Managing user access to data providers in Lifecycle Query Engine
Before you begin
About this task
The LQE access control mechanism allows groups of users to run queries against the indexed data. When a user runs a report in Report Builder, the user sends queries to Lifecycle Query Engine to get the data for the report. Therefore, users running reports must have permission in Lifecycle Query Engine to access the data. Report Builder also queries Lifecycle Query Engine for the structure of the data. The type system model data is used when generating a report. The queries that retrieve type system model data from Lifecycle Query Engine run by using a Report Builder functional user, such as jrs_user. This functional user must be granted permission in Lifecycle Query Engine to run queries.
As an administrator, you can control the read access to the Lifecycle Query Engine index by specifying local access policies to the data that Lifecycle Query Engine indexes. However, access to the actual lifecycle data, and to the tools that provide the data, is subject to the access control defined in each lifecycle tool.
Data from the lifecycle tools (the data providers) is indexed in a single index that is maintained by Lifecycle Query Engine. All read access to the index is granted and controlled by Lifecycle Query Engine, not by the data providers. When you add a data provider, it automatically inherits the permissions that are defined for the Lifecycle Query Engine index root. You can use the data groups from the data providers as starting points or create new user groups with permission to access all or parts of the index. When you specify custom permissions to access the index, the project and team member permissions to access the data providers aren’t affected.
Lifecycle Query Engine also supports integration with enterprise directory servers, such as LDAP. You can choose users from the directory servers to add to the access control groups.
- Query and report consumers authenticate with Lifecycle Query Engine only once to use the indexed data.
- The lifecycle management tools that you add as data providers don't have to be online or reachable when you run queries or reports.
- Reports and queries that run against the Lifecycle Query Engine index don't consume licenses. However, access to the data in the lifecycle management tools (when you click a link in a report) is still subject to license checks.
- Administrators can override instances where a user doesn’t have a license to a tool but wants to use artifacts in queries or reports.
If permission problems occur, messages show up on the Data Providers page at http://<host_name>:<port>/lqe/web/admin/data-sources. Click the message link to find details about the problem. If LQE can't reach the data provider to set permissions, check the logs for LQE and the data provider for HTTP errors or timeouts.
- If there is a permission error on the LQE Data Sources page, one of the following error messages is displayed:
  - LQE cannot set the permissions due to an error while connecting to data source. It will retry after 15 minutes.
  - LQE cannot set permission for 1 component, project area or team area. It will retry after 15 minutes.
Administrators can set up email notifications to find out when permission errors occur. For details, see Setting up email notification for Lifecycle Query Engine events.
Specifying user permissions
You can specify user groups and users who can view data in the entire Lifecycle Query Engine index or in specific data groups within the index. When you add a data provider, it automatically inherits the permissions that are defined for the Lifecycle Query Engine index root.
When you first start Lifecycle Query Engine, no permissions are defined. You must specify which user group or user has access to the entire Lifecycle Query Engine index, each data provider, or each access context that is defined in a data provider.
Access to the data groups within the index is inherited from the root Lifecycle Query Engine index; however, you can block the inheritance, change permissions, and grant access to specific groups and users. When you select a group on the Permissions page, local and inherited permissions are shown, and you can see which users and groups are defined. You can’t change inherited permissions; for example, if the permissions are inherited from the parent, you can’t delete a user. You can change the permissions for a particular user directly in the parent group.
If individual users, who don’t work with the data in the applications, need access to project area data in Lifecycle Query Engine to create reports, you can add them to specific project area data providers.
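The inheritance rules described above can be modeled in a few lines. This is an added example, not LQE code or an LQE API: the class, function, and data group names are hypothetical, and the tree is constructed sample data. It shows that nobody can read until a grant exists, that grants on the index root flow down to data providers and project areas, that blocking inheritance cuts off everything granted above, and that an inherited entry cannot be removed on the child.

```python
# Conceptual model of the inheritance rules described above.
# Not LQE code or an LQE API; all names here are hypothetical.

class DataGroup:
    def __init__(self, name, parent=None, block_inheritance=False):
        self.name = name
        self.parent = parent
        self.block_inheritance = block_inheritance
        self.local = set()  # principals granted directly on this data group

    def inherited(self):
        """Principals that flow down from the parent chain."""
        if self.parent is None or self.block_inheritance:
            return set()
        return self.parent.effective()

    def effective(self):
        """Local grants plus whatever is inherited."""
        return self.local | self.inherited()

    def grant(self, principal):
        self.local.add(principal)

    def revoke(self, principal):
        # Inherited entries can only be changed on the parent that defines them.
        if principal not in self.local:
            if principal in self.inherited():
                raise PermissionError(
                    f"{principal} is inherited at {self.name}; change it on the parent")
            raise KeyError(principal)
        self.local.remove(principal)


def can_read(user, groups_of_user, data_group):
    """True if the user, or one of the user's groups, has read access."""
    return bool(({user} | set(groups_of_user)) & data_group.effective())


def build_sample():
    # Constructed sample tree: index root -> data provider -> project areas.
    root = DataGroup("LQE index root")
    provider = DataGroup("Provider A", parent=root)
    open_pa = DataGroup("Project Area 1", parent=provider)
    restricted_pa = DataGroup("Project Area 2", parent=provider,
                              block_inheritance=True)
    return root, provider, open_pa, restricted_pa
```

In this model, blocking inheritance on a data group also drops a functional user such as jrs_user that was granted on the root, so it has to be granted again locally if queries against that group must still run.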
Procedure
Defining and managing user groups
You can manage the user groups that have permission to access the Lifecycle Query Engine index: create new groups and assign users or modify existing groups.
Procedure
Adding LDAP connections
Procedure
Disabling access control
In certain situations, you might have to temporarily disable access control to the indexed data.