All clients of ServiceOptimizer are authenticated before access is allowed to the system. The method of user authentication is as follows and applies to all ServiceScheduling Clients:
- The Username is compared with those stored in sp085_users.user_id; if the user does not exist the login is rejected.
- If the user exists then the field sp085_users.auth_type is used to determine further authentication. If this value is set to “LDAP” then the LDAP Server is requested to validate the supplied password. Any LDAP Server problems (Server down etc) result in an authentication failure. The success/failure of the LDAP authentication is returned to the user.
- If the sp085_users.auth_type field is set to anything other than “LDAP” (default “INTERNAL”), then the following method of authentication is invoked.
  - If the sp085_users.password is not NULL then a comparison is done and a result returned accordingly.
  - If the sp085_users.password field is NULL, then we proceed to client type authentication. The client type and password are validated against sp430_client_types.
  - If the appropriate sp430_client_types.password is NULL then the final authentication is to compare the supplied password with the password used for ServiceOptimizer connection to the Database.
Warning | ||
---|---|---|
| ||
N.B. It is not possible to use passwords that contain commas – this will result in a failed authentication. |
Note | ||
---|---|---|
| ||
It is possible to support different authentication methods for different users as the |
Note | ||
---|---|---|
| ||
Configuration of the LDAP Server is defined via the sp083_system_parameters |
Adding a new user
A list of users who can use ServiceManager and the Gantt is held in the ServiceScheduling database table sp085_users.
To create an entry for a new user, use ServiceManager or an appropriate script. Entries are required in both Database sp085_users and Database sp088_user_units, the latter to tell the system which units (BRU, DRU, FRU) the user is to have access to.
ServiceGANTT Access Controls
ServiceGANTT access control centres on the setting up of profiles. Each profile defines which operations can be performed. Each user is assigned to one of the available profiles (which define a set of permissions) and either a responsibility unit or a set of teams to which that set of permissions applies. Profiles are defined in the ServiceScheduling database tables Database sp214_application_permissions and Database sp084_user_profiles.
It is possible to change the permissions that apply to each profile, including the default permissions that they have to entities outside their home domain. The permissions described here are the default ones, and the ones which are probably the most sensible for most sites. ServicePower consultants might change these permissions as part of system set-up.
ServiceGANTT allows access to other ServiceScheduling Web applications if appropriately configured. This is done as follows:
Panel | ||
---|---|---|
| ||
To enable access to the interactive map a profile must have: - ‘M’ privilege for the operation - ‘M’ privilege for - ‘M’ privilege for
|
ServiceScheduling Passwords
Panel | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
By default, the Client Password is simply the part of the database connection string defined to be the password (and is database specific). However, this can be overridden by setting up the database table Database sp430_client_types, thus allowing you to set up a different password for each of the different client types. To enable individual users to each have their own distinct password, set up the Database sp085_users table appropriately. There is an entry here for each user, and the password field will initially be NULL. This means that the password required will default to the client type password as set up in Database sp430_client_types. To override this setting for individual users:
In summary, the password system for each client type acts as a hierarchy with each level defaulting to the value of the next level:
|
Tip | ||
---|---|---|
| ||
To enable all users of a given client type to use the same single password (other than the default), alter the value for the entry for that client type via SQL, e.g. for ServiceGantt the SQL would be |
Panel | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||
This means that all client types use the database schema password. |
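
The authentication order and password hierarchy described above, modelled as an added example (not ServiceOptimizer code) that lists which logins are decided by a shared client-type or database connection password. The client-type keys, the dictionary row shapes and the sample values are assumptions constructed for illustration.

```python
# Added example: a model of the documented fallback order, not vendor code.
# Sample rows are constructed; client-type keys and row shapes are assumptions.

def credential_source(user_id, client_type, users, client_types):
    """Name the secret that decides a login for this user / client-type pair."""
    user = users.get(user_id)
    if user is None:
        return "rejected"                 # not in sp085_users.user_id
    if user["auth_type"] == "LDAP":
        return "ldap"                     # LDAP errors count as failure
    if user["password"] is not None:
        return "user_password"            # sp085_users.password
    # Assumption: a client type with no row behaves like a NULL password.
    if client_types.get(client_type) is not None:
        return "client_type_password"     # sp430_client_types.password
    return "db_connection_password"       # last fallback in the hierarchy


def shared_secret_logins(users, client_types):
    """List (user, client type, source) where a shared secret decides login."""
    shared = {"client_type_password", "db_connection_password"}
    findings = []
    for user_id in sorted(users):
        for client_type in sorted(client_types):
            source = credential_source(user_id, client_type, users, client_types)
            if source in shared:
                findings.append((user_id, client_type, source))
    return findings


# Constructed sample data (None stands for SQL NULL; values are placeholders).
USERS = {
    "alice": {"auth_type": "LDAP", "password": None},
    "bob": {"auth_type": "INTERNAL", "password": "<bob-secret>"},
    "carol": {"auth_type": "INTERNAL", "password": None},
}
CLIENT_TYPES = {"GANTT": "<gantt-secret>", "MANAGER": None}

if __name__ == "__main__":
    for finding in shared_secret_logins(USERS, CLIENT_TYPES):
        print(*finding, sep="\t")
```

Rows reported with db_connection_password are the ones to review first, since those logins are decided by the password ServiceOptimizer uses to connect to the database.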
HP-UX
HP-UX can associate a group with a list of privileges, thus providing access to certain system capabilities for members of a particular group or groups. The privileges can be displayed with the "getprivgrp" command.
Implicitly, the super-user has ALL privileges. This allows some (slight) relaxing of UNIX's 'all or nothing' approach to distributing privileged capabilities. Privileged groups are an HP-UX-specific feature.
Note | ||
---|---|---|
| ||
Note that, by default, CHOWN is granted globally, but it is recommended that CHOWN be disabled globally! |
Warning |
---|
ServiceOptimizer must have the privilege RTSCHED (see "man 1M setprivgrp" for a list of available privileges). |
Info |
---|
RTSCHED can be granted globally to all users of the machine or to just a specific group or groups. To grant privileges, the file "/etc/privgroup" needs to be created or edited. To disable CHOWN globally and to grant RTSCHED globally, /etc/privgroup should contain the 2 lines:
|