The Fiorano Platform security policy enables administration and management of Groups and Users across the entire Fiorano Network. This section describes management of Users and Groups by assigning appropriate rights to them on the Fiorano Network.
The Fiorano Platform users and groups can operate from all available nodes in the Fiorano Network. A User Group is identified by a unique name and contains a list of users who inherit all rights assigned to that group. Every User is assigned a unique User Name, Password, and a User Group Membership. Information pertaining to Users and User Groups is utilized during authentication and determines the resources that a User or a User Group is allowed to access.

Managing Users

Fiorano eStudio can be used to manage all users in the Fiorano Network. The management tasks that can be performed are:

  • Creating User Accounts
  • Deleting User Accounts
  • Changing the Password of a User

To view the list of Users, log onto the Enterprise Server and click the Users node in the security section. A list of Users is displayed as shown in Figure 15.


Figure 1: Users in the Fiorano Network

Logged in users are shown in bold letters.

Creating a New User Account

You can create a new user account by logging onto the Enterprise Server with the administrator's privileges.

Configuration Steps

  1. Log in to the Enterprise Server through Fiorano eStudio.
  2. Select the security node from the Enterprise Server tree.
  3. Right-click on the User and click New User. A dialog box is displayed with a prompt to enter the name of the User. Enter the new User Name and click the OK button.

    The Password created for the New User, by default, is the same as the User Name assigned to the User.


    Figure 2: New User creation dialog box
     

  4. To change the password, right-click on the user whose password is to be changed. A dialog box is displayed with a prompt for the Current Password and the New Password. Enter the new password and click the Yes button to complete the process.
     

    Figure 3: Change User Password

    To change the password for admin, or for any user account that requires server authentication or is used by some components to perform lookups, refer to the section Steps to modify user accounts below.

  5. To delete a User Account, right-click on the user to be deleted and select the Delete option. A dialog box is displayed with a prompt for confirmation. Click the Yes button to complete the process. To delete the anonymous user, refer to the section below.


    Figure 4: Confirmation of Deletion of User Account

 

Steps to modify user accounts

Important

Make sure Peer Server is not running.

  1. Start FES and log in to eStudio.
  2. Perform necessary changes to users.
    Example: Delete anonymous user and change Admin password.
  3. Log out from eStudio and stop the FES server.

The steps below are also relevant when migrating from an earlier version in which user accounts were modified, for example by changing the password for admin or deleting the anonymous user.


Changes to FES profile

  1. Load FES profile in eStudio Profile Management perspective.
  2. Navigate to Fiorano > Esb > Transport > FESTransportManager > MQProvider
  3. Change the password corresponding to admin user as shown in the figure.


    Figure 5: Changes to reflect password change for Admin user

Changes to Peer Profile

  1. Load FPS profile in eStudio Profile Management perspective.
  2. Navigate to Fiorano > Esb > Peer > Transport > FPSTransportManager > EnterpriseServer
  3. Change the username and password to the admin user credentials, replacing the anonymous user credentials that are present by default.


    Figure 6: Changes corresponding to anonymous user deletion in Peer Profile
     
  4. Save the profiles, start FES and log in to Fiorano eStudio with the new password.


Changes to Components' Configuration

A few components use the Anonymous user credentials to perform lookups and to create admin connections. These credentials must be changed to reflect the changes to admin/anonymous users, if any.

Examples:

  • Stub components: Open the CPS, go to FES Connection Configuration under Component Configuration, change the username and password accordingly, and run the component. Using a named configuration avoids making the change in many places.
  • Exception Listener: Open the CPS, change the JNDI User Name and Password and the Admin User Name and Password, then click the FES Connection Configuration ellipsis under Component Configuration and change the username and password accordingly.
  • JMS Components: Open the CPS and, under JNDI settings, change the JNDI User Name and Password accordingly.

Managing Groups

The Fiorano Platform by default creates a Group named EVERYONE. All Users are automatically included in this Group. When 'Groups' is selected from the security section, all groups are displayed in the right-hand side panel, as shown in Figure 21.


Figure 7: Groups in the Fiorano Network

The information pertaining to each group is organized under the following columns:

  • Group Name: This column contains the names of the Groups
  • Members: This column contains a list of Users who belong to that particular Group.

Creating New Group

Any User with administrative privileges can create a New Group by logging onto the Enterprise Server.

Configuration Steps

  1. Choose the Enterprise Server under Explorer after logging onto Fiorano eStudio.
  2. Select the security node from the Enterprise Server tree.
  3. Right-click on the Groups and select the Add Groups option. A dialog box is displayed with a prompt to enter the Name of the Group. Enter the Group Name and click the OK button.

    Figure 8: Adding Group

Adding a User to a Group

You can add one or more users to a group as follows:

  1. Select the Group to which the User is to be added.
  2. Right-click on the group name and select its members.
  3. Select the User that is to be added to the Group from the pop-up window. Multiple selections can be made by holding down the CTRL key.
  4. Click the OK button.

    Figure 9: User List

Deleting a User from a Group

You can delete one or more Users from a Group as follows:

  1. Select the Group from which the User is to be deleted.
  2. Right-click on the Group Name and select its members.
  3. Select the User from the popup window and click the Remove button to remove the User from the Group.
  4. Click the OK button to save the settings.


    Figure 10: User List of a particular group

Deleting a Group

Any user with administrative privileges can delete a Group by logging onto the Enterprise Server.

To Delete a Group

  1. Choose the Enterprise Server under Explorer after logging onto Fiorano eStudio.
  2. Select the security node from the Enterprise Server tree.
  3. Select the Group to be deleted from the Groups. Right-click on the Group and select the Delete option from the pop-up menu.

The deletion of ADMIN, ANONYMOUS, EVERYONE, ADMINISTRATORS, FPS, and EVERYNODE is not allowed. If an attempt is made to delete these accounts, a warning is displayed.



Figure 11: Menu to delete a Group/s

Setting Access Controls

Users connecting to the Fiorano Network are required to furnish their credentials which are then authenticated by the network. The authentication is performed by the Enterprise Server via the underlying Realm Component. This Realm Component is responsible for maintaining all User and User Group information as well as for authenticating any connection requests. The network administrator can choose from a collection of Realm Components, differing in storage and authentication mechanism.

This security architecture allows the administrator to set up ACLs for various resources. For example, ACLs for an Event Process can specify Users who have the privilege to launch an Event Process on the network. This allows the administrator to exercise control over the privileges available to each User.

The following permissions can be given to a User or a User Group:

  • Permission to create or delete a Principal (User and User Groups)
  • Permission to compose an Event Process
  • Permission to change properties of an Event Process
  • Permission to terminate an Event Process
  • Permission to view running and saved Event Processes
  • Permission to configure an FPS
  • Permission to create, update, and delete a Business Service
  • Permission to create an ACL
  • Permission to create, edit, and delete a Business Service ACL
  • Permission to launch an Event Process

All actions that check for one or more of the above-mentioned permissions generate a security event. Permissions can be requested by any principal registered on the Fiorano Network. The Fiorano eStudio allows the administrator to set access rights for individual Users.

The security module in the Fiorano Network resides within the Enterprise Server. The security architecture allows this module to be plugged, which in turn allows the enterprise administrator to choose a Realm Module from a list of modules provided by the Fiorano Platform.
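
The inheritance rule this page describes (a User holds every right assigned to a Group it belongs to, and every User is in EVERYONE) can be checked offline when reviewing ACLs. The sketch below is an added example, not Fiorano code or an export format; the data structures, the user names and the choice of which permissions count as sensitive are assumptions.

```python
# Added example: models the rights inheritance this page describes.
# All names and data below are constructed; this is not a Fiorano API or export format.
DEFAULT_GROUP = "EVERYONE"  # the page states every User is automatically a member

USERS = {"admin", "anonymous", "alice", "bob", "carol"}
GROUPS = {"ADMINISTRATORS": {"admin"}, "DEPLOYERS": {"alice", "bob"}}

# Permission name -> principals (Users or Groups) on its Access Control list.
ACLS = {
    "Permission to create or delete a Principal": {"ADMINISTRATORS"},
    "Permission to launch an Event Process": {"DEPLOYERS", "carol"},
    "Permission to terminate an Event Process": {"EVERYONE"},
    "Permission to view running and saved Event Processes": {"EVERYONE"},
}

# Assumption: which permissions a reviewer treats as sensitive.
SENSITIVE = {
    "Permission to create or delete a Principal",
    "Permission to terminate an Event Process",
}


def principals_for(user, users, groups):
    """The User itself plus every Group whose rights it inherits."""
    found = {user}
    found |= {name for name, members in groups.items() if user in members}
    if user in users:
        found.add(DEFAULT_GROUP)
    return found


def effective_rights(user, users, groups, acls):
    """Permissions held directly or through any Group membership."""
    held = principals_for(user, users, groups)
    return {perm for perm, holders in acls.items() if holders & held}


def audit(low_trust, users, groups, acls, sensitive):
    """List (user, permission, granted_via) for low-trust accounts holding sensitive rights."""
    findings = []
    for user in sorted(low_trust):
        held = principals_for(user, users, groups)
        for perm in sorted(sensitive):
            via = sorted(acls.get(perm, set()) & held)
            if via:
                findings.append((user, perm, via))
    return findings


if __name__ == "__main__":
    for finding in audit({"anonymous"}, USERS, GROUPS, ACLS, SENSITIVE):
        print(finding)
```

In the constructed data, the anonymous account can terminate Event Processes only because that permission was granted to EVERYONE, which is the kind of indirect grant the per-permission Access Control dialog does not make obvious.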

Assigning Rights

The FSSM (Fiorano Services and Security Manager) tool is used to assign rights to Users and to User Groups. Rights may be understood as rules associated with the Fiorano Network that are granted to Users and User Groups. They allow Users and User Groups to perform specific tasks on the Fiorano Network. The Fiorano Platform has a well-defined security policy to protect the network against data loss or corruption due to malicious or accidental access. This policy is implemented by assigning appropriate permissions to Users and User Groups thereby preventing illegal access to the Fiorano Network.

When the Access Rights Assignment in the left-hand-side panel is selected, a list of all available permissions is displayed in the right side panel, as shown in the figure below.

Figure 12: Realms Description

The right panel displays the following Network Rights:

  • Permission to create or delete a principal: This permission allows a User or a User Group to create, edit, and delete Users and User Groups. Users and/or User Groups with this permission have the right to change passwords.
  • Permission to compose an Event Process: This permission allows a User and/or a User Group to create new Event Processes using Fiorano eStudio.
  • Permission to change properties of an Event Process: This permission allows a User and/or a User Group to change the basic and advanced properties of the Event Process from the Event Process property sheet in Fiorano eStudio.
  • Permission to view running and saved Event Processes: This permission allows a User and/or a User Group to run Event Processes in the Fiorano Event Manager.
  • Permission to terminate an Event Process: This permission allows a User and/or a User Group to terminate Event Processes from the Fiorano eStudio.
  • Permission to configure an FPS: This permission allows a User and/or a User Group to create, edit, and delete a Fiorano Peer Server using the Fiorano Network Administration tool.
  • Permission to create, update, and delete a Business Service: This permission allows a User and/or a User Group to create, update, and delete Business Services using Fiorano eStudio.
  • Permission to create an ACL: This permission allows a User and/or a User Group to set access control on Fiorano Components.
  • Permission to create, edit and delete Business Service ACL: This permission allows a User to set access control for Fiorano Components. With this permission, the User can specify the nodes on which a Fiorano component can run.
  • Permission to launch an Event Process: This permission allows a User and/or a User Group to launch Event Processes.

To Assign Rights

FSSM can be used to assign rights to both Users and User Groups. To assign rights to a User, perform the following steps:

  1. In the right-hand side of the panel, right-click on the field corresponding to the PERMISSION TO KILL AN APPLICATION option.
  2. Click the Properties option. The Access Control dialog box is displayed, as shown in Figure 27.
  3. Click the Add button, select the User and click the OK button. The user is assigned the permission to kill an Event Process.


Figure 13: Access Control Dialog Box

Removing Network Rights

FSSM can be used to revoke permissions assigned to Users and User Groups. To do this, the User or User Group to whom the permission has been assigned should be deleted, as follows:

  1. In the right-hand side panel, right-click the field corresponding to the PERMISSION TO CLEAR USER EVENTS option.
  2. Click the Properties option. The Access Control dialog box is displayed.
  3. Select the User and click the Remove button to delete the User from the list of Users assigned the permission to clear User Events.
  4. Click the OK button to register the deletion of the user from the list of users assigned the permission to clear user events.

Clearing ESB Server Database

To clear the FES server database of the default profile (that is, profile1), run or double-click the script clearDBServer.bat/.sh -mode fes available under the <fiorano_installation_dir>\esb\server\bin directory.

To clear the FES server database of a profile other than the default profile, run the script clearDBServer.bat/.sh available under <fiorano_installation_dir>\esb\server\bin folder with the profile option as shown below:


The following operations are available when this script is executed.

Select the datastore to clear:

  • File Based Datastore – Clears the local cache of the Enterprise Server including stored logs.
  • Admin Datastore – Clears the admin objects, that is, JMS Connection factories, queue and topic destinations, status of running Event Processes and component instances.
  • Peer Repository – Clears all the fetched peer server profiles from Enterprise Server runtimedata.
  • Events Database – Clears the Events Database using the configurations provided in eventsdb.cfg file present under: <fiorano_installation_dir>/esb/server/profiles/<profilename>/FES/conf directory.
  • SBW Database – Clears the SBW database using the configurations provided in the sbwdb.cfg file present under: <fiorano_installation_dir>/esb/server/profiles/<profilename>/FES/conf directory.

The Enterprise Server processes System events, SBW events and Backlog events and takes appropriate actions. System events and SBW events are queued up to be inserted into an external database, while Backlog events are queued up to be handled by various alert handlers. Before this processing happens, events are temporarily stored in persistent databases that are created in the runtime data of the Enterprise Server. After an event has been processed, it is deleted from the temporary store. If these events cannot be processed, the temporary datastore may grow to occupy a large amount of disk space. Options 7, 8, and 9 can be used to delete the temporary persistent datastore of different events.

  • Events Persistent Database – Clears the temporary persistent datastore of system events.
  • SBW Persistent Database – Clears the temporary persistent datastore of SBW events.
  • Backlog Persistent Database – Clears the temporary persistent datastore of backlog events.
  • All – Clears all nine of the above.

This script can be executed in Quiet Mode as follows.

  • -mode - to clear fps or fes runtimedata
  • -dbPath - runtime data directory for the profile
  • -profile - profile name for which runtimedata is to be cleared
  • -q - to run the script in quiet mode.

Example:

Provide comma-separated option values to this argument. If no argument is given, the default option is used: option 10, 'ALL'.
