iteraplan provides a system of access control with which permissions can be defined and restricted by using roles.
Assignment of roles to users
The assignment of roles to users is not managed in iteraplan! Your organisation's identity management system takes care of this.
However, for a quick start you may use iTURM for managing role assignments, a very simple user and role management application that comes with iteraplan.
There are three different types of permissions handled via roles:
- Functional permissions
- Building Block Type-specific permissions
- Read and write permissions for attribute groups
When you select a role on the Roles and Permissions page, the effective permissions of that role are shown. A role in the iteraplan permission system can pass its settings on to another role; it is then called a subordinate role. The access rights resulting from this hierarchical role structure are displayed as blue checkboxes.
The assignment of roles to users is not done in iteraplan. Use your company's identity management system, typically an LDAP directory service, or iTurm. The following picture shows how users and roles are related in iteraplan and iTurm.
The labels outside the boxes are database table names in iTurm, given just for reference.
Key points of iteraplan and Identity Management (like iTurm or LDAP)
- The role names in iteraplan must exactly match the role/group names in your identity management system (iTurm or LDAP). This means the names must be identical, including case.
- In the identity management system roles (LDAP: groups) are used to map users to roles.
- In iteraplan roles are used to assign specific permissions to a user.
- If a user is in multiple LDAP groups and these groups match roles in iteraplan, all of the matching roles are effective for that user: the resulting rights are the combination of all matching roles.
- Users should be created in the identity management system. Passwords are also stored in, and checked against, the identity management system.
- When a user logs into iteraplan for the first time, the necessary iteraplan user entry is created (LDAP: and/or updated) automatically.
- The only static and unmodifiable role is "iteraplan_Supervisor", the iteraplan superuser role. Users with this role assigned (directly or via the role hierarchy) have all privileges in iteraplan, independent of the configuration in the role entry.
- Any superordinate role is "composed" of its subordinate roles and inherits all their privileges. You can create your own superuser role in iteraplan by configuring "iteraplan_Supervisor" as a subordinate role.
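The following Python model is an added illustration of the rules above (case-sensitive name matching, combination of all matching roles, inheritance from subordinate roles, and the supervisor override); it is not iteraplan or iTurm code, and the role and permission names it uses are constructed samples.

```python
"""Model of the role-matching rules described above (illustration, not iteraplan code)."""
from typing import Dict, Iterable, Optional, Set, Tuple

SUPERVISOR = "iteraplan_Supervisor"  # the only fixed, unmodifiable role

# Constructed sample roles: each has its own permissions and the roles it is composed of.
# Permission names are made up for the illustration; they are not iteraplan identifiers.
ROLES: Dict[str, dict] = {
    SUPERVISOR:        {"permissions": set(), "subordinates": set()},
    "Architects":      {"permissions": {"read:BusinessProcess", "write:BusinessProcess"},
                        "subordinates": set()},
    "Readers":         {"permissions": {"read:BusinessProcess", "read:InformationSystem"},
                        "subordinates": set()},
    "Lead_Architects": {"permissions": {"write:InformationSystem"},
                        "subordinates": {"Architects"}},   # inherits Architects' rights
    "Company_Admins":  {"permissions": set(),
                        "subordinates": {SUPERVISOR}},     # a self-made superuser role
}
# Everything a supervisor gets, including rights no ordinary role grants here.
ALL_PERMISSIONS: Set[str] = {
    "read:BusinessProcess", "write:BusinessProcess",
    "read:InformationSystem", "write:InformationSystem",
    "functional:ConfigureRoles",
}

def expand_role(role: str, roles: Dict[str, dict], seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the role plus every subordinate role it is composed of, transitively."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:   # 'seen' also guards against cycles
        return seen
    seen.add(role)
    for sub in roles[role]["subordinates"]:
        expand_role(sub, roles, seen)
    return seen

def effective_permissions(ldap_groups: Iterable[str], roles: Dict[str, dict] = ROLES,
                          all_perms: Set[str] = ALL_PERMISSIONS) -> Tuple[Set[str], Set[str]]:
    """Combine the rights of every iteraplan role whose name exactly matches an LDAP group."""
    active: Set[str] = set()
    for group in ldap_groups:
        if group in roles:   # case-sensitive: "readers" does not activate "Readers"
            expand_role(group, roles, active)
    # Supervisor (direct or inherited) overrides whatever the role entries configure.
    if SUPERVISOR in active:
        return set(all_perms), active
    perms: Set[str] = set()
    for role in active:
        perms |= roles[role]["permissions"]
    return perms, active
```

The function returns both the combined permissions and the set of roles that became active, which is the information an administrator would check when a user unexpectedly has (or lacks) a right.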