Decision Center groups of users
After configuring your application server to authenticate the users, you enable users and groups in the Decision Center database.
Decision Center uses groups for security access to the different branches (decision services, releases, and activities) and fine-grained permissions on the different types of rule artifacts (see Decision Center security). To use this security and permissions feature, you create or import groups in the Decision Center database, and assign users to one or more of these groups.
- Decision Center Groups: You create in Decision Center as many groups as you need to organize your users functionally. When you create a group, or import a group using an LDAP connection, you must map the group to a role, and then place users in the groups. It is not possible to map a user to a role directly.
- UI Roles: A role determines what portions of the Decision Center UI are available to a user. Decision Center has the following predefined roles:
| Role | Description | Business console | Enterprise console |
|---|---|---|---|
| Standard user (rtsUser) | The standard Decision Center user. | Basic use. | Basic use. |
| Configuration manager (rtsConfigManager) | Has all the rights of the standard user, plus additional rights in the Business and Enterprise consoles. | Create and edit deployment configurations. | Manage RuleApps, servers, ruleset extractors, and other features described in Groups. |
| Administrator (rtsAdministrator) | Has all the rights of the standard and configuration manager users, plus additional rights in the Business and Enterprise consoles. | Access the Administration tab to enable security and manage users. Take on the role of any governance framework participant. | Set security. Administer the Decision Center database. Release locks. |
The following image shows how roles, groups, and users interact:
- The bottom of the diagram shows the groups and users present in your user registry.
- The middle of the diagram shows that all users must be members of one or more Decision Center groups. You create these Decision Center groups manually or by importing them from an LDAP directory.
- The top part of the diagram shows how you map each Decision Center group to one of the predefined roles.
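As an added example (not IBM code and not a Decision Center API), the following Python models the user, group, and role chain described above and audits it for least-privilege problems. The data layout, the group and user names, and the rule that the highest role among a user's groups is the effective one are assumptions made for this illustration.

```python
# Added illustration; the dict layouts are hypothetical, not a Decision Center export format.
ROLE_RANK = {"rtsUser": 0, "rtsConfigManager": 1, "rtsAdministrator": 2}

# Constructed sample data.
REGISTRY_USERS = {"alice", "bob", "carol", "dave"}
GROUP_ROLE = {            # each Decision Center group maps to one predefined role
    "RuleAuthors": "rtsUser",
    "Deployers": "rtsConfigManager",
    "DCAdmins": "rtsAdministrator",
    "Legacy": None,       # imported group that was never mapped to a role
}
GROUP_MEMBERS = {
    "RuleAuthors": {"alice", "bob"},
    "Deployers": {"bob"},
    "DCAdmins": {"carol"},
    "Legacy": {"alice"},
}

def effective_roles(group_role, group_members):
    """Return {user: highest role reached through any of the user's groups}.

    Assumption: rights accumulate across groups, so the highest-ranked role wins.
    """
    result = {}
    for group, members in group_members.items():
        role = group_role.get(group)
        if role is None:
            continue  # an unmapped group grants no UI role
        for user in members:
            current = result.get(user)
            if current is None or ROLE_RANK[role] > ROLE_RANK[current]:
                result[user] = role
    return result

def audit(registry_users, group_role, group_members, approved_admins):
    """Collect findings a least-privilege review would flag."""
    roles = effective_roles(group_role, group_members)
    return {
        "unmapped_groups": sorted(g for g, r in group_role.items() if r is None),
        "users_without_role": sorted(set(registry_users) - set(roles)),
        "unapproved_admins": sorted(
            u for u, r in roles.items()
            if r == "rtsAdministrator" and u not in approved_admins),
        "elevated": sorted(u for u, r in roles.items() if ROLE_RANK[r] >= 1),
    }

if __name__ == "__main__":
    for finding, names in audit(REGISTRY_USERS, GROUP_ROLE, GROUP_MEMBERS, {"erin"}).items():
        print(f"{finding}: {names}")
```

Because a role can only be reached through a group, reviewing who holds rtsAdministrator means reviewing the membership of every group mapped to it, not a per-user setting.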
Permission profiles
In Decision Center, security defines which groups have access to the different branches of a decision service (see Decision Center security).
With security implemented, you specify, for each Decision Center group that can access the branch, which permissions the group has to view, create, update, and delete each type of artifact. You do so by assigning the group one of the following permission profiles:
- None: Groups assigned this permission profile have access to the branch, but cannot see its content.
- Read Only: Groups assigned this permission profile can view the contents of the branch, but cannot create, update, or delete content.
- Full Authoring: Groups assigned this permission profile can view, create, update, or delete all content in the branch.
- Custom: Assigning this permission profile requires you to use the Enterprise console to manually create a permissions table for that group (see Permissions).
The permission profile that you assign in the Business console is automatically switched to Custom if you make changes to the permission table in the Enterprise console.