Oracle Agile Engineering Data Management Security Guide Release e6.2.1.0 E69102-01
The default installation assumes that the Agile e6 software is installed on dedicated servers where no other users have access to the installation.
Users in the tables T_USER and T_GROUP and their group assignments:
User Name | Manager | Profile | Status | Assigned to Group | Description |
---|---|---|---|---|---|
EDBKERNEL | Yes | MANAGER-PROFIL | Locked | DATAVIEW, DEMOEP, EDB | Owner of e6 core objects in e6 dump |
EDBCUSTO | Yes | MANAGER-PROFIL | Locked | DATAVIEW, EDB | Preconfigured user for customization |
DEMOEP | No | - | Locked | DEMOEP | Preconfigured run time user for demos without manager privileges |
DEMOEP_M | Yes | MANAGER-PROFIL | Locked | DATAVIEW, DEMOEP, EDB | Preconfigured customizing/run time user for demos with manager privileges |
EDB-RESERVED | Yes | MANAGER-PROFIL | Locked | EDB | Internal user to define maximum I_IC for internal use |
DODEKERNEL | Yes | - | Locked | DODE-DEVELOPER | Owner of Dode Objects in the e6 dump |
EDB-EIP | Yes | MANAGER-PROFIL | Locked | EDB | Owner of e6 EIP objects |
EDB-SCM | Yes | MANAGER-PROFIL | Locked | EDB | Preconfigured user for customization |
MANAGER | Yes | - | Active | DATAVIEW | Preconfigured manager user |
The following example shows how a user can have several roles assigned that were defined in the so-called Job Functions. Details on Roles/Job Functions and Privileges are described in the Online Help under Customizing Agile e6 > Roles.
User Name | Role | Job Function | Privileges |
---|---|---|---|
EDBCUSTO | EDB-ORGANIZATION-MNG | DefaultOrgMng | EDB-ORG-CPY (Copy a company/department) |
EDBCUSTO | EDB-PROJECT-MNG | DefaultProjectMng | EDB-POS-DEL (Delete a position or project team member) |
The following table shows the Job Functions assigned to the user EDBCUSTO.
Note: EDBCUSTO is the only user with assigned Job Functions.
Job Function | Description | User |
---|---|---|
DefaultOrgMng | Enabling EDBCUSTO to initiate organizations | EDBCUSTO |
DefaultProjectMng | Enabling EDBCUSTO to initiate projects | EDBCUSTO |
DefaultRoleMng | Enabling EDBCUSTO to define roles, privileges and job functions | EDBCUSTO |
Txt-Manager-2 | Manager for Text Management | EDBCUSTO |
The installation requires a user with administration rights.
The Installation user initially requires administration rights to create other users and services.
Note: After the installation, this user should no longer have Administration rights because the AdminClient service has to run under this account to modify the existing installation. This task will not require Administration rights.
Depending on the installed components, there will be two users created during the installation:
The runtime user for the following services which requires no privileged permissions. This user will be referred to as the Runtime User:
FMS Java Daemon
Java Daemon
Portmapper
The user running the File Server. This user requires Administrative rights to secure its own data directories. This user will be referred to as the File Server User.
The installation on UNIX requires no special permissions during the installation and should be started as an unprivileged user.
Note: The installation should not be started by the root user.
To secure the installation, two user accounts should be created, analogous to the Windows users that are created during the Agile e6 installation:
Runtime User
File Server User
This section describes the directory access permission after an installation.
Note: No other users or groups have access permissions to these directories.
Directory | Access Type | Access Users/Groups |
---|---|---|
%ALLUSERSPROFILE%\agile\installer\6.2.0 | Full Access | Installation User, Administrators Group |
E6 Installation Destination (ep_root) | Full Access | Installation User, Administrators Group, Runtime User |
File Server Destination | Full Access | Installation User, Administrators Group, File Server User |
Enterprise Integration Platform Destination | Full Access | Installation User, Administrators Group |
Directory | Access Type | Access Users/Groups |
---|---|---|
${HOME}/.agile/installer/6.2.0 | Full Access | Installation User |
E6 Installation Destination (ep_root) | Full Access | Installation User |
File Server Destination | Full Access | Installation User |
Enterprise Integration Platform Destination | Full Access | Installation User |
This section describes the minimum access permissions for specific users and directories.
This user needs to have full access to the Agile e6 installation to administrate the installation, e.g. applying hot fixes, modifying or creating a new application.
Note: Here, the Agile e6 installation includes the native EDM Server (ep_root), the File Server, and the WebLogic user domains.
This user also needs exclusive full access to the following directories.
Note: No additional users should have access to the following directories.
Windows
%ALLUSERSPROFILE%\agile
UNIX
${HOME}/.agile
This user requires read only and execute permissions for the native EDM Server or dedicated DFM installation directory.
In addition, this user requires write and delete permissions for the following directories:
Native EDM Server
<ep_root>/axalant/dmp
<ep_root>/tmp
<ep_root>/<application>/lck
DFM location
<tomat_server_root>/logs
<tomat_server_root>/webapps
<tomat_server_root>/work
<ep_root>/tmp
EIP Location
<eip_root>/logs
<eip_root>/tmp
This user only requires full access to the File Server root directory and below it.
The vaults directories with the stored files are located within the File Server directory.
UNIX
Directories for vaults of type "PUB" have permission 755 (drwxr-xr-x).
Directories for vaults of type "EIF" and "FMS" have permission 700 (drwx------).
Files within the vault of type "PUB" have permission 644 (-rw-r--r--).
Files within the vault of type "EIF" and "FMS" have permission 600 (-rw-------).
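The UNIX modes listed above can be checked with a short script. This is an added example, not part of the Oracle guide; the function name `audit_vault` and the script name are hypothetical, and the caller supplies the vault directory and its type.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit one File Server vault directory
# against the UNIX modes listed above (PUB 755/644, EIF and FMS 700/600).
# Usage: audit_vault <vault_dir> <PUB|EIF|FMS>
# Prints every deviating path; returns 0 if clean, 1 on deviations, 2 on bad input.
audit_vault() {
    vault_dir=$1
    case "$2" in
        PUB)     dir_mode=755; file_mode=644 ;;
        EIF|FMS) dir_mode=700; file_mode=600 ;;
        *) echo "unknown vault type: $2" >&2; return 2 ;;
    esac
    if [ ! -d "$vault_dir" ]; then
        echo "not a directory: $vault_dir" >&2
        return 2
    fi

    # "-perm MODE" without a prefix is an exact match on all mode bits, so
    # "! -perm" reports looser modes, stricter modes and setuid/setgid/sticky.
    deviations=$(
        find "$vault_dir" -type d ! -perm "$dir_mode"  -print | sed 's/^/DIR /'
        find "$vault_dir" -type f ! -perm "$file_mode" -print | sed 's/^/FILE /'
    )
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}

# Hypothetical invocation: sh audit_vault.sh /path/to/vault FMS
if [ "$#" -eq 2 ]; then
    audit_vault "$1" "$2"
fi
```

Run it as the File Server User, since directories with mode 700 cannot be traversed by other unprivileged accounts.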
Windows
If files are copied during vault transfer from outside to a new vault, the owner of these copied files must be set to the File Server User.
Runas /noprofile /user:<File Server User> "takeown /F <full path to fileserver vault directory>\*"
This section describes how to remove the access permissions for other users, and remove unneeded permissions for the runtime user.
Note: This also applies to the Enterprise Integration Platform installation location.
The Windows command icacls.exe can be used to add or remove access permissions to directories.
Execute the following commands in a command shell with the installation user.
Remove the administrator access.
Note: Replace <ep_root> with the path to the Agile e6 installation directory.
icacls.exe <ep_root> /remove:g BUILTIN\Administrators
icacls.exe %ALLUSERSPROFILE%\agile\installer\6.2.1 /remove:g BUILTIN\Administrators
Note: The above command requires changing the Log On Account for the AdminClient service.
Start the Services Administration Configuration.
Open the properties of the Apache Tomcat AgileAdminClient service.
Switch to the tab Log On.
Change the local system account to this account, and fill in the data of your installation user.
Remove the Administrators group access for the File Server directory:
Note: Replace <fms_root> with the path to the File Server directory.
icacls.exe <fms_root> /remove:g BUILTIN\Administrators
Restrict the access permission for the runtime user.
Note: Replace <ep_root> with the path to the Agile e6 installation directory and replace <RUNTIME_USER> with the name of the runtime user. Replace <application> with the name of your Agile e6 application.
Remove the access permission for the Runtime User (<RUNTIME_USER>) first.
icacls.exe <ep_root> /remove:g <RUNTIME_USER>
Add the default read and execute permissions for the runtime user:
icacls.exe <ep_root> /grant <RUNTIME_USER>:(RX)
icacls.exe <ep_root> /grant <RUNTIME_USER>:(OI)(CI)(IO)(RX)
Add the full access permissions for the runtime user to a selected set of directories:
icacls.exe <ep_root>\axalant\dmp /grant <RUNTIME_USER>:(F)
icacls.exe <ep_root>\axalant\dmp /grant <RUNTIME_USER>:(OI)(CI)(IO)(F)
icacls.exe <ep_root>\tmp /grant <RUNTIME_USER>:(F)
icacls.exe <ep_root>\tmp /grant <RUNTIME_USER>:(OI)(CI)(IO)(F)
icacls.exe <ep_root>\<application>\lck /grant <RUNTIME_USER>:(F)
icacls.exe <ep_root>\<application>\lck /grant <RUNTIME_USER>:(OI)(CI)(IO)(F)
Note: Permissions for additional applications which are created with the Administration Client or the batch installation need to be granted manually.
There are different options to restrict the access, e.g. using ACL or UNIX groups. The following description is for UNIX groups.
Note: Replace <ep_root> with the path to the Agile e6 installation directory.
Stop any Agile e6 daemons.
Clean up all files in the following directory before changing the process owner from the installation to the runtime user:
rm <ep_root>/axalant/dmp/*
rm <ep_root>/tmp/*
rm <ep_root>/<application>/lck/*
Create a UNIX group, e.g. plmgrp.
Add the installation user to the new group from above.
Create a new UNIX user, e.g. plmrun, and add this user to the newly created group.
Change the default group file/directory access permission of <ep_root>:
chgrp -R plmgrp <ep_root>
chmod -R g=rx <ep_root>
Add the full access permissions for the runtime user to a selected set of directories:
chmod -R g+w <ep_root>/axalant/dmp
chmod -R g+w <ep_root>/tmp
chmod -R g+w <ep_root>/<application>/lck
Now you can start the following daemons with the runtime user:
FMS Java Daemon (${ep_root}/axalant/scripts/fms_jade)
Java Daemon (${ep_root}/axalant/scripts/jade)
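Before starting the daemons, the result of the UNIX group procedure above can be verified. This is an added example, not part of the Oracle guide; the function name `audit_ep_root` and the script name are hypothetical, and the caller passes the installation path, application name and group (e.g. plmgrp).

```shell
#!/bin/sh
# Added example, not Oracle's code: verify the UNIX group hardening above.
# Usage: audit_ep_root <ep_root> <application> <group>
# Returns 0 if clean, 1 on findings, 2 if the path or group cannot be checked.
audit_ep_root() {
    ep_root=${1%/}
    app=$2
    grp=$3

    # find fails on a missing path or an unknown group name; stop here so an
    # unusable audit is never mistaken for a clean result.
    if ! find "$ep_root" -prune ! -group "$grp" >/dev/null 2>&1; then
        echo "cannot audit: bad path or unknown group '$grp'" >&2
        return 2
    fi

    # 1. After "chgrp -R", everything under <ep_root> belongs to the group.
    wrong_group=$(find "$ep_root" ! -group "$grp" -print | sed 's/^/GROUP /')

    # 2. Group write is expected only inside dmp, tmp and <application>/lck.
    #    -prune skips those subtrees; -perm -020 matches the g+w bit.
    #    Symlinks are skipped because chmod does not change their mode.
    extra_write=$(find "$ep_root" \
        \( -path "$ep_root/axalant/dmp" -o -path "$ep_root/tmp" \
           -o -path "$ep_root/$app/lck" \) -prune \
        -o ! -type l -perm -020 -print | sed 's/^/GWRITE /')

    # 3. The runtime user needs write access to the three directories.
    missing=$(for d in axalant/dmp tmp "$app/lck"; do
        [ -d "$ep_root/$d" ] && [ -n "$(find "$ep_root/$d" -prune -perm -020)" ] \
            || printf 'NOWRITE %s\n' "$ep_root/$d"
    done)

    report=$(printf '%s\n%s\n%s\n' "$wrong_group" "$extra_write" "$missing" | sed '/^$/d')
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Hypothetical invocation: sh audit_ep_root.sh /opt/agile/e6 myapp plmgrp
if [ "$#" -eq 3 ]; then
    audit_ep_root "$1" "$2" "$3"
fi
```

GROUP lines mark paths missed by chgrp, GWRITE lines mark group-writable paths outside the three runtime directories, and NOWRITE lines mark runtime directories the group cannot write to.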