Authorization
Control Center provides fine-grained authorization checks to allow or deny access to pages, individual sensitive data fields, and user actions.
Overview
The authorization model is stored in database tables representing permissions, users, groups, and their relationships. Users are assigned membership in one or more groups, and permissions are granted to the groups. An individual user inherits all permissions that are associated with all groups of which they are a member. Any single permission may be granted to zero or more groups. Web Services also use the same authorization model to control access to individual APIs.
Enterprise registries are not used directly. Customers can bridge their registries to the Control Center authorization model by mapping registry roles to Control Center groups and registry users to Control Center users via the OIDC login user exit. For more information, see OIDC login user exit.
Users represent authenticated individuals or service accounts within the FTM Control Center. For more information, see Users.
Groups contain users and are granted permissions. For more information, see Groups.
Permissions are defined by the FTM product and are created during deployment. They are closely tied to the pages within the Control Center user interface. Each page is associated with one or more permissions to provide access to functions on that page. When a user is not in a group that has the permissions for a page, they cannot see that page in the navigation tree. For more information on permissions, see Permissions.
Entitlements provide the ability to further enforce access restrictions on data. For more information on entitlements, see Entitlements.
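As an added illustration of the group-based model described above (not code from the FTM product), the following script builds the relationship tables in an in-memory SQLite database and derives a user's effective permissions as the union of the permissions of every group they belong to. Table and column names, the sample users, groups and permissions, and the page-to-permission mapping are all assumptions constructed for the example; it also assumes a page is shown when the user holds at least one of that page's permissions.

```python
import sqlite3

# Constructed schema mirroring the page's description: users, groups,
# permissions, and the two relationship tables (names are assumptions).
SCHEMA = """
CREATE TABLE users (email TEXT PRIMARY KEY, locked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE auth_groups (name TEXT PRIMARY KEY);
CREATE TABLE permissions (name TEXT PRIMARY KEY);
CREATE TABLE user_group (email TEXT, grp TEXT, PRIMARY KEY (email, grp));
CREATE TABLE group_permission (grp TEXT, perm TEXT, PRIMARY KEY (grp, perm));
"""

# Constructed sample data: alice is in two groups, bob in one, and the
# admin.users permission is granted to no group at all (allowed by the model).
SAMPLE = [
    ("INSERT INTO users VALUES (?, ?)",
     [("alice@example.com", 0), ("bob@example.com", 0)]),
    ("INSERT INTO auth_groups VALUES (?)", [("operators",), ("auditors",)]),
    ("INSERT INTO permissions VALUES (?)",
     [("payments.view",), ("payments.release",), ("audit.view",), ("admin.users",)]),
    ("INSERT INTO user_group VALUES (?, ?)",
     [("alice@example.com", "operators"), ("alice@example.com", "auditors"),
      ("bob@example.com", "auditors")]),
    ("INSERT INTO group_permission VALUES (?, ?)",
     [("operators", "payments.view"), ("operators", "payments.release"),
      ("auditors", "audit.view")]),
]

def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        db.executemany(sql, rows)
    return db

def effective_permissions(db, email):
    """Union of the permissions of every group the user is a member of."""
    rows = db.execute(
        "SELECT DISTINCT gp.perm FROM user_group ug "
        "JOIN group_permission gp ON gp.grp = ug.grp WHERE ug.email = ?",
        (email,),
    ).fetchall()
    return {r[0] for r in rows}

# Assumed mapping of navigation pages to the permissions that unlock them.
PAGE_PERMISSIONS = {
    "Payments": {"payments.view", "payments.release"},
    "Audit": {"audit.view"},
    "Users": {"admin.users"},
}

def visible_pages(db, email):
    """Pages shown in the navigation tree: those for which the user holds
    at least one associated permission (assumption: any, not all)."""
    perms = effective_permissions(db, email)
    return sorted(page for page, need in PAGE_PERMISSIONS.items() if perms & need)
```

Because `admin.users` is granted to no group, the Users page is hidden from everyone until an administrator grants that permission to a group; a user with no group memberships sees nothing.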
Users
Users represent authenticated individuals or service accounts within the FTM Control Center. A user:
- Can be assigned to one or more groups to inherit collective permissions.
- Serves as the principal subject in all authorization decisions.
- Has an identity tracked for audit logging.
The key user attributes are shown in the following list.
- Unique identifier (email)
- Profile information (name, contact details)
- Account status (locked)
- Group memberships
- Time zone
The steps to add a user account are shown in the following list.
- Log on to the Control Center with a user ID that has the authority to add users.
- Go to the users page. The users page lists the users that are defined.
- Click Create.
- Enter the information for the user account.
- Click Save to save the changes.
The steps to edit a user account are shown in the following list.
- Log on to the Control Center with a user ID that has authority to update users.
- Go to the users page. The users page lists the users that are defined.
- Select the user account to edit in the list of users. A read-only view of the details is displayed.
- Click Edit to change the dialog to edit mode.
- Update the information for the user account.
- Click Save to save the changes.
The steps to delete a user account are shown in the following list.
- Log on to the Control Center with a user ID that has authority to delete users.
- Go to the users page. The users page lists the users that are defined.
- Locate the account to delete in the list of user accounts.
- Click the Delete action on the row in the list for the user.