Difference between revisions of "UAM - User Access Management"
From All n One's bxp software Wixi
Revision as of 17:18, 1 February 2017
1 Overview
UAM, or User Access Management, is the process of controlling user access to resources through the application of company policies and guidelines. Every company has a different set of UAM controls. bxp provides a very detailed suite of capabilities to allow for tightly controlled UAM. The challenge is understanding which controls to use, and this wixi provides the background for that.
The concepts and security model of bxp are covered in CC-2-1_Security_and_Custom_Interface_configuration.
2 Basic Concepts
2.1 Basic concept - User types
The most basic concept in bxp is that of a user. A user has a status. The most common status is Live.
There are a number of possible user statuses.
2.2 Basic concept - Function Vs. Content
In bxp we separate function and content. See Function_Vs._Content.
If we map this to something more widely known, such as Active Directory, Function is as simple as specifying the type of access (Read, Read|Write, and so on), while Content control is "which folders can you perform these functions on".
Each module in bxp has a two digit code. These can be seen when you are renaming modules. See Module_Names.
Within each module, functionality is grouped into Sections. See Bxp_-_Logical_Structure.
Each Section has a four digit code, which is not readily visible in the system, but is available through the Security - Functional Access Matrix report. Security_-_Functional_Access_Matrix
Once a user can access the correct functions in a module, for example, read in eCourse, they must then be given access to the content, i.e. which books can they read? This is called Content Access and is also controlled from the System Access Management module.
In Main Menu > System Access Management >
- Functional access is controlled from the User Administration section
- Content access is controlled from the Security - Content Access section
2.3 Basic concept - Department, Role and Security Groups
Each user in the system can have a number of settings applied to their account at a security level.
Department is the primary mechanism for billing reporting. A user can only belong to one department at a time. See System_Access_Management_-_Departments.
Within the organisation you might have many Basic, or Agent, accounts. They can all belong to the Contact Centre department, which tells you little for security reporting. The next useful field is called Role. See System_Access_Management_-_Role.
All n One suggests for UAM that the role comprises two parts: Basic - Program 1, Basic - Program 2, etc. This allows security administrators to easily see not only the Functional access level (Basic) but also the Content level access (Program 1). Whilst this is only a guideline, it can make reporting and UAM significantly easier to control.
The third item belongs to the Organogram Security Groups. See Organogram_with_Group_Profiling. A user can belong to many security groups, as the focus of this engine is team reporting. For example, John works in Team A in the mornings and in Team B in the afternoon. It doesn't make sense to have to keep changing the one team John is in. Security Groups allow John to be in two teams at the same time.
3 UAM Setup
3.1 Creating functional template users
The first step in UAM is to define Roles. Basic, Team Lead or Manager, Reporter and Administrator are the four roles we most often see businesses apply to their UAM. These roles will also need "general" content titles.
Create a template user for each role, using ZZTemplate as the first name and the role name as the surname.
For each role, define the functional access its users have and apply it to the template user. Log in as each template user and verify that the functional access is correct for that type.
3.2 Applying content access to template users
For each of the template users, you can now grant them access to the specific forms, eCourses and other material they need to perform their jobs. This security change can be closely controlled and limited to users with System Access Management access only.
Log in as each of the template users to ensure they have the access they need to do their jobs.
3.3 Group user management
The next step of the process, for existing users or new users, is to copy permissions from the template user onto the new or edited user.
There are two mechanisms available.
3.3.1 Single User replace permissions
Where one user is being added, the easiest process to use is:
- Main Menu > System Access Management > User Administration > Edit User - Replace permissions >
- Select your new user
- Select the template user from the drop down list
- Ensure all permissions are replaced and not added.
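The two controls this section relies on, the "Functional - Content" role naming from 2.3 and the replace-not-add rule above, can both be audited from a user export. The following is an added example, not bxp's own code: it assumes a constructed export of users with first name, surname, role and a set of permission codes, with template users following the ZZTemplate convention; the permission codes are made-up stand-ins for bxp module and section codes.

```python
"""Audit bxp-style users against their ZZTemplate template users (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    first_name: str
    surname: str
    role: str
    permissions: frozenset  # constructed permission codes, not real bxp codes


def parse_role(role):
    """Split 'Basic - Program 1' into ('Basic', 'Program 1'); content is None if absent."""
    functional, sep, content = role.partition(" - ")
    return functional.strip(), (content.strip() if sep else None)


def template_index(users):
    """Map functional level -> template user (first name ZZTemplate, surname = role)."""
    return {u.surname: u for u in users if u.first_name == "ZZTemplate"}


def audit(users):
    """Return (user, finding) pairs for drift from the template model."""
    templates = template_index(users)
    findings = []
    for u in users:
        if u.first_name == "ZZTemplate":
            continue
        functional, content = parse_role(u.role)
        if content is None:
            findings.append((u, "role lacks a content title"))
        tpl = templates.get(functional)
        if tpl is None:
            findings.append((u, f"no template user for functional level {functional!r}"))
            continue
        extra = u.permissions - tpl.permissions      # added rather than replaced
        missing = tpl.permissions - u.permissions    # template not fully applied
        if extra:
            findings.append((u, f"permissions beyond template: {sorted(extra)}"))
        if missing:
            findings.append((u, f"missing template permissions: {sorted(missing)}"))
    return findings


# Constructed sample export for illustration.
SAMPLE = [
    User("ZZTemplate", "Basic", "Basic", frozenset({"EC:read", "FORM:read"})),
    User("ZZTemplate", "Manager", "Manager", frozenset({"EC:read", "EC:write", "FORM:read", "FORM:write"})),
    User("John", "Doe", "Basic - Program 1", frozenset({"EC:read", "FORM:read"})),
    User("Jane", "Roe", "Basic - Program 2", frozenset({"EC:read", "FORM:read", "SAM:admin"})),
    User("Old", "Account", "Basic", frozenset({"EC:read"})),
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user.first_name} {user.surname}: {finding}")
```

Run against a real export, a non-empty result means a user was edited with "add" instead of "replace", or was never rebuilt from the template after the role changed.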
3.3.2 Group User replace permissions
3.4 Summary
At this point you have template users, and all your users fit into "buckets", which makes access easier to control and audit in the system. Next we look at ongoing management of the system.
4 Ongoing Management
Now that we have performed the exercise of getting the system in hand, we next look to ensuring that UAM is consistently applied going forward.