Entitlements
Entitlements define and restrict user access to any permissible Control entity in KX Control.
They are an effective way of defining different views of the system for different user groups.
They can be integrated with LDAP for authentication, allowing enterprise-wide security to be enforced.
Entities and users can be grouped and entitled together. The entitlements can then be inherited or overridden for subgroups and/or individual users.
A password security policy can include password criteria and ageing.
Any attempted access to any process is logged.
When entitlements are changed they are automatically pushed to all processes, with no need for restarts.
Users
Users are the basis of all permissions within KX Control. Each user can have individual permissions set and can also be a member of a User Group, inheriting permissions from it. A user can have access restrictions set and be associated with a specific authentication control.
Create a user
From the top menu pick File > New > User. Choose the user authentication type (Default or SAML). For Default users, set a password, an email address, and the package to include the user in; for SAML users the password field is not required.
Use the User Editor to record details for the user, then click Save.
User editor
The editor has five tabs.
tab | description |
---|---|
User Details | Details of the user |
User Groups | Define User Groups |
User Entity Permissions | Entities permissioned to the user |
Authentication & Access Control | User-specific authentication control policies |
Revision History | Revision history of the entity |
Authentication and access control
This tab is only for use with the Default user type. For SAML users the tab is active but all of its fields are disabled. For Default users, Users and User Groups can be configured to enforce a password policy for subscribed users. To enable this, set the environment variable DELTADASHBOARD_PASSWORD_POLICY to YES and restart the KX Delta Platform. The available policy configuration meets OWASP recommendations for password complexity.
field | description |
---|---|
Inherit User Group Authentication | Inherit the policy from parent User Group |
Apply Policy | Enable/disable policy |
Minimum Length | Minimum length of password |
Maximum Length | Maximum length of password |
Password History | Number of passwords before one can be repeated |
Password Max Duration | Maximum number of days before a password must be changed |
Attempts Before Lock | Number of incorrect attempts a user will be allowed before locking user |
Available password policy requirements allow for configuring:
- Min lowercase characters
- Min uppercase characters
- Min numeric characters
- Min special characters
Acceptable special characters are in line with OWASP guidelines.
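To make the policy table concrete, here is an added example in Python (not KX Control code) that enforces the listed criteria on a candidate password and applies the Attempts Before Lock rule. The field names follow the table above; the numeric defaults are constructed, the stored history entries are assumed to be salted PBKDF2 hashes, and the special-character set is the one OWASP lists (space plus ASCII punctuation).

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# OWASP's password special characters: space plus the ASCII punctuation set.
OWASP_SPECIAL = set(" " + string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    # Field names mirror the policy table above; the numbers are constructed defaults.
    minimum_length: int = 12
    maximum_length: int = 64
    password_history: int = 5        # recent passwords that may not be reused
    attempts_before_lock: int = 5
    min_lowercase: int = 1
    min_uppercase: int = 1
    min_numeric: int = 1
    min_special: int = 1


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored history entries do not reveal the old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_history_entry(password: str) -> tuple:
    """Build the (salt, digest) pair that is stored for a password once it is set."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def check_password(policy: PasswordPolicy, candidate: str, history=()) -> list:
    """Return the names of the violated rules; an empty list means the password passes."""
    violations = []
    length = len(candidate)
    if length < policy.minimum_length:
        violations.append("Minimum Length")
    if length > policy.maximum_length:
        violations.append("Maximum Length")

    # Character-class minimums, in the order the page lists them.
    counts = [
        ("Min lowercase characters", policy.min_lowercase, sum(c.islower() for c in candidate)),
        ("Min uppercase characters", policy.min_uppercase, sum(c.isupper() for c in candidate)),
        ("Min numeric characters", policy.min_numeric, sum(c.isdigit() for c in candidate)),
        ("Min special characters", policy.min_special, sum(c in OWASP_SPECIAL for c in candidate)),
    ]
    for name, needed, have in counts:
        if have < needed:
            violations.append(name)

    # Password History: only the most recent N stored entries block reuse.
    if policy.password_history > 0:
        for salt, digest in list(history)[-policy.password_history:]:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                violations.append("Password History")
                break
    return violations


class LoginGate:
    """Counts consecutive failed logins and locks the account at the policy limit."""

    def __init__(self, policy: PasswordPolicy):
        self.limit = policy.attempts_before_lock
        self.failures = 0
        self.locked = False

    def record_attempt(self, success: bool) -> bool:
        """Record one attempt and return True if the account is (now) locked."""
        if self.locked:
            return True            # stays locked until an administrator resets it
        if success:
            self.failures = 0      # a good login clears the counter
        else:
            self.failures += 1
            self.locked = self.failures >= self.limit
        return self.locked
```

check_password returns every rule the candidate breaks rather than stopping at the first, which is what a user-facing editor needs to show; the history comparison uses a constant-time digest compare so the check itself does not leak which old password matched.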
Change password
By the user
Change Password allows a user to change her own password. From the User Menu pick Change Password and set a new password. After you successfully change your password you will be logged out and you must enter your new password.
By the administrator
An administrative user with the correct privileges can reset a user’s password. The administrative user does not have to know the user’s current password.
Right-click the user in question and select Reset Password; set a new password.
Delete a user
An appropriately permissioned administrative user can delete users. Right-click the user in the navigation view, select Delete, and confirm.
User groups
Users can be grouped to allow for group-level permissions. This section looks at:
- Creating User Groups
- Access Restrictions
- Deleting User Groups
Create a user group
As an Administrative user, from the top menu, pick File > New > User Group.
Name the group, and assign it a package.
The User Group Editor will open. Fill in the group's details in the editor, then save the new group.
User group editor
The editor has five tabs.
tab | description |
---|---|
Members | Assign users to the group |
User Group Entity Permissions | Assign entity permissions to the group |
Access Restrictions | Assign access limitations to the group |
Authentication & Access Control | Set group-specific authentication control policies |
Revision History | Review revision history of the entity |
User group access restrictions
There are three types of access restriction available to groups:
type | restriction |
---|---|
Dashboard Access URLs | limits the URLs a user can log in from. Can include 'all' to grant access to any URL |
Dashboard Access IPs | limits the IP addresses from which a user will be able to log in |
IP Access Affinity | lists the IP addresses from which a user connection can be initiated. This can be used to prevent users from logging in directly via the UI, since such a connection comes from a local IP, whereas Dashboards users always log in via the Delta App Server, which has a dedicated IP address |
You can use the two configurations below to set the behavior of these restrictions.
Option | Default Value | Details |
---|---|---|
DELTACONTROL_REQUIRE_URL_VALIDATION | NO | By default, URLs are only validated if the Access URL field is populated. If set to 'YES', then URLs are always validated for non-Administrators. |
DELTACONTROL_REQUIRE_IP_VALIDATION | NO | By default, IPs are only validated if the Access IP field is populated. If set to 'YES', then IPs are always validated for non-Administrators. |
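As an added example (not product code) of how these three lists and the two options interact, here is a Python check that evaluates a login against a group's restrictions. It assumes that URLs match on origin (scheme, host and port), that IP entries may be single addresses or CIDR ranges (a generalisation of the page's plain IP lists), that a populated list applies to every user while the 'always validate' options exempt Administrators only, and that IP Access Affinity is validated only when populated, since the page documents no option for it.

```python
import ipaddress
import os
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class AccessRestrictions:
    # In-memory stand-in for the three lists on the group's Access Restrictions tab.
    access_urls: list = field(default_factory=list)   # Dashboard Access URLs
    access_ips: list = field(default_factory=list)    # Dashboard Access IPs
    ip_affinity: list = field(default_factory=list)   # IP Access Affinity


def _origin(url: str) -> str:
    # Compare scheme://host[:port] only; path and query play no part in the restriction.
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _ip_listed(addr: str, entries) -> bool:
    # Accepts plain addresses ("10.1.2.7") or ranges ("10.1.2.0/24").
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def check_login(restrictions: AccessRestrictions, *, login_url: str, client_ip: str,
                is_admin: bool = False, env=None) -> list:
    """Return the names of the restrictions that reject this login (empty list = allowed)."""
    env = os.environ if env is None else env
    force_url = env.get("DELTACONTROL_REQUIRE_URL_VALIDATION", "NO").upper() == "YES"
    force_ip = env.get("DELTACONTROL_REQUIRE_IP_VALIDATION", "NO").upper() == "YES"
    failed = []

    # URLs: checked when the list is populated, or always for non-Administrators when forced.
    if restrictions.access_urls or (force_url and not is_admin):
        urls = restrictions.access_urls
        allow_any = any(u.strip().lower() == "all" for u in urls)
        allowed = {_origin(u) for u in urls}
        if not allow_any and _origin(login_url) not in allowed:
            failed.append("Dashboard Access URLs")

    # IPs: the same rule, driven by the IP option.
    if restrictions.access_ips or (force_ip and not is_admin):
        if not _ip_listed(client_ip, restrictions.access_ips):
            failed.append("Dashboard Access IPs")

    # Affinity: enforced only when populated (no option is documented for it).
    if restrictions.ip_affinity and not _ip_listed(client_ip, restrictions.ip_affinity):
        failed.append("IP Access Affinity")
    return failed
```

The point worth noticing is the fail-closed corner: with either option set to YES, a non-Administrator in a group whose list is empty is rejected, because an empty allow-list under forced validation matches nothing. That is the behaviour to verify before turning the options on in an environment where some groups have never had the fields populated.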
Delete a user group
An administrative user can delete a user group by right-clicking on the group in the Navigation View and selecting Delete.
Entity groups
Entity groups let you set permissions for groups of entities. Any entities in the group will inherit the user and group permissions set on the entity group.
For example, an entity group can contain several entities. The three entities in the example entity group inherit the permissions set on the entity group: the fxeval user has Read permission on all three entities and the DeltaMonUsers group has Read/Write permission on them.
KX Control installs with some Entity Groups already defined.
Entity group | Info |
---|---|
ActionTracker | Contains entities related to the operation of action tracker processes. The ActionTrackerUsers group has permission on this entity group |
CxLogin | This entity group is used internally to allow users permission to connect to the KX Control process. Giving a user permission to this entity group will allow them to open a handle to the Control process. |
To see the details of an entity group, double-click its name listed in the Navigation Panel. The Entity Group Editor will open.
Create an entity group
Set up further entity groups to contain other subsets of entities. A group can include entities of different types.
From the top menu, pick File > New > Entity Group. Name it and assign a package if required. The Entity Group Editor will open.
Entity group editor
The editor has three tabs.
tab | description |
---|---|
Member Entities | Assign entities (Process, Analytic, Schema) to a group |
User and Group Permissions | Grant users and/or user groups access to the group |
Revision History | See the revision history of the group |
Delete an entity group
An Administrative user can delete an entity group:
Select the group from the Navigation View, right-click it, and pick Delete from the context menu.
Set entity permissions
Entities can be permissioned individually, as part of an Entity Group, or through the User and User Group editors.
Available permission levels are:
level | description |
---|---|
Read/Write | Allow read and write access to the entity |
Read | Allow read access to the entity |
Read/Deny Write | Allow read access to the entity and deny write (see clarification below) |
Deny All | Deny all access to the entity |
Deny overrides Grant
As a general rule, Deny overrides Grant. If you grant a User Group Read/Write access to an entity but give one of the group’s members Read/Deny Write access, that member will have only read access to the entity.
Setting via entity
Below, Read/Write permission to the schema DxFiles has been given to the Administrator user and the ActionTrackerUsers user group, but only Read permission to the BSU user group.
Multiple items can be selected and the permissions changed for all selected items instead of performing actions on individual items.
Setting via user or user group
Below, the user group BSU has been granted Read/Write permission to several entities and Read access to others. This view is useful for working on the permissions of a specific user or user group.
Import entity permissions
Each package has a dedicated <packageName>_permissions.xml file for recording entity permissions. If one user's permission on an entity is defined in multiple locations, the settings are cumulated. For instance, if one package allows select permission and another one allows update, then importing these two packages grants a Read/Write access level in the Delta Control UI. If a third package denies update, then the cumulation of the three packages results in a Read/Deny Write access level.
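The Deny overrides Grant rule above and the cumulation of imported package permissions are the same resolution step, and the warning that follows is a direct consequence of it. The added Python example below (not KX Control code) models that step: the <packageName>_permissions.xml schema is not reproduced, so imported entries are constructed (package, entity, principal, action, grant|deny) tuples; the mapping of select to Read and update to Write follows the text; the names DxFiles and fxeval are reused from this page as sample values.

```python
from collections import defaultdict

# Permission actions as used in the text: "select" corresponds to Read, "update" to Write.
GRANT, DENY = "grant", "deny"

# How each UI level decomposes into granted and denied actions.
LEVEL_TO_ACTIONS = {
    "Read/Write": ({"select", "update"}, set()),
    "Read": ({"select"}, set()),
    "Read/Deny Write": ({"select"}, {"update"}),
    "Deny All": (set(), {"select", "update"}),
}

# Constructed sample entries; the real <packageName>_permissions.xml layout is not shown here.
SAMPLE_ENTRIES = [
    ("pkgA", "DxFiles", "fxeval", "select", GRANT),
    ("pkgB", "DxFiles", "fxeval", "update", GRANT),
    ("pkgC", "DxFiles", "fxeval", "update", DENY),
]


def level_from_actions(granted: set, denied: set):
    """Map a combined set of grants and denies to a UI level; Deny overrides Grant."""
    if "select" in denied:
        return "Deny All"
    if "select" not in granted:
        return None                  # nothing recorded: no access
    if "update" in denied:
        return "Read/Deny Write"
    if "update" in granted:
        return "Read/Write"
    return "Read"


def resolve_imports(entries):
    """Cumulate per-package entries into a level per (entity, principal).

    Grants and denies only ever accumulate, which is why importing more
    packages can add permissions but never revoke one that already exists.
    """
    state = defaultdict(lambda: {GRANT: set(), DENY: set()})
    for _package, entity, principal, action, kind in entries:
        state[(entity, principal)][kind].add(action)
    return {key: level_from_actions(s[GRANT], s[DENY]) for key, s in state.items()}


def effective_level(user_level, group_levels):
    """Combine a user's own level with the levels inherited from their User Groups."""
    granted, denied = set(), set()
    for level in [user_level, *group_levels]:
        if level is not None:
            g, d = LEVEL_TO_ACTIONS[level]
            granted |= g
            denied |= d
    return level_from_actions(granted, denied)
```

Running resolve_imports over the first two sample entries yields Read/Write and over all three yields Read/Deny Write, matching the worked case in the text; effective_level("Read/Deny Write", ["Read/Write"]) reproduces the Deny overrides Grant example, leaving the member with read access only. When auditing an environment, the useful check is to diff the resolved levels before and after a package import: the only permitted changes are additions, so any expected removal has to be done in the entity panel.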
Warning
You cannot revoke existing Access or Deny permissions by importing packages in the Delta Control UI. To revoke permissions, you can use the entity panel in the Delta Control UI, or delete and reimport an entity to reset its permissions.