UNIFI: The administrative environment · Nordic User Training, September 2013 ©2013 Waters...

UNIFI: The administrative environment

Ken Eglinton Nordic User Training, September 2013

Topics Covered

Data Folder Hierarchy and Roles/Permissions

User Accounts

Security Checks

– Assigned Roles

Data Folders and Access Grants

– Access Grants Rules/Behaviors

– Stopping Inheritance

Global Policies and Folder Policies

Offline Storage Manager

Security area of Administration

Data Folder Hierarchy and Roles/Permissions

Data Folder Hierarchy

Organizational Hierarchy

– Company

– Facility/Department

– Lab

– Projects

Default Roles

Roles and Permissions

Comparing Roles

User Accounts

General User Account Settings

User Accounts Allowed Roles and Default Role

Notification Subscriptions

Preferences

Data Access

Device Access

Library Access

Account Licenses

Training Certificates

Security Checks

Once the user logs into UNIFI their Data Folders, Scientific

Library Folders and Devices are controlled and dynamically

built from the users access grants.

User – Assigned Roles

There are three Roles in the system.

– Chemist Admin 1

– Chemist Admin 2

– Chemist Admin 3

A user logs in with an account who has the Chemist Admin 2

When this user tries to create an account, what are the list of

Roles he is allowed to pick from in the Assigned Roles list?

– Chemist Admin 1 and Chemist Admin 2

Application Scenario; Assigned Roles

• Assigned roles

• Determines Role used for folder access assigned with the ‘Login Role’

Role in Access Management.

• Determines system wide permissions for tasks not applicable to a folder.

(Administrative tasks for example)

There are two Roles assigned to the Steve Bird account.

Steve Bird has Direct grant to QC Lab.

Steve Bird has Direct grant to Project 3a.

When Steve Bird logs in, what does his hierarchy look like

and with what grants?

Login Role – Direct

Chemists or Chemists

Admin 1

Login Role - Inherited

Guest - Direct

Data Folders and Access Grants

Access Grants Rules/Behavior

1. Inheritance applies and Direct grants override Inheritance.

2. Inheritance comes from the first Direct grant up the tree.

3. There can be only one unique User or Policy applied to a

single Node (Data Folder, Scientific Library Folder, Device

Folder).

4. Granting at a parent node will be inherited to any child

node, regardless if the user has the appropriate permissions

at the inherited nodes.

5. Editing at a parent node will take affect on any child node

currently inheriting, regardless if the user has the

appropriate permissions at the inherited nodes.

6. Explicit grants can only be edited by users with the

appropriate permission at the node.

Access Grant Example; Users

Steve Bird has direct access to QC Lab with Login Role

Steve Bird has inherited access to the Motrin project via QC Lab

Want Steve Bird to have only Guest access to Motrin

– Directly grant Steve Bird to the Motrin Folder

– Change Role

Access Grant Example; Stopping Inheritance

Steve Bird has direct access to Milford and is inheriting access

to the QC Lab and Motrin folders.

Administrators want to stop his access to the Motrin folder.

Select the user account then ‘Stop inheritance’

Access type changes to ‘No Inheritance’

Without a stop inheritance mechanism

administrators would have to:

– Revoke his access from the Milford folder

– Grant Direct Access to the Milford and QC Lab

folders

– Move the Motrin folder from being a child of the QC

Lab, to being a child of the Waters folder

Also, imagine if there were other users with

Direct access to the Milford folder and you still

wanted those users to continue to have access

to the Motrin folder.

– You would have to grant them back direct access to

the Motrin folder

This would be difficult for administrators

– This is the key point of Stop Inheritance

Why would we change the access type status of the user to ‘No

Inheritance’ rather than remove the user from the list?

– Because removing the user means it has been Revoked using that

command, which is different than stopping inheritance.

– Administrators coming back to Access Management after a period of

time won’t remember they have stopped inheritance on a user and

will attempt to grant direct access.

What happens when a user attempts to directly grant access of

a User or Policy to a Data Folder which has that item currently

applied but in the state of ‘No Inheritance’?

– The item will now show as a direct grant

What happens when a Folder is moved to a different point in

the Folder Hierarchy?

– Access grants will automatically change

o Items that are still inherited from the new parent will stay in the

‘No Inheritance’ state.

o Direct grants will not change

Grants and Inheritance Examples

Scenarios

Creating a Data Folder policy

Editing a Data Folder policy

Applying a Data Folder policy

Revoking a Data Folder policy

Deleting a Data Folder policy

Copy/Paste a Data Folder policy

Folder

Milford

Project1

Project2

Project3

Analytical Development

Project 4a

Project 4b

New Jersey

Applying a Data Folder Policy

Policy A1 is applied to the Milford Folder and inherited down the tree. – Per the rules, Inheritance applies and Direct grants

override Inheritance

Node Policy

Milford -

QCLab -

Project1 -

Project2 -

Project3 -

Analytical Development -

Project 4a -

Project 4b -

New Jersey -

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Project1 A1 Inherited

Analytical Development A1 Inherited

Project 4a A1 Inherited

Project 4b A1 Inherited

New Jersey A1 Inherited

User wants to replace Policy A1 with Policy A2 at Milford. – We must first check to ensure the user has the permission to

‘Assign/Revoke folder policies’ at the folder. o If yes, the policy shall be applied.

o Per the rules, any sub-nodes that do not have an explicit policy shall inherit the applied policy from it’s parent.

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Node Policy

Milford A2 Direct

QCLab A2 Inherited

User wants to replace Policy A1 with Policy A2 at Project2. – We must first check to ensure the users has the permission to

‘Assign/Revoke folder policies’ at the folder. o If yes, the policy shall be applied.

o Per the rules, any sub-nodes that do not have an explicit policy shall inherit the applied policy from it’s parent.

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Project2 A2 Direct

User has the permission to ‘Assign/Revoke folder policies’ at the QCLab, Project1 and Project2 part of the hierarchy, but does not have the permission at Project3.

The user wants to replace Policy A1 with Policy A2 at QCLab. – Per the rules this action is allowed because Project3 is inheriting the

policy.

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Node Policy

Milford A1 Direct

QCLab A2 Direct

User has the permission to ‘Assign/Revoke folder policies’ at the QCLab, Project1 and Project2 part of the hierarchy, but does not have the permission at Project3.

The user wants to replace Policy A1 with Policy A3 at QCLab. – Per the rules this action is allowed because Project3 has policy A2

Directly assigned and Project3 is not changed.

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Project3 A2 Direct

Node Policy

Milford A1 Direct

QCLab A3 Direct

Project3 A2 Direct

Revoking a Data Folder Policy

User has the permission to ‘Assign/Revoke folder policies’ at the Milford part of the hierarchy.

User attempts to Revoke policy A1 from Milford. – Per the rules this action is allowed because all sub folders are inheriting.

– The user is prompted with a dialog indicating the policy will be removed from the Milford folder and all Inherited folders.

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Node Policy

Milford -

QCLab -

Project1 -

Project2 -

Project3 -

Project 4a -

Project 4b -

New Jersey -

Revoking a Data Folder Policy

User has the permission to ‘Assign/Revoke folder policies’ a policy at the Milford part of the hierarchy.

User attempts to Revoke policy A1 from Milford. – Per the rules this action is allowed and applied to all sub folders inheriting the policy as well.

– The user is prompted with a dialog indicating the policy will be removed from the Milford folder and all Inherited folders.

– Any folders within Milford that have Direct policy grants are not affected.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited

Project2 A2 Direct

Node Policy

Milford -

QCLab -

Project1 -

Project2 A2 Direct

Project 4a -

Project 4b -

New Jersey -

Deleting a Data Folder Policy

User has the permission to ‘Delete’ a policy which allows the user to delete the policy from the Global folder policy list.

Creating a Folder

User attempts to Create Project5 in the QCLab folder.

– All policies shall be inherited from the first parent up the hierarchy with a direct Policy grant.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited

Project5 -

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Creating a Folder

User attempts to Create Project5 in the QCLab folder. – All policies shall be inherited from the first parent up the

hierarchy with a direct Policy grant. o In this case, there are no policies assigned so the new project does not

get any either.

Node Policy

Milford -

QCLab -

Project1 -

Project2 -

Project3 -

Project5 -

Project 4a -

Project 4b -

New Jersey -

Moving a Folder

User attempts to Move Project2 from the QCLab folder to the

Analytical Development Lab folder.

– Inheritance applies and in this case there is no change as the

Analytical Development Lab is also inheriting from above.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited

Project5 A2 Explicit

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Moving a Folder

– Inheritance applies and in this case Project 2 and Project3 receive

Policy A2.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited

Analytical Development A2 Explicit

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Analytical Development A2 Direct

Moving a Folder

– Explicit Grants override Inheritance and in this case Project 2 and

Project3 retain Policy A2.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Project2 A2 Direct

Access Management

Those scenarios apply to not only Data Folder Policies, but

user access grants in Access Management as well.

Global Policies and Folder Policies

Overview of UNIFI Policies

Global policies apply to the entire UNIFI Installation

Data Folder Policies apply to a specific Data Folder

By default Everest shall track all actions and the audit trails

shall contain the following: Who, What, When, Old Value and

New Value.

Everest shall have two types of policies to configure the

‘Why’:

– Global Audit Trail Reasons and Data Folder Reason

Global Policies

Folder Policies

Predefined Reasons

UNIFI Offline Storage Manager (OSM)

OSM Configuration

OSM Policy

Questions?

UNIFI: The administrative environment · Nordic User Training, September 2013 ©2013 Waters...

Documents

Transcript of UNIFI: The administrative environment · Nordic User Training, September 2013 ©2013 Waters...

Finland UPLC Users Meeting Mai, 22th - Waters Corporation

Troubleshooting Common MS Problems - Waters Corporation

Xevo TQ-XS - Waters Corporation AU Technolgoy... · ©2016 Waters Corporation 1 Xevo TQ-XS Jan Bohuslavek, PhD October 25, 2016 Waters Technology Day Vienna, Austria ... Parabens

The History of Jim Waters and Waters Corporation · The History of Jim Waters and Waters Corporation 1958 – Present THE EARLY YEARS OF WATERS, 1958 TO 1978 Out of the heartland

Acquity UPLC Injection Technigues - Waters · PDF file©2013 Waters Corporation 1 Acquity UPLC Injection Technigues Fixed Loop and Flow through Needle Tony Wiklund Nordic Application

UNIFI: The user environment - Waters Corporation · UNIFI: The user environment Ken Eglinton Nordic User Training, September 2013 ©2013 Waters Corporation 2 What is UNIFI? Single

NuGenesis Lab Management System - Waters Corporation

Meeting Customers Challenges - Waters Corporation

Waters Corporation, Milford MA, USA; 2. Waters Corporation…€¦ · · 2013-11-15Waters Corporation, Manchester, United Kingdom ... addition of high fructose corn syrup (HFCS)

GUNAIKURNAI LAND AND WATERS ABORIGINAL CORPORATION (GLAWAC) › wp-content › uploads › 2019 › 12 › ... · GUNAIKURNAI LAND AND WATERS ABORIGINAL . CORPORATION Forestec, 27

Waters Corporation PITTCON 2016 Product Guide

LC Method Development in Bioanalysis - Waters Corporation · LC Method Development in Bioanalysis Successfully Developing HILIC Methods ©2009 Waters Corporation ... report is critical

New Developments in DynamX 3 - Waters Corporation

Warren B Potts III Senior Director, Waters Corporation Trends_Fin… · Warren B Potts III Senior Director, Waters Corporation ... Montelukast Quetiapine ... Impurities Sterility

Finland UPLC Users Meeting Mai, 22th - Waters Corporation · ©2012 Waters Corporation 1 Finland UPLC Users Meeting Mai, 22th Frederic Forini Waters European Headquarters ... contant

•ACQUITY UPLC Troubleshooting, Tips and Tricks. - · PDF file•ACQUITY UPLC Troubleshooting, Tips and Tricks. ••©2011 Waters Corporation©2009 Waters Corporation | COMPANY

Garrett O. Mullen - Waters Corporation · The electronic alternative to the paper lab notebook ©2012 Waters Corporation 11 ... Audit Trail ©2012 Waters ... advantages ©2012 Waters

Waters Technology Corporation * Remains unchanged … Number Product Name/Description List Price NYS Discount NYS Net Price Waters Technology Corporation Lot 1 Equipment & Instruments

Review and Approve Results in Empower - Home : Waters · ©2013 Waters Corporation 1 Review and Approve Results in Empower Data, Meta Data and Audit Trails

Developments in Data Independent MS Acquisition … · 2013. 9. 27. · ©2011 Waters Corporation 30 Synapt G2-S Schematic ©2011 Waters Corporation 31 Ionized Precursors Precursors