T. Rowe Price would like to develop a common access control profile per user group. User groups are defined (loosely) as Administrators, Power Users and Read Only Users for example. Adding a license to the Administrators access group is relatively simple as that license has full access to all directories on the FSU. The other two access groups are harder to maintain due to the strict definitions required for appropriate set up of access by dataset. An administrator must create multiple read only and power user groups by dataset which makes maintenance difficult and needlessly creates a very large access control configuration file.
In order to streamline the access control groups and create standardized access rules by the appropriate user group, we would like to be able to use the internal variables such as %Source Profile% to facilitate this. (%Source Profile% is used by the Field Viewer visualization)
Take for example:
The below two entries provide a power user with appropriate access to the DB1 and DB2 datasets, their own user folder and two specific files (log processing.cfg and transformation.cfg) to permit them to change dates and/or kick off re-transformation processes (mainly for dev/qual testing).
0 = AccessGroup:
Members = vector: 1 items
0 = string: CN: Workstation10
Name = string: DB1 Power Users
Read-Only Access = vector: 5 items
0 = string: /Profiles/
1 = string: /Status/
2 = string: /Software/
3 = string: /Addresses/
4 = string: /Users/$
Read-Write Access = vector: 3 items
0 = string: /Profiles/DB1/Dataset/Log Processing.cfg
1 = string: /Profiles/DB1/Dataset/Transformation.cfg
2 = string: /Users/%CN%/
1 = AccessGroup:
Members = vector: 1 items
0 = string: CN: Workstation10
Name = string: DB2 Power Users
Read-Only Access = vector: 5 items
0 = string: /Profiles/
1 = string: /Status/
2 = string: /Software/
3 = string: /Addresses/
4 = string: /Users/$
Read-Write Access = vector: 3 items
0 = string: /Profiles/DB2/Dataset/Log Processing.cfg
1 = string: /Profiles/DB2/Dataset/Transformation.cfg
2 = string: /Users/%CN%/
These two items could be collapsed into one if we could use internal dataset variables. See example below:
This one entry in access control would promote the consistent definition for access for power users, irregardless of dataset (thanks to using the %Source Profile% variable).
0 = AccessGroup:
Members = vector: 1 items
0 = string: CN: Workstation10
Name = string: Power Users
Read-Only Access = vector: 5 items
0 = string: /Profiles/
1 = string: /Status/
2 = string: /Software/
3 = string: /Addresses/
4 = string: /Users/$
Read-Write Access = vector: 3 items
0 = string: /Profiles/%Source Profile%/Dataset/Log Processing.cfg
1 = string: /Profiles/%Source Profile%/Dataset/Transformation.cfg
2 = string: /Users/%CN%/
As our user base is growing, we are finding the need to create multiple profiles and access control groups to meet business needs while protecting the stability of the environment. Having over 25+ dataset profiles in our production environment, you easily see how access control.cfg will grow to over 50+ or more entries to facilitate this activity. While doable (as we have implemented some of this already), there can be a better way.
