| Oracle Agile Engineering Data Management Security Guide Release e6.2.0.0 E52560-02 |
|
 Previous |
 Next |
| Oracle Agile Engineering Data Management Security Guide Release e6.2.0.0 E52560-02 |
|
Previous |
Next |
The default installation assumes that the Agile e6 software is installed on dedicated servers where no other users have access to the installation.
User in table T_USER and T_GROUP and their group assignment:
| User Name | Manager | Profile | Status | Assigned to Group |
|---|---|---|---|---|
| EDBKERNEL | Yes | MANAGER-PROFIL | Locked | DATAVIEW, DEMOEP, EDB |
| EDBCUSTO | Yes | MANAGER-PROFIL | Locked | DATAVIEW, EDB |
| DEMOEP | No | - | Locked | DEMOEP |
| DEMOEP_M | Yes | MANAGER-PROFIL | Locked | DATAVIEW, DEMOEP, EDB |
| EDB-RESERVED | Yes | MANAGER-PROFIL | Locked | EDB |
| DODEKERNEL | Yes | - | Locked | DODE-DEVELOPER |
| EDB-EIP | Yes | MANAGER-PROFIL | Locked | EDB |
| MANAGER | Yes | - | Active | DATAVIEW |
The following example shows how a user can have several roles assigned that were defined in the so-called Job Functions.
| User Name | Role | Job Function | Privileges |
|---|---|---|---|
| EDBCUSTO | EDB-ORGANIZATION-MNG | DefaultOrgMng | EDB-ORG-CPY
Copy a company/department |
| EDBCUSTO | EDB-PROJECT-MNG | DefaultProjectMng | EDB-POS-DEL
Delete a position or project team member |
The following table shows assigned Job Functions to the user EDBCUSTO.
|
Note: EDBCUSTO is the only user with assigned Job Functions. |
| Job Function | Description |
|---|---|
| DefaultOrgMng | Enabling EDBCUSTO to initiate organizations |
| DefaultProjectMng | Enabling EDBCUSTO to initiate projects |
| DefaultRoleMng | Enabling EDBCUSTO to define roles, privileges and job functions |
| Txt-Manager-2 | Manager for Txt-Management |
The installation has to be started with a user who has Administration rights to create users and services. This user will be later referred to as the Installation User.
|
Note: After the installation is done, this user should no longer have Administration rights because the AdminClient service has to run under this account to modify the existing installation. This task will not require Administration rights. |
Depending on the installed components, there will be two users which will be created during the installation:
The runtime user for the following services which requires no privileged permissions. This user will be referred to as the Runtime User:
FMS Java Daemon
Java Daemon
Portmapper
The user running the File Server. This user requires Administrative rights to secure its own data directories. This user will be referred to as the File Server User.
The installation on UNIX requires no special permissions during the installation and should be started as an unprivileged user.
|
Note: Should not be started by the root user. |
To secure the installation, there should be two user accounts created analog to the Windows users which will be created during the Agile e6 installation:
Runtime User
File Server User
This section describes the directory access permission after an installation.
|
Note: No other users or groups have access permissions to these directories. |
| Directory | Access Type | Access Users/Groups |
|---|---|---|
| %ALLUSERSPROFILE%\agile\installer\6.2.0 | Full Access | Installation User
Administrators Group |
| E6 Installation Destination (ep_root) | Full Access | Installation User
Administrators Group Runtime User |
| File Server Destination | Full Access | Installation User
Administrators Group File Server User |
| Enterprise Integration Platform Destination | Full Access | Installation User
Administrators Group File Server User |
| Directory | Access Type | Access Users/Groups |
|---|---|---|
| ${HOME}/.agile/installer/6.2.0 | Full Access | Installation User |
| E6 Installation Destination (ep_root) | Full Access | Installation User |
| File Server Destination | Full Access | Installation User |
| Enterprise Integration Platform Destination | Full Access | Installation User |
This section describes the minimum access permissions for specific users and directories.
This user needs to have full access to the Agile e6 installation to administrate the installation, e.g. applying hot fixes, modifying or creating a new application.
|
Note: The Agile e6 installation includes here the native EDM Server (ep_root), the File Server, and the WebLogic user domains. |
This user needs to have exclusive full access to the following directories, too.
|
Note: No additional users should have access to the following directories. |
Windows
%ALLUSERSPROFILE%\agile
UNIX
${HOME}/.agile
This user requires read only and execute permissions for the native EDM Server or dedicated DFM installation directory.
In addition, this user requires write and delete permissions for the following directories:
Native EDM Server
ep_root/axalant/dmp
ep_root/tmp
ep_root/<application>/lck
DFM location
<tomat_server_root>/logs
<tomat_server_root>/webapps
<tomat_server_root>/work
ep_root/tmp
EIP Location
– <eip_root>/logs
– <eip_root>/tmp
This section describes how to remove the access permissions for other users, and remove unneeded permissions for the runtime user.
|
Note: This also applies to the Enterprise Integration Platform installation location. |
The Windows command icacls.exe can be used to add or remove access permissions to directories.
Execute the following commands in a command shell with the installation user.
Remove the administrator access.
|
Note: Replace <ep_root> with the path to the Agile e6 installation directory.icacls.exe <ep_root> /remove:g BUILTIN\Administratorsicacls.exe %ALLUSERSPROFILE%\agile\installer\6.2.0 /remove:g BUILTIN\Administrators |
|
Note: The above command requires changing the Log On Account for the AdminClient service. |
Start the Services Administration Configuration.
Open the properties of the Apache Tomcat AgileAdminClient service.
Switch to the tab Log On.
Change the local system account to this account, and fill in the data of your installation user.
Remove the Administrators group access for the File Server directory:
|
Note: Replace <fms_root> with the path to the File Server directory.icacls.exe <fms_root> /remove:g BUILTIN\Administrators |
Restrict the access permission for the runtime user.
|
Note: Replace <ep_root> with the path to the Agile e6 installation directory and replace <RUNTIME_USER> with the name of the runtime user. Replace <application> with the name of your Agile e6 application. |
Remove the access permission for the Runtime User (<RUNTIME_USER>) first.
icacls.exe <ep_root> /remove:g <RUNTIME_USER>
Add the default read and execute permissions for the runtime user:
icacls.exe <ep_root> /grant <RUNTIME_USER>:(RX) icacls.exe <ep_root> /grant <RUNTIME_USER>:(OI)(CI)(IO)(RX)
Add the full access permissions for the runtime user to a selected set of directories:
icacls.exe <ep_root>\axlant\dmp /grant <RUNTIME_USER>:(F) icacls.exe <ep_root>\axalant\dmp /grant <RUNTIME_USER>:(OI)(CI)(IO)(F) icacls.exe <ep_root>\tmp /grant <RUNTIME_USER>:(F) icacls.exe <ep_root>\tmp /grant <RUNTIME_USER>:(OI)(CI)(IO)(F) icacls.exe <ep_root>\<application>\lck /grant <RUNTIME_USER>:(F) icacls.exe <ep_root>\<application>\lck /grant <RUNTIME_USER>:(OI)(CI)(IO)(F)
|
Note: Permissions for additional applications which are created with the Administration Client or the batch installation need to be granted manually. |
There are different options to restrict the access, e.g. using ACL or UNIX groups. The following description is for UNIX groups.
|
Note: Replace <ep_root> with the path to the Agile e6 installation directory. |
Stop any Agile e6 daemons.
Clean up all files in the following directory before changing the process owner from the installation to the runtime user:
rm <ep_root>/axalant/dmp/* rm <ep_root>/tmp/* rm <ep_root>/<application>/lck/*
Create a UNIX group, e.g. plmgrp.
Add the installation user to the new group from above.
Create a new UNIX user, e.g. plmrun and add this user to the newly created group.
Change the default group file/directory access permission of ep_root:
chgrp -R plmgrp <ep_root> chmod -R g=rx <ep_root>
Add the full access permissions for the runtime user to a selected set of directories:
chmod -R g+w <ep_root>/axalant/dmp chmod -R g+w <ep_root>/tmp chmod -R g+w <ep_root>/<application>/lck
Now you can start the following daemons with the runtime user:
FMS Java Daemon (${ep_root}/axalant/scripts/fms_jade)
Java Daemon (${ep_root}/axalant/scripts/jade)
