Security profiles

Administration page

| Application/Contract | Class | Representation |
|---|---|---|
| Syracuse/Collaboration | securityProfiles | SecurityProfile |

A security profile defines a set of restrictions and authorizations for the platform administration. To be effective, a security profile must be associated with roles. If a role has no security profile, a user connected with this role has no restrictions on the administration operations. It is important to set up security profiles to ensure the security of the platform administration.

The information entered while defining a security profile is as follows:

Code

Identifies the security profile.

Description

Describes the security profile.

Personalization level

Defines the level of personalization a user can perform on pages:
* None: no personalization is allowed.
* User: personalization is allowed, but only on a page that is dedicated to the user.
* Administrator: the user can modify authored pages shared by several users.

Allow Office document upload

Defines whether the user can upload Office documents. It is deactivated by default to protect against malicious Office documents, and must be activated for the user to be able to upload Office documents.

Security Level

Defines a numeric level associated with each profile. Profile levels range from 0 to 99. A user can only create or modify security profiles whose level is higher than the level of the security profile they are associated with. In other words, a user with security level 1 can only view and maintain security profiles with security level 2 and above.

Authorizations

In this grid, a list of predefined codes is displayed with an associated description. Every code identifies the corresponding controlled entities with filters.

For example, the users code controls the access to the users, groups, and roles entities. The myProfile code controls the access to the user profile of the connected user: a user may have the right to change their own profile, but not the profiles of other users. The detailed list of the codes and associated entities is given in the Appendix section.

For every code, you can select the check boxes to define the access rights granted by the security profile. When a check box is cleared, the access right is denied. A user cannot grant access to codes for which they do not have rights themselves; in that case, the corresponding check boxes are disabled.

The access rights are the usual CRUD access (Creation, Read, Update, and Delete), plus an additional Execution right. The execution right controls dedicated operations as described in the Appendix section.

Associated roles

This section defines the list of roles to which the security profile applies. The assignment can be done here or on the roles management page.
A role cannot be associated with several security profiles. If the role has no security profile, no restriction is set on the role.
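The three rules above (security level ordering, no granting of rights the administrator does not hold, and unrestricted roles without a profile) can be modelled as a small access-control check. This is an added illustration, not code from the Sage X3 platform; the profile, role and grid structures are assumptions made for the example, and the codes and rights used follow the page (CRUD plus Execution).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# The usual CRUD rights plus the additional Execution right described on the page
RIGHTS = {"create", "read", "update", "delete", "execute"}


@dataclass
class SecurityProfile:
    code: str
    level: int                                   # security level, 0 to 99
    grid: Dict[str, Set[str]] = field(default_factory=dict)  # authorization code -> rights

    def __post_init__(self) -> None:
        if not 0 <= self.level <= 99:
            raise ValueError("security level must be between 0 and 99")

    def has(self, code: str, right: str) -> bool:
        return right in self.grid.get(code, set())


@dataclass
class Role:
    name: str
    profile: Optional[SecurityProfile] = None    # a role has at most one profile


def is_allowed(role: Role, code: str, right: str) -> bool:
    """A role without a security profile is unrestricted; otherwise consult the grid."""
    if role.profile is None:
        return True
    return role.profile.has(code, right)


def can_maintain(actor: SecurityProfile, target: SecurityProfile) -> bool:
    """Only profiles with a strictly higher level than the actor's own can be maintained."""
    return target.level > actor.level


def grant(actor: SecurityProfile, target: SecurityProfile, code: str, right: str) -> None:
    """Grant a right on the target profile, refusing what the actor may not do.

    An actor cannot grant a right they do not hold themselves (the check box
    would be disabled in the UI), nor touch a profile at or below their level.
    """
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    if not can_maintain(actor, target):
        raise PermissionError(f"level {target.level} is not above actor level {actor.level}")
    if not actor.has(code, right):
        raise PermissionError(f"actor does not hold {right!r} on {code!r}")
    target.grid.setdefault(code, set()).add(right)
```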

Factory

This check box defines whether the record is supplied as a factory record. When it is, a factory code is also displayed and can be entered if you are a factory provider. This feature prevents some modifications on records supplied by default by Sage or by a vertical solution provider. More information about this feature is given in the following document.

Appendix: definition of security profile codes

The list of codes and their corresponding entities is defined in the following table:

| Code | Entity | Filter on... | CRUD filter | Properties access restriction (empty if no field restriction) | Execution right |
|---|---|---|---|---|---|
| myProfile | users | connected user | read and update | login, title, firstName, lastName, fullName, password, photo, email can be modified only | |
| | Classic client sessions | connected user | lists only the sessions owned by the user | User login, Solution, Folder, User, Language code, Last Access, Time out, Reused, Open, Creation Date | |
| | Session infos | connected user | lists only the sessions owned by the user | Session ID, User name, Badges, Client ID, Last URL | |
| | roles | only the roles the user has access to | read-only access | description can only be viewed | |
| | endpoints | only the endpoints the user has access to | read-only access | code, description, application, contract can be viewed only | |
| | Soap Classic pools | only the pools associated to endpoints the user has access to | read-only access | | |
| | localePreferences | all the locale preferences | read-only access | | |
| | Host traces | only traces created by sessions assigned to the user | read-only access | | |
| users | users | | yes | | |
| | BO servers and BO profiles | | read-only access | | |
| | navigation pages | | read-only access | | |
| | mobile applications | | read-only access | | |
| | groups | | yes | | |
| | roles | | yes | | |
| | Endpoints | | read-only access | Description | |
| | Applications | | read-only access | Description | |
| | security profiles | only the security profiles having a security level with a greater value than the one associated to the user's security level | yes (CRUD on header and lines) | | |
| | teams | | yes | | |
| | Badges, and license related data | | read-only access | | |
| technicalSettings | ldap | | yes | | |
| | Oauth2 | | yes | | |
| | Clients reused list | | yes | | |
| | Technical information (about...) | | yes | | |
| | updates | | yes | | |
| | Notification Servers | | yes | | |
| | Batch controller | | List, interrupt, delete tasks | | Start and stop the server |
| | Roles | | read-only access | | |
| | Groups | | read-only access | | |
| | Badges, and license related data | | yes | | |
| | BO servers and BO profiles | | yes | | |
| | HRM web servers and HRM sites | | yes | | |
| | Trace records | | yes | | |
| | Session infos | | yes | | |
| | saml2 | | yes | | |
| | scheduler | | yes | | yes |
| | Applications | | yes | | |
| | EndPoints | | yes | | |
| | badge | | yes | | |
| | settings | | yes | | |
| | x3server | | yes | | |
| | localePreference | | yes | | |
| | friendServer | | yes | | |
| | license | | yes | | |
| | patch | | yes | | |
| | apatch | | yes | | |
| | host | | yes | | |
| | license data | | yes | | |
| | caCertificate | | yes | | |
| | certificate | | yes | | |
| | proxyConfiguration | | yes | | |
| | storageVolume | | yes | | |
| | X3 solutions | | yes | | |
| authoring (personalization) | Applications | | read-only access | | |
| | pageData | | yes | | |
| | dashboardDef | | yes | | |
| | Customized pages | | yes | | |
| | pagesportlet | | yes | | |
| | menuItem | | yes | | |
| | menuCategory | | yes | | |
| | navigationPage | | yes | | |
| | landingPage | | yes | | |
| | menuModule | | yes | | |
| | menuBlocks and sub-blocks | | yes | | |
| | Mobile applications | | yes | | |
| | Mobile dashboards | | yes | | |
| | Mobile gadgets | | yes | | |
| | Applications | | read-only access | | |
| | Endpoints | | read-only access | | |
| | Mobile dashboards upgrade | | yes | | |
| collaborationArea | team | on the teams the user administrates | yes | only on the properties description, isPublic, explorer, tags, administrator, authors, members, documents, templateDocuments | |
| | | on the teams the user is administrator, author, or member of | read-only access | | |
| | document | on documents not assigned to a team, or assigned to a team the user administrates, or assigned to a team the user is author of | creation access | only on the properties description, documentType, documentDate, fileName, content, expiration, uri, isReadOnly, className, x3Keys, representationName, volume, teams, owner, tags, endpoint | |
| | | on documents a user owns, or documents not assigned to a team, or documents assigned to a team on which the user has the administration, author, or reader role | read access | | |
| | | on documents not assigned to a team, or documents assigned to a team on which the user has the administration role, or documents a user owns and that are assigned to a team on which the user has the author role | update / delete access | | |
| | storageVolume | | read-only access | | |
| | documentTag | | yes | | |
| | documentTagCategory | | yes | | |
| | documentInternalTag | | yes | | |
| | msoWordTemplateDocument | | yes | | |
| | Users | | read-only access | | |
| | Notification events | | yes | | |
| | Notification themes | | yes | | |
| | Mail templates | | yes | | |
| | Notification servers | | yes | | |
| | Applications | | read-only access | | |
| StatusAndUsage | sessionInfo | | only deletion is possible | | |
| | cvgReuseClient | | yes | | |
| | cvgSession | | yes | | |
| | Endpoints | | yes | | |
| | server logs | | yes | | |
| | textTranslation | | yes | | yes |
| | searchAdmin | | yes | | yes |
| | X3 solutions | | read-only access | | |
| | Classic SOAP web services | | yes | | |
| | Rest web services | | yes | | |
| | scheduler | | yes | | |
| | Groups | | read-only access | | |
| | Applications | | read-only access | | |
| | License view | | read-only access | | |
| | server logs | | yes | | |
| | Batch controller | | List, interrupt, delete tasks | | Start and stop the server |
| importData | importSession | | yes | | |
| | Endpoints | | read-only access | | yes |
| | importTool | | yes | | yes |
| | x3UserImport | | | | execution only |
| | MenuProfleImport | | | | execution only |
| exportData | exportProfile | | yes | | yes |
| | Personalization management | | yes | | yes |
| | Resource packs | | yes | | |
| | Endpoints | | read-only access | | execution only |
| | Applications | | read-only access | | execution only |
| Development | Using the Eclipse Editor | | yes | | |
| | Using the Eclipse Debugger | | yes | | |
| Printing | Using the Print Server (Reports, Prints/group) | | yes | | yes |