User Admin
This section describes the Gravity User Admin.
User Admin Perspective
There is a special perspective with all views related to the user administration. You can open the perspective by clicking on the Open Perspective shortcut on the Perspective bar.
This perspective will open the User Admin view and the Authorities Customization view.
Concepts
The main elements of the Gravity user admin are User, Group, Role and Authorities.
User
A user is a person or an alias who uses the Gravity application. After the first start-up of Gravity, the admin user profile is created.
A user belongs to one of the User Types that have been defined within Gravity. The default type used is User but more types can be added in the definitions. The User Type is just a classification. It does not affect the capabilities in any way.
When creating a user you also choose which login authentication scheme will be used. By default the Gravity Internal scheme is selected, but if more schemes are available, for example LDAP, they will also be offered in the 'User Authenticator' drop-down box.
A user has initially the fields shown in the following figure and can be extended with more fields:
Any uppercase characters entered in the Account will be converted to lowercase when Finish is pressed.
How to Create a User
Open the User Admin view and open the context menu on the 'Users' node. Select the 'New User' menu option and the New User wizard will be displayed (see figures above). Fill the fields and click on 'Finish'.
Regarding passwords, the clear password is converted to a hash according to the PBKDF2 standard (RFC 2898), using HMAC/SHA1 as the hashing algorithm. The salt is 160 bits long, so that an attacker cannot use a pre-calculated password hash table (rainbow table), and it is generated using a cryptographically secure random number generator; a high iteration value is used to counter brute force attacks. Note that a simple password plays into the hands of an attacker, so make sure your password is sensibly random. Ideally the chosen password should consist of at least 8 characters (more is better) with mixed upper and lowercase characters, including one or more numbers and/or special characters, for example GwtY1!dYz2.
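As an added illustration (not Gravity's own code), the following Python reproduces the storage scheme described above: PBKDF2 with HMAC-SHA1 as the pseudo-random function, a 160-bit salt drawn from the operating system's CSPRNG for every password, and a configurable iteration count. The iteration count, the 160-bit derived-key length and the `scheme$iterations$salt$hash` record format are my own assumptions, since the page states none of them. The `derive` function is checked against the published PBKDF2-HMAC-SHA1 test vectors from RFC 6070, so the construction can be trusted before any record is written.

```python
import base64
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2-hmac-sha1"
SALT_BYTES = 20          # 160-bit salt, as stated on the page
DKLEN = 20               # 160-bit derived key (assumption: the HMAC-SHA1 output size)
ITERATIONS = 200_000     # assumption: the page only says "a high iteration value"


def derive(password: str, salt: bytes, iterations: int, dklen: int = DKLEN) -> bytes:
    """PBKDF2 (RFC 2898) with HMAC-SHA1 as the pseudo-random function."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a clear-text password for storage.

    A fresh salt comes from the OS CSPRNG on every call, so two users with the
    same password get different records and a precomputed table is useless.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = derive(password, salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time; a malformed or foreign record simply fails."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = derive(password, salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def salt_of(stored: str) -> bytes:
    """Return the salt embedded in a stored record (useful to audit its length)."""
    return base64.b64decode(stored.split("$")[2], validate=True)


def rfc6070_self_check() -> bool:
    """Known-answer test: PBKDF2-HMAC-SHA1("password", "salt") from RFC 6070."""
    vectors = {
        1: "0c60c80f961f0e71f3a9b524af6012062fe037a6",
        2: "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957",
        4096: "4b007901b765489abead49d926f721d065a429c1",
    }
    return all(derive("password", b"salt", c).hex() == dk for c, dk in vectors.items())


if __name__ == "__main__":
    assert rfc6070_self_check()
    record = hash_password("GwtY1!dYz2")          # the page's example password
    print(record)
    print(verify_password("GwtY1!dYz2", record))  # True
    print(verify_password("gwty1!dyz2", record))  # False: case matters
```

The iteration count is stored inside the record, so it can be raised later for new passwords while old records still verify; `hmac.compare_digest` keeps the comparison time independent of where the first differing byte is.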
How to Edit a User
Open the User Admin view and expand the 'Users' node until you find the relevant user. Open the context menu on the required user and select the 'Edit' option. Update the fields and click on 'Finish'.
Enable/Disable a User
Open the edit dialog as shown above, then click Next. Check the Enabled checkbox at the top to enable the user you are editing; un-check it to disable the user.
How to Delete a User
Right-click the user you want to delete from within the User Admin View then select Delete.
Group
A Group is a collection of users that can be used to minimize the amount of administration required. The group consists of a member set to which users can be added. It is also possible to nest a group inside another group: simply add the group to the member set of the target group.
A group belongs to one of the group types that have been defined within Gravity. The default type used is Group but more types can be added in the definitions.
The group has initially only the name field and can be extended with more fields.
How to Create a Group
Open the User Admin view and right-click on the 'Groups' node. Select the 'New Group' option and the "New Group" wizard will be displayed (see figure above). A new group can be automatically filled with the member information from another group by selecting a group in the "Copy from group" combo box. Fill the remaining fields and click on 'Finish'.
How to Edit Group
Open the User Admin view and expand the 'Groups' node. Right-click a group and choose the option 'Edit'. Update any of the fields and click on 'Finish'.
Role
A Role is a collection of authorities (authorized entities) that can be assigned to users or groups. After the first start-up of Gravity an administrator role is created and assigned to the admin user. The users and groups that are assigned to the administrator role have the right to execute all actions on all entities.
How to Create a Role
Open the User Admin view -> right-click on the 'Roles' node -> click on the context menu 'New Role' -> the role wizard will be displayed (see figure above). A new role can be automatically filled from another role by selecting a role in the "Copy from role" combo box. The administrator role cannot be selected to copy from. Fill the fields and click on 'Finish'.
How to Edit a Role
Open the User Admin view -> expand 'Roles' node -> select a role and mouse right click -> select the option 'Edit' -> update the fields and click on 'Finish'.
How to Assign a Role to User(s) or Group(s)
Open the User Admin view -> expand 'Roles' node -> select a role and mouse right click -> select the option 'Add User' or 'Add Group' -> select the users or groups and click on 'Ok'.
User Rights Scenarios
- Scenario 1: no entity action is added. If a user is assigned to a role and no action has been added to the authorities of that role, the user has no right to perform any action on any entity.
- Scenario 2: only entity global actions (actions on the entity type level) are added. If a user is assigned to a role and one or more global actions have been added to the authorities of that role, the user has the right to perform the associated actions on every entity of the appropriate types.
- Scenario 3: only entity concrete actions (actions on the concrete entity level) are added. If a user is assigned to a role and one or more concrete actions have been added to the authorities of that role, the user has the right to perform only the permitted actions on the appropriate concrete entities.
- Scenario 4: concrete or global entity actions are added and the role is connected to an authorized entity. If a user is assigned to a role, one or more concrete or global actions have been added to the authorities of that role, and the role is connected to an entity, the user has the right to perform only the permitted actions on that entity.
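The four scenarios, together with the global (type-level) and concrete (entity-level) actions they refer to, form an authorization decision that is easier to reason about in code. The Python below is an added example and not Gravity's implementation: the `Entity`, `Authority` and `Role` classes, the sample users, groups and roles are all constructed here, and the way scenario 4 is modelled (a role connected to an entity grants nothing on any other entity, even for global actions) is my reading of the text above rather than a statement about Gravity's internals. Roles are resolved through direct and group membership, as the page says roles can be assigned to either.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entity:
    """A concrete entity: its type (a tab in the Authorities Customization view)
    and its identity (a row in that tab)."""
    type: str
    id: str


@dataclass
class Authority:
    """One authorized entity type inside a role.

    global_actions   - the header check boxes: allowed on every entity of the type.
    concrete_actions - the row check boxes: entity id -> actions allowed on that
                       one entity only.
    """
    global_actions: set[str] = field(default_factory=set)
    concrete_actions: dict[str, set[str]] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return not self.global_actions and not any(self.concrete_actions.values())


@dataclass
class Role:
    name: str
    authorities: dict[str, Authority] = field(default_factory=dict)  # entity type -> authority
    connected: set[Entity] = field(default_factory=set)   # entities the role is connected to
    members: set[str] = field(default_factory=set)        # user or group names
    administrator: bool = False                           # the built-in administrator role


def roles_of(user: str, groups_of_user: dict[str, set[str]], roles: list[Role]) -> list[Role]:
    """Roles assigned to the user directly or through one of the user's groups."""
    principals = {user} | groups_of_user.get(user, set())
    return [r for r in roles if r.members & principals]


def role_permits(role: Role, action: str, entity: Entity) -> bool:
    """Apply the four user-rights scenarios to a single role."""
    if role.administrator:                       # all actions on all entities
        return True
    authority = role.authorities.get(entity.type)
    if authority is None or authority.is_empty():
        return False                             # scenario 1: nothing selected
    if role.connected and entity not in role.connected:
        return False                             # scenario 4: scoped to the connected entities
    if action in authority.global_actions:
        return True                              # scenario 2: type-level permission
    return action in authority.concrete_actions.get(entity.id, set())  # scenario 3


def is_permitted(user: str, action: str, entity: Entity,
                 groups_of_user: dict[str, set[str]], roles: list[Role]) -> bool:
    """A user may act if any one of the roles they hold permits it."""
    return any(role_permits(r, action, entity) for r in roles_of(user, groups_of_user, roles))


# Constructed sample data (not from the page). alice holds roles via the developers group.
GROUPS_OF_USER = {"alice": {"developers"}}
ROLES = [
    Role("administrator", administrator=True, members={"admin"}),
    Role("empty", authorities={"Item": Authority()}, members={"carol"}),            # scenario 1
    Role("item-reader", authorities={"Item": Authority(global_actions={"Read"})},
         members={"developers"}),                                                    # scenario 2
    Role("item42-editor",
         authorities={"Item": Authority(concrete_actions={"ITEM-42": {"Update"}})},
         members={"bob"}),                                                           # scenario 3
    Role("item7-deleter", authorities={"Item": Authority(global_actions={"Delete"})},
         connected={Entity("Item", "ITEM-7")}, members={"dave"}),                    # scenario 4
]


def check(user: str, action: str, item_id: str) -> bool:
    """Decide one request against the sample data for an Item entity."""
    return is_permitted(user, action, Entity("Item", item_id), GROUPS_OF_USER, ROLES)


if __name__ == "__main__":
    for user, action, item in [("alice", "Read", "ITEM-42"), ("bob", "Update", "ITEM-42"),
                               ("bob", "Update", "ITEM-99"), ("carol", "Read", "ITEM-42"),
                               ("dave", "Delete", "ITEM-7"), ("dave", "Delete", "ITEM-8")]:
        print(f"{user:6} {action:7} {item}: {check(user, action, item)}")
```

The decision is deny by default: a user with no matching role, a role with an empty authority, or an entity type with no tab selected all fall through to `False`, and only an explicit global or concrete selection (or the administrator role) grants the action.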
Authorities
Authorities are the set of authorized entities associated with a role.
How to Add an Authority to a Role
Authorizing a user means giving that user the capability (Capabilities Overview) to perform a specified action on an entity.
1) Open the User Admin view and the Authorities Customization view.
2) Select a role from the User Admin view and the authorization content of this role will be displayed in the Authorities Customization view.
3) The tabs of the Authorization Customization view represent the authorities which are authorized entities. Select one of the tabs and the associated entity capabilities will be displayed.
4) Select one or more capabilities.
5) Save the view changes.
6) The result is shown under the Authorities node of the User Admin view, as shown in the following figure:
How to Disconnect an Authority from a Role
To disconnect the authority (entity) from a role, you have to deselect all actions (both concrete and global actions) of the connected entity from the Authorities Customization view and save the changes.
User Admin View
The above described elements are displayed in the user admin view as shown in the following figure:
Authorization Customization View
The above figure displays the authorized entities and their actions. The tabs represent the entity types, and the content of each tab is presented as a table.
The check boxes in the table header represent the global actions of the entity type. If one of these actions is selected, it can be executed for every entity of that type.
The table rows represent the concrete entities of the selected type (tab). The check boxes on a row represent the actions of that concrete entity and narrow an action from a global permission to a concrete one (a selected row action can be executed only for that concrete entity).
How to Connect an Authorized Entity to a Role
There are two ways to connect an entity (concrete entity) to a role:
1- Open the Authorities Customization view -> select a role -> select an entity from 'Authorities Customization view' -> Select the relevant authorities and save the changes.
2- Open the Definitions view -> select an entity -> select the option 'Add Role' -> select a role from the roles dialog and click on 'Ok'.
How to Manage Members of Connected Role
If a role is connected to an entity, members of the role will be associated with this entity. In this case the members have rights to perform the actions of the entity that are permitted in the role.
A member (user or group) can be added or removed from the connected role using the Roles View as shown in the following figure.
Special Users Authorization
A special user is a marker that can be added to a Role to give more abstract authorizations. A special user corresponds to the user who is related to an item through one of the following relations:
- Creator of the item
- Reporter of the item: the reporter can be a user or a group.
- Assignee of the item: the assignee can be a user or a group.
- Contributor of the item
If the logged-in Gravity user is one of these item-related special users, then the user has the right to perform all role actions related to this item. If the special user is a group (in the case of the item reporter or item assignee), then the logged-in user must be a member of that group in order to be granted the actions.
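To make the special-user rule concrete, here is an added Python example (not Gravity's code) that resolves which of the four markers a logged-in user satisfies for a given item. The `Item` class, the group table and the sample names are constructed for the example. It goes slightly beyond the text in one respect: because the page says a group can be nested inside another group, the reporter and assignee lookups follow group membership recursively, so a user in a nested group still counts as a member.

```python
from dataclasses import dataclass

SPECIAL_USERS = ("creator", "reporter", "assignee", "contributor")


@dataclass(frozen=True)
class Item:
    creator: str                            # always a user
    reporter: str                           # user or group
    assignee: str                           # user or group
    contributors: frozenset = frozenset()   # users


def expand_principal(principal: str, group_members: dict[str, set[str]]) -> set[str]:
    """Users reachable from a principal: a user is itself, a group is all of its
    members, following groups nested inside groups (cycles are tolerated)."""
    users, seen, stack = set(), set(), [principal]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in group_members:
            stack.extend(group_members[p])
        else:
            users.add(p)
    return users


def matching_special_users(user: str, item: Item,
                           group_members: dict[str, set[str]]) -> set[str]:
    """Which of the four special-user markers the logged-in user satisfies for this item."""
    hits = set()
    if item.creator == user:
        hits.add("creator")
    if user in expand_principal(item.reporter, group_members):
        hits.add("reporter")
    if user in expand_principal(item.assignee, group_members):
        hits.add("assignee")
    if user in item.contributors:
        hits.add("contributor")
    return hits


def special_user_grants(user: str, item: Item, role_special_users: set[str],
                        group_members: dict[str, set[str]]) -> bool:
    """A role carrying special-user markers grants its actions on the item when
    at least one marker matches the logged-in user. Unknown markers are rejected
    rather than silently ignored."""
    unknown = set(role_special_users) - set(SPECIAL_USERS)
    if unknown:
        raise ValueError(f"unknown special user marker(s): {sorted(unknown)}")
    return bool(set(role_special_users) & matching_special_users(user, item, group_members))


# Constructed sample data (not from the page): "qa-leads" is nested inside "qa".
GROUP_MEMBERS = {"qa": {"erin", "qa-leads"}, "qa-leads": {"frank"}}
ITEM = Item(creator="alice", reporter="qa", assignee="bob", contributors=frozenset({"carol"}))


if __name__ == "__main__":
    for user in ("alice", "erin", "frank", "bob", "carol", "zed"):
        print(user, sorted(matching_special_users(user, ITEM, GROUP_MEMBERS)))
    print(special_user_grants("frank", ITEM, {"reporter"}, GROUP_MEMBERS))   # True
    print(special_user_grants("frank", ITEM, {"assignee"}, GROUP_MEMBERS))   # False
```

Only the reporter and assignee fields are expanded through groups, matching the page's statement that those two relations may point at a group; the creator and contributors are compared as plain users.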
Capabilities Overview
In Gravity, you need to be authorized to act on an entity, e.g. to view an item, update a filter, delete a link and so on. So being authorized to delete an item means you have the item deletion capability. The following is an overview of capabilities per entity (entities having only the common capabilities are not listed).
The words authority and capability may be used here interchangeably.
Common Capabilities - CRUD
This table shows the capabilities that are common to most entities subject to a capability/authority check.
Common to Most Entities

Capability | Description
---|---
Create | Capability to create
Read | Capability to read/see/view
Update | Capability to update
Delete | Capability to delete
Role Addition | Capability to connect a role with an entity (the entity this capability is about, e.g. Application, Item, Link, Tag, ...)
Access Token
AccessToken

Capability | Description
---|---
Create All | Capability to create access tokens for everybody
Create Own | Capability to create access tokens for yourself only
Delete All | Capability to delete any access token
Expand Any Token Authority | Capability to add new capabilities to any access token
Expand Own Authority | Capability to add new capabilities to own access token(s) only, which augments the authority of own access token(s)
Narrow Any Token Authority | Capability to remove capabilities from any access token, which reduces that access token's authority
Narrow Own Authority | Capability to remove capabilities from own access token(s) only, which reduces the authority of own access token(s)
Read All | Capability to view/see/read any access token
Read Own | Capability to view/see/read own access token(s) only
Update All | Capability to update any access token
Update Own | Capability to update own access token(s) only
Application
Application

Capability | Description
---|---
Workflow Addition | Capability to add an application to a workflow
Workflow Removal | Capability to remove an application from a workflow

See also: Common CRUD Capabilities
Dependency
Dependency

Capability | Description
---|---
Define | Capability to use dependency capabilities in the definitions

See also: Common CRUD Capabilities
Filter
EntityFilter

Capability | Description
---|---
Export | Capability to export a filter
Import | Capability to import a filter

See also: Common CRUD Capabilities
Entity Type
EntityType

Capability | Description
---|---
Connect | Capability to connect an entity type to another
Disconnect | Capability to disconnect an entity type from another
Workflow | Capability to transfer an item with a specific type

See also: Common CRUD Capabilities
Event Handler
EventHandler

Capability | Description
---|---
Topics Addition | Capability to add topics to any event handler
Topics Deletion | Capability to delete topics from any event handler

See also: Common CRUD Capabilities
Event Template
EventTemplate

Capability | Description
---|---
Share | Capability to share the event template

See also: Common CRUD Capabilities
Work Item
Item

Capability | Description
---|---
Change Name | Capability to change the name of an item
Steal | Capability to assign an item to yourself even if it is currently assigned to someone else
Take | Capability to assign an item to yourself if it is currently assigned to a group (unassigned)
Release | Capability to assign the item you are assigned to one of the groups you are in
Assign | Capability to assign the item to a person or a group
Change Application | Capability to change the application of an item
Change Workflow | Capability to change the workflow of an item
Change Description | Capability to change the description of an item
Add Comment | Capability to create comment(s)
Read Comment | Capability to read comment(s)
Change Comment | Capability to edit comments
Delete Comment | Capability to delete comment(s)
Change Own Comment | Capability to update your own comment(s)
Change Dates | Capability to change dates
Change Reporter | Capability to change the reporter
Change Priority | Capability to change the priority
Change Severity | Capability to change the severity
Change Status | Capability to change the status
Change Subject | Capability to change the subject
Workflow | Capability to transfer an item
Add Attachment | Capability to create attachment(s)
Read Attachment | Capability to read attachment(s)
Update Attachment | Capability to update attachment(s)
Update Own Attachment | Capability to update own attachment(s)
Delete Attachment | Capability to delete attachment(s)
Delete Own Attachment | Capability to delete own attachment(s)
Read Link | Capability to read a link
Add Link | Capability to add a link to an item
Change Link | Capability to change a link
Change Own Link | Capability to change own link
Delete Link | Capability to delete a link
Delete Own Link | Capability to delete own link

See also: Common CRUD Capabilities
Item TypeSpace
ItemTypeSpace

Capability | Description
---|---
Type Addition | Capability to add a type to the item type-space
Type Removal | Capability to remove a type from the item type-space

See also: Common CRUD Capabilities
Workflow
Workflow

Capability | Description
---|---
Application Addition | Capability to add an application to the workflow
Application Removal | Capability to remove an application from the workflow
Stage Addition | Capability to add a stage to the workflow
Stage Removal | Capability to remove a stage from the workflow

See also: Common CRUD Capabilities
Location
Location

Capability | Description
---|---
Component Addition | Capability to add components to the location
Component Removal | Capability to remove components from the location
SubLocation Addition | Capability to add a sub-location to the location
SubLocation Removal | Capability to remove a sub-location
Route Addition | Capability to add a route to the location
Route Removal | Capability to remove a route from the location

See also: Common CRUD Capabilities
Route
Route

Capability | Description
---|---
Location Addition | Capability to add a location to the route
Location Removal | Capability to remove a location from the route
SubStage Addition | Capability to add a sub-stage to the route
SubStage Removal | Capability to remove a sub-stage from the route

See also: Common CRUD Capabilities
Stage
Stage

Capability | Description
---|---
SubStage Addition | Capability to add a sub-stage to the stage
SubStage Removal | Capability to remove a sub-stage from the stage
Workflow Addition | Capability to add a workflow to the stage
Workflow Removal | Capability to remove a workflow from the stage

See also: Common CRUD Capabilities
Sub-Stage
SubStage

Capability | Description
---|---
Route Addition | Capability to add a route to the sub-stage
Route Removal | Capability to remove a route from the sub-stage
Stage Addition | Capability to add a stage to the sub-stage
Stage Removal | Capability to remove a stage from the sub-stage

See also: Common CRUD Capabilities
Tag
Tag

Capability | Description
---|---
Tag Entities | Capability to tag an entity (add a tag, e.g. to an item)
Untag Entities | Capability to untag an entity (remove the tag from an entity, e.g. an item)
Untag What I Tagged | Capability to untag an entity you previously tagged
Read All | Capability to read/see/view any tag
Read Own | Capability to read/see/view own tags only
Delete All | Capability to delete any tag
Delete Own | Capability to delete own tags only
Update All | Capability to edit any tag
Update Own | Capability to update own tags only
User
User

Capability | Description
---|---
Change Own User | Capability to change your own user profile

See also: Common CRUD Capabilities
AuthorizableExtendedField
AuthorizableExtendedField

Capability | Description
---|---

See also: Common CRUD Capabilities