
CSM

Managing Permissions

A Permission is an association of a user or group to a set of roles and a protection group. The caCORE CSM v4.2 Programmer's Guide refers to permissions as Final Associations. From the guide, "The final association is the correlation between a User or Group, and their assigned Roles for a particular Protection Group." You may wish to refer to the CSM Administrator's Guide Overview for more information on permissions and how users, groups, roles and protection groups are linked together and used.

The Permissions tab of the Access Control Management interface allows CSM application administrators to search for, grant, revoke and modify permissions. To use the Permissions tab, launch the CSM administrative interface and search for the application whose permissions you wish to manage. Click on the application name to highlight it, click the View button and click the Permissions tab from the Access Control Management interface.


Administrative Access


In order to manage CSM applications and resources, you must be logged into a grid account that is configured to be a CSM administrator. During the installation process, it was recommended that at least one grid identity be added as a CSM administrator. If your account was not configured to be a CSM administrator, review step 7 of the Installation Guide.

If you have added your grid account as a CSM administrator but you are experiencing an error similar to the one pictured to the right, make sure that you specified the correct grid account in the Credential select box of the Application Access Control interface.

Searching for Permissions


The Permissions search interface allows you to display permissions associated with a single user or group. Permissions are displayed as an association between a protection group and a set of one or more comma separated roles in the Permissions box located below the Search Criteria pane.

Search group permissions

To search for the permissions associated with a group, choose Group from the Search Type select box located in the Search Criteria pane. Click the Find button to the right of the Group input box to launch the Select Group interface. Enter the name of the group you wish to search for in the Group Name input box and click the Search button. You may use the * character as a wildcard in your search criteria. All groups matching your search criteria will be displayed in the Groups box.

Click on the name of the group whose permissions you would like to display and click the Select button. This will populate the Group field in the Search Criteria pane of the Permissions tab. Click the Search button to display all permissions associated with the specified group in the Permissions box.

The example screenshot shows all of the permissions associated with the group CSM Web Service Administrators. The protection group CSM Web Service is associated with the Administrator role.

Search user permissions

To search for the permissions associated with a user, choose User/Host from the Search Type select box located in the Search Criteria pane. The Find button will launch the User Search interface. However, only Dorian Administrators may use the User Search tool to locate users.

If you are a Dorian Administrator, you can enter search criteria based on user id, name, email, grid identity, identity provider or user status. Click on the Search button to display all matching users. Click the name of the user you wish to associate with a permission and click the Select button. This will populate the User/Host search field on the Permissions tab with the grid identity of the user you selected.

If you are not a Dorian Administrator, you will not be able to use the User Search interface. You will need to manually enter the full grid identity of the user you wish to create a permission for in the User/Host search field. Enter the grid identity of the user and click the Search button to load all of the permissions associated with the user in the Permissions box. Wildcard characters are not supported in user searches.

In the example screenshot, a search has been performed for permissions associated with the user "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=kgasper". One permission has been returned: the CSM Web Service protection group is associated with the Administrator role.

Granting Permissions


To grant a new permission, click on the Create button to launch the Create Permission interface. The Create Permission interface allows you to associate a user, host or group with a protection group and a set of roles.

Note that the Create Permission interface does not inherit the user/host or group name you may have searched for on the Permissions tab. You will need to re-enter the user/host or group name you wish to create a new permission for. To grant a new permission for a user or host, choose User/Host from the Permission Type select box. Enter the grid identity of the user/host in the User/Host input field. You may use the Find button to search for a user if you are a Dorian Administrator. To grant a new permission for a group, choose Group from the Permission Type select box, click the Find button and select the group name using the Select Group interface. Refer back to the Searching for Permissions section for more detailed instructions on selecting a user/host name or group name.

Once you have chosen the user/host or group name, select the protection group you want to associate it with. Click on the Find button next to the Protection Group input box. This will launch the Select Protection Group interface. Enter the name of the protection group in the Protection Group Name field located in the Search Criteria pane. You may use the * character as a wildcard in your search criteria. Click the Search button to return the names of all protection groups that match your search. Click on the name of the protection group in the Protection Groups box and click the Select button to populate the Protection Group field on the Create Permission interface.

In the example screenshots, a group permission is being granted. The Local Group group is being associated with the PatientData protection group.

Finally, add a set of one or more roles to the permission. All available roles are listed in the Available Roles box in the Roles pane located at the bottom of the Create Permission interface. Select a role that you would like to add and click the << button. This moves the role from the Available Roles box to the Granted Roles box. You must add at least one role to the permission before creating it. Attempting to create the permission without any roles will result in the following error message:

Once you have specified all of the roles you wish to add, click the Create button. This will add the new permission and close the Create Permission interface, but will not update the search results box on the Permissions tab of the Access Control Management interface. To view your newly created permission, perform a search for the user/host or group that it is associated with.

Modifying Permissions


To modify an existing permission, perform a search for the user/host or group that the permission is associated with. Click on the permission in the Permissions search results box to highlight it and click the Modify button. You may also double-click the permission name. Either of these approaches will launch the Modify Permission interface.

The Modify Permission interface allows you to add roles to or remove roles from the permission. However, you may not change the protection group or the user/host or group values. These fields are read-only and cannot be altered. To add an additional role, select the role name in the Available Roles box and click the << button. To remove a role, select the role name in the Granted Roles box and click the >> button. This will move the role back to the Available Roles box. When you are finished making changes, click the Close button to close the Modify Permission interface. There is no need to save your results before closing because the >> and << buttons immediately update the CSM system with your changes.

Revoking Permissions


Revoking a Permission will remove an existing association between a user/host or group, a protection group and a set of roles. There are two ways to revoke a permission. From the Modify Permission interface (see the Modifying Permissions section for instructions on launching this interface), click the Revoke All button. This will immediately disassociate the user/host or group from the specified protection group and roles.

The second way to revoke a permission is from the Permissions tab of the Access Control Management interface. Perform a search on the user/host or group that the permission is associated with. Click the permission name in the Permissions search results box to highlight it. Click on the Revoke button to remove it from the system.

Use caution with this feature! Clicking Revoke or Revoke All does not prompt for confirmation and cannot be undone.

Next Steps

Learn about the Access Control Management's Instance Level tab using the Managing Instance Level Security Filters guide.

Last edited by Mark Grand (632 days ago)