Cisco Process Orchestrator 3.0 User Guide
4-17
Cisco Process Orchestrator User Guide
OL-30196-01
Chapter 4 Administration
Configuring Security
Role-Based Access Control (RBAC)
In Process Orchestrator, authorization is performed using a Role-Based Access Control system. Roles
are a collection of permissions. Each permission pairs a set of operations with the set of objects over
which those operations can be performed. A user assignment gives end users the ability to perform the role.
Typically, roles are defined according to a standardized job function within IT. Examples might include
“Level 1 Helpdesk,” “Level 2 Helpdesk,” “Human Resources,” “Network Configuration,” “SAP Basis
Expert,” and so on. Security groups already in the directory for the users in these job functions are then
typically assigned to the roles.
Figure 4-7 Process Orchestrator Role-Based Access Control
Permissions define what operations can be performed over what objects. A permission defines the rights and
associates them with a set of Process Orchestrator objects. This is similar to file permissions (such as read
or update).
• Operations are things such as Cancel, Change Owner, Create, Delete, Read, Start, Update, and Use.
Most other Operations automatically allow Read. Change Owner automatically allows Update and
Read.
• Objects specify rules that match elements from the functional model, such as Processes, Targets, and
Runtime Users. Specifically, several types of object rules are supported:
– Object List—Allows rights only to specified objects in the list.
– Object Type—Allows rights to all objects of that type (for example, all targets or all processes).
– Owner Security—Allows rights to all objects of a specified type that are owned by a specific
principal (user or group in Active Directory).
A User Assignment is a link to a security principal. The user assignment is the part that is defined in
Process Orchestrator, since it is the rule for who is in the Role. The Principal itself lives in an
external directory, so the user assignment is a reference to the directory.
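The following is an added illustration of the model described above (roles of permissions, permissions pairing operations with an object rule, implied rights, and user assignments that reference directory principals); it is not Cisco code, and all role names, object names and CORP\ principals in it are constructed. The assumption that every operation except Read implies Read is how the text's "most other Operations" is approximated here.

```python
from dataclasses import dataclass
# Implied rights per the text: Change Owner allows Update and Read; other operations allow Read (assumed: all but Read itself).
IMPLIED = {"Change Owner": {"Update", "Read"}}

def expand(ops):
    out = set(ops)
    for op in ops:
        out |= IMPLIED.get(op, {"Read"})   # adding Read to a Read permission is harmless
    return out

@dataclass(frozen=True)
class Obj:
    name: str
    otype: str   # functional-model type, e.g. "Process" or "Target"
    owner: str   # directory principal that owns the object

@dataclass
class ObjectRule:
    kind: str                   # "list" (Object List), "type" (Object Type) or "owner" (Owner Security)
    otype: str = ""
    names: frozenset = frozenset()
    owner: str = ""
    def matches(self, obj):
        if self.kind == "list":
            return obj.name in self.names
        if self.kind == "type":
            return obj.otype == self.otype
        return obj.otype == self.otype and obj.owner == self.owner

@dataclass
class Role:
    name: str
    assignments: set    # directory principals (users or groups) assigned to the role
    permissions: list   # (operations, ObjectRule) pairs

def is_authorized(roles, principals, operation, obj):
    """principals: the user's own name plus the directory groups it belongs to."""
    for role in roles:
        if role.assignments & principals:          # user assignment matches a principal
            for ops, rule in role.permissions:
                if operation in expand(ops) and rule.matches(obj):
                    return True
    return False

# Constructed sample roles; names and principals are made up.
HELPDESK = Role("Level 1 Helpdesk", {"CORP\\Helpdesk-L1"},
                [({"Start"}, ObjectRule("list", names=frozenset({"Reset Password"})))])
NETOPS = Role("Network Configuration", {"CORP\\NetOps"},
              [({"Change Owner"}, ObjectRule("owner", otype="Target", owner="CORP\\NetOps"))])
ROLES = [HELPDESK, NETOPS]
```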