User roles and groups

Configuring user access to Decision Center and Decision Server involves defining groups of users and mapping these groups to the predefined roles.

Roles

Decision Center has the following predefined roles, which are listed in increasing degree of rights:

Table 1. Decision Center user roles

| Role | Use |
| --- | --- |
| rtsUser | Regular Decision Center business user. |
| rtsConfigManager | All the rights of the regular user, plus can, for example, create and edit deployment configurations. |
| rtsAdministrator | All the rights of the regular and configuration manager users, plus can, for example, enforce security on decision services. |
| rtsInstaller | Needed to manage some Business console DBAdmin REST API endpoints. |

For more information, see Decision Center security.

Decision Server has the following predefined roles:

Table 2. Decision Server user roles

| Role | Use |
| --- | --- |
| resMonitors | Can monitor (read-only) decision services in the Rule Execution Server console. |
| resDeployers | In addition to monitoring rights, can, for example, deploy decision services. |
| resAdministrators | Full control in the Rule Execution Server console and on deployed resources. |
| resExecutors | Can run decision services. Must be used with another role if you want to be able to run decision services from the Rule Execution Server console. |

Authentication groups

Operational Decision Manager provides the following specific authentication groups for the predefined roles. Using the variables, you can define up to six groups with as many as six users per group.

Note: In the variables listed in the table, <number> can be an integer from 1 to 6.
Table 3. Operational Decision Manager authentication role mapping
Role Variable
rtsUser
  • User: odm.rtsUsers.user<number>
  • Group: odm.rtsUsers.group<number>
Note: <ALL_AUTHENTICATED_USERS> or rtsUsers (if odm_configuration.decisionCenter.disableAllAuthenticatedUser: true)
rtsConfigManager
  • User: odm.rtsConfigManagers.user<number>
  • Group: odm.rtsConfigManagers.group<number>
rtsAdministrator
  • User: odm.rtsAdministrators.user<number>
  • Group: odm.rtsAdministrators.group<number>
rtsInstaller
  • User: odm.rtsInstallers.user<number>
  • Group: odm.rtsInstallers.group<number>
resMonitors
  • User: odm.resMonitors.user<number>
  • Group: odm.resMonitors.group<number>
resDeployers
  • User: odm.resDeployers.user<number>
  • Group: odm.resDeployers.group<number>
resAdministrators
  • User: odm.resAdministrators.user<number>
  • Group: odm.resAdministrators.group<number>
resExecutors
  • User: odm.resExecutors.user<number>
  • Group: odm.resExecutors.group<number>

To log in to Decision Center or Decision Server, all users must be declared in your authentication registry (basic registry or LDAP directory) as members of a group that corresponds to their role, except for Decision Center business users. Business users are all authenticated with the rtsUser role directly, without the need for a group. For more information, see Synchronizing users and groups in Decision Center.
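The role mapping in Table 3 can be checked before it is applied. The following is an added example, not IBM code: it assumes the variables are supplied as `key = value` lines (the page does not state the file format), and the set of roles it singles out for membership review is the example's own choice.

```python
import re
from collections import defaultdict
# Role prefixes and the 1..6 index range come from Table 3 of the page.
ROLES = {"rtsUsers", "rtsConfigManagers", "rtsAdministrators", "rtsInstallers",
         "resMonitors", "resDeployers", "resAdministrators", "resExecutors"}
REVIEW = {"rtsAdministrators", "rtsInstallers", "resAdministrators"}  # example's choice
RES_CONSOLE = {"resMonitors", "resDeployers", "resAdministrators"}
KEY = re.compile(r"^odm\.(\w+)\.(user|group)(\d+)$")

def audit(text):
    """Check `key = value` lines (assumed format); return (findings, review)."""
    findings, seen, held = [], set(), defaultdict(set)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        m = KEY.match(key)
        if not sep or not m or m.group(1) not in ROLES:
            findings.append((n, "unknown variable"))
        elif not 1 <= int(m.group(3)) <= 6:
            findings.append((n, "index outside 1..6"))
        elif key in seen:
            findings.append((n, "variable defined twice"))
        elif not value:
            findings.append((n, "empty value"))
        else:
            seen.add(key)
            held[(m.group(2), value)].add(m.group(1))
    for (kind, name), roles in sorted(held.items()):
        # Table 2: resExecutors needs another role to run services from the console.
        if "resExecutors" in roles and not roles & RES_CONSOLE:
            findings.append((0, f"{kind} {name}: resExecutors without a console role"))
    review = {name: sorted(r & REVIEW) for (_, name), r in held.items() if r & REVIEW}
    return findings, review

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
odm.rtsAdministrators.user1 = alice
odm.resAdministrators.user1 = alice
odm.resExecutors.user1 = svc-batch
odm.resDeployers.group7 = release-team
odm.rtsAdmins.user1 = bob
odm.resMonitors.group1 = ops
odm.resMonitors.group1 = helpdesk
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Findings carry the source line number, or 0 for checks that apply to a principal rather than a line; the second return value lists who holds an administrative or installer role.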