Managing user access to data providers in Lifecycle Query Engine
Before you begin
About this task
The LQE access control mechanism allows groups of users to run queries against the indexed data. When a user runs a report in Report Builder, the user sends queries to LQE to get the data for the report. Therefore, users running reports must have permission in LQE to access the data. Report Builder also queries LQE for the structure of the data. The type system model data is used when generating a report. The queries that retrieve type system model data from LQE run by using a Report Builder functional user, such as jrs_user. This functional user must be granted permission in LQE to run queries.
As an administrator, you can control the read access to the LQE index by specifying local access policies to the data that LQE indexes. However, access to the actual lifecycle data, and to the tools that provide the data, is subject to the access control defined in each lifecycle tool.
Data from the lifecycle tools (the data providers) is indexed in a single index that is maintained by LQE. All read access to the index is granted and controlled by LQE, not by the data providers. When you add a data provider, it automatically inherits the permissions that are defined for the LQE index root. You can use the data groups from the data providers as starting points or create new user groups with permission to access all or parts of the index. When you specify custom permissions to access the index, the project and team member permissions to access the data providers aren’t affected.
LQE also supports integration with enterprise directory servers, such as LDAP. You can choose users from the directory servers to add to the access control groups.
- Query and report consumers authenticate with LQE only once to use the indexed data.
- The lifecycle management tools that you add as data providers don't have to be online or reachable when you run queries or reports.
- Reports and queries that run against the LQE index don't consume licenses. However, access to the data in the lifecycle management tools (when you click a link in a report) is still subject to license checks.
- Administrators can override instances where a user doesn’t have a license to a tool but wants to use artifacts in queries or reports.
If permission problems occur, messages show up on the Data Providers page at http://<host_name>:<port>/lqe/web/admin/data-sources. Click the message link to find details about the problem. If LQE can't reach the data provider to set permissions, check the logs for LQE and the data provider for HTTP errors or timeouts.
- If there is a permission error on the LQE Data Sources page, one of the following error messages is displayed:
Error: LQE cannot set the permissions due to an error while connecting to data source. It will retry after 15 minutes.
Error: LQE cannot set permission for 1 component, project area or team area. It will retry after 15 minutes.
Administrators can set up email notifications to find out when permission errors occur. For details, see Setting up email notification for Lifecycle Query Engine events.
Specifying user permissions
You can specify user groups and users who can view data in the entire LQE index or in specific data groups within the index. When you add a data provider, it automatically inherits the permissions that are defined for the LQE index root.
When you first start LQE, no permissions are defined. You must specify which user group or user has access to the entire LQE index, each data provider, or each access context that is defined in a data provider.
Access to the data groups within the index is inherited from the root LQE index; however, you can block the inheritance, change permissions, and grant access to specific groups and users. When you select a group on the Permissions page, local and inherited permissions are shown, and you can see which users and groups are defined. You can’t change inherited permissions; for example, if the permissions are inherited from the parent, you can’t delete a user. You can change the permissions for a particular user directly in the parent group.
If individual users, who don’t work with the data in the applications, need access to project area data in LQE to create reports, you can add them to specific project area data providers.
- On the LQE Administration page, in the menu, under Access Control, click Permissions.
- On the Permissions page at http://<host_name>:<port>/lqe/web/admin/permissions, under Data Groups, select a group.
- To control access to the data group, choose one of the following options:
  - Inherit permissions from the parent
  - Only apply permissions assigned directly to this data group
Note: You can specify whether you want project areas and team areas to inherit permissions from the data provider resource group. In this example, note that the permissions for the Business Recovery Matters team area inherit permissions from the EWM Process Resources (TRS 2.0) data group and not the parent JKE Banking (Change Management) project area.
In the Permissions page, within the Select a data group section, the highlighting of a data group follows the convention that is given here:
  - A data group that is listed with an asterisk (*) uses some permissions shared by another data group. When a data group with shared permissions is selected in the tree, the user group that contains shared permissions is indicated here.
  - A data group that is listed in bold has permissions different from its parent.
  - Individual users or user groups that are inherited from the parent are displayed in
- To grant access to a user group, click Add groups and select the associated check boxes.
- To grant access to a user, click Add users and in the Select Users dialog box, search for the specific user IDs. Select the ID, click Add, and then close.
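The inheritance rules in this section, as an added illustration that is not IBM code or an LQE API: a small Python model that resolves who can effectively read each data group, assuming every data group either inherits from one source group (its parent or the data provider resource group) or applies only its directly assigned permissions. The class, function, and user group names are hypothetical; the data group names are taken from the note above, and the sample tree is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DataGroup:
    name: str
    local: set = field(default_factory=set)     # principals granted directly on this group
    inherit_from: Optional["DataGroup"] = None  # None = only apply directly assigned permissions


def effective_readers(group):
    """Return {principal: name of the data group where the grant is defined}."""
    readers, seen, node = {}, set(), group
    while node is not None:
        if id(node) in seen:
            raise ValueError(f"inheritance cycle at {node.name}")
        seen.add(id(node))
        for principal in node.local:
            # Keep the nearest definition so the report shows where to edit the grant.
            readers.setdefault(principal, node.name)
        node = node.inherit_from
    return readers


def inherited_only(group):
    """Grants that cannot be removed on this group, only on the group that defines them."""
    return {p: src for p, src in effective_readers(group).items() if src != group.name}


# Constructed sample tree; user group names are hypothetical.
root = DataGroup("LQE index root", {"report-consumers", "jrs_user"})
trs = DataGroup("EWM Process Resources (TRS 2.0)", {"ewm-admins"}, inherit_from=root)
# The project area blocks inheritance: only its local permissions apply.
project = DataGroup("JKE Banking (Change Management)", {"jke-team"})
# The team area inherits from the data provider group, not from its parent project area.
team = DataGroup("Business Recovery Matters", {"recovery-leads"}, inherit_from=trs)

if __name__ == "__main__":
    for g in (root, trs, project, team):
        print(g.name)
        for principal, source in sorted(effective_readers(g).items()):
            tag = "local" if source == g.name else f"inherited from {source}"
            print(f"  {principal}: {tag}")
```

In this constructed tree the team area is readable by every principal granted at the index root, while its parent project area is readable only by `jke-team`, which is the kind of difference an access review should look for when inheritance sources are mixed.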
Defining and managing user groups
You can manage the user groups that have permission to access the LQE index: create new groups and assign users or modify existing groups.
- On the LQE Administration page navigation, under Access Control, click User Groups.
- To create a user group, click Add a new group.
- Optional: If you want to use an LDAP server to manage the user group, select the LDAP Group checkbox and provide the required LDAP server and Group DN information.
- Enter a unique name for the group and a description if you want, and click OK.
- To review, modify, or delete an existing user group, click a group name and take any action.
Adding LDAP connections
- In the LQE Administration page menu, under Access Control, click LDAP Connections.
- To create a new LDAP connection, click Add LDAP Connection.
- Enter the URL for the LDAP server.
- Enter a unique label for the connection. This label is displayed in the list of LDAP connections.
- Enter a description of the new LDAP connection.
- Choose an authentication method for the new connection. If you choose Simple, provide the required username and password.
- Click Next and provide the values for each of the connection parameters.
To review, modify, or remove an existing LDAP connection, click the name in the list and take
Note: You can’t add members to the LDAP-based group; they must be added on the LDAP server.
Disabling access control
In certain situations, you might have to temporarily disable access control to the indexed data.
- On the Lifecycle Query Engine Administration page, in the menu, under Configuration, click SPARQL Service.
- On the SPARQL Service page, click Edit.
- Select the Ignore data provider Access Controls checkbox, and click Save.
Note: Disabling is applicable only for LQE, not applicable for LDX.