In this Lesson
You will be introduced to Soiree security groups.
Soiree uses group-based security.
- A group defines what is allowed to be accessed
- Multiple groups may be granted to a user
A user is allowed to do anything permitted by any of the groups assigned to them; the user's effective permissions are the union of what those groups grant.
So, what is contained in a group definition? Two things:
- Groups specify which scenes are allowed
- Groups specify which rights are allowed
A group may also be defined as a Full Access group. Such a group does not list the scenes and rights that are allowed; instead, it grants every scene and right for the product.
Groups can be nested
Groups may contain other groups. A group provides access to the aggregate set of scenes and rights contained in the group and all of its child groups.
Groups are a filter
Groups act as a filter that determines the scenes and rights available to a class of users.
Groups may be tenant specific
All groups are associated with a tenant. Groups belonging to the generic tenant (tenant 0) are available to any user, regardless of which tenant the user belongs to. Groups belonging to a specific tenant (any tenant other than tenant 0) are available only to users in that tenant.
Here is an example of how groups are assigned to users from two different tenants
All group definitions are stored in the following Soiree system tables.
Contains the tenant and high level descriptors for the group.
Contains the scenes authorized by the group.
Contains the rights authorized by the group.
Contains the child groups contained within a parent group.
The security groups in these tables are used by the Pump at runtime to control a user’s access to scenes and rights.
Granting Access to Scenes
Soiree does not allow a user to access scenes unless they have been granted access to them. This is true even if you do not authenticate users.
There are 3 ways to grant access to scenes
- Assign groups to users
This option may be used if you are requiring people to sign on when using the solution. You will be using this option in the user provisioning lesson.
- Assign a public group to a solution
This option allows you to grant access to scenes anonymously. By specifying a Public access group on the solution you are granting everyone the right to use the scenes specified by the group.
- The initial scene for a solution
The solution’s initial scene is a public scene – everyone may access it.
You have already used options 2 and 3 in the Party Pool solution. The PartyPool solution contains the following definition
The com.example.party.group.PublicGroup group grants access to all scenes and rights in the product as shown here.
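The group model described in this lesson (nested groups, Full Access groups, tenant 0 versus tenant-specific groups) and the three ways of granting scene access, worked through as an added example. This is a small Python model written for this page, not Soiree's own code: the class and function names (Group, Solution, User, resolve_group, effective_access, can_access_scene) and the sample groups, users and scene names are assumptions made for the example, and the "product" scope is simplified to the scenes and rights of a single solution. In Soiree the equivalent data lives in the system tables and is evaluated by the Pump at runtime.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

GENERIC_TENANT = 0  # lesson: tenant 0 groups are visible to every tenant


@dataclass(frozen=True)
class Group:
    id: str
    tenant: int
    full_access: bool = False
    scenes: FrozenSet[str] = frozenset()
    rights: FrozenSet[str] = frozenset()
    children: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Solution:
    id: str
    initial_scene: str
    scenes: FrozenSet[str]   # stands in for "all scenes for the product"
    rights: FrozenSet[str]
    public_group: Optional[str] = None


@dataclass(frozen=True)
class User:
    id: str
    tenant: int
    groups: Tuple[str, ...] = ()


def resolve_group(groups, group_id, solution, seen=None):
    """Scenes and rights granted by a group plus all nested child groups.
    Full Access expands to everything in the product; `seen` stops a cycle
    in the child-group table from recursing forever."""
    seen = set() if seen is None else seen
    if group_id in seen:
        return frozenset(), frozenset()
    seen.add(group_id)
    g = groups[group_id]
    if g.full_access:
        return solution.scenes, solution.rights
    scenes, rights = set(g.scenes), set(g.rights)
    for child in g.children:
        child_scenes, child_rights = resolve_group(groups, child, solution, seen)
        scenes |= child_scenes
        rights |= child_rights
    return frozenset(scenes), frozenset(rights)


def effective_access(groups, user, solution):
    """Union over the user's groups, skipping any group owned by another
    (non-generic) tenant: a mis-assigned cross-tenant group grants nothing."""
    scenes, rights = set(), set()
    for gid in user.groups:
        g = groups[gid]
        if g.tenant not in (GENERIC_TENANT, user.tenant):
            continue
        gs, gr = resolve_group(groups, gid, solution)
        scenes |= gs
        rights |= gr
    return frozenset(scenes), frozenset(rights)


def can_access_scene(groups, solution, scene, user=None):
    """The three ways the lesson lists for reaching a scene; user=None is an
    anonymous (unauthenticated) request."""
    if scene == solution.initial_scene:      # 3: the initial scene is public
        return True
    if solution.public_group is not None:    # 2: public group on the solution
        if scene in resolve_group(groups, solution.public_group, solution)[0]:
            return True
    if user is not None:                     # 1: groups assigned to the user
        return scene in effective_access(groups, user, solution)[0]
    return False


# Constructed sample data for this example (not the Party Pool definitions).
PARTY_POOL = Solution(
    id="com.example.party.PartyPool", initial_scene="Home",
    scenes=frozenset({"Home", "ListParties", "EditParty", "DeleteParty"}),
    rights=frozenset({"party.edit", "party.delete"}),
    public_group="Viewer",
)
SAMPLE_GROUPS: Dict[str, Group] = {g.id: g for g in (
    Group("Viewer", GENERIC_TENANT, scenes=frozenset({"ListParties"})),
    Group("Editor", GENERIC_TENANT, scenes=frozenset({"EditParty"}),
          rights=frozenset({"party.edit"}), children=("Viewer",)),
    Group("DeleteParty", 7, scenes=frozenset({"DeleteParty"}),
          rights=frozenset({"party.delete"})),       # usable by tenant 7 only
    Group("AllAccess", GENERIC_TENANT, full_access=True),
    Group("LoopA", GENERIC_TENANT, children=("LoopB",)),   # cyclic nesting
    Group("LoopB", GENERIC_TENANT, children=("LoopA",)),
)}
ALICE = User("alice", 7, groups=("Editor", "DeleteParty"))
BOB = User("bob", 3, groups=("Editor", "DeleteParty"))   # DeleteParty is tenant 7's

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.id, effective_access(SAMPLE_GROUPS, u, PARTY_POOL))
    print("anonymous EditParty:", can_access_scene(SAMPLE_GROUPS, PARTY_POOL, "EditParty"))
```

Two points the model makes explicit that the prose only implies: a group from another tenant contributes nothing even if it is somehow assigned to the user (bob gets no delete right), and a cycle in the child-group table must be guarded against when aggregating nested groups, or the resolver never terminates.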
Defining a group
There are two ways to define a security group
- Soiree Items
Soiree provides a wizard and editor in Eclipse for creating groups just like any other Soiree item. These groups are installed into the system tables as tenant 0 groups when SxServer is started.
You would use the Soiree group editor to create the initial set of security groups delivered as part of the solution.
- Server Console Solution
The server console solution provides a scene for managing groups contained in the system tables. It can be used to create additional groups which are needed after the solution is deployed.
You may choose to provide your customer with a Soiree client configured to run the server console so their administrator can manage their own groups.
Notice: Groups created by Soiree's group item editor can be viewed by the server console but they cannot be modified.
The Group Item Definition
All groups belong to a product as shown in this example of the group wizard.
Each group specifies the scenes, rights, and child groups it contains
Authorized Scenes Section
The Authorized Scenes section displays all the scenes for the group’s product. The editor inspects all solutions for the product and displays the scenes allowed by those solutions. So, the list may contain scenes for all supported platforms.
You may enter a partial scene name or solution ID to filter the list of displayed scene names. (the scene name filter is not case sensitive).
You grant scenes and rights by enabling the checkbox next to them.
The rights section shows the rights which are granted by the group. You may add or remove rights from the list by right clicking in the list and selecting Modify Group Right List from the context menu.
If a right is used by a scene, you have the option of seeing which scenes contain agents that subscribe to the right.
The group section shows the child groups. You may add or remove groups from the group list by right clicking in the list and selecting Modify Group List.
The Server Console’s Group Management Scene
The server console provides a scene for creating or modifying groups in the system tables.
Here is an example of the scene displaying a group created using the group item editor (which means it cannot be changed by the server console).
Here is an example of a group created via the server console (which means it can be deleted or modified).
The scene does not allow tenant selection if the user administrator has been restricted to manage only a single tenant. You will learn how to set up users in the user provisioning lesson.
Create a group using the item editor
In this exercise you will be using the item editor to create a group which authorizes the ability to delete parties.
- Click on the com.example.party.group package to select it
- Press Command+N (OSX) or Control+N (Windows) and select the Group wizard.
- Enter the following definition
- Grant the following scene and right
- Save the item
Create a group using the server console
In this exercise you will be using the server console to create a group which authorizes the ability to edit parties.
- Start derby if it is not already running
- Start SxServer if it is not already running
- Start the server console
- Sign on with tenant zero, user id admin, and password admin
- Select Manage Security Groups
- Select New Group
- Create the com.example.party.group.EditParty group as shown here
- Select the Edit Scenes link
- Grant the scene and right shown here
The groups you have created will be used in a future lesson to grant access to users.
You have completed this lesson.