Provide secure storage password
Enter here the Master password that $ProductAbbrevName uses to encrypt its secure storage (e.g., for database passwords). This is an alternative to storing the Master password in plain text in the server's web.xml file.
Rights (group) management is the basic access control subsystem for a few items in EDG:
- Changing “Any_Role (all users) are administrators” to a specified tomcat role having administrator rights.
- Selecting the security role(s) that can create new asset collections by checking the Create box for that tomcat role.
- Making selected graphs OTHER THAN EDG asset collections publicly readable. This option is typically applied to files uploaded from TBC to the server.
This page DOES NOT control the read/write access for any asset collections created in EDG.
Rights management consists of two kinds of activities:
- defining rights groups, and
- assigning user security roles to various rights groups.
Each rights group represents specific access rights (i.e., Create, Read, Update, Delete and Execute) on the group's selected workspace resources (or their generic "wildcard" types). For example, a file can be specified with CRUD access, whereas a SPARQLMotion script should have CRUD+E, and an exposed web service should only have E access. Users are then assigned to rights groups according to their security roles.
Prerequisite: Users' Security Roles
The users' side of rights management consists of knowing their security roles, which are configured during $ProductAbbrevName's installation and initial setup. A user security role must:
- be defined in a Tomcat/Realm, such as LDAP or
- it must appear in the permitted security roles setup of the TopBraid (which define entries for security-constraint tags in the application’s web.xml).
See Server Installation and Integration for details.
$ProductAbbrevName also has one special, pre-defined (pseudo-) security role: ANY_ROLE, which automatically represents every user. This role can be used to assign access rights universally.
Defining Rights Groups
$ProductAbbrevName has a special, pre-defined rights group: AdministratorGroup, which conveys full access to all $ProductAbbrevName resources (including asset collections in EDG).
The AdministratorGroup must always be assigned to at least one users security role that has at least one accessible login.
On initial $ProductAbbrevName installation, the AdministratorGroup is assigned to ANY_ROLE. This assignment should be moved to one or more proper security roles as part of the initial application setup (by first assigning the AdministratorGroup to a proper role, then deleting it from ANY_ROLE).
Defining new groups
To define a new rights group: select an existing role > click Add Group > choose the –New Group– option > enter a name for the new group > click Create Group.
Rights groups cover one or more resources in the $ProductAbbrevName's workspace, including projects (directories/folders) and various types of files. The selected group's workspace resources are listed in the Resource Rights section. Resources can be added or deleted, and each resource's access rights can be enabled or disabled. To add particular workspace resources, click the Add Resources button. To add generic resource types, click the Add Wildcard button. The defined ANY_ resource types are as follows.
- ANY_RESOURCE: Any resource defined by TopBraid.
- ANY_SDB_RESOURCE: Any SDB data connector (.sdb file).
- ANY_TDB_RESOURCE: Any TDB data connector (.tdb file).
- ANY_GRAPH_RESOURCE: Any named graph in the TopBraid workspace. This is a superset of ANY_SDB_RESOURCE and ANY_TDB_RESOURCE.
- ANY_FOLDER_RESOURCE: Any folder in the TopBraid workspace.
- ANY_FILE_RESOURCE: Any file that is not a graph, such a text, Excel, XML, etc.
- ANY_PROJECT_RESOURCE: Any project in the TopBraid workspace. This differs from the PROJECT resource type in that this refers to all Eclipse/Equinox project in the workspace.
Then for each resource item, select which specific CRUD+E access rights are enabled or disabled for the group. The access types are as follows:
- Create: Group members can create new resources.
- Read: Group members can read resources.
- Update: Group members can update/modify resources.
- Delete: Group members can delete resources.
- Execute: Group members can execute server-side scripts.
When you want to 'remove' a group from a particular role – use the X icon next to the group name.
When you want to 'delete' a group completely – use the trashcan icon. (note that this will remove the group from all roles that were associated with it.
Project names should contain no spaces - if they do, you will get an error trying to expand them. Please correct the source Project name and re-upload it with no spaces.
Users with privileges to view the Password Management page can add, delete, or edit the password entry in the secure storage. The "Add Password" button lets users add the password, and when the entry is selected, the user then can change the password for that entry or click the x to delete that entry.
The Password Management page manages the contents of Equinox secure storage, which defines an encrypted file indexed by a URL and user id and storing a password encrypted by the secure storage password and the key. This means in particular that if the user id or URL changes for a given entry, the password must be re-entered using this page or any other sources for secure storage entries.
There are two sources for secure storage passwords:
- Checking the "Send necessary connection credentials" in TopBraid Composer's Export > Deploy project to TopBraid Live Server. This sends the contents of the Composer user's local secure storage to the server's secure storage. This is necessary when one is deploying a project from the IDE (Composer) that may contain passwords for connector files, SPARQLMotion scripts, etc. Note that to transfer the data form Composer's secure storage to the server's secure storage requires unencrypting Composer's secure storage and sending the content in plain text. For full security, use https when performing a deploy that includes "Send necessary connection credentials",
- Using this page.