Decision Center security
Decision Center provides a security feature to control access to branches of decision services, and enable permissions on the different rule artifacts.
The feature is based on Decision Center groups. Any user who signs in to the Business or Enterprise console must be a member of a group that is mapped to one of the predefined Decision Center roles. The predefined roles determine which features users can access in the consoles:
Role | Description | Business console | Enterprise console |
---|---|---|---|
Standard user (rtsUser) | The standard Decision Center user. | Basic use. | Basic use. |
Configuration manager (rtsConfigManager) | Has all the rights of the standard user, plus additional rights in the Business and Enterprise consoles. | Create and edit deployment configurations. | Manage RuleApps, servers, ruleset extractors, and other features described in Groups. |
Administrator (rtsAdministrator) | Has all the rights of the standard and configuration manager users, plus additional rights in the Business and Enterprise consoles. |
|
|
Installer (rtsInstaller) | Only required for the initial installation of Decision Center. | - | Access the Installations Settings Wizard. |
You can enable security so that branches of decision services are only visible to certain groups of users. You can enable security in the Business console (see Setting security), but security applies to both consoles.
When you have enabled security, you must specify, for each group that can access the branch, what permissions they have to create, update, view, and delete which types of artifacts. This can be done in the Enterprise console, or from the Business console Administration tab, which lets you set simplified permission profiles (see Administering security).
Branch security and decision governance
To use the decision governance framework (see Governance principles) with the Decision Center security feature, you must understand how both work and how they interact.
Releases and activities are types of branches, and as such are subject to the Decision Center security and permissions feature. You can enable security on individual branches to define which groups of users have access to them. When security is enabled on a branch, you specify the permissions of groups of users to create, view, update, and delete the different artifacts that are contained in the branch.
Releases, change activities, and validation activities inherit artifacts from their parent branch, and are subject to permissions. You can, for example, give a group of users security access to a release but restrict their permission to view the change activities of the release.
You can also give or restrict the permissions of a group of users to update the following properties of releases and activities:
Property | Used to give or restrict permission to... |
---|---|
owner | Change the owner |
targetDate | Change the due date |
description | Change the goals |
Name | Rename |
Status | Proceed to approval, cancel, and reopen |
approvers | Add or remove approvers and change their working status |
authors | Add or remove authors in change activities or testers in validation activities, and change their working status |
- The states of releases and activities (for example, In Progress and Complete).
- The current user’s governance role as a participant in the release or activity (owner, author, tester, approver).
A user who has administrator privileges can do the operations of all the different governance roles. Similarly, users with these privileges have access to all the branches and have all the permissions on all artifacts. However, administrators cannot force state transitions that are not allowed by the decision governance framework.
- The state of the release is not Complete.
- You are the owner of the release.
- You have the Update/Release/Name permission on the release, or security on the release is not enforced.