With version 1.6.0 we are introducing a new security mechanism to the Vizlib Server called Security Rules Management. It's going to completely replace the current mechanism, so please read this article carefully.
Changes to Vizlib Server security
In previous versions of the Vizlib Server, security was based on custom properties. Considering streams (either Teamwork - previously known as Collaboration - or Finance) you had three levels of access: read, write and admin. Each of these was represented by a specific Custom Property value. In other words, if your write access custom property was named VZB_StreamAccess, user, in order to have access to the Stream 'My Stream' you had to set the value of that custom property equal to 'My Stream'. Of course, you did not have to set it up manually inside QMC - Vizlib Server allowed you to do that through the Vizlib Management Console (VMC).
There was one huge limitation to that solution - if you wanted to fully control your access, and your users changed frequently, then your admins had to continually update VMC as well. And that was the key factor leading to the introduction of Security Rules.
How to create new Security Rules
Security Rules can be defined in the VMC - there is a separate tab for it in the main menu.
In order to create new security rules, click on the 'New Rule' button. Security Rules consists of the following items:
Description - User-friendly information allowing you to distinguish one security rule from another
Resource Type - Either Stream or Workflow
Resource ID - ID corresponding to either Stream or a Workflow
Access Level - For Streams: Read, Write or Admin. For Workflows - Approver
Condition(s) - Logical condition describing when the security rule should be met
Each condition consists of:
- Attribute Type
Below, you can find a few examples of security rules:
Each Security Rule may contain one or more conditions. By default, the security rule is created with only one condition but you can easily add more. There are several actions you can perform on a condition to group them in unlimited ways.
Create Child Group - Creates condition group one level below. Imagine that you have condition A and B. Creating a child group on condition A would result in creating brackets around it (A) and B
Move to Child Group - Considering condition (A) and B, the operation performed on condition B would result in (A and B)
Move to parent group - Performing this operation while having (A and B) on condition A would result in A and (B)
Move group up - Considering conditions (A and B) or (C and D), performing this operation on C would result in (A and B and C) or (D)
Move group down - Works similar to the Move group up option, but in the other direction
What attributes are supported?
Conditions can be defined on following user attributes
- user id
- user directory
- custom property
- user attributes (stored within QRS)
User attributes which are dynamic and available only per session are not supported.
Where to inspect user access levels
Users with access to Vizlib Management Console can inspect user accesses as they did previously, inside either the Stream or Workflows tabs. One difference is that these screens are now read only - you can no longer assign access there.
Migration from previous versions of Vizlib Server
If you had an earlier version of the Vizlib Server installed, a migration will occur during the upgrade. The migration will automatically create certain security rules for you, based on existing custom properties. This will allow you to safely upgrade without the need to take instant action - at the end of the migration all user accesses will remain intact. These security rules will look like the example below.
You will most likely want to review your security policies and replace automatically generated security rules with more flexible ones that suit your setup.