Maintaining Sun Master Indexes

Defining Master Index Data Manager Security

Sun Master Index supports security for the Master Index Data Manager (MIDM) at the user and function level and also supports Secure Sockets Layer (SSL) authentication. Security is defined at two levels, the EJB level and the presentation level. EJB security provides access at the user and function level to the methods of the master controller (com.sun.mdm.index.ejb.master). Presentation level security provides access at the function and user level for the actions that can be performed from the MIDM.

A secure user name and password need to be defined for each master index application user to connect to the database and to log on to the MIDM. For each user account you define, you must specify one or more roles in order for that user to be able to perform any functions in the MIDM. You define roles in midm-security.xml in the master index project. This is the presentation layer security. In addition, each user must also be assigned at least one EJB security role. EJB security roles are defined in security.xml. A default role that grants access to all functions of the master controller is predefined, but is not included in the file. The role is named MasterIndex.Admin.

User permissions for master index applications are granted using the Admin Console. You can also define security using a Lightweight Directory Access Protocol (LDAP) server, using the roles you define in Define Master Index Data Manager User Roles.

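Perform the following tasks to configure security for the master index application: Define Master Index Data Manager User Roles, Define EJB User Roles, and Create Master Index Data Manager User Accounts.

These topics provide additional information to help you perform the above tasks: Master Index Data Manager User Role Properties, Master Index Data Manager User Permissions, EJB User Role Properties, and EJB Security Functions.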

Define Master Index Data Manager User Roles

Sun Master Index provides sample user roles for giving multiple permissions to a user at one time. You can define additional user roles and assign combinations of access permissions to each role. This way you can assign a user account to one or two user roles instead of assigning them several access permissions.

To Define a User Role

  1. In the NetBeans Project window, expand the master index project and then expand Configuration.

  2. Open midm-security.xml in an XML editor.

  3. Define user groups and their permissions using the elements described in Master Index Data Manager User Role Properties.

    The permissions you can assign are listed and described in Master Index Data Manager User Permissions.

  4. Save and close the file.

    You can use these roles when you create the user accounts, as described in Create Master Index Data Manager User Accounts.

  5. Continue to Define EJB User Roles.

Define EJB User Roles

EJB user roles control access at the master controller level. Sun Master Index provides a sample role for granting multiple permissions at one time without giving access to all functions. An additional role is predefined, MasterIndex.Admin, that provides access to all functions. You can define additional roles and assign combinations of functional permissions to each role. This way you can assign a user account to one or two roles instead of assigning them several permissions.


Note –

This step is optional. You can use the MasterIndex.Admin role for MIDM users if you only need to restrict access at the presentation level.


To Define an EJB User Role

  1. In the NetBeans Projects window, expand the master index project and then expand Configuration.

  2. Open security.xml in an XML editor.

  3. Define user roles and the permissions that belong to each using the elements described in EJB User Role Properties.

    The permissions you can assign are listed and described in EJB Security Functions.

  4. Save and close the file.

    You can use these roles when you create the user accounts.

  5. Continue to Create Master Index Data Manager User Accounts.

Create Master Index Data Manager User Accounts

You create user accounts for MIDM access using the Sun Java System Application Server Admin Console.


Tip –

Make sure you give users access to the initial page that appears when a user logs in to the MIDM. This page is defined in midm.xml. Also verify that the EJB privileges you assign allow the user to perform all of the MIDM functions to which they have access.


To Create a User Account

Before You Begin

Make sure you have created all the user roles and, optionally, EJB user roles that need to be assigned to the user account.

  1. Log on to the Sun Java System Application Server Admin Console.

  2. In the left portion of the page, expand Configuration, expand Security, and then expand Realms.

  3. Select File.

  4. On the Edit Realm page, select Manage Users.

  5. On the File Users page, select New.

  6. In the User ID field, enter a name for the user.

  7. In the Group List field, enter the user roles and EJB user roles to assign to the user account. Separate roles with a comma.

  8. After you have added all required user roles and EJB user roles, enter a password for the user in the New Password field.

  9. In the Confirm New Password field, enter the password again.

  10. Click OK.

Master Index Data Manager User Role Properties

You can define user roles for the MIDM in order to assign multiple security permissions to a user account at once. Roles are defined in an XML file, midm-security.xml. The following table describes the elements of the security configuration file.

Table 1 MIDM User Role Configuration Elements

Element 

Description 

role 

A definition for one user role. Each role element contains a name for the user role, a list of security permissions, and, optionally, a user role from which permissions are inherited along with any exceptions to the inheritance. 

role-name 

The name of the user role, such as Administrator. 

inheritance 

A definition of how permissions are inherited from another user role. The definition includes the parent user role and any permissions that should not be inherited. This group of elements is optional, and a role can inherit from multiple user roles. 


Note –

The role from which permissions are inherited must be defined earlier in the XML file than the role that inherits the permissions.


inherits-from 

The name of the user role from which the current role inherits permissions. If permissions are added to this user role at any time, the new permissions are also inherited by the current role. 

excluded-operations 

A list of permissions assigned to the parent role that the current role should not have access to. Any permissions assigned to the parent role that are not listed here are assigned to the current role. 


Note –

If a role inherits from multiple parent roles and each parent is assigned an excluded permission, you need to specify that the permission be excluded for each parent role.


excluded-operations/name 

The name of a security permission that is not inherited from the parent user role. Security permissions are listed under Master Index Data Manager User Permissions.

operation 

A list of security permissions to assign to the user role. If the role inherits permissions from another role, the permissions listed here are in addition to the inherited permissions. 

operation/name 

The name of a security permission to add to the current user role. Security permissions are listed under Master Index Data Manager User Permissions.

Master Index Data Manager User Permissions

The following table lists and describes each user permission for the MIDM. The user permission names are case-sensitive.

Table 2 MIDM User Permissions and Descriptions

User Permission 

Description 

AssumedMatch_Print  

Gives access permission to print the results of an assumed match search. 

AssumedMatch_SearchView

Gives access permission to search for and view records that were automatically matched by the master index application. This permission is needed to perform any assumed match functions. 

AssumedMatch_Undo 

Gives access permission to reverse an assumed match, separating the two records.

AuditLog_Print 

Gives access permission to print an audit log search results report. This permission also requires AuditLog_SearchView. 

AuditLog_SearchView 

Gives access permission to search for and view audit log entries. 

EO_Activate 

Gives access permission to activate enterprise records. 

EO_Compare 

Gives access permission to compare enterprise records. 

EO_Create 

Gives access permission to create new enterprise records. 

EO_Deactivate 

Gives access permission to deactivate enterprise records. 

EO_Edit 

Gives access permission to modify the SBR in enterprise records. 

EO_LinkSBRFields 

Gives access permission to link a field in a system record with a field in the enterprise record's SBR so the value of the SBR field is the same value as the system object field. 

EO_LockSBRFields 

Gives access permission to modify the SBR directly and to lock SBR fields for overwrite.

EO_Merge 

Gives access permission to merge enterprise records. 

EO_OverwriteSBR 

Gives access permission to choose an SBR field to retain during a merge. After the merge transaction, the field is locked for editing. 

EO_PrintComparison 

Reserved for future functionality. 

EO_PrintSBR 

Reserved for future functionality. 

EO_SearchViewSBR 

Gives access permission to search for and view single best records, and to generate and print the search results report. This permission is needed to perform any functions on the details page. 

EO_UnlinkSBRFields 

Gives access permission to unlink an SBR field and system record field that were previously linked. 

EO_UnlockSBRFields 

Gives access permission to unlock an SBR field that was previously locked for editing. 

EO_Unmerge 

Gives access permission to unmerge enterprise records. 

EO_ViewMergeTree 

Gives access permission to view a merge history of an enterprise object. 

Field_VIP 

Gives permission to view fields masked by any custom masking logic specified by midm.xml. 

PotDup_Print 

Gives permission to print the results of a potential duplicate search. 

PotDup_ResolvePermanently 

Gives access permission to permanently resolve potential duplicate records.  

PotDup_ResolveUntilRecalc 

Gives access permission to resolve potential duplicate records.  

PotDup_SearchView 

Gives access permission to search for and view potential duplicate records. This permission is needed in order to perform any functions on the Duplicate Records page. 

PotDup_Unresolve 

Gives access permission to unresolve potential duplicate records that were previously resolved. 

Reports_Activity 

Gives access permission to run an activity report. 

Reports_AssumedMatches 

Gives access permission to run an assumed match report. 

Reports_DeactivatedEUIDs 

Gives access permission to run a deactivated record report. 

Reports_Duplicates 

Gives access permission to run a potential duplicate report. 

Reports_MergedRecords 

Gives access permission to run a merge transaction report. 

Reports_UnmergedRecords 

Gives access permission to run an unmerge transaction report. 

Reports_Updates 

Gives access permission to run an update report. 

Reports_View 

Gives access permission to the reports page. This permission is needed in order to run any of the production or activity reports. 

SO_Activate 

Gives access permission to reactivate a deactivated system record. 

SO_Add 

Gives access permission to add system records. 

SO_Compare 

Gives access permission to compare system records. 

SO_Edit 

Gives access permission to modify system records. 

SO_Deactivate 

Gives access permission to deactivate system records. 

SO_Merge 

Gives access permission to merge system records. 

SO_Print 

Gives access permission to print the results of a system record search. 

SO_Remove 

Gives access permission to delete system records. 

SO_SearchView 

Gives access permission to search for and view system records. 

SO_Unmerge 

Gives access permission to unmerge system records. 

TransLog_Print 

Gives permission to print the results of a transaction history search. 

TransLog_SearchView 

Gives access permission to search for and view the transaction history of enterprise records and to view merged records. 
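
The inheritance rules in Table 1 and the prerequisite permissions noted in Table 2 can be checked before a role file is deployed. The following Python script is an added example, not part of Sun Master Index or its documentation: it resolves each role's effective permissions from a constructed sample file and reports permissions granted without the search/view permission they depend on. The roles root element, the use of one inheritance block per parent role, the role names, and the prefix-based prerequisite rule are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <roles> root and one <inheritance> block per parent
# are assumptions; the child element names are those listed in Table 1.
SAMPLE = """<roles>
  <role><role-name>Viewer</role-name>
    <operation><name>EO_SearchViewSBR</name><name>AuditLog_SearchView</name>
      <name>AuditLog_Print</name></operation></role>
  <role><role-name>Reporter</role-name>
    <operation><name>Reports_View</name><name>AuditLog_Print</name></operation></role>
  <role><role-name>Clerk</role-name>
    <inheritance><inherits-from>Viewer</inherits-from>
      <excluded-operations><name>AuditLog_Print</name></excluded-operations></inheritance>
    <inheritance><inherits-from>Reporter</inherits-from></inheritance>
    <operation><name>EO_Edit</name></operation></role>
</roles>"""

# Prerequisites stated in Table 2, approximated by prefix (an assumption):
# permissions in each family need that family's search/view permission.
PREREQ = {"AuditLog_": "AuditLog_SearchView", "AssumedMatch_": "AssumedMatch_SearchView",
          "PotDup_": "PotDup_SearchView", "Reports_": "Reports_View"}

def _names(elem, tag):
    """Permission names listed under elem/<tag>/<name>."""
    return {n.text.strip() for n in elem.findall(f"{tag}/name") if n.text}

def effective_permissions(xml_text):
    """Resolve each role's permission set, processing roles in file order."""
    resolved = {}
    for role in ET.fromstring(xml_text).iter("role"):
        role_name = role.findtext("role-name", "").strip()
        perms = _names(role, "operation")
        for inh in role.findall("inheritance"):
            parent = inh.findtext("inherits-from", "").strip()
            if parent not in resolved:  # parent must appear earlier in the file
                raise ValueError(f"{role_name}: parent role {parent!r} is not defined earlier")
            # Exclusions apply only to this parent's contribution.
            perms |= resolved[parent] - _names(inh, "excluded-operations")
        resolved[role_name] = perms
    return resolved

def missing_prerequisites(resolved):
    """(role, permission, required permission) where the prerequisite is absent."""
    return sorted((role, p, need) for role, perms in resolved.items() for p in perms
                  for prefix, need in PREREQ.items()
                  if p.startswith(prefix) and p != need and need not in perms)

if __name__ == "__main__":
    roles = effective_permissions(SAMPLE)
    for name, perms in roles.items():
        print(name, sorted(perms))
    print("missing prerequisites:", missing_prerequisites(roles))
```

In the sample, Clerk excludes AuditLog_Print only under Viewer, so it still receives that permission through Reporter. Reporter is reported because it holds AuditLog_Print without AuditLog_SearchView.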

EJB User Role Properties

You can define access roles for the EJB layer in order to assign multiple security permissions to a user or web client at once. EJB roles can be used to secure MIDM users and other clients accessing the master index application, such as web services. Roles are defined in an XML file, security.xml. The following table describes the elements of the security configuration file. The default role, MasterIndex.Admin, is not defined in this file, but it gives access to all functions.

Table 3 EJB User Role Configuration Elements

Element 

Description 

ejbSecurity 

An indicator of whether EJB security is enabled. Enter ON to enable web service security; enter OFF to disable web service security.

role 

A definition for one EJB user role. Each role element contains a name for the user role and a list of security permissions. 

role-name 

The name of the EJB user role, such as DataProcessor. 

operation 

A list of master controller functions to assign to the user role.  

name 

The name of a master controller function to add to the current user role. Functions are listed under EJB Security Functions.

EJB Security Functions

The following table lists and describes each security function in the master controller. The permission names are case-sensitive. For more information about these functions, see the Javadocs provided with Sun Master Index. These functions are defined in com.sun.mdm.index.ejb.master.MasterController.

Table 4 EJB Security Functions and Descriptions

User Permission 

Description 

activateEnterpriseObject 

Gives access permission to change the status of a deactivated enterprise object back to active. 

activateSystemObject 

Gives access permission to change the status of a deactivated system object back to active. 

addSystemObject 

Gives access permission to add a system object to an enterprise object.

calculatePotentialDuplicates 

Gives access permission to calculate potential duplicates for a transaction. 

calculateSBR 

Gives access permission to calculate a new single best record (SBR) for an enterprise object that has been updated. 

createEnterpriseObject 

Gives access permission to create a new enterprise object in the master index application. 

deactivateEnterpriseObject 

Gives access permission to change the status of an enterprise object to inactive. 

deactivateSystemObject 

Gives access permission to change the status of a system object to inactive. 

deleteSystemObject 

Gives access permission to delete a system object from an enterprise object. 

executeMatch 

Gives access permission to process a system object using the standardization and matching logic defined for the master index application. 

executeMatchDupRecalc 

Gives access permission to process a system object using the standardization and matching logic defined for the master index application and allows you to defer potential duplicate processing. 

executeMatchGui 

Gives access permission to process a system object using the standardization and matching logic defined for the master index application. 

executeMatchUpdate 

Gives access permission to process a system object using the standardization and matching logic defined for the master index application.  

executeMatchUpdateDupRecalc 

Gives access permission to process a system object using the standardization and matching logic defined for the master index application and allows you to defer potential duplicate processing. 

getConfigurationValue 

Gives access permission to retrieve the configuration of a master controller parameter. 

getDatabaseStatus 

Gives access permission to retrieve the status of the master index database.

getEnterpriseObject 

Gives access permission to retrieve an enterprise object. 

getEUID 

Gives access permission to retrieve the EUID associated with a system and local ID. 

getMergeHistory 

Gives access permission to retrieve a tree structure of the merge transactions associated with a specific enterprise object. 

getRevisionNumber 

Gives access permission to retrieve the SBR revision number for an enterprise object. 

getSBR 

Gives access permission to retrieve the SBR for an enterprise object. 

getSystemObject 

Gives access permission to retrieve a system object based on the system and local ID information. 

insertAuditLog 

Gives access permission to add an audit log record to the master index database. 

lookupAssumedMatches 

Gives access permission to retrieve a list of assumed matches based on the search criteria specified. 

lookupAuditLog 

Gives access permission to retrieve an audit log record. 

lookupPotentialDuplicates 

Gives permission to retrieve a list of potential duplicate records. 

lookupSystemDefinition 

Gives permission to retrieve the attributes of a source system in the master index database. 

lookupSystemDefinitions 

Gives access permission to retrieve the attributes of multiple source systems in the master index database.

lookupSystemObjectPKs 

Gives access permission to retrieve an array of system object keys. 

lookupSystemObjects 

Gives access permission to retrieve the active system objects in an enterprise object. 

lookupTransaction 

Gives access permission to retrieve a transaction summary. 

lookupTransactions 

Gives access permission to retrieve an array of transaction summaries. 

mergeEnterpriseObject 

Gives access permission to merge two or more enterprise objects. 

mergeSystemObject 

Gives access permission to merge two or more system objects. 

ResolvePotentialDuplicates 

Gives access permission to flag a potential duplicate pair as resolved. 

searchEnterpriseObject 

Gives access permission to retrieve an iterator of enterprise objects based on the specified search criteria. 

transferSystemObject 

Gives access permission to transfer a system object from its current enterprise object to a different enterprise object. 

UndoAssumedMatch 

Gives access permission to reverse an assumed match transaction, unmerging the two objects that were matched and creating a new enterprise object. 

unmergeEnterpriseObject 

Gives access permission to unmerge two previously merged enterprise objects. 

unmergeSystemObject 

Gives access permission to unmerge two previously merged system objects. 

unresolvePotentialDuplicate 

Gives access permission to mark as unresolved two potential duplicate records that were previously flagged as resolved. 

updateEnterpriseDupRecalc 

Gives access permission to update the master index database to reflect new values for an enterprise object and optionally to defer potential duplicate processing. 

updateEnterpriseObject 

Gives access permission to modify enterprise objects. 

updateSystemObject 

Gives access permission to modify system objects.