Enabling users and groups

After configuring your application server to authenticate the users, you enable users and groups in the Decision Center database.

Decision Center uses groups for security access to the different branches (decision services, releases, and activities), and fine-grained permissions on the different types of rule artifacts (see Security). To use this security and permissions feature, you create or import groups in the Decision Center database, and assign users to one or more of these groups.

Note: Users must first be able to authenticate. Make sure the users that you add to the Decision Center database are also available in the authentication registry that is defined by your application server.
You define the following groups and roles:
Groups
In Decision Center, you create groups to organize your users functionally. When you create a group or import a group through an LDAP connection, you map the group to a role, and then place users into the group. It is not possible to map a user to a role directly. By default, the standard role is rtsUser.
UI Roles
A role determines what portions of the Decision Center UI are available to a user. Decision Center has the following predefined roles:
Role: Description
Standard user (rtsUser): The standard Decision Center user. Provides basic use.
Configuration manager (rtsConfigManager): Has all the rights of the standard user, plus additional rights in the Business console to create and edit deployment configurations.
Administrator (rtsAdministrator): Has all the rights of the standard and configuration manager users, plus additional rights in the Business console:
  • Access the Administration tab to enable security and manage users.
  • Take on the role of any governance framework participant.

The following image shows how roles, groups, and users interact:

[Figure: Interaction between roles, groups, and users in Decision Center]

In the above diagram:
  • The bottom of the diagram shows the groups and users present in your user registry.
  • The middle of the diagram shows that all the users must be members of one or more Decision Center groups. You create these Decision Center groups manually or by importing them from an LDAP directory.
  • The top part of the diagram shows how you map each Decision Center group to one of the predefined roles.

Permission profiles

In Decision Center, security defines which groups have access to the different branches of a decision service (see Security using authentication and permissions).

With security implemented, you specify, for each Decision Center group that can access the branch, what permissions they have to view, create, update, and delete which types of artifacts.

In the Business console, you can assign one of the following simplified permission profiles to the different Decision Center groups:
None
Groups assigned this permission profile have access to the branch, but cannot see its content.
Read Only
Groups assigned this permission profile can view the contents of the branch, but cannot create, update, or delete content.
Full Authoring
Groups assigned this permission profile can view, create, update, or delete all content in the branch.
Custom (defined by REST API)
Groups are assigned custom permissions through the Decision Center REST API. Custom permissions cannot be applied to all the predefined roles (see Permission management).
Note: Permissions are computed when you log in, and are kept during the entire session. If permissions for a group change, or if an administrator adds a member to a group, you need to log out and log in again to view the changes.
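The rules on this page (users must exist in the authentication registry, every user belongs to at least one group, each group maps to a predefined role, and permissions are fixed at login) can be checked against exported user and group data. The following is an added example, not IBM code and not a Decision Center API; the input structures, user names, group names and timestamps are assumptions constructed for illustration.

```python
from datetime import datetime

# Predefined UI roles named on this page.
ROLES = {"rtsUser", "rtsConfigManager", "rtsAdministrator"}

def audit(registry_users, dc_users, dc_groups, sessions):
    """Return sorted (finding, user_or_group, detail) tuples.

    registry_users: names in the application server's authentication registry
    dc_users:       names added to the Decision Center database
    dc_groups:      {group: {"role": str, "members": set, "changed": datetime}}
    sessions:       {user: login time} for sessions that are still open
    (all four are hypothetical export formats, assumed for this example)
    """
    findings = set()
    grouped = set()
    for name, group in dc_groups.items():
        if group["role"] not in ROLES:
            findings.add(("unknown-role", name, group["role"]))
        for user in group["members"]:
            grouped.add(user)
            login = sessions.get(user)
            # Permissions are computed at login, so a session opened before
            # the group's last change still carries the old permissions.
            if login is not None and login < group["changed"]:
                findings.add(("stale-session", user, name))
            if group["role"] == "rtsAdministrator":
                findings.add(("review-admin", user, name))
    for user in dc_users - registry_users:
        findings.add(("cannot-authenticate", user, ""))
    for user in dc_users - grouped:
        findings.add(("no-group", user, ""))
    return sorted(findings)

# Constructed sample data (hypothetical names, groups and timestamps).
REGISTRY = {"alice", "bob", "carol"}
DC_USERS = {"alice", "bob", "carol", "dave"}
GROUPS = {
    "RuleAuthors": {"role": "rtsUser", "members": {"alice", "bob"},
                    "changed": datetime(2024, 5, 2, 9, 0)},
    "Admins": {"role": "rtsAdministrator", "members": {"bob"},
               "changed": datetime(2024, 5, 3, 14, 0)},
}
SESSIONS = {"alice": datetime(2024, 5, 2, 10, 0),
            "bob": datetime(2024, 5, 3, 8, 0)}

if __name__ == "__main__":
    for finding in audit(REGISTRY, DC_USERS, GROUPS, SESSIONS):
        print(finding)
```

In the sample data, bob was added to the administrator group after his session started, so the audit reports both a stale session and an administrator membership to review.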