Task 4: Enforcing security on decision services

In this task you enforce security on decision services to give access to users based on their groups.

About this task

In the previous tasks, you created an LDAP environment, modified the security realm of the application server, and imported groups and users into the Decision Center database.

Importing your groups and users into the Decision Center database is a prerequisite for enforcing security on a decision service, which involves the following steps:
  • Establishing a permission profile for each group (Full Authoring, Read Only, and so on).
  • Enforcing security on a decision service and specifying which groups of users have access.

Step 1: Setting the permission profiles

In this step, you set the permission profiles by group.

Procedure

The following permission profiles are available in Decision Center:
  Full Authoring
    Groups assigned this permission profile can view, create, update, and delete all content.
  Read Only
    Groups assigned this permission profile can view the content but cannot create, update, or delete any artifacts.
  None
    Groups assigned this permission profile cannot view any content. This setting is seldom used.
  Custom
    Groups assigned custom permissions. This subject is not covered in this tutorial.

In the previous task, you assigned the BCAdmin group the permission profile None. You now assign:
  • The Read Only profile to the Checkers group.
  • The Full Authoring profile to the Scoring group.

  1. In the Administration tab, on the Groups subtab, hover over the Checkers group, and click the Edit Group button.
  2. Select Read Only under Permissions, and click Done.

    Permission profile set to Read Only

  3. Now set the permission profile for the Scoring group. Hover over the Scoring group, and click the Edit Group button.
  4. Select Full Authoring under Permissions, and click Done.
    The Groups tab now displays the following information:

    Group     Members          Permissions
    BCAdmin   1 member (Bob)   Full Authoring
    Checkers  1 member (Jim)   Read Only
    Scoring   1 member (Sue)   Full Authoring

    Notice that the permission profile of the BCAdmin group automatically reverted to Full Authoring as soon as you mapped this group to the rtsAdministrator role. Administrators have all rights.

    Note: A permission profile that is given to a group is valid and remains unchanged across all the available decision services.

Step 2: Enforcing security on a simple decision service

In this step, you enforce security on two simple decision services and give access to different groups.

About this task

A decision service can be organized into one or several rule projects, depending on the quantity of decision points requested of the decision service. Furthermore, change management on a decision service over time is implemented through branching. The simplest case for a decision service is when it contains just one project and uses the main branch as a starting point for change management.

Procedure

  1. In the Administration tab, click the Project Security subtab.
    The sample server is populated with several decision services that are used in different tutorials. Security is not enforced on any decision service.
  2. Hover over Miniloan Service and click the Edit button.
  3. In the Security section, select Enforce security, and then choose both the Checkers and Scoring groups.
    Notice that groups that are mapped to the rtsAdministrator role are not available to be used in decision service security:

  4. Click Done.
    Security is now enforced on the decision service and both your groups have access:

    Miniloan Service security settings

  5. Hover over Value Editor Service and click the Edit button.
  6. In the Security section, select Enforce security, and this time give access to the Scoring group only.
    Your Project Security tab now looks as follows:

    Project security tab

  7. Click the Library tab.
    Because Bob has administrator rights, this user can access all decision services even though access was not given to his group.
  8. Log out, and then log in with the username/password combination Jim/Jim.
  9. Click the Library tab.
    You cannot see Value Editor Service, as expected.
  10. Click Miniloan Service, and then click the Branches subtab.
  11. Click the main branch.
    As a member of a group with Read Only permissions on the branch, you can see all the artifacts, but you cannot edit any of them.
  12. Log out, and then log in with the username/password combination Sue/Sue. Then, click the Library tab.
    You can see that users of the Scoring group can see both decision services where security was enforced. As a member of a group with Full Authoring permissions on these branches, Sue can edit all artifacts.

Step 3: Enforcing security on a multilayered decision service

In this step, you make the BOM project, called Loan Validation Base, visible to the Scoring group only.

Procedure

A decision service can also be organized into several rule projects to allow for complex decisions to be grouped as one entity. For example, Loan Validation Service is organized as follows:

Image shows the structure of Loan Validation Service.

When you enforce security, you might want a group to access a decision service but not all its projects. Typically, the BOM can be available to one group only. In this case, you enforce security in two steps:
  • First, enforce security for the entire decision service, and give access to all the groups to work on the decision service.
  • Then, restrict the BOM project to your chosen group.

Note:

Notice also, as you go through the steps, the presence of subbranches, called Initial Release and Spring Release. These branches were created for another tutorial on the decision governance framework, which is beyond the scope of this tutorial (see Change management). All branches originate from the main branch of the decision service. Consequently, when you enforce security on the main branch, security is inherited by all its subbranches, unless you specify otherwise. In other words, when you restrict access to Loan Validation Base, this restriction also applies in all subbranches.

  1. Log out, and then log in with the username/password combination Bob/Bob.
  2. In the Administration tab, click the Project Security subtab.
  3. Expand Loan Validation Service, and then expand the main branch.
    You can see that the main branch includes several projects:

    Expanded Loan Validation Service

  4. Hover over Loan Validation Service, select Enforce security, and then choose both the Checkers and Scoring groups. Then, click Done.

    Enforcing security on the decision service enforces security on all the projects that are contained in the main branch, and by inheritance to any subbranch:

    Security enforced on main

  5. Hover over Loan Validation Base and click the Edit button.
  6. Remove Checkers from the groups that can access Loan Validation Base:

    Removed Checkers

  7. Click Done.

    You see that Checkers are now restricted from accessing Loan Validation Base:

    Checkers restricted

  8. Log out and then log back in as Jim.
    Verify that Jim has access to all the projects of Loan Validation Service except Loan Validation Base.
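To make the access rules in Steps 1 to 3 concrete, here is a small Python model, added for this page; it is not Decision Center code and does not use any Decision Center API. It encodes the rules the tutorial states: a permission profile is set once per group and applies across all decision services; groups mapped to rtsAdministrator have all rights; a decision service on which security is not enforced is visible to everyone; an enforced service is visible only to the groups chosen; a project restriction on the main branch is inherited by subbranches; and Read Only allows viewing but not editing. The group, user, service and branch names come from the tutorial. The project name Loan Validation Rules, the service Other Service, and all function names are constructed for this example.

```python
"""Toy model of the Decision Center access rules described in this tutorial.

Added illustration, not Decision Center code or its API. All function and
class names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Profile(IntEnum):
    """Ordered so that max() over a user's groups yields the strongest profile."""
    NONE = 0            # cannot view any content
    READ_ONLY = 1       # view only
    FULL_AUTHORING = 2  # view, create, update, delete


@dataclass
class Group:
    profile: Profile     # one profile per group, valid across all decision services
    admin: bool = False  # True if the group is mapped to the rtsAdministrator role


@dataclass
class DecisionService:
    enforce_security: bool = False
    groups: frozenset = frozenset()   # groups chosen under "Enforce security"
    # (branch, project) -> groups allowed; entries on "main" are inherited by subbranches
    project_groups: dict = field(default_factory=dict)
    parent_branch: dict = field(default_factory=dict)  # subbranch -> parent branch


def allowed_groups(svc, branch, project):
    """Walk from the requested branch up to main and return the first explicit
    project restriction found; fall back to the service-level group list."""
    b = branch
    while b is not None:
        if (b, project) in svc.project_groups:
            return svc.project_groups[(b, project)]
        b = svc.parent_branch.get(b)  # main has no parent, so the walk stops there
    return svc.groups


def effective_profile(user_groups, groups):
    return max((groups[g].profile for g in user_groups), default=Profile.NONE)


def can_view(user_groups, groups, svc, branch="main", project=None):
    if any(groups[g].admin for g in user_groups):
        return True  # administrators have all rights, regardless of service security
    if effective_profile(user_groups, groups) == Profile.NONE:
        return False
    if not svc.enforce_security:
        return True  # security not enforced: every non-None user can see it
    return bool(set(user_groups) & set(allowed_groups(svc, branch, project)))


def can_edit(user_groups, groups, svc, branch="main", project=None):
    if any(groups[g].admin for g in user_groups):
        return True
    return (can_view(user_groups, groups, svc, branch, project)
            and effective_profile(user_groups, groups) == Profile.FULL_AUTHORING)


# Sample data mirroring the tutorial (constructed for this example).
GROUPS = {
    "BCAdmin": Group(Profile.FULL_AUTHORING, admin=True),
    "Checkers": Group(Profile.READ_ONLY),
    "Scoring": Group(Profile.FULL_AUTHORING),
}
USERS = {"Bob": ["BCAdmin"], "Jim": ["Checkers"], "Sue": ["Scoring"]}
SERVICES = {
    "Miniloan Service": DecisionService(True, frozenset({"Checkers", "Scoring"})),
    "Value Editor Service": DecisionService(True, frozenset({"Scoring"})),
    "Loan Validation Service": DecisionService(
        True, frozenset({"Checkers", "Scoring"}),
        project_groups={("main", "Loan Validation Base"): frozenset({"Scoring"})},
        parent_branch={"Initial Release": "main", "Spring Release": "main"},
    ),
    "Other Service": DecisionService(),  # constructed: security left unenforced
}


def check(user, service, branch="main", project=None):
    """Return (can_view, can_edit) for a user on a service/branch/project."""
    svc = SERVICES[service]
    return (can_view(USERS[user], GROUPS, svc, branch, project),
            can_edit(USERS[user], GROUPS, svc, branch, project))


if __name__ == "__main__":
    for args in [("Jim", "Value Editor Service"),
                 ("Jim", "Loan Validation Service", "Spring Release", "Loan Validation Base"),
                 ("Sue", "Loan Validation Service", "Spring Release", "Loan Validation Base")]:
        print(args, "->", "view=%s edit=%s" % check(*args))
```

The lookup in allowed_groups is what makes the inheritance rule from the note above explicit: a subbranch with no restriction of its own takes whatever was set on main, so removing Checkers from Loan Validation Base on main also hides it from Initial Release and Spring Release. Adding an explicit (subbranch, project) entry is how you would model the "unless you specify otherwise" case.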

Results

You have completed the tutorial and learned the different aspects of setting up user management in Decision Center. Now, do the following:
  • Stop the ApacheDS server (on Windows, close the window).
  • Return the sample server to its initial state to ensure the proper running of other samples and tutorials. See Restoring the sample server.