Access Control

1. Available Access Control Modes

Several modes of access control can be used for each repository on the server:

2. Notices when configuring Access Control mode

2.1. Switching between different access control modes

When switching between different access control modes, the server must be restarted. Otherwise, the configuration update will not be taken into account.

3. User Profiles

3.1. Configuration

In Team for Capella, when using the User Profiles feature, usernames and access rights are stored in the repository (i.e., in the database). Note that when passwords are stored in the user profiles model (when LDAP is not used), they are not encrypted. That’s why the usernames management part of this feature must be considered as a simple identification feature.

If the server has been started with user profile, the Importer needs to have write access to the whole repository (including the user profiles model). See Resource permission pattern examples section.

If this recommendation is not followed, the Importer might not be able to correctly prepare the model (proxies and dangling references cleaning, …). This may lead to a failed import.

To use the User Profiles feature in T4C, you first need to install the associated Team for Capella User Profiles UI feature from the Team for Capella update site.

11. Access Control (User Profiles) installfeature

After restarting your T4C client, go to Preferences > General > Capabilities to enable the User Profiles capability.

11. Access Control (User Profiles) t4cuserprofilecapability

3.2. Connection to the User Profiles Model

You can connect to the user profiles model of a repository thanks to the dedicated wizard:

11. Access Control (User Profiles) html m694f30d9
11. Access Control (User Profiles) html 46cce3b9

The accounts created by default in the user profiles model are those defined in the administrators file. Refer to Server Configuration/User Profile Configuration

To be able to change the user profiles model, the Administrator account should be used.

Here is the default user profiles model with its table opened:

11. Access Control (User Profiles) html m5c196f1c

By default, the userprofile resource is hidden. To make it appear under the userprofile project, the EMF Resources filter must be deactivated via the Customize View…​ dialog.

11. Access Control (User Profiles) EMFResourceFilter

3.3. Default configuration for Team for Capella

When the server is configured with the User Profiles functionality, the following roles are automatically created:

11. Access Control (User Profiles) DefaultRoles

These defaults roles are required :

  • EXPORT_PROJECT_ROLE: is needed to be authorized to export projects. The pattern is only "/" because each project will be exported in the server in a new folder with the name of the project. For exporting projects, the permission to create elements at the root of the repository is therefore needed.

  • CREATE_AND_MODIFY_REPRESENTATION_ROLE: is needed to be authorized to create and modify representations, but only graphically. This will not allow semantic modifications. This role contains three resource permissions with the following pattern:

    • ".*\.srm", with the lazy loading each representation are placed in a .srm file. This allows loading only the displayed representations to improve performance.

    • ".*\.aird", this remains the main file aggregating all representations and viewpoints information. Even if the representations are placed in separate files, modifying a representation still updates little information in the .aird file, such as timestamps.

    • ".*/\.representations", with the lazy loading mode, each representation is placed in a folder ".representations" (hidden by default). A permission is therefore needed to create or delete representations in this folder.

  • MODIFY_REPRESENTATION_ROLE: is needed to be authorized to modify representations but only graphically. This will not allow semantic modifications.

    • The permissions are the same as the previous role, but without the permission on the ".representations" folder to avoid allowing creating and deleting representations.

  • MODIFY_SEMANTIC_ROLE: is needed to be allowed to modify semantic model elements.

    • The extension files of the semantic resources that are listed as resource permission are provided by the User Profile properties file (by default userprofile-config.properties) referenced by the CDO server configuration file (cdo-server.xml). In this properties file, these file extensions are associated to the "permissions.role.semantic.file.extensions" key and separated by ",".

Note that as user created as administrators (in the administrator properties file as presented in the previous part) have full access and do not need to be assigned to any role. Trying to assign roles to administrators will be prevented and a dialog will appear to explain that the administrators already have full access.

3.3.1. Representation Creation/Move Special Case

If the user has only a read only right on the semantic element, he cannot create/clone/move a representation on it. If trying, a pop-up will be displayed telling that it failed. More information in Locks and Updates on Diagrams

3.4. User Creation

To add a user:

11. Access Control (User Profiles) html m6b0d378a

And complete login information

11. Access Control (User Profiles) html m30ec6b0c

3.5. Role Creation and Association with Users

Use the dedicated tool to add a role:

11. Access Control (User Profiles) html m5756fda

A name can be given to the created role using the Properties view (attribute ID).

Once the new role is created, right-click on it to add resource permission.

11. Access Control (User Profiles) html m79a39eb6

Complete the textbox with path of authorized resource

11. Access Control (User Profiles) html 5c8a4a1b

Finally, associate users to a role in the Properties View of the role:

11. Access Control (User Profiles) html m6fdf650d
11. Access Control (User Profiles) html m297df12e

  • By default, users have read access to all resources.

  • Administrator has a write access on all resources you don’t have to assign write permissions for each project for him.

  • You can give write or read access to a resource, but empty permission is not supported.

  • A user can export a project to a repository only if he has write access on "/".

Inaccessible elements for a user have a gray padlock.

11. Access Control (User Profiles) html 3d478f86

3.6. Resource Permission Pattern Examples

Since only resource permissions are currently available, to define fine grain permissions on a model, it has to be cut into several fragments.

Here is an example project:

11. Access Control (User Profiles) html m5eb581bb

Write access to the whole repository (including the user profiles model)

.* or /.*

Write access to the whole TestModel project

/TestModel/.*

Write access to OA fragments of TestModel

/TestModel/fragments/OA.* or /TestModel/.*OA.*

Write access to OA and SA fragments of TestModel

/TestModel/fragments/(OA|SA).* or /TestModel/.*(OA|SA).*

Write access to the semantic part of TestModel

/TestModel/.*(capella|melodyfragment)

Write access to the representation part of TestModel (diagrams and tables)

/TestModel/.*(aird|airdfragment|srm)

Write access to TestModel but not its fragments

/TestModel/.*(aird|capella|srm) or /TestModel/[^/]*

When dealing with aird and airfragment files, remember to give the same rights to srm files (files used to store the representations data when the lazy loading is enabled, the lazy loading is enabled by default).

Note that the project name in a resource permission pattern must be the name coming from the server repository. This is not necessarily the same name as the locally imported project (e.g., if TestModel.team is the name of the locally imported project, putting TestModel.team in the permission pattern will not work).

3.7. Promote a User to Super User

At startup, there is only one superuser: Administrator.

A basic user can be promoted to super user. To do that:

  • Connect to the user profiles model,

  • Switch to the "Modeling" perspective:

    • Open the "Open Perspective" dialog by clicking on Window > Open Perspective > Other …

    • Select the "Modeling" perspective.

  • Select an account in the "Model Explorer":

11. Access Control (User Profiles) html 66d87fc9

  • Set the "Default Access Override" to WRITE:

11. Access Control (User Profiles) html 66e4f05b

  • Save.

3.8. Import/Export User Profiles Model

You have the possibility to import a user profiles model; this is the same mechanism as for a Capella project.

In Team for Capella, you need to enable the Sirius Collaborative Mode – Default UI > User Profiles capability to access the import/export User Profiles functionalities.

11. Access Control (User Profiles) collabuserprofilescapability

Then, you need to create a general project which will contain the imported User Profile model.

Import User Profiles model:

11. Access Control (User Profiles) html m23785d51
11. Access Control (User Profiles) html 5c2410f8
11. Access Control (User Profiles) html ImportUserProfiles

Enter a local URI starting with platform:/resource/

Example: platform:/resource/LocalUserProfilesProject/users.userprofile

To export, we can create a general project (or reuse the general project created earlier) and put a User Profile model into it, then right-click on the User Profile model and choose Export:

11. Access Control (User Profiles) html 7b890b8
11. Access Control (User Profiles) html m1cd6bf96

How to reuse the user profiles model

It is recommended that you back up your user profiles model (Refer to Server Administration/Team for Capella Scheduler/Import user profiles model).

  • You can reuse the user profiles model using the export wizard. You can export it to another repository of either the same server or another server

  • In case of DB crash, start your server in standard configuration (Refer to Server Configuration/Not Authenticated Configuration), with a clean database. That configuration will not initialize the user profile model. Then export the user profiles model to the CDO repository. Now you can restart the server with user profile; as the user profile model is found, it will not be reinitialized.

  • The user profile model can be reused from a Team for Capella version to another. It does not need to be migrated.

3.9. How to change user login/password

User login/password can be modified via the Update User Information contextual menu. This contextual menu can be accessed by right-clicking on the column corresponding to the user being modified. Note that this action is done only by right-clicking on one of the cells of the column, clicking elsewhere (e.g. on the column title) should be avoided.

11. Access Control (User Profiles) UpdateUserMenu

Once the User Update dialog appears, we can modify either user login or password.

11. Access Control (User Profiles) UpdateUserWizard

  • A user cannot modify its own login (the field is read-only).

  • If the server is using an external system for authentication (like LDAP), the password field will be hidden as it is not managed by the server.

3.10. Troubleshooting

3.10.1. Administrator Password Forgotten

If the administrator password has been forgotten, it will no more be possible to change the user profiles model or export a model to the server.

To give a new password to the Administrator account:

  • Stop the server,

  • Edit the cdo-server.xml file and comment the line <securityManager type="collab" realmPath="userprofile-config.properties"/>. This will deactivate the secured access,

  • Start the server,

  • Connect to the user profiles model (no password is required),

  • Change the Administrator’s password,

  • Stop the server,

  • Uncomment the securityManager line,

  • Start the server.

3.11. Known issues

Please notice the following known issues:

Re-connection to a user profiles model raises error