
Access Manager: Hands-On
- Ayan B.
Agenda
• Hands-on Exercise 1: Exercise for User/Role/Group under 1 Site
  • Pre-requisite Data Understanding
  • Problem Statement
  • Execution

• Hands-on Exercise 2: Multisite exercise
  • Pre-requisite Data Understanding
  • Problem Statement
  • Execution

2012 by AyanB 2
Hands-on Exercise 1: Pre-requisite
Group Based Access
• Engineering group users cannot have read access to data owned by sales group
• Engineering group users can have read access to data owned by product definition group
• Sales group can have read access to data owned by engineering group & product definition group
• Sales group cannot have write access to data owned by engineering group & product definition group
• Product definition group can have read and write access to engineering group
• Product definition group can have read access to sales group

Role Based Access
• Shop floor guy can only have read access to designer data
• Shop floor guy cannot have write access to designer data
• Designer can have read and write privilege to shop floor data
• Functional architect can have read access to product manager’s data
• Functional architect can have read and write access to technical architect’s data
• Product manager can have read and write access to both technical architect and functional architect’s data
• Technical architect can have read access to product manager’s data
• Technical architect can have read access to functional architect’s data
• After sales guys cannot have read access to pre-sales data
• Core sales guys cannot have write privilege to data owned by pre-sales team

Hands-on Exercise 1: Pre-requisite
User Based Access
• Ajay cannot have read access to data owned by sales and product definition group
• Sumi cannot have read access to data owned by Ajay
• Suraj can have write privilege to data owned by pre-sales team
• Suraj cannot have read access to data owned by core sales team
• Shivaji can have write access to data owned by designer role

Hands-on Exercise 1: Problem Statement
Question 1: Can Ajay read the data owned by Suraj?

Question 2: Can Sumi read Ajay (as technical architect)’s data?

Question 3: Can Rajeev (as shop floor guy) modify his own data created as designer?

Question 4: Can Suraj view data owned by Aparna (as core sales member)?

Question 5: Can Suraj modify data owned by Aparna (as pre-sales member)?

Question 6: Can Aparna (as pre-sales member) modify data owned by herself in core sales?

Question 7: Can Aparna (as core sales member) modify data owned by herself in pre-sales?

Question 8: Can Raman access data owned by Aparna?

Question 9: Can Shivaji perform read and write access on data owned by Rajeev?

Question 10: Can Rohan access data owned by Aparna (as pre-sales member)?

Hands-on Exercise 1: Execution

Hands-on Exercise 2: Pre-requisite

Hands-on Exercise 2:

• Step 1: Make sure user accounts are defined for “Smith” and “John” at Site1

• Step 2: Make sure user accounts are defined for “Smith” and “John” at Site2

• Step 3: Go to the Access Manager application of Site1, where the OOTB product shows the rule tree below:
  Has Class(POM_object) -> System Object
    ...
    Has Class(POM_imc) -> Remote Import

• Step 4: Export the OOTB AM Rule Tree to a local file.

Note: This is a best practice so that if anything goes wrong, we can easily restore the original state.

Hands-on Exercise 2:

• Step 5: Select the “Has Class(POM_imc)” rule in rule tree

• Step 6: Remove the existing “Remote Import” ACL; select the Modify button to save

• Step 7: Add the following rule:
  Condition: Has Attribute
  Value: POM_imc:site_id=1234   # Site1’s site id

• Step 8: Create a new ACL for the above rule; Name it as “Site1_RemoteImport”

• Step 9: Verify that the rule tree now looks as below:
  Has Class(POM_object) -> System Object
    ...
    Has Class(POM_imc)
      Has Attribute(POM_imc:site_id=1234) -> Site1_RemoteImport

Hands-on Exercise 2:
• Step 10: Define the ACL definitions:

  Type of Accessor   ID of Accessor   ACLs
  User               Smith            Revoke: Import
  User               John             Revoke: Transfer In
  Site               Site2            Grant: Import, Transfer In
  World                               Grant: Import, Transfer In

Note: Leave all other ACL privileges blank except the above

• Step 11: Set the following Site preference in Site1:
  TC_check_remote_user_priv_from_sites=Site2

• Step 12: Save Access Manager and restart the tcserver of Site1; this brings the AM rule changes into effect

• Step 13: Launch the portal of Site2 and log in as “Smith”; perform “Remote Export” on some object
Verification: what is expected?
Fails with the message below:
Unable to export.
Details
Attempted function idsm_export_status at site 4321 on host 134.244.163.173.
For user “Smith", exporting user has no IMPORT privilege granted at the importing site.

Hands-on Exercise 2:
• Step 14: Launch the portal of Site2 and log in as “John”; perform “Remote Export Transfer Ownership” on some object
Verification: what is expected?
Fails with the message below:
Unable to export.
Details
Attempted function idsm_export_status at site 4321 on host 134.244.163.173.
For user “John", exporting user has no TRANSFER_IN privilege granted at the importing site.

• Step 15: Launch the portal of Site2 and log in as “John”; perform “Remote Export as Replica” on some object
Verification: what is expected?
Pass (“John” should be able to Export as Replica, but not Export Transferring Ownership)
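As an added illustration (not part of the original deck), the following Python model encodes the Step 10 ACL and resolves it the way the Step 13 to 15 verifications expect. The accessor precedence (User, then Site, then World) and the rule that a transfer-of-ownership export needs both IMPORT and TRANSFER_IN at the importing site are assumptions of this model, not statements from the deck.

```python
# Added example (not from the original deck): a small model of how the ACL
# defined in Step 10 resolves for a user exporting from a remote site.
# Accessor precedence (User before Site before World) is an assumption here.
from dataclasses import dataclass, field
from typing import Optional

PRECEDENCE = ("User", "Site", "World")  # most specific accessor first (assumed)

@dataclass
class AclEntry:
    accessor_type: str
    accessor_id: Optional[str]          # None for the World accessor
    grants: set = field(default_factory=set)
    revokes: set = field(default_factory=set)

# Step 10 table, transcribed: blank privileges are simply absent from both sets.
SITE1_REMOTE_IMPORT_ACL = [
    AclEntry("User", "Smith", revokes={"Import"}),
    AclEntry("User", "John", revokes={"Transfer In"}),
    AclEntry("Site", "Site2", grants={"Import", "Transfer In"}),
    AclEntry("World", None, grants={"Import", "Transfer In"}),
]

def has_privilege(acl, user, site, privilege):
    """First matching accessor (in precedence order) that decides the
    privilege wins; a matching entry that leaves it blank falls through."""
    for acc_type in PRECEDENCE:
        for entry in acl:
            if entry.accessor_type != acc_type:
                continue
            if acc_type == "User" and entry.accessor_id != user:
                continue
            if acc_type == "Site" and entry.accessor_id != site:
                continue
            if privilege in entry.revokes:
                return False
            if privilege in entry.grants:
                return True
    return False  # nothing granted it: deny by default

def remote_export_check(acl, user, site, transfer_ownership):
    """Check performed at the importing site (assumed): IMPORT is always
    required, TRANSFER_IN only when the export transfers ownership."""
    if not has_privilege(acl, user, site, "Import"):
        return "exporting user has no IMPORT privilege granted at the importing site"
    if transfer_ownership and not has_privilege(acl, user, site, "Transfer In"):
        return "exporting user has no TRANSFER_IN privilege granted at the importing site"
    return "ok"
```

Smith's user-level revoke overrides the Site2 grant, which is why Step 13 fails; John keeps IMPORT through the Site2 entry but loses TRANSFER_IN, which is why Step 14 fails and Step 15 passes.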

Q&A

Email
ayan_b23@yahoo.co.in
