Access Control

Available Access Control Modes

Several modes of access control can be used for each repository on the server:

Notices when configuring Access Control mode

Switching between different access control modes


When switching between different access control modes, the server must be restarted. Otherwise, the configuration update will not be taken into account.

User Profiles

Configuration

In Team for Capella, when using the User Profiles feature, user names and access rights are stored in the repository (i.e. in the database). Note that when passwords are stored in the user profiles model (when LDAP is not used), they are not encrypted. For this reason, the user name management part of this feature must be considered a simple identification feature.


If the server has been started with user profiles, the Importer needs write access to the whole repository (including the user profiles model). See the Resource Permission Pattern Examples section.

If this recommendation is not followed, the Importer might not be able to prepare the model correctly (cleaning of proxies and dangling references, ...). This may lead to a failed import.

Connection to the User Profiles Model

You can connect to the user profiles model of a repository using the dedicated wizard:




The accounts created by default in the user profiles model are those defined in the administrators file. Refer to Server Configuration/User Profile Configuration.

To be able to change the user profiles model, the Administrator account should be used.

Here is the default user profiles model with its table opened:

By default, the userprofile resource is hidden. To make it appear under the userprofile project, the EMF Resources filter must be deactivated via the Customize View... dialog.



Default configuration for Team for Capella

When the server is configured with the User Profiles functionality, the following roles are automatically created:

These default roles are required:

Note that users created as administrators (in the administrator properties file, as presented in the previous part) have full access and do not need to be assigned to any role. Attempts to assign roles to administrators are prevented, and a dialog appears explaining that administrators already have full access.

User Creation

To add a user:

Then complete the login information.



Role Creation and Association with Users

Use the dedicated tool to add a role:

A name can be given to the created role using the Properties view (attribute ID).

Once the new role is created, right-click it to add a resource permission.

Fill in the text box with the path of the authorized resource.





Finally, associate users with a role in the Properties view of the role:



  • By default, users have read access on all resources.
  • The Administrator has write access on all resources; you do not have to assign him write permissions for each project.
  • You can give write or read access on a resource, but an empty permission is not supported.
  • A user can export a project to a repository only if he has write access on “/”.



Inaccessible elements for a user have a gray padlock.

Resource Permission Pattern Examples

Since only resource permissions are currently available, defining fine-grained permissions on a model requires splitting it into several fragments.

Here is an example project:

Write access to the whole repository (including the user profiles model)

.* or /.*

Write access to the whole TestModel project

/TestModel/.*

Write access to OA fragments of TestModel

/TestModel/fragments/OA.* or /TestModel/.*OA.*

Write access to OA and SA fragments of TestModel

/TestModel/fragments/(OA|SA).* or /TestModel/.*(OA|SA).*

Write access to the semantic part of TestModel

/TestModel/.*(melodymodeller|melodyfragment)

Write access to the representation part of TestModel (diagrams and tables)

/TestModel/.*(aird|airdfragment|srm)

Write access to TestModel but not its fragments

/TestModel/.*(aird|melodymodeller|srm) or /TestModel/[^/]*



When dealing with aird and airdfragment files, do not forget to give the same rights to srm files (files used to store the representation data when lazy loading is enabled; lazy loading is enabled by default).

Note that the project name in a resource permission pattern must be the name coming from the server repository. This is not necessarily the same name as the locally imported project (e.g. if TestModel.team is the name of the locally imported project, putting TestModel.team in the permission pattern will not work).
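
The patterns above can be checked against a list of resource paths before they are entered in a role. The following Python script is an added example, not part of the Team for Capella documentation or product; it assumes a pattern must match the whole resource path, and the sample paths, file names and function names are constructed for illustration.

```python
import re

# Constructed sample resource paths, named as on the server repository
# (assumption: illustrative file names, not taken from a real repository).
PATHS = [
    "/users.userprofile",
    "/TestModel/TestModel.melodymodeller",
    "/TestModel/TestModel.aird",
    "/TestModel/TestModel.srm",
    "/TestModel/fragments/OA.melodyfragment",
    "/TestModel/fragments/OA.airdfragment",
    "/TestModel/fragments/SA.melodyfragment",
    "/TestModel/fragments/SA.airdfragment",
    "/OtherModel/OtherModel.aird",
]


def granted(pattern, paths=PATHS):
    """Paths a permission pattern covers (assumption: whole-path match)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.fullmatch(p)]


def escapes_project(pattern, project, paths=PATHS):
    """Covered paths that lie outside /<project>/ (over-broad grant)."""
    prefix = "/" + project + "/"
    return [p for p in granted(pattern, paths) if not p.startswith(prefix)]


def forgets_srm(pattern, paths=PATHS):
    """True if aird/airdfragment files are covered but no srm file is."""
    hits = granted(pattern, paths)
    has_repr = any(p.endswith((".aird", ".airdfragment")) for p in hits)
    return has_repr and not any(p.endswith(".srm") for p in hits)


if __name__ == "__main__":
    for pat in (".*", "/TestModel/.*", "/TestModel/fragments/(OA|SA).*",
                "/TestModel/.*(aird|melodymodeller|srm)", "/TestModel/[^/]*"):
        print(pat, "->", granted(pat))
        print("   outside TestModel:", escapes_project(pat, "TestModel"))
    # Representation pattern from the page, with and without srm.
    for pat in ("/TestModel/.*(aird|airdfragment|srm)",
                "/TestModel/.*(aird|airdfragment)"):
        print(pat, "forgets srm:", forgets_srm(pat))
```

A non-empty result from escapes_project for a role meant to be limited to one project means the pattern is broader than intended.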



Promote a User to Super User

At startup, there is only one superuser: Administrator.

A basic user can be promoted to super user. To do that:

Import/Export User Profiles Model

You have the possibility to import a user profiles model; this is the same mechanism as for a Capella project.

First, you need to create a general project which will contain the imported User Profile model.

Import User Profiles model:

Enter a local URI starting with platform:/resource/

Example: platform:/resource/LocalUserProfilesProject/users.userprofile


To export, we can create a general project (or reuse the general project created earlier) and put a User Profile model into it, then right-click the User Profile model and choose Export:

How to reuse the user profiles model

It is recommended that you back up your user profiles model (Refer to Server Administration/Team for Capella Scheduler/Import user profiles model).

  • You can reuse the user profiles model using the export wizard. You can export it to another repository of either the same server or another server.
  • In case of a DB crash, start your server in standard configuration (Refer to Server Configuration/Not Authenticated Configuration), with a clean database. That configuration will not initialize the user profiles model. Then export the user profiles model to the CDO repository. Now you can restart the server with user profiles; as the user profiles model is found, it will not be reinitialized.
  • The user profiles model can be reused from one Team for Capella version to another. It does not need to be migrated.

How to change user login/password

User login/password can be modified via the Update User Information contextual menu. This contextual menu can be accessed by right-clicking on the column corresponding to the user being modified. Note that this action works only when right-clicking on one of the cells of the column; clicking elsewhere (e.g. on the column title) should be avoided.

Once the User Update dialog appears, we can modify either user login or password.

Notes:

Troubleshooting

Administrator Password Forgotten

If the administrator password has been forgotten, it will no longer be possible to change the user profiles model or export a model to the server.

To give a new password to the Administrator account:



Known issues

Please note the following known issues:

Re-connection to a user profiles model raises error