
Access Control

Overview

In Continuum there are two mechanisms for access control - Roles and Tags:

  • Roles are used for enabling features and functions and allowing configuration changes.

  • Tags are used for controlling access to objects and data.

Roles

There are three Roles in Continuum. Every user is assigned exactly one Role.

  • Administrator - A User with the Administrator role has full access to every feature, function and setting. An Administrator is the only Role that can manage other User accounts and Tags.

  • Developer - A Developer can manage Tasks and Assets but cannot change system settings or security.

  • User - The User role has very limited access in the UI, and is primarily intended for access to Continuum UI.

Roles enable certain features. 'Tasks' and 'Assets' are Continuum objects. Roles also enable functions. The ability to create/edit/delete objects is a function.

Role permissions are broad stroke assignments. A User CANNOT create/edit/delete any objects. A Developer CAN create/edit/delete Tasks and Assets. An Administrator can do anything.

A User's Role can be changed by editing the User.

Tags

Continuum does not have a concept of individual user permissions. In Continuum, object 'permissions' are managed with Tags.

A Tag is simply a label defined by an Administrator. 'Objects' can be associated with one or more Tags.

What is an 'object'? An object is simply a data element that serves a purpose. Examples of objects are: Users, Tasks, Assets, Deployed Application, Pipelines and Manual Decision Gates.

How Tagging Works

Conceptually, tagging is quite simple - a User has access to any objects with which they share one or more Tags. Users can edit and even delete objects if they have sufficient Role privileges.

The Continuum security model is based on the principle that individual users don't often (and arguably shouldn't) have exclusive permissions. That's why everything is managed by Tags - so one or more users can be granted access to a group of objects.

Consider the following scenario:

  • John and Mark are two users with the Developer role. (Developers can edit and run Tasks.)

  • User John has a tag 'PeoplesoftAdmin'

  • User Mark has a tag 'OracleAdmin'

  • Task Backup Peoplesoft Logfiles has the 'PeoplesoftAdmin' tag

  • Task Rebuild Indexes has the 'OracleAdmin' tag

Since Tags control access to an object, John will see the Backup Peoplesoft Logfiles Task, but he cannot see the Rebuild Indexes Task.

Since John has the Developer Role, he will be able to edit, run, (and even delete!) the Tasks he can see via his Tag associations. However, even though John is a Developer, he cannot edit or run the Rebuild Indexes Task because he cannot see it.
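The scenario above can be modelled as two independent gates, Role then Tag. This is an added example, not Continuum code: the class and function names are hypothetical, and it assumes that an Administrator is not limited by Tags, that the User role is view-only, and that "run" is a Developer function.

```python
from dataclasses import dataclass, field

# Functions each Role enables on Tasks, following the Roles section.
# Assumption: the User role is view-only and "run" needs Developer or above.
ROLE_FUNCTIONS = {
    "Administrator": {"view", "edit", "run", "delete"},
    "Developer": {"view", "edit", "run", "delete"},
    "User": {"view"},
}

@dataclass
class Principal:
    name: str
    role: str
    tags: set = field(default_factory=set)

@dataclass
class Task:
    name: str
    tags: set = field(default_factory=set)

def can_see(user, obj):
    # Assumption: an Administrator's "full access" is not limited by Tags.
    if user.role == "Administrator":
        return True
    # Everyone else needs at least one Tag in common with the object.
    return bool(user.tags & obj.tags)

def is_allowed(user, action, obj):
    # Both gates must pass: the Role enables the function,
    # and the shared Tag exposes the object.
    if action not in ROLE_FUNCTIONS.get(user.role, set()):
        return False
    return can_see(user, obj)

def visible_tasks(user, tasks):
    return [t.name for t in tasks if can_see(user, t)]

# Constructed data mirroring the scenario on this page.
john = Principal("John", "Developer", {"PeoplesoftAdmin"})
mark = Principal("Mark", "Developer", {"OracleAdmin"})
viewer = Principal("Ann", "User", {"PeoplesoftAdmin"})  # hypothetical User-role account
backup = Task("Backup Peoplesoft Logfiles", {"PeoplesoftAdmin"})
rebuild = Task("Rebuild Indexes", {"OracleAdmin"})

if __name__ == "__main__":
    for who in (john, mark, viewer):
        print(who.name, visible_tasks(who, [backup, rebuild]))
    print("John may delete backup:", is_allowed(john, "delete", backup))
    print("John may run rebuild:", is_allowed(john, "run", rebuild))
```

Removing a Tag from either side of a pair is enough to revoke access, which is why a User's Tag list deserves the same review as the Role assignment.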

Tag Naming Conventions

Automate is an Automation Platform, and the security model follows this metaphor. Everything is designed around automation - the Developer Role exists solely to develop and manage the automation library.

Regarding Tag naming, it's best to select names based on the functional purpose of a thing, and not the traditional Users and Groups metaphor. For example, MySqlAdmins (plural) suggests the only purpose of the Tag is to contain MySql administrators. This is not the case, as Tasks and Assets will also carry this Tag. A better name would be MySqlAdmin (singular), which more appropriately groups all the objects, not just the Users.

When designing a security model for your purposes, selecting smart and intuitive Tag names is essential. Names such as JohnsStuff are restrictive and not reusable. Again, think in terms of the functional purpose of a group of many things, and create names like PeoplesoftDev.

Tag names are limited to 32 alphanumeric characters, and cannot contain spaces or special characters.

Tags have a description property which is very helpful in determining what the Tag actually means. Here are a couple of good examples:

  • MySqlAdmin - MySQL DBAs and Servers.

  • BillingOperations - People and things associated with the nightly billing operations.
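A periodic review of the Tag inventory can enforce the naming rule and catch Tags that sit on only one side of the user/object relationship. This is an added example, not part of Continuum: the function name, the input shapes and the sample data are constructed, and "alphanumeric" is assumed to mean ASCII letters and digits.

```python
import re

# Page rule: at most 32 alphanumeric characters, no spaces or special characters.
# Assumption: "alphanumeric" means ASCII letters and digits.
TAG_NAME = re.compile(r"[A-Za-z0-9]{1,32}")

def audit_tags(tags, user_tags, object_tags):
    """tags: {name: description}; user_tags / object_tags: {owner: set of tag names}."""
    on_users = set().union(*user_tags.values())
    on_objects = set().union(*object_tags.values())
    findings = []
    for name, description in sorted(tags.items()):
        if not TAG_NAME.fullmatch(name):
            findings.append((name, "invalid name"))
        if not description.strip():
            findings.append((name, "missing description"))
        # A Tag only grants access when a user and an object both carry it.
        if name in on_users and name not in on_objects:
            findings.append((name, "on users only: grants access to nothing"))
        if name in on_objects and name not in on_users:
            findings.append((name, "on objects only: no user shares this Tag"))
    return findings

# Constructed inventory; owners and the last two task names are hypothetical.
TAGS = {
    "MySqlAdmin": "MySQL DBAs and Servers.",
    "BillingOperations": "People and things associated with the nightly billing operations.",
    "OracleAdmin": "Oracle servers and Tasks for managing them.",
    "Johns Stuff": "",
}
USER_TAGS = {"John": {"MySqlAdmin", "OracleAdmin"}}
OBJECT_TAGS = {
    "Backup MySql Databases": {"MySqlAdmin"},
    "Nightly Invoice Run": {"BillingOperations"},
}

if __name__ == "__main__":
    for name, problem in audit_tags(TAGS, USER_TAGS, OBJECT_TAGS):
        print(f"{name}: {problem}")
```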

Creating a Tag

Tags can be created by an Administrator in the UI, via the API or command line tools.

From the UI:

Select Administration from the right menu, then Tags from the top menu.

Command Line:

ctm-create-tag -nOracleAdmin -d"Oracle servers and Tasks for managing them."

Associating Objects with Tags

The following objects can be associated with Tags: Users, Tasks and Assets.

All Continuum tools can make use of Tags.

User

To associate a User with one or more Tags, select Administration from the right menu, then Users from the top menu. Select a User from the list. Click the Groups (Tags) tab to see this User's Tags.

Click the Add button to add a new Tag.


Click the x on any existing Tags to remove it from the User.

Task

To associate a Task with one or more Tags, select Automate from the left menu, then Tasks -> Manage Tasks from the top menu. Select a Task from the list. Click the Tags tab to see the Tags associated with this Task.

Click the Add button to add a new Tag.

Click the x on any existing Tags to remove it from the Task.

Asset

Adding a Tag to an Asset is just like adding a Tag to a User. Select Automate from the left menu, then Tasks -> Manage Assets from the top menu. Select an Asset from the list and click the Tags tab. Click the Add button to add a new Tag. Click the x on any existing Tags to remove it from the Asset.
