ====

System administrators have access to the operating system of the servers on which the ULS-server is running. The ULS-server consists mainly of the MySQL database and the [[unix2web:|Unix2Web]] webserver. The system administrators have complete access to the installed software and the MySQL database. However, they do not use any ULS application in their role as system administrator, although they may use it as ULS-Users.

==== ULS-Master-Admin ====

There is only **one** ULS-Master-Admin. This account, 'admin', is used for the initial configuration of domains, servers, users, groups and more. Users with administrative rights can carry out further administrative actions. All changes made by the users with administrative rights are logged.

==== ULS-Administrators ====

These are user accounts used **only** for the administration of ULS. They can carry out all administrative tasks through the administrative web application except the creation of new ULS-Administrators. See the Administrator's Guide for more information.

These accounts do the complete administration of domains, servers, ULS-Users, notification destinations, units, detail access attributes and more. All changes are logged.

To further limit access, only defined IP addresses (or address ranges) are allowed to use the administrative web application. Only the ULS-Master-Admin can define these IP addresses.

==== ULS-Users ====

ULS-Users are accounts that use the web application for interactive analysis to access all values in all domains for which they have the access rights. All domain rights and admitted detail access attributes are configured by ULS-Administrators.
==== Rights ====

Domain rights restrict ULS-Users to specific groups of sources or servers; detail access attributes can be used to restrict access to specific details (values) within the detail hierarchy of a domain. ULS-Administrators can grant domain rights and detail access attributes to ULS-Users.

=== Domain Rights ===

Every source that sends values to the ULS-server belongs to exactly one domain. All values from that source, structured as a section-teststep-detail hierarchy, are related to that domain.

ULS-Administrators grant domain rights to ULS-Users. The ULS-Users can then, by default, access all details with the detail access attribute 'all' (vertical access layer).

The following table lists the differences between standard and read-only domain rights.

{|
! define, change, delete
! standard domain rights
! read-only domain rights
|-
| favorites
| x
| x
|-
| reports
| x
| x
|-
| mail-reports
| x
| x
|-
| aggregations
| x
|
|-
| limits
| x
|
|-
| combined limits
| x
|
|-
| differential limits
| x
|
|-
| isAlives
| x
|
|-
| limits on aggregated values
| x
|
|-
| monitoring pause
| x
|
|-
| retention time of details
| x
|
|-
| sort sequence of details
| x
|
|-
| deletion of details
| x
|
|-
| source (server) documentations
| x
|
|}

=== Detail Access Attributes ===

Detail access attributes can be used to allow or prevent ULS-Users from accessing specific details, which may, for example, contain security-related or other crucial information. They are effective for all granted domains (horizontal access layer).

By default:

  * ULS-Users can view **all** values of the source-section-teststep-detail hierarchy of a domain for which they have been granted a domain right
  * all values are transferred with the detail access attribute 'all', either explicitly or implicitly if the detail access attribute is not set.

Detail access attributes are granted by ULS-Administrators to ULS-Users. A grant is effective for all details within the granted domain.
Detail access attributes are valid system-wide and can be used in all domains.

The following detail access attributes are available as standard:

{|
! detail access attribute
! description
|-
| all
| General access attribute for all details which are stored in ULS without any access attribute or which are explicitly marked with the 'all' access attribute. All ULS-Users can view these detail values.
|-
| adm
| A ULS-User must have been granted the 'admin' access attribute to be able to access the values of the details that are marked with the 'adm' access attribute. This access attribute is used by the ULS-client for Linux to hide crucial system information like firewall settings and LDAP configurations from 'normal' ULS-Users.
|-
| sec
| A ULS-User must have been granted the 'security' access attribute to be able to access the values of the details that are marked with the 'sec' access attribute. This access attribute is used by the ULS-client for Linux to hide e.g. the sudo2uls recordings of terminal- and user-based sessions from 'normal' ULS-Users.
|-
| prot
| A ULS-User must have been granted the 'protocol' access attribute to be able to access the values of the details that are marked with the 'prot' access attribute. This access attribute is used to mark any changes of the ULS-Master-Admin and the ULS-Administrators, as well as changes to threshold definitions made by any ULS-Users.
|}

ULS-Administrators can define additional detail access attributes. This must occur before the first values using this detail access attribute are transferred to the ULS-server.
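
The two access layers described on this page, modelled as an added example (this is not ULS code). The names UlsUser, can_view and can_manage, the right labels "standard" and "read-only", and the choice to record grants under the same short marks that details carry ('adm', 'sec', 'prot') are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Object types that both kinds of domain right may define, change or delete
# (first three rows of the domain rights table).
READ_ONLY_MANAGEABLE = {"favorites", "reports", "mail-reports"}
# Object types that need a standard domain right (remaining rows of the table).
STANDARD_ONLY = {
    "aggregations", "limits", "combined limits", "differential limits",
    "isAlives", "limits on aggregated values", "monitoring pause",
    "retention time of details", "sort sequence of details",
    "deletion of details", "source (server) documentations",
}


@dataclass
class UlsUser:  # hypothetical model of a ULS-User account
    name: str
    # domain name -> "standard" or "read-only" (labels are assumptions)
    domain_rights: dict = field(default_factory=dict)
    # system-wide detail access attributes granted in addition to 'all'
    attributes: set = field(default_factory=set)


def can_view(user, domain, detail_attribute=None):
    """A value is visible only if both layers allow it."""
    # Vertical layer: no domain right on the source's domain, no access.
    if domain not in user.domain_rights:
        return False
    # Horizontal layer: a detail sent without an attribute counts as 'all'.
    attribute = detail_attribute or "all"
    return attribute == "all" or attribute in user.attributes


def can_manage(user, domain, object_type):
    """May the user define, change or delete this object type in the domain?"""
    right = user.domain_rights.get(domain)
    if right is None:
        return False
    if object_type in READ_ONLY_MANAGEABLE:
        return True
    # Anything not listed in the table is denied rather than guessed at.
    return right == "standard" and object_type in STANDARD_ONLY
```
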