Defining Master Index Data Manager Security
Oracle Java CAPS Master Index supports security for the Master Index Data Manager
(MIDM) at the user and function level and also supports Secure Sockets Layer
(SSL) authentication. Security is defined at two levels, the EJB level and the
presentation level. EJB security provides access at the user and function level to
the methods of the master controller (com.sun.mdm.index.ejb.master). Presentation level security provides access at the
function and user level for the actions that can be performed from the
MIDM.
A secure user name and password must be defined for each master index
application user to connect to the database and to log on to the
MIDM. For each user account you define, you must specify one or more
roles in order for that user to be able to perform any
functions in the MIDM. You define roles in midm-security.xml in the master index project.
This is the presentation layer security. In addition, each user must also be
assigned at least one EJB security role. EJB security roles are defined in
security.xml. A default role that grants access to all functions of the master
controller is predefined, but is not included in the file. The role is
named MasterIndex.Admin.
User permissions for master index applications are granted using the Admin Console. You
can also define security using a Lightweight Directory Access Protocol (LDAP) server, using the
roles you define in Define Master Index Data Manager User Roles.
Perform the following tasks to configure security for the master index application:
These topics provide additional information to help you perform the above tasks:
Define Master Index Data Manager User Roles
Oracle Java CAPS Master Index provides sample user roles for giving multiple permissions
to a user at one time. You can define additional user roles and
assign combinations of access permissions to each role. This way you can assign
a user account to one or two user roles instead of assigning them
several access permissions.
To Define a User Role
- In the NetBeans Projects window, expand the master index project and then expand
Configuration.
- Open midm-security.xml in an XML editor.
- Define user groups and their permissions using the elements described in Master Index Data Manager User Role Properties.
The permissions you can assign are listed and described in Master Index Data Manager User Permissions.
- Save and close the file.
You can use these roles when you create the user accounts, as described
in Create Master Index Data Manager User Accounts.
- Continue to Define EJB User Roles.
Define EJB User Roles
EJB user roles control access at the master controller level. Oracle Java
CAPS Master Index provides a sample role for granting multiple permissions at one
time without giving access to all functions. An additional role is predefined, MasterIndex.Admin, that
provides access to all functions. You can define additional roles and assign combinations
of functional permissions to each role. This way you can assign a user
account to one or two roles instead of assigning them several permissions.
Note - This step is optional. You can use the MasterIndex.Admin role for MIDM users
if you only need to restrict access at the presentation level.
To Define an EJB User Role
- In the NetBeans Projects window, expand the master index project and then expand
Configuration.
- Open security.xml in an XML editor.
- Define user roles and the permissions that belong to each using the elements
described in EJB User Role Properties.
The permissions you can assign are listed and described in EJB Security Functions.
- Save and close the file.
You can use these roles when you create the user accounts.
- Continue to Create Master Index Data Manager User Accounts.
Create Master Index Data Manager User Accounts
You create user accounts for MIDM access using the GlassFish Admin Console.
Tip - Make sure you give users access to the initial page that appears when
a user logs in to the MIDM. This page is defined in
midm.xml. Also verify that the EJB privileges you assign allow the user to
perform all of the MIDM functions to which they have access.
To Create a User Account
Before You Begin
Make sure you have created all the user roles and, optionally, EJB user
roles that need to be assigned to the user account.
- Log on to the GlassFish Admin Console.
- In the left portion of the page, expand Configuration, expand Security, and then
expand Realms.
- Select File.
- On the Edit Realm page, select Manage Users.
- On the File Users page, select New.
- In the User ID field, enter a name for the user.
- In the Group List field, enter the following. Separate roles with a comma.
- After you have added all required user roles and EJB user roles, enter
a password for the user in the New Password field.
- In the Confirm New Password field, enter the password again.
- Click OK.
Master Index Data Manager User Role Properties
You can define user roles for the MIDM in order to assign
multiple security permissions to a user account at once. Roles are defined in
an XML file, midm-security.xml. The following table describes the elements of the security configuration
file.
Table 1 MIDM User Role Configuration Elements
| Element | Description |
|---|---|
| role | A definition for one user role. Each role element contains a name for the user role, a list of security permissions, and, optionally, a user role from which permissions are inherited along with any exceptions to the inheritance. |
| role-name | The name of the user role, such as Administrator. |
| inheritance | A definition of how permissions are inherited from another user role. The definition includes the parent user role and any permissions that should not be inherited. This group of elements is optional, and a role can inherit from multiple user roles. Note - The role from which permissions are inherited must be defined earlier in the XML file than the role that inherits the permissions. |
| inherits-from | The name of the user role from which the current role inherits permissions. If permissions are added to this user role at any time, the new permissions are also inherited by the current role. |
| excluded-operations | A list of permissions assigned to the parent role that the current role should not have access to. Any permissions assigned to the parent role that are not listed here are assigned to the current role. Note - If a role inherits from multiple parent roles and each parent is assigned an excluded permission, you need to specify that the permission be excluded for each parent role. |
| excluded-operations/name | |
| operation | A list of security permissions to assign to the user role. If the role inherits permissions from another role, the permissions listed here are in addition to the inherited permissions. |
| operation/name | |
Master Index Data Manager User Permissions
The following table lists and describes each user permission for the MIDM. The
user permission names are case-sensitive.
Table 2 MIDM User Permissions and Descriptions
| Permission | Description |
|---|---|
| AssumedMatch_Print | Gives access permission to print the results of an assumed match search. |
| | Gives access permission to search for and view records that were automatically matched by the master index application. This permission is needed to perform any assumed match functions. |
| AssumedMatch_Undo | Gives access permission to reverse an assumed match, separating the two records. |
| AuditLog_Print | Gives access permission to print an audit log search results report. This permission also requires AuditLog_SearchView. |
| AuditLog_SearchView | Gives access permission to search for and view audit log entries. |
| EO_Activate | Gives access permission to activate enterprise records. |
| EO_Compare | Gives access permission to compare enterprise records. |
| EO_Create | Gives access permission to create new enterprise records. |
| EO_Deactivate | Gives access permission to deactivate enterprise records. |
| EO_Edit | Gives access permission to modify the SBR in enterprise records. |
| EO_LinkSBRFields | Gives access permission to link a field in a system record with a field in the enterprise record's SBR so the value of the SBR field is the same value as the system object field. |
| EO_LockSBRFields | Gives access permission to modify the SBR directly and to lock SBR fields for overwrite. |
| EO_Merge | Gives access permission to merge enterprise records. |
| EO_OverwriteSBR | Gives access permission to choose an SBR field to retain during a merge. After the merge transaction, the field is locked for editing. |
| EO_PrintComparison | Reserved for future functionality. |
| EO_PrintSBR | Reserved for future functionality. |
| EO_SearchViewSBR | Gives access permission to search for and view single best records, and to generate and print the search results report. This permission is needed to perform any functions on the details page. |
| EO_UnlinkSBRFields | Gives access permission to unlink an SBR field and system record field that were previously linked. |
| EO_UnlockSBRFields | Gives access permission to unlock an SBR field that was previously locked for editing. |
| EO_Unmerge | Gives access permission to unmerge enterprise records. |
| EO_ViewMergeTree | Gives access permission to view a merge history of an enterprise object. |
| Field_VIP | Gives permission to view fields masked by any custom masking logic specified by midm.xml. |
| PotDup_Print | Gives permission to print the results of a potential duplicate search. |
| PotDup_ResolvePermanently | Gives access permission to permanently resolve potential duplicate records. |
| PotDup_ResolveUntilRecalc | Gives access permission to resolve potential duplicate records. |
| PotDup_SearchView | Gives access permission to search for and view potential duplicate records. This permission is needed in order to perform any functions on the Duplicate Records page. |
| PotDup_Unresolve | Gives access permission to unresolve potential duplicate records that were previously resolved. |
| Reports_Activity | Gives access permission to run an activity report. |
| Reports_AssumedMatches | Gives access permission to run an assumed match report. |
| Reports_DeactivatedEUIDs | Gives access permission to run a deactivated record report. |
| Reports_Duplicates | Gives access permission to run a potential duplicate report. |
| Reports_MergedRecords | Gives access permission to run a merge transaction report. |
| Reports_UnmergedRecords | Gives access permission to run an unmerge transaction report. |
| Reports_Updates | Gives access permission to run an update report. |
| Reports_View | Gives access permission to the reports page. This permission is needed in order to run any of the production or activity reports. |
| SO_Activate | Gives access permission to reactivate a deactivated system record. |
| SO_Add | Gives access permission to add system records. |
| SO_Compare | Gives access permission to compare system records. |
| SO_Edit | Gives access permission to modify system records. |
| SO_Deactivate | Gives access permission to deactivate system records. |
| SO_Merge | Gives access permission to merge system records. |
| SO_Print | Gives access permission to print the results of a system record search. |
| SO_Remove | Gives access permission to delete system records. |
| SO_SearchView | Gives access permission to search for and view system records. |
| SO_Unmerge | Gives access permission to unmerge system records. |
| TransLog_Print | Gives permission to print the results of a transaction history search. |
| TransLog_SearchView | Gives access permission to search for and view the transaction history of enterprise records and to view merged records. |
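The following added example is not part of the Oracle documentation. It resolves each role's effective permissions from a role file laid out as Table 1 describes, and reports parents defined out of order, exclusions that are defeated because they were not repeated for every parent, and permissions granted without the prerequisite named in Table 2. The root element name, the exact nesting, and the sample roles are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Prerequisites stated in the permission table (prefix -> required permission).
PREREQS = {"AuditLog_": "AuditLog_SearchView", "PotDup_": "PotDup_SearchView",
           "Reports_": "Reports_View"}

# Constructed sample. The root element name and the nesting are assumptions
# based on the element table; compare with your generated midm-security.xml.
SAMPLE = """<midm-security>
 <role><role-name>Viewer</role-name>
  <operation><name>EO_SearchViewSBR</name><name>AuditLog_SearchView</name>
   <name>AuditLog_Print</name></operation></role>
 <role><role-name>Clerk</role-name>
  <operation><name>EO_Edit</name><name>AuditLog_Print</name></operation></role>
 <role><role-name>Auditor</role-name>
  <inheritance><inherits-from>Viewer</inherits-from>
   <excluded-operations><name>AuditLog_Print</name></excluded-operations></inheritance>
  <inheritance><inherits-from>Clerk</inherits-from>
   <excluded-operations><name>EO_Edit</name></excluded-operations></inheritance>
  <operation><name>Reports_Updates</name></operation></role>
</midm-security>"""

def _names(elem):
    return {n.text.strip() for n in elem.findall("name") if n.text}

def audit(xml_text):
    """Return (effective permissions per role, findings) for a role file."""
    effective, findings = {}, []
    for role in ET.fromstring(xml_text).findall("role"):
        name = role.findtext("role-name", "").strip()
        perms, excluded_anywhere = set(), set()
        for op in role.findall("operation"):
            perms |= _names(op)
        for inh in role.findall("inheritance"):
            parent = inh.findtext("inherits-from", "").strip()
            excluded = set()
            for ex in inh.findall("excluded-operations"):
                excluded |= _names(ex)
            excluded_anywhere |= excluded
            if parent not in effective:  # parents must be defined earlier in the file
                findings.append(f"{name}: parent {parent} is not defined earlier")
                continue
            perms |= effective[parent] - excluded  # exclusions apply per parent
        for leaked in sorted(excluded_anywhere & perms):
            findings.append(f"{name}: excluded {leaked} is still granted by another source")
        for prefix, needed in PREREQS.items():
            dependents = sorted(p for p in perms if p.startswith(prefix) and p != needed)
            if dependents and needed not in perms:
                findings.append(f"{name}: {', '.join(dependents)} granted without {needed}")
        effective[name] = perms
    return effective, findings

if __name__ == "__main__":
    print(*audit(SAMPLE)[1], sep="\n")
```

In the sample, Auditor excludes AuditLog_Print only for the Viewer parent, so the permission still arrives through Clerk; repeating the exclusion under the second inheritance element removes it.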
EJB User Role Properties
You can define access roles for the EJB layer in order to
assign multiple security permissions to a user or web client at once. EJB
roles can be used to secure MIDM users and other clients accessing the
master index application, such as web services. Roles are defined in an XML
file, security.xml. The following table describes the elements of the security configuration file. The
default user, MasterIndex.Admin, is not defined in this file, but it gives access
to all functions.
Table 3 EJB User Role Configuration Elements
| Element | Description |
|---|---|
| ejbSecurity | An indicator of whether EJB security is enabled. Enter ON to enable web service security; enter OFF to disable web service security. |
| role | A definition for one EJB user role. Each role element contains a name for the user role and a list of security permissions. |
| role-name | The name of the EJB user role, such as DataProcessor. |
| operation | A list of master controller functions to assign to the user role. |
| name | The name of a master controller function to add to the current user role. Functions are listed under EJB Security Functions. |
EJB Security Functions
The following table lists and describes each security function in the master controller.
The permission names are case-sensitive. For more information about these functions, see the
Javadocs provided with Oracle Java CAPS Master Index. These functions are defined in
com.sun.mdm.index.ejb.master.MasterController.
Table 4 EJB Security Functions and Descriptions
| Function | Description |
|---|---|
| activateEnterpriseObject | Gives access permission to change the status of a deactivated enterprise object back to active. |
| activateSystemObject | Gives access permission to change the status of a deactivated system object back to active. |
| addSystemObject | Gives access permission to add a system object to an enterprise object. |
| calculatePotentialDuplicates | Gives access permission to calculate potential duplicates for a transaction. |
| calculateSBR | Gives access permission to calculate a new single best record (SBR) for an enterprise object that has been updated. |
| createEnterpriseObject | Gives access permission to create a new enterprise object in the master index application. |
| deactivateEnterpriseObject | Gives access permission to change the status of an enterprise object to inactive. |
| deactivateSystemObject | Gives access permission to change the status of a system object to inactive. |
| deleteSystemObject | Gives access permission to delete a system object from an enterprise object. |
| executeMatch | Gives access permission to process a system object using the standardization and matching logic defined for the master index application. |
| executeMatchDupRecalc | Gives access permission to process a system object using the standardization and matching logic defined for the master index application and allows you to defer potential duplicate processing. |
| executeMatchGui | Gives access permission to process a system object using the standardization and matching logic defined for the master index application. |
| executeMatchUpdate | Gives access permission to process a system object using the standardization and matching logic defined for the master index application. |
| executeMatchUpdateDupRecalc | Gives access permission to process a system object using the standardization and matching logic defined for the master index application and allows you to defer potential duplicate processing. |
| getConfigurationValue | Gives access permission to retrieve the configuration of a master controller parameter. |
| getDatabaseStatus | Gives access permission to retrieve the status of the master index database. |
| getEnterpriseObject | Gives access permission to retrieve an enterprise object. |
| getEUID | Gives access permission to retrieve the EUID associated with a system and local ID. |
| getMergeHistory | Gives access permission to retrieve a tree structure of the merge transactions associated with a specific enterprise object. |
| getRevisionNumber | Gives access permission to retrieve the SBR revision number for an enterprise object. |
| getSBR | Gives access permission to retrieve the SBR for an enterprise object. |
| getSystemObject | Gives access permission to retrieve a system object based on the system and local ID information. |
| insertAuditLog | Gives access permission to add an audit log record to the master index database. |
| lookupAssumedMatches | Gives access permission to retrieve a list of assumed matches based on the search criteria specified. |
| lookupAuditLog | Gives access permission to retrieve an audit log record. |
| lookupPotentialDuplicates | Gives permission to retrieve a list of potential duplicate records. |
| lookupSystemDefinition | Gives permission to retrieve the attributes of a source system in the master index database. |
| lookupSystemDefinitions | Gives access permission to retrieve the attributes of multiple source systems in the master index database. |
| lookupSystemObjectPKs | Gives access permission to retrieve an array of system object keys. |
| lookupSystemObjects | Gives access permission to retrieve the active system objects in an enterprise object. |
| lookupTransaction | Gives access permission to retrieve a transaction summary. |
| lookupTransactions | Gives access permission to retrieve an array of transaction summaries. |
| mergeEnterpriseObject | Gives access permission to merge two or more enterprise objects. |
| mergeSystemObject | Gives access permission to merge two or more system objects. |
| ResolvePotentialDuplicates | Gives access permission to flag a potential duplicate pair as resolved. |
| searchEnterpriseObject | Gives access permission to retrieve an iterator of enterprise objects based on the specified search criteria. |
| transferSystemObject | Gives access permission to transfer a system object from its current enterprise object to a different enterprise object. |
| UndoAssumedMatch | Gives access permission to reverse an assumed match transaction, unmerging the two objects that were matched and creating a new enterprise object. |
| unmergeEnterpriseObject | Gives access permission to unmerge two previously merged enterprise objects. |
| unmergeSystemObject | Gives access permission to unmerge two previously merged system objects. |
| unresolvePotentialDuplicate | Gives access permission to mark as unresolved two potential duplicate records that were previously flagged as resolved. |
| updateEnterpriseDupRecalc | Gives access permission to update the master index database to reflect new values for an enterprise object and optionally to defer potential duplicate processing. |
| updateEnterpriseObject | Gives access permission to modify enterprise objects. |
| updateSystemObject | Gives access permission to modify system objects. |