Configuring designer group access

You can configure access to specific areas in Administration Console for Content Platform Engine by designating Class Designer and Application Designer groups through your directory server and in the console configuration.

About this task

The Administration Console for Content Platform Engine provides both high-level administrative capabilities and access to tools that you can use to customize your content management and workflow environment. In some cases, you might want to grant customized access to certain users who only need a subset of administration capabilities.

To grant custom access to designer groups, you first configure the groups in your directory server, or designate existing groups to use. You then add the group names to a configuration file that you save to a directory that is accessible to your environment. The file and location are specified by a JVM argument.

Custom access supports the following group types:
Class Designer
A Class Designer is responsible for creating and updating the data models for an application or applications. They use the tools in the administration console to create classes that are used by multiple applications. Class Designer tasks are focused at an application level. The Class Designer does not have more general capabilities, such as creating properties on the system, because changes at that level can impact other applications.
Application Designer
The Application Designer is responsible for the various components related to creating a Content Platform Engine application. In addition to the data model capabilities of the Class Designer, these users can also create properties that can affect a wider set of components. They can also create and maintain workflow related configuration for their application, including items like Rosters, Queues, Component Queues, and so on.

Neither of these groups has permissions to perform Administrator functions such as managing domains and object stores. These capabilities are limited to established P8 Admin users.

You can create one or both of these designer groups. This procedure assumes that you are creating both groups. If you assign the same LDAP group for both designer groups, the LDAP group is given Application Designer access. If no designer group access is configured, the default administrative access persists.

Procedure

To configure designer group access:

  1. In your directory server, designate or create the groups to which you want to grant Class Designer or Application Designer access.
    You can use groups that are already configured; however, you can designate only one directory server group for each designer access group. Make a note of the group names.
  2. Create a file called restrictedGroups.properties with the following content:
    
    ==============
    #Specify LDAP group names for ClassDesigner and ApplicationDesigner
    ClassDesigner=Your_Designated_LDAP_Group
    ApplicationDesigner=Your_Designated_LDAP_Group
    =============
  3. Save your file to a location that is accessible to the server.
    Important: If Content Platform Engine is in a cluster environment, the file must be available to every node. In this scenario, a location on a shared network drive is recommended to keep access groups in sync.
  4. Set the value of the -DrestrictedGroups JVM argument to correspond to the location of your restrictedGroups.properties file.
    For example,
    -DrestrictedGroups=C:/file_path/restrictedGroups.properties
    For WebLogic, update the JVM argument in the WebLogic startup script, for example:
    set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% "-DrestrictedGroups=C:/file_path/restrictedGroups.properties"

What to do next

Users can determine their group access by clicking the About button in the console.

To remove access restrictions from the groups, you can remove the group names from the file, or remove the file from the directory that is specified in the JVM argument.
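
Because removing the file or its group names removes the restrictions, it is worth checking on each node that the file named by -DrestrictedGroups is present and says what you intend. The following Python script is an added example, not part of the product or its documentation. Its function names, its simplified key=value parser and its POSIX file-permission check are assumptions made for illustration.

```python
import os
import stat

KEYS = ("ClassDesigner", "ApplicationDesigner")
PLACEHOLDER = "Your_Designated_LDAP_Group"  # template value shown in step 2


def parse_properties(text):
    """Simplified parser: key=value lines and '#' or '!' comments only
    (an assumption; it does not cover full java.util.Properties syntax)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_restricted_groups(path):
    """Return a list of findings for the file that -DrestrictedGroups points to."""
    if not os.path.isfile(path):
        return ["MISSING: file not found, so no designer restrictions are configured"]
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    findings = []
    groups = {key: props.get(key, "") for key in KEYS}
    for key, group in groups.items():
        if not group:
            findings.append(f"UNSET: {key} is not configured")
        elif group == PLACEHOLDER:
            findings.append(f"PLACEHOLDER: {key} still uses the template value")
    if groups["ClassDesigner"] and groups["ClassDesigner"] == groups["ApplicationDesigner"]:
        findings.append("SAME_GROUP: both keys name one group; it gets Application Designer access")
    # Added hardening check (an assumption, not from the procedure); POSIX mode bits only.
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("WRITABLE: file is writable by group or others")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_restricted_groups.py /path/to/restrictedGroups.properties
    for finding in audit_restricted_groups(sys.argv[1]) or ["OK"]:
        print(finding)
```

In a cluster, run the script on every node against the same path that the JVM argument uses, so that a node that cannot see the shared file is reported as MISSING.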