Managing user access to data providers in Lifecycle Query Engine

Lifecycle Query Engine gathers information about project areas and membership from each application in IBM® Engineering Lifecycle Management. Lifecycle Query Engine uses this information to create data groups based on the access control settings from the project area of each tool. Data groups become part of the TRS feeds.

Before you begin

Before you can define access policies for Lifecycle Query Engine, you must add the data providers. See Connecting Lifecycle Query Engine to data providers to generate the index.

About this task

The LQE access control mechanism allows groups of users to run queries against the indexed data. When a user runs a report in Report Builder, the user sends queries to Lifecycle Query Engine to get the data for the report. Therefore, users running reports must have permission in Lifecycle Query Engine to access the data. Report Builder also queries Lifecycle Query Engine for the structure of the data. The type system model data is used when generating a report. The queries that retrieve type system model data from Lifecycle Query Engine run by using a Report Builder functional user, such as jrs_user. This functional user must be granted permission in Lifecycle Query Engine to run queries.

An automated access control synchronization process takes place at regular intervals; the default is every 15 minutes, but you can change this value on the Advanced Properties page.
Important: The synchronization works only with Engineering Lifecycle Management applications. Both the data and the process TRS feeds must be indexed.

As an administrator, you can control read access to the Lifecycle Query Engine index by specifying local access policies for the data that Lifecycle Query Engine indexes. However, access to the actual lifecycle data, and to the tools that provide the data, is still subject to the access control defined in each lifecycle tool.

Data from the lifecycle tools (the data providers) is indexed in a single index that is maintained by Lifecycle Query Engine. All read access to the index is granted and controlled by Lifecycle Query Engine, not by the data providers. When you add a data provider, it automatically inherits the permissions that are defined for the Lifecycle Query Engine index root. You can use the data groups from the data providers as starting points or create new user groups with permission to access all or parts of the index. When you specify custom permissions to access the index, the project and team member permissions to access the data providers aren’t affected.

Lifecycle Query Engine also supports integration with enterprise directory servers, such as LDAP. You can choose users from the directory servers to add to the access control groups.

Remember: Access to the Lifecycle Query Engine index is entirely based on what the administrators specify on the Permissions page, regardless of the data groups from the lifecycle management tools.
This approach to Lifecycle Query Engine access control has several benefits:
  • Query and report consumers authenticate with Lifecycle Query Engine only once to use the indexed data.
  • The lifecycle management tools that you add as data providers don't have to be online or reachable when you run queries or reports.
  • Reports and queries that run against the Lifecycle Query Engine index don't consume licenses. However, access to the data in the lifecycle management tools (when you click a link in a report) is still subject to license checks.
  • Administrators can override instances where a user doesn’t have a license to a tool but wants to use artifacts in queries or reports.
The tasks in this topic help you manage user access:

If permission problems occur, messages show up on the Data Providers page at http://<host_name>:<port>/lqe/web/admin/data-sources. Click the message link to find details about the problem. If LQE can't reach the data provider to set permissions, check the logs for LQE and the data provider for HTTP errors or timeouts.

Note: If there is a permission error on the LQE Data Sources page, one of the following error messages is displayed:
    LQE cannot set the permissions due to an error while connecting to data source. It will retry after 15 minutes.
    LQE cannot set permission for 1 component, project area or team area. It will retry after 15 minutes.

Administrators can set up email notifications to find out when permission errors occur. For details, see Setting up email notification for Lifecycle Query Engine events.

Specifying user permissions

You can specify user groups and users who can view data in the entire Lifecycle Query Engine index or in specific data groups within the index. When you add a data provider, it automatically inherits the permissions that are defined for the Lifecycle Query Engine index root.

When you first start Lifecycle Query Engine, no permissions are defined. You must specify which user group or user has access to the entire Lifecycle Query Engine index, each data provider, or each access context that is defined in a data provider.

Access to the data groups within the index is inherited from the root Lifecycle Query Engine index; however, you can block the inheritance, change permissions, and grant access to specific groups and users. When you select a group on the Permissions page, local and inherited permissions are shown, and you can see which users and groups are defined. You can’t change inherited permissions; for example, if the permissions are inherited from the parent, you can’t delete a user. You can change the permissions for a particular user directly in the parent group.

If individual users, who don’t work with the data in the applications, need access to project area data in Lifecycle Query Engine to create reports, you can add them to specific project area data providers.

Tip: If you’re defining access control for the first time and plan to customize the permissions, you might consider setting up user groups and users first, and then specifying the custom permissions.

Procedure

  1. On the Lifecycle Query Engine Administration page, in the menu, under Access Control, click Permissions.
  2. On the Permissions page at http://<host_name>:<port>/lqe/web/admin/permissions, under Data Groups, select a group.
  3. To control access to the data group, choose one of the following options:
    • Inherit permissions from the parent
    • Only apply permissions assigned directly to this data group
    Note: You can specify whether you want project areas and team areas to inherit permissions from the data provider resource group. In this example, note that the permissions for the Business Recovery Matters team area inherit permissions from the Engineering Workflow Management Process Resources (TRS 2.0) data group and not the parent JKE Banking (Change Management) project area.
    In the Permissions page, within the Select a data group section, the highlighting of a data group follows the convention that is given here:
    • A data group that is listed with an asterisk (*) uses some permissions shared by another data group. When a data group with shared permissions is selected in the tree, the user group that contains shared permissions is indicated here.
    • A data group that is listed in bold has permissions different from its parent.
    • Individual users or user groups that are inherited from the parent are displayed in italic.
  4. To grant access to a user group, click Add groups and select the associated check boxes.
  5. To grant access to a user, click Add users and in the Select Users dialog box, search for the specific user IDs. Select the ID, click Add, and then close.
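The inheritance rules described above (root index, data provider, project area and team area, with a data group either inheriting from its parent, inheriting from the data provider resource group, or applying only its direct grants) as an added illustrative model. This is not Lifecycle Query Engine's own code or API; the data group names and the principals are constructed, and the bold/italic checks mirror only the display conventions stated on this page.

```python
from dataclasses import dataclass, field

PARENT = object()  # sentinel: "Inherit permissions from the parent"


@dataclass
class DataGroup:
    name: str
    local: set = field(default_factory=set)       # users/groups granted directly here
    inherit_from: "DataGroup | None" = None       # None = only direct grants apply
    parent: "DataGroup | None" = None             # position in the tree (for display rules)


def child(parent, name, local=(), inherit_from=PARENT):
    """Create a data group under `parent`; by default it inherits from the parent."""
    source = parent if inherit_from is PARENT else inherit_from
    return DataGroup(name, set(local), source, parent)


def effective(group):
    """Principals who can read this data group: direct grants plus the inherited chain."""
    principals = set(group.local)
    source = group.inherit_from
    while source is not None:
        principals |= source.local
        source = source.inherit_from
    return principals


def can_read(group, principal):
    return principal in effective(group)


def listed_in_bold(group):
    """The page shows a group in bold when its permissions differ from its parent's."""
    return group.parent is not None and effective(group) != effective(group.parent)


def listed_in_italic(group, principal):
    """A principal is shown in italic when it is inherited rather than granted directly."""
    return principal in effective(group) and principal not in group.local


def build_example_tree():
    # Constructed tree; jrs_user is the Report Builder functional user that must be granted at the root.
    root = DataGroup("Lifecycle Query Engine index root", {"lqe-admins", "jrs_user"})
    ewm = child(root, "EWM Process Resources (TRS 2.0)", {"ewm-reporters"})
    jke = child(ewm, "JKE Banking (Change Management)")            # inherits from parent
    brm = child(jke, "Business Recovery Matters", {"brm-team"}, inherit_from=ewm)  # from provider group
    iso = child(ewm, "Isolated Project (constructed)", {"auditors"}, inherit_from=None)
    return {"root": root, "ewm": ewm, "jke": jke, "brm": brm, "iso": iso}
```

Blocking inheritance on a project area means even administrators granted at the root lose read access to it until they are added directly, which is the case worth checking before relying on root-level grants.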

Defining and managing user groups

You can manage the user groups that have permission to access the Lifecycle Query Engine index: create new groups and assign users or modify existing groups.

Note: Many of the user groups are automatically created by Lifecycle Query Engine; these groups shouldn’t be modified. If you make changes to these groups, they are overwritten when the synchronization runs.

Procedure

  1. On the Lifecycle Query Engine Administration page navigation, under Access Control, click User Groups.
  2. To create a user group, click Add a new group.
    1. Optional: If you want to use an LDAP server to manage the user group, select the LDAP Group checkbox and provide the required LDAP server and Group DN information.
    2. Enter a unique name for the group and a description if you want, and click OK.
  3. To review, modify, or delete an existing user group, click a group name and take any action.

Adding LDAP connections

You can integrate LDAP servers with Lifecycle Query Engine and create user groups that are based on the LDAP groups from the data providers. When you create an LDAP-based group for LQE, you can select existing users from the integrated LDAP directory; however, you can’t add new users to an LDAP-based group.

Procedure

  1. In the Lifecycle Query Engine Administration page menu, under Access Control, click LDAP Connections.
  2. To create a new LDAP connection, click Add LDAP Connection.
    1. Enter the URL for the LDAP server.
    2. Enter a unique label for the connection. This label is displayed in the list of LDAP connections.
    3. Enter a description of the new LDAP connection.
    4. Choose an authentication method for the new connection. If you choose Simple, provide the required username and password.
    5. Click Next and provide the values for each of the connection parameters.
  3. To review, modify, or remove an existing LDAP connection, click the name in the list and take any action.
    Note: You can’t add members to the LDAP-based group; they must be added on the LDAP server.

Disabling access control

In certain situations, you might have to temporarily disable access control to the indexed data.

CAUTION:
Only disable LQE access control if absolutely necessary, and reverse it as soon as possible.

Procedure

  1. On the Lifecycle Query Engine Administration page, in the menu, under Configuration, click SPARQL Service.
  2. On the SPARQL Service page, click Edit.
  3. Select the Ignore data provider Access Controls checkbox, and click Save.
    Note: This setting applies only to Lifecycle Query Engine; it does not apply to LDX.