
CSM

Managing Protection Groups

"A Protection Group is a collection of application specific Protection Elements. By combining Protection Elements into a Protection Group, it becomes easier to associate Users and Groups with rights to a particular data set." (excerpt from the caCORE CSM v4.2 Programmer's Guide)

Overview


The use of protection groups makes it possible to authorize users to perform operations on protection elements. The CSM authorization model allows users to be authorized to perform operations on a protection group. Protection groups may contain protection elements and other protection groups. If a user is authorized to perform an operation on a protection group, then the user is authorized to perform the operation on all of the protection elements that are direct or indirect members of the protection group.

The Protection Groups tab of the Access Control Management interface allows CSM application administrators to search for, add, remove and modify protection groups. Administrators may use the modify interface to add and remove protection elements from a protection group. To use the Protection Groups tab, launch the CSM administrative interface and search for the application whose protection groups you wish to manage. Click on the application name to highlight it, click the View button and click the Protection Groups tab from the Access Control Management interface.

Administrative Access


In order to manage CSM applications and resources, you must be logged into a grid account that is configured to be a CSM administrator. During the installation process, it was recommended that at least one grid identity be added as a CSM administrator. If your account was not configured to be a CSM administrator, review step 7 of the Installation Guide.

If you have added your grid account as a CSM administrator but you are experiencing an error similar to the one pictured to the right, make sure that you specified the correct grid account in the Credential select box of the Application Access Control interface.

Searching for Protection Groups


To search for existing protection groups, use the Protection Group Search pane located on the left side of the Protection Groups tab. Enter the name of the protection group you would like to search for in the Name input box. You can use the * character as a wildcard in your search criteria. Click on the Search button and the CSM administrative interface will display all matching protection groups in the Protection Groups box. Clicking the Search button when the Name input box is empty will return all existing protection groups that are associated with the specified CSM application.

The first screenshot shows a search that returns all of the existing protection elements. The second screenshot shows a search using a wildcard character. Note that search results are always displayed as a flat list regardless of how they are nested within other protection groups. For example, consider the following two screenshots. The first screenshot shows how three protection groups are nested within one another and the second screenshot shows how these three protection groups are displayed in search results.

For more information about nesting protection groups, refer to the Managing Parent Protection Groups section.

Creating Protection Groups


To create a new protection group, click on the Create button located below the Protection Groups pane on the left side of the interface. This will launch the Create Protection Group interface. Enter a name for the new protection group and optionally add a short description. The name value must be unique among protection groups associated with each CSM application. If you attempt to create a protection group using a name that is already in use, you will receive the following error message:

Once you have entered a name and a description for the new protection group, click the Create button. The protection group will be created, the Protection Groups box should be refreshed and your new protection group should be displayed.

Modifying Protection Groups


It is possible to modify an existing protection group's name and description. Perform a protection group search whose results contain the protection group you wish to modify. Click on the protection group name in the search results to highlight it. Click on the Modify button to launch the Edit Protection Group interface.

You may change the value of the Name field and the Description field. The Id and Last Updated fields are read-only. The Large Element Count field is a boolean value used to indicate whether or not the protection group has a large number of protection elements associated with it. Set this value to true if the protection group is associated with many protection elements. Once you have finished making changes to the protection group, click the Modify button to submit your changes. The Protection Groups search results will refresh to show any changes you made.

Removing Protection Groups


To remove a protection group, perform a search whose results include the protection group you wish to delete. Click on the protection group name in the search results to highlight it. Click the Remove button to delete the protection group from the system.

Use caution with this feature! Clicking Remove does not prompt for confirmation and cannot be undone.

If you attempt to remove a protection group that is configured to be the parent of another protection group, you will receive the following error message:

Before you remove a protection group, first verify that it has no child protection groups. Select the protection group name and click the Load Children button to view its children. Disassociate each child before removing the protection group. Refer to the Managing Parent Protection Groups section for more information on disassociating protection groups.

Adding Protection Elements to a Protection Group


Once a protection group has been created, you can associate protection elements with it. To add protection elements to a protection group, first perform a search whose results include the protection group you wish to modify. Click on the protection group in the search results to highlight it. Clicking the name of the protection group should populate the Protection Elements in Protection Group table located in the upper right area of the interface. Any protection elements that have been previously added to the protection group should appear in the table.

Notice in the screenshot that there are no protection elements visible in the Protection Elements in Protection Group table. This is expected because the protection group is newly created and no protection elements have been added to it yet. Also notice that the Available Protection Elements box is empty. A protection element search must be executed to populate this box. Enter search criteria in the Search for Protection Elements input fields and click the Search button. You may use the * character as a wildcard in your search criteria. Any matching protection elements will be displayed in the Available Protection Elements Box. Clicking Search without entering values in any of the search criteria fields will return all available protection elements.

To add a protection element listed in the Available Protection Elements box to your protection group, click it to highlight it. Then click the blue up arrow button to move it from the Available Protection Elements box to the Protection Elements in Protection Group box.

In the following screenshot, the DoctorName and DoctorAddress protection elements have been added to the DoctorData protection group. Notice that those protection elements are no longer listed in the Available Protection Elements table.

Removing Protection Elements from a Protection Group


To remove a protection element from a protection group, perform a protection group search whose results include the protection group you wish to edit. Click on the protection group name in the search results to load its protection elements in the Protection Elements in Protection Group pane. Click on the protection element you wish to remove to highlight it.

Use the blue down arrow button to move it from the Protection Elements in Protection Group box to the Available Protection Elements box. Protection elements that have been removed may always be re-added by following the steps outlined in the Adding Protection Elements to a Protection Group section.

Managing Parent Protection Groups


Protection groups may be assigned a Parent Protection Group. "Assigning a parent for a protection group is a way of adding another layer of grouping for your Protection Groups, to assist you in managing access to the Protection Elements contained within the groups." (excerpt from the caCORE CSM v4.2 Programmer's Guide)

Assignment of a parent to a protection group can be accomplished using drag and drop functionality within the Protection Groups search result box. Perform a search whose results contain the proposed parent protection group and the child protection group. Click on the name of the child protection group to highlight it. Drag and drop the highlighted child protection group onto the name of the parent protection group. The protection groups search box should refresh, displaying the child protection group nested under the parent protection group.

As mentioned in the Searching for Protection Groups section, protection group search results are always displayed flat rather than as a nested tree of parents and children. To view the protection groups as a tree, click on a parent protection group and click the Load Children button. This will update the protection groups search result box, showing each of the parent protection group's children. However, this will not load the child protection groups' children. To load a child protection group's children, you must click the child and click the Load Children button again.

Child protection groups may be disassociated from a parent protection group. Click on a child protection group and then drag and drop it onto the name of the Protection Groups root group. This will disassociate the child protection group from its parent. Before you remove a protection group, make sure you disassociate all of its child protection groups. Failing to do so will cause the removal to fail and an error message will be displayed.
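
Because an authorization on a protection group covers every direct and indirect member (see the Overview), nesting a group under a parent silently widens every grant made on that parent. The following added example, which is not part of the original guide and does not use the CSM API, models that rule so an administrator can check what a grant actually covers before rearranging groups. DoctorData, DoctorName and DoctorAddress come from this page; the ClinicData and PatientData groups, the PatientName element, the users alice and bob and the READ operation are assumptions made for illustration.

```python
from collections import defaultdict

class ProtectionModel:
    """Simplified model of nested protection groups; not the CSM API."""

    def __init__(self):
        self.elements = defaultdict(set)  # group -> direct protection elements
        self.parent = {}                  # child group -> its parent group
        self.grants = defaultdict(set)    # (user, operation) -> granted groups

    def set_parent(self, child, parent):
        # Reject a link that would make a group its own ancestor.
        if child == parent or parent in self.descendants(child):
            raise ValueError(f"{parent!r} is already nested under {child!r}")
        self.parent[child] = parent

    def descendants(self, group):
        """Every group nested under `group`, at any depth."""
        found, frontier = set(), [group]
        while frontier:
            current = frontier.pop()
            for child, parent in self.parent.items():
                if parent == current and child not in found:
                    found.add(child)
                    frontier.append(child)
        return found

    def effective_elements(self, group):
        """Direct and indirect member elements of `group`."""
        covered = set(self.elements[group])
        for nested in self.descendants(group):
            covered |= self.elements[nested]
        return covered

    def is_authorized(self, user, operation, element):
        return any(element in self.effective_elements(g)
                   for g in self.grants[(user, operation)])

def build_sample():
    # Constructed data: DoctorData and its elements come from the page;
    # ClinicData, PatientData, PatientName, alice, bob and READ are assumptions.
    m = ProtectionModel()
    m.elements["DoctorData"] |= {"DoctorName", "DoctorAddress"}
    m.elements["PatientData"].add("PatientName")
    m.set_parent("DoctorData", "ClinicData")
    m.set_parent("PatientData", "DoctorData")
    m.grants[("alice", "READ")].add("ClinicData")
    m.grants[("bob", "READ")].add("PatientData")
    return m
```

In this sample, alice's single grant on ClinicData reaches PatientName two levels down, while bob's grant on the innermost group does not reach upward to DoctorName.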

Next Steps

Learn how to administer roles and groups using the Managing Roles and Managing Groups guides.

Last edited by
Mark Grand (632 days ago) , ...