
Using the Security Administration Manager

The left-hand panel of the Security Administration Manager (the security object hierarchy) shows the securable objects that have been loaded into the Security Administration Manager. The right-hand panel shows details of the object selected in the hierarchy. See The Security Administration Manager.


Object Hierarchy

The security object hierarchy shows the securable objects that have been loaded into the Security Administration Manager.

If the Security Administration Manager is launched from an instantiated object, the security object hierarchy will be automatically populated with objects, interfaces, and methods. If these objects are then assigned security access entries, they will be added to persistent storage.

When the Security Administration Manager is launched from a Service node, the security object hierarchy is empty. To populate it with entries from persistent storage, right-click on the root node and use one of the pop-up menu options, described below.

Different objects in the Security Administration Manager are identified by different icons in the security object hierarchy tree view.

Security Object Icons

Root Node
    The object hierarchy root node.

Object
    Represents a CORBA object or Java object. When this node is selected, security access information for the object is shown in the right-hand panel.

    When this node is expanded, all methods applicable to the object are shown. Methods inherited from any operations type class are also shown.

Type
    Represents an object's operations type class, to allow security access controls to be set against either the object or the type.

Method
    Represents a method, which is the lowest level at which security access controls can be set. When this node is selected, security access information for the method is shown in the right-hand panel.

Security Hierarchy Options

The following options are used to populate the security object hierarchy. These options are accessed by right-clicking on the root node of the security object hierarchy.

This option retrieves the first 100 entries in the XML file. For performance reasons, the number of entries displayed at any one time is limited to 100.

This option is enabled after the Get First 100 Security Access Entries option has been used. This option retrieves the next 100 security access entries from the XML file. The previous 100 entries are removed from the hierarchy, so that a maximum of 100 entries are displayed at one time.

This option allows a single interface to be loaded from persistent storage. Enter an interface name in the dialog box displayed when this option is selected. If an entry exists in persistent storage for the object, or a method or interface relating to the object, the details are retrieved and added to the security object hierarchy.

This option allows a new security access entry to be added for an interface. Enter an interface name in the dialog box displayed when this option is selected. If an entry exists in persistent storage for the object, or a method or interface relating to the object, the details are retrieved and added to the security object hierarchy. If it does not exist, the details will be added to the security object hierarchy and a persistent storage entry will be created if Principals are added and saved.

Excluding Methods from the Object Hierarchy

In some circumstances, it is only possible to secure an object at the object level, not at the method level. In this situation, it is useful to exclude the object's methods from the object hierarchy. See Excluding Methods from the Security Manager for details.

Tool Bar Buttons

The Security Administration Manager adds a new button to the tool bar.

Security Administration Manager Tool Bar

Save Changes to Security Access Entries
    Saves security access entries to XML files for persistent storage.

Principals Panel

The Principals panel controls security access for the object, interface, or method selected in the security hierarchy. It consists of two sections: Add new principals and Access Entry Details.

The Access Entry Details list box lists all Principals who have been granted access to the class or method. The Add new principals list box lists all Principals that are available for adding to a class or method. This list is built dynamically as each node is selected. It is not a definitive list of all known Principals.


Operations

The following operations can be performed from the Principals panel of the Security Administration Manager:

These operations are described in the following sections.

Add a New Principal

  1. In the security object hierarchy, select the class or method that the Principal will be added to.
  2. Enter the Principal name in the text box under Add new principals.
  3. Click the Add button. The Principal will be added to the Access Entry Details list.
  4. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

A Principal must be added to a specific class or method. It is not possible to add a Principal to the list of Principals without also assigning it to a class or method.

A new Principal will be added to persistent storage with the ACL entry for the object, interface, or method it is added to.

Assign a Principal to a Class or Method

Once a Principal has been added to one class or method, it is available to add to other classes and methods.

  1. Select the class or method from the security object hierarchy.
  2. Click the Principal name in the list of Principals. Use Shift+click to select a range of Principals, or Ctrl+click to select a non-contiguous range.
  3. Click the Add button. The Principal will be added to the selected class or method.
  4. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

Add and Inherit

Principals applied to an object or interface are not automatically applied to every method of that object or interface. The following procedure should be used to cause a method to inherit its parent's security Principals.

  1. Select a method from the security object hierarchy.
  2. Click the Add and Inherit button. (This button is not enabled until a method is selected in the security object hierarchy.)
  3. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

Remove a Principal from a Class or Method

  1. Select the class or method from the security object hierarchy.
  2. Click the Principal name in the Access Entry Details list. Use Shift+click to select a range of Principals, or Ctrl+click to select a non-contiguous range.
  3. Click the Remove Selected button.
  4. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

Note that when a Principal has been removed from all classes and methods and the changes saved, it is no longer held in persistent storage. It remains in the Principals list until the Security Administration Manager is shut down.

Remove All Principals from a Class or Method

There are two ways in which all Principals can be removed from a class or method. The results of the two procedures are significantly different because of how empty ACLs are treated. See ACLs for more details of this.

Remove Principals and deny all access

This will leave the class or method's ACL with no Principals recorded against it. This has the effect of denying all access to the class (if Principals are removed at the class level) or method (if Principals are removed at the method level).

  1. Select the class or method from the security object hierarchy.
  2. Click the Remove All button.
  3. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

Remove Principals and allow free access

This will remove the class or method's ACL. This has the effect of removing all security from the class (if Principals are removed at the class level) or method (if Principals are removed at the method level) and allowing anyone access to it.

  1. Right-click the class or method in the security object hierarchy.
  2. Select Delete Access Entry from the pop-up menu.
  3. Click the Save Changes to Security Access Entries tool bar button to commit the changes.
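
The difference between the two procedures above, as an added example (a constructed model, not the product's code or its XML storage format): a deleted access entry admits anyone, while an ACL with no Principals admits nobody. The dict layout, the interface name Account and the Principal names are assumptions made for illustration.

```python
# Constructed model of the ACL states described above; not product code.
# The dict layout and every name below are hypothetical.

def acl_state(acls, node):
    """Classify one class or method node by its ACL.

    acls maps node name -> set of Principal names. A missing key models a
    deleted access entry; an empty set models an ACL with no Principals.
    """
    if node not in acls:
        return "open"        # no ACL: anyone may access
    if not acls[node]:
        return "deny-all"    # empty ACL: nobody may access
    return "restricted"      # only the listed Principals may access


def is_allowed(acls, node, principal):
    """Access decision for one node: open admits anyone, deny-all nobody."""
    if node not in acls:
        return True
    return principal in acls[node]


def audit(hierarchy, acls):
    """Return (node, state) for every node that is open or deny-all.

    hierarchy maps class name -> list of method names.
    """
    findings = []
    for cls, methods in hierarchy.items():
        for node in [cls] + [f"{cls}.{m}" for m in methods]:
            state = acl_state(acls, node)
            if state != "restricted":
                findings.append((node, state))
    return findings


# Constructed sample data.
HIERARCHY = {"Account": ["getBalance", "transfer", "close"]}
ACLS = {
    "Account": {"alice", "bob"},
    "Account.getBalance": {"alice", "bob"},
    "Account.transfer": set(),   # after Remove All and save
    # "Account.close" has no entry: after Delete Access Entry and save
}

if __name__ == "__main__":
    for node, state in audit(HIERARCHY, ACLS):
        print(f"{node}: {state}")
```

Reviewing the "open" findings after a cleanup confirms that Delete Access Entry was not used where Remove All was intended.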

Delete Access Entries Globally

This procedure will delete all security access entries for an object or interface, and all security access entries for methods of that object or interface.

  1. Right-click the object or interface in the security object hierarchy.
  2. Select Global Delete from the pop-up menu.

Note that the deleted Principals remain in the Principals list until another node in the security object hierarchy is selected.

  3. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

Assign Principals Globally

  1. Assign Principals to a class or method, using the steps in either Add a New Principal or Assign a Principal to a Class or Method.
  2. Click the Assign Globally button. Every Principal in the Access Entry Details list is assigned to all methods of the parent object or interface.
  3. Click the Save Changes to Security Access Entries tool bar button to commit the changes.

Implementing Security Configuration Changes

Changes to the security configuration for a Service can be performed while the Service is running or halted, but changes made while the Service is running will not be immediately implemented. There are two ways in which security changes can be passed to a running Service:

Interfaces

This panel is only displayed when the Security Administration Manager has been invoked from a Service node (see Starting from a Service node).

The Interfaces panel lists the interfaces for the class selected in the security object hierarchy. These interfaces may have their own security access settings, and so can be loaded into the security object hierarchy.

To load an interface class into the hierarchy:

  1. Select an object in the security hierarchy. The Interfaces panel will not be available if a method is selected.
  2. Select the Interfaces tab in the right-hand panel of the Security Administration Manager.
  3. Select the required interface from the list in the Interfaces panel.
  4. Click the Load Selected Class button.

The class (including all of its methods) is loaded as a separate node in the security object hierarchy, and if it has access details in persistent storage they are retrieved and loaded also.


