Access Control

The access control list performs identification, authentication, and accountability of entities through login credentials, including passwords. Access can be granted to data (Tier, Project, Sub-Project), features, favorites, and data density. These accesses are defined as Capabilities, which can be assigned to a group of users.

Access control is a security technique that can be used to regulate who or what can view or use resources. Access control makes use of the following entities:

  • User
  • Group
  • Capabilities
  • Projects, Sub-Projects

Different Access Levels

  • Access to First level of metric hierarchy (Mostly Tier).
  • Access to Project/Sub-Project.
  • Access to read/write features for advanced users.

User Management

To perform user management, follow the below-mentioned steps:

  1. On the Unified Dashboard, click the Access control option within Admin. The User Management window is displayed.
Figure 28: User Management

This window contains different tabs, such as User, Group, and Capabilities. Here, users with Admin capability can manage users, groups, capabilities, and projects. Other users can view this information but cannot change anything. Users with Admin capability can change the password of any user.

The system supports two kinds of users:

  • Users created locally in the system.
  • Users available in the LDAP server.

User

The User tab displays the users and the group(s) and capabilities assigned to each user. All the users created are displayed on the left-hand side of the window. The adjoining column shows whether these are local users or external users (i.e., LDAP), with the DN for LDAP users. Users with Admin capability can view both native and LDAP users. Native users are displayed automatically, but LDAP users are displayed in a list only after applying a search. You cannot add, edit, or delete an LDAP user, but you can add, edit, delete, or change the password of a native user. Other users can view only their own details. You can add more groups and capabilities to the selected users. All the active users are displayed with a green icon. Users can also view the audit log by clicking the Audit log button. The Audit log has already been described.

Figure 29: Audit Logs

Add New User

One can add a new native user by providing user details, such as, the name, email, phone, and password. In addition, a user can be assigned to Group(s) and Capabilities. Other than admin, no other user can add a new user.

To add a new user, follow the below-mentioned steps:

  1. On the User Management window, click the button on the left. The User Details section is displayed, where the details of the user, such as name, email, phone, and password, need to be specified as shown in Figure 29.
Figure 30: Add User

  2. Click the Save button.

  3. Once a user is created, it is displayed in the list.

Import Users

Admin users can import a number of LDAP users at once from the specified LDAP server. The admin selects the LDAP server identifier as available in the LDAP settings. Using the LDAP search user credentials, the system obtains a list of all the users available on the LDAP server and displays them. All user details corresponding to their relative distinguished name (RDN) are displayed. If the list contains a container, i.e., an intermediate node in the Directory Information Tree, the admin can select it, which fetches the list of users under that intermediate node. This process can continue until all the entities at the leaf node level are obtained. For each user, a check box is provided, so from the list of users obtained from the LDAP server the admin can select which users are to be imported.

Group

Users with Admin capability can add, edit, and delete native groups. There are LDAP groups too, which can be imported from the LDAP server. On the Group Management window, the left-hand side displays the available groups. The right-hand side displays the list of users and capabilities assigned to the selected group. A group can have multiple users and multiple capabilities. By clicking the respective ‘+’ button, you can assign more users and capabilities to the selected group.

Figure 31: Group Management

Creating a Group

To create a group, follow the below-mentioned steps:

  1. On the Group Management window, click the icon. The Group Details section is displayed, where you need to provide the group details.
Figure 32: Add Group

  2. Enter the group name and description.

  3. Click the Save button. The group is created.

Note: You can assign users to the group at the time of group creation or after creating the group. In the subsequent section, how to assign a user to the group is described.

Assign Group to User

A user can be associated with a new group or an existing group. This section describes how users are associated with a group. For association with capabilities, refer to the next section.

  1. Open the group by clicking on it. The group is displayed in the Group Details section along with the already attached users (if any).
Figure 33: Group Detail

  2. Click the icon within the Users section. The Add Users window is displayed.

Figure 34: Add User

  3. Select the user(s) from the list and click the Attach button. The users are attached to that group and displayed in the Users list. Then click the Save button.

Figure 35: Assigning Group to the User

Capabilities

Capabilities are lists of access permissions that can be assigned to one or more groups. Some predefined capabilities are available in the system, and you can also create new capabilities.

Read All

Users with this capability have read-only access to all tiers, all projects/sub-projects, and all features. They cannot write anything: for example, they cannot add or update a favorite or add rules.

Read Write All

Users with this capability have read and write access to all tiers, all projects/sub-projects, and all features, except a few features that are accessible to Admin only.

Custom

You can also create new capabilities. You can give mixed read/write permissions at the first level of the metric hierarchy (mostly Tier). For example, a user can be given write permission on Tier1 but read-only permission on Tier2. In addition, you need to assign a Project/Sub-Project to the capability. A few objects, such as scripts and scenarios, are not associated with the metric hierarchy but belong to one project/sub-project. Objects under a project/sub-project can be viewed or edited only through a capability that has access to that project/sub-project. In addition, advanced users can be given permissions on components and features.

Admin

In addition to read-write access, users with this capability can add, update, and delete users, groups, and projects, and can view the Audit log for all users.

Business

Users with this capability have read-only permissions, and many other features, such as the metric tree and compare, are disabled. You can configure which features and favorites are available to Business users.

Developer

Users with this capability have read and write access to the Performance tool module.

Example of User Mapping

Let us take an example to understand user mapping with permissions:

Figure 36: User Mapping
  • User 1 and User 2 have read-only access to all Tiers. These users are able to see everything (all favorites, all rules, all reports, all templates, etc.) but cannot add or update anything.
  • User 3, User 4, and User 5 have read and write access to all tiers. These users are able to see and update everything (all favorites, all rules, all reports, all templates, etc.).
  • User 6 has read and write access to all tiers. In addition, this user has access to anything in User management.
  • User 7 and User 8 have read only access to all Tiers. In addition, they cannot see trees and other things.
  • User 9 is part of multiple groups (G4, G5, and G6). This user has read-write access to Tier1 and Tier2 and read-only access to all other Tiers. This means the user can view all objects but can edit only those objects whose metrics belong to Tier1 and Tier2 alone.
  • User 10 and User 11 have write access to Tier1 and Tier2. This means these users cannot view objects that contain anything other than Tier1 and Tier2, and can update only those objects whose metrics belong to Tier1 and/or Tier2.
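The resolution rule behind this example (effective permission is the strongest grant across all of a user's groups; an object is visible only if every tier it uses is at least readable, and editable only if every tier is writable) is modelled below. This is added illustrative code, not the product's own implementation; the allocation of tiers to G4, G5, G6 and the group G7 are assumptions for the example.

```python
"""Toy model of tier-level capability resolution (added example, not product code)."""
from dataclasses import dataclass

# Permission levels ordered so that max() selects the stronger grant.
NONE, READ, WRITE = 0, 1, 2
ALL_TIERS = "*"  # wildcard key: grant applies to every tier


@dataclass
class Capability:
    tiers: dict  # tier name (or ALL_TIERS) -> READ or WRITE


@dataclass
class User:
    groups: list  # names of groups the user belongs to


def effective_tiers(user, groups):
    """Merge every capability reachable through the user's groups; strongest level wins."""
    eff = {}
    for group_name in user.groups:
        for cap in groups[group_name]:
            for tier, level in cap.tiers.items():
                eff[tier] = max(eff.get(tier, NONE), level)
    return eff


def level_for(eff, tier):
    """Level on a specific tier, taking a wildcard grant into account."""
    return max(eff.get(tier, NONE), eff.get(ALL_TIERS, NONE))


def can_view(user, groups, obj_tiers):
    """Object visible only if the user has at least READ on every tier it uses."""
    eff = effective_tiers(user, groups)
    return all(level_for(eff, t) >= READ for t in obj_tiers)


def can_edit(user, groups, obj_tiers):
    """Object editable only if the user has WRITE on every tier it uses."""
    eff = effective_tiers(user, groups)
    return all(level_for(eff, t) >= WRITE for t in obj_tiers)


# Constructed sample data mirroring User 9 and User 10 from the text (group contents assumed).
GROUPS = {
    "G4": [Capability({"Tier1": WRITE})],
    "G5": [Capability({"Tier2": WRITE})],
    "G6": [Capability({ALL_TIERS: READ})],          # read-only on all other tiers
    "G7": [Capability({"Tier1": WRITE, "Tier2": WRITE})],  # write on Tier1/Tier2 only
}
USER9 = User(["G4", "G5", "G6"])
USER10 = User(["G7"])
```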

Note: Users with Admin capability can add a new capability, edit a capability, and delete a capability. On the Capabilities window, the left-hand side displays the available capabilities.

Figure 37: Capabilities

Note: How to create a capability is described in the subsequent section.

Assigning Capabilities to a Group

Initially, when the admin user creates a new group, the following options are displayed as capabilities:

  • Read All
  • Read Write All
  • Custom
Figure 38: Assigning Capabilities to Group
Figure 39: Add Capabilities

If you select ‘Read All’, the user gets read-only access to all Tiers, Projects/Sub-Projects, and all Components/Features. If you select ‘Read Write All’, the user gets permission to read and write all Tiers, Projects/Sub-Projects, and all Components/Features. If you select ‘Custom’, custom permissions are applied to that user.

To add a capability of any type, open the add capability section by clicking the icon. Then, provide the capability name and its description, and select the permission: Read-only, Read-write, or Custom. The process of creating capabilities with all the available options is described in the subsequent sections.

Figure 40: Add Capabilities-Name and Description

Creating a Capability with Read Only Permission

In this case, the user is granted read-only permission on the selected tiers. The user cannot perform any operation apart from viewing the data of the selected tiers.

Figure 41: Capability with Read Only Permission

Only the data of the selected tiers is displayed in the graph panel. If the data of other tiers is merged with the data of the selected tiers, the user cannot view that data; it can be viewed only when the data displayed belongs to the selected tiers alone.

Creating a Capability with Read Write Permission

In this case, the user is granted read-write permission on the selected tiers.

Figure 42: Capabilities With Read- Write Permission

Creating a Capability with Custom Permissions

This section allows an admin user to create custom permissions for the user based on different categories. On selecting the Custom option, the admin user can apply permissions in the following categories:

Tier

Select ‘Tier’ at the first level, then select the tier name from the list. You can select multiple tiers to which the permission needs to be applied. After that, select the permission, either ReadOnly or ReadWrite. Only the data of the specified tiers is displayed in the Dashboard, with the permission applied. To add permissions to other categories or to the same category (Tier), click the icon.

Figure 43: Capabilities Custom-Tier

Project

Select ‘Project’ at the first level, then select the project name and sub-project name in the subsequent levels. After that, select the permission, either Read-only or Read Write. Only the data of the specified project and sub-project is displayed in the script/scenario, with the permission applied. To add permissions to other categories or to the same category (Project), click the icon.

Figure 44: Capabilities Custom Project

Advanced

Next comes the Advanced section. Here, you can specify permissions for Dashboard features or Access Control.

Figure 45: Capabilities Custom- Advanced

Web Dashboard

This restricts the selected features; all other features behave normally and the user can perform operations on them. On selecting Web Dashboard as the second level, a list of Dashboard features is displayed at the third level, such as Favorites, Pattern Matching, Configuration, Reports, View by, and so on. You can select multiple features using the check boxes. Then, at the permission level, the options are No Permission, Read Only, and Read Write. With No Permission, the feature is not visible to the attached user. With Read Only, the feature is visible but the user cannot perform any operation on it. With Read Write, the user can view the feature and perform operations on it.

Figure 46: Web Dashboard

If you select the Time Period feature from the list, the permissions No Permission, Low, Medium, and High are displayed.

  • Low: In this case, only those View By values are available that are not producing more than 100 samples within the current time period.
  • Medium: In this case, View By values are available that are not producing more than 300 samples within the current time period.
  • High: All ‘View By’ values are available to apply.
Figure 47: Web Dashboard Time Period

Product UI

On selecting Product UI as the second level, Access Control is selected as the third level. Admin can apply permission, such as: No Permission, ReadOnly, or Read Write to the Access Control feature of the product UI.