How to implement access restrictions to your EA artifacts using Rational System Architect Catalog...
-
Upload
bill-duncan -
Category
Technology
-
view
1.672 -
download
0
description
Transcript of How to implement access restrictions to your EA artifacts using Rational System Architect Catalog...
Page 1 of 27 “Rational Support Whitepaper”
Implement access restrictions to your EA
Artifacts Using Rational System Architect
Catalog Manager
Mirtunjay Kumar Sharma
August 1, 2011
Page 2 of 27 “Rational Support Whitepaper”
Table of Content
INTRODUCTION .................................................................... 3
WHAT IS A CATALOG MANAGER ........................................... 4
NEED FOR A CATALOG MANAGER .......................................... 5
CONFIGURE A CATALOG ....................................................... 8
PERMISSION MAPPING ...................................................... 10
BUSINESS REQUIREMENT 1: .................................................................................. 10
BUSINESS REQUIREMENT 2: .................................................................................. 10
SOLUTION FOR BUSINESS REQUIREMENT 1: ........................................................ 11
SOLUTION FOR BUSINESS REQUIREMENT 2: ........................................................ 19
COMMON ISSUES AND SOLUTIONS ..................................... 22
CONCLUSION ...................................................................... 26
REFERENCES ....................................................................... 27
Page 3 of 27 “Rational Support Whitepaper”
Introduction
The ever increasing challenges of modern day enterprises demand organization to
design effective Enterprise Architecture (EA) for them to succeed and stay
competitive. For EA to be effective, it requires collaboration from many
professionals, some of them directly designing/modifying the EA and while others
are stakeholders who use the EA to make critical strategic decisions. These
decisions in turn define the direction of the organization.
To deliver effective EA, many users have to collaborate. It then becomes equally
important to have proper "Visibility" to all users to avoid "reinventing of wheel".
However at the same time it opens the doors for accidental modifications from
inexperienced users creating inconsistency in the system. The after-effects are
hard to imagine/foresee and sometimes unexpectedly destructive.
In this critical environment where "Visibility" and "Security" form two faces of the
same coin, how do you manage effective delivery of EA? While there are many
tools which allow creation of EA, IBM Rational System Architect (SA) comes
bundled with answers to many more questions than just EA. While Rational
System Architect gives you the platform and also forms the tool to design the EA,
the Catalog Manager with its "Instance Level" and "Type Level" access Control
capabilities complements, completes and addresses the key requirements of
"Visibility" and "Security". There is more that catalog manager helps you with.
Rational System Architect also offers a thin client known as System Architect XT
(Extended Team) which helps sharing EA through browser. For an encyclopedia
that contains EA artifacts to be made accessible by Rational System Architect XT,
it must be an Enterprise encyclopedia controlled by Rational System Architect
Catalog Manager.
This whitepaper talks about what Rational System Architect Catalog Manager is
and how it can be used to addresses the concerns of "Visibility" and "Security".
The paper also provides problem scenarios and their related solutions to help with
your understanding of these capabilities.
Page 4 of 27 “Rational Support Whitepaper”
What is a Catalog Manager
Catalog Manager in Rational System Architect is a utility which enables systems
administrator to grant permission access to model artifact types and instances in
an encyclopedia, based on user roles. It can be used to provide more granular
level of access controls on the information stored in IBM Rational System
Architect encyclopedias. System Architect Catalog Manager stores users and their
associated permissions in a database known as TelelogicEnterpriseCatalog.
The TelelogicEnterpriseCatalog database is also known as Catalog in Rational
System Architect terminology. You can create a catalog on Microsoft SQL Server
or on Oracle database server. The database server can be configured on the same
machine where Rational System Architect Catalog manager is installed or it may
be on any other machine in the same network.
The foremost requirement to create a catalog on a database server instance is
that you should have a sys admin rights on a database instance. On a single
database instance, you can create only one catalog and you can control user
access on all Rational System Architect databases which exist on that instance.
Rational System Architect databases are known as Encyclopedias in Rational
System Architect terminology.
To control the permissions for a user on Rational System Architect encyclopedias,
those encyclopedias need to be attached in the catalog in Rational System
Architect Catalog Manager.
Rational System Architect Catalog Manager controls the permissions for users on
encyclopedias by forming three way relationships between users, encyclopedias,
and roles. The permissions are first assigned to Roles and the users are assigned
to encyclopedias. Then the users are assigned one or more roles for each
encyclopedia in the catalog.
Page 5 of 27 “Rational Support Whitepaper”
Need for a Catalog Manager The best modeling environment for a team is a shared storage area with
concurrent multi-user access. There are many advantages of using shared
repository in your organization for enterprise design and modeling. Few of the
advantages are shown mentioned below:
All model information in the repository is visible and reusable at all times.
There is no threat of any users „reinventing the wheel‟.
Concurrent access allows potential conflicts to be identified quickly.
Administration is minimized. Users don‟t have to waste time and effort in
producing conflicting partial models, and then have to reconcile them
when merging the projects together.
The current state of the Enterprise Architecture information is readily
available to all users, so that questions can be asked of the enterprise
information.
Progress of the enterprise architecture, or a particular project within it, is
easily monitored since the current state of information in the repository is
visible. Rational System Architect automatically timestamps modifications
to the model, and also records the Audit ID of the user who made the
modification
Page 6 of 27 “Rational Support Whitepaper”
Using disconnected storage areas that are worked on simultaneously, and
subsequently merged, requires additional administration and management in
order to resolve conflicts. The shared storage areas are known as encyclopedias
in Rational System Architect. Rational System Architect provides built in
automatic locking facilities so that users can work on related areas with minimal
conflict.
For example: When a user opens a definition for editing, it is automatically locked
and provided in read-only form to any other user trying to open it while the first
user has it open. When the first user closes that definition, it becomes available
for editing by any other user.
There could be many instances of a diagram, definition or symbol type in Rational
System Architect encyclopedias. However to control permissions at an instance
level, you need to create a catalog in Rational System Architect Catalog Manager.
In Rational Catalog Manager, you can assign a read only access to a user on an
instance of a definition, diagram or symbol however at the same time other user
can enjoy read-write access on the same instance of these artifacts.
Rational System Architect Catalog Manager provides two levels of access control
to encyclopedia objects. The first level, Role-based access control, lets you
control permission to object types. This is a general level of control that makes no
distinction among objects of the same type. If you grant permission to Use Case
diagrams for example, then you grant permission to all Use Case diagrams.
Instance Level Access Control (ILAC) provides a higher, more specific level of
access control, letting you choose different permissions for objects of the same
type. For example, you can grant the Read permission to one Use Case diagrams,
and also grant the Write permission to a different Use Case diagram.
Another purpose of attaching an encyclopedia in Rational System Architect
Catalog Manager is to access Rational System Architect encyclopedias using
Rational System Architect XT.
Page 7 of 27 “Rational Support Whitepaper”
In other words, for an encyclopedia to be made accessible by Rational System
Architect XT, it must be an Enterprise encyclopedia controlled by Rational System
Architect Catalog Manager.
An administrator who is responsible to manage Rational System Architect
deployment in an organization can create user defined roles in Rational System
Architect Catalog Manager. A user defined role may contain specific diagram,
definition, macro and menu permissions to fulfill your business requirement to
access specific areas of your enterprise architecture.
You can also control permissions on a user defined artifacts created in the
encyclopedia using a USRPROPS or by a visual basic macro. An administrator for
Rational System Catalog needs to map the permissions using an option in
Rational System Architect Catalog Manager as shown below:
Once you select the encyclopedia where you have user defined artifacts from the
drop down, those artifacts will be listed under the appropriate category like
Diagram Permissions or Definition Permissions.
Page 8 of 27 “Rational Support Whitepaper”
Configure a Catalog Rational System Architect supports only Microsoft SQL Server and Oracle as a
backend database management system to hold the enterprise architecture
design. A catalog in Rational System Architect Catalog Manager can either be
created on Microsoft SQL Server or on an Oracle database management system.
The method to create a catalog in Rational System Architect Catalog Manager on
Microsoft SQL Server or on an Oracle database Management system is same. You
can follow the step mentioned below to create a catalog in Rational System
Architect Catalog Manager:
Launch Rational System Architect Catalog Manager from Start > All Programs >
IBM Rational > IBM Rational Lifecycle Solutions Tools > IBM Rational System
Architect > SA Catalog Manager
Click on Catalog > Create. The screen shown below will appear. Select the
database management system from the drop down list
Once you select the database management system type, you need to select the
database instance name. For example: If you select SQL Server as your database
management system, put one of available instance name under Server name
option as shown below:
Page 9 of 27 “Rational Support Whitepaper”
Once you put the database instance name, select the appropriate authentication
mode to login to the database instance and click on OK.
Once the catalog created, Catalog Manager will appear as shown below:
The next step is to attach those encyclopedias in Catalog Manager on which the
permissions need to be granted to different users. You also need to decide
whether the default roles available in Rational System Architect Catalog will fulfill
you business requirements or do you have to create few custom roles.
Page 10 of 27 “Rational Support Whitepaper”
Permission Mapping Rational System Architect Catalog Manager Administrator has to make a decision
to choose from role based access control (RBAC) and instance level access control
(ILAC). The decision can easily be made understanding the business requirement
and the kind of permissions that needs to be granted for each user in an
organization.
Let us make use of two business requirements to understand role based access
control and instance level access control in Rational System Architect Catalog
Manager.
Business Requirement 1:
There are five users (U1 and U2 who need to be given access on an encyclopedia
E1. The encyclopedia E1 contains a set of Business Process diagrams, class
diagrams and Entity Relationship diagrams. The requirement is in such a way that
user U1 should have only read access on Business Process diagrams and Entity
relationship diagrams. The user U2 needs to be given full access on the
encyclopedia.
Business Requirement 2:
There is a user U3 who needs to be given access on an encyclopedia E2. The
encyclopedia E2 also contains ER1 and ER2 instances of entity relationship
diagrams. The requirement is in such a way that user U3 should be given read
access on ER1 diagram in the encyclopedia and the user U3 should be given read
write access on ER2.
To address these requirements, you can either make use of existing roles or you
can create new roles. You can learn the usage of existing roles from Rational
System Architect Catalog Manager help.
The Business Requirement 1 can easily be implemented using role based
access control in Rational System Architect however, to implement the Business
Requirement 2; you need to implement instance level access control.
Page 11 of 27 “Rational Support Whitepaper”
Solution for Business Requirement 1:
You need to first attach the encyclopedia E1 in Rational System Architect Catalog
Manager. The following steps help you attach the encyclopedia in Rational System
Architect Catalog and assign the required permissions to fulfill the business
requirement:
1. Launch Rational System Architect Catalog Manager
2. Click on Catalog > Connect.
Select the Server type, Server name and authentication and click OK.
3. Right mouse click on Encyclopedias node in Rational System Architect
Catalog Manager and click Attach
Page 12 of 27 “Rational Support Whitepaper”
4. Select the encyclopedia name from the list of encyclopedias exist on the
database instance. You want to assign the permissions on an encyclopedia
E1, select the same encyclopedia from the drop down list and click OK.
5. Once the encyclopedia is attached, it will appear under Encyclopedias
Node in Rational System Architect Catalog Manager.
6. Now, import the users into Rational Catalog Manager. To import the users,
right mouse click on User & Groups node and click on Import Users
Page 13 of 27 “Rational Support Whitepaper”
7. You can import Active directory users, domain users, computer users and
Microsoft SQL Server Database users into Rational System Architect
Catalog Manager
8. Consider that you have a computer by name mirsharm and you want to
import users from the same computer into Rational System Architect
Catalog Manager. Select the users and click OK.
Page 14 of 27 “Rational Support Whitepaper”
9. Once you import the users in Rational System Architect Catalog, the users
will appear under Users & Groups node.
10. Create a user defined role to fulfill your business requirement to assign
appropriate permissions.
To create a user defined role, right mouse click on Roles node and click on
New.
Give a name to the new role as “Business Requirement 1-Read only”.
Page 15 of 27 “Rational Support Whitepaper”
11. Once the role is created, you need to add different permissions to this
role. To add diagram, definition, symbol and macro permissions to
“Business Requirement 1-Read Only” role, expend the first node
Encyclopedia Permissions.
12. Right mouse click on Definition Permissions and click on Copy. Once the
permissions are copied, expand the “Business Requirement 1-Read Only”
role > Encyclopedia Permissions and right mouse click on Definitions
Permissions and click on Paste.
13. Repeat the step 12 for diagram permissions, macro permissions and
menu permissions.
14. To make Business Process and Entity relationship diagrams read only,
expand “Business Requirement 1-Read Only” role and Encyclopedia
Permissions node. Click on Diagram Permissions. Select Business Process
and Entity Relation and right mouse click on the selection. Give only Read
access to these diagrams.
Page 16 of 27 “Rational Support Whitepaper”
15. Once the read only role is created, let‟s map the permissions for the users
U1 and U2 on the encyclopedia E1. Right mouse click on “Business
Requirement 1-Read Only” role and click on copy.
16. Paste this role on the Role node under Encyclopedia E1
17. Similarly, copy the user U1 under “Users & Groups” and paste it under
“Users & Groups” under encyclopedia E1.
18. Now, drag user U1 and drop it on “Business Requirement1-Read Only”
role under encyclopedia. Once you drop the user name on the role, the
mapping will be completed for user U1 on an encyclopedia E1.
Page 17 of 27 “Rational Support Whitepaper”
19. Similarly, you can map the permissions to the user U2. Since user U2
should be given full access on the encyclopedia, you can use a default role
Administrator. The mapping for both the users will look like as:
Now, the role based access is assigned to the users on an encyclopedia. Let‟s
verify the permissions mapping on the encyclopedia in Rational System
Architect. When user U1 opens the encyclopedia E1, you will observe that U1
can just read business process and entity relation diagrams.
Page 18 of 27 “Rational Support Whitepaper”
You can observe the user U1 does not have permissions to edit the business
process diagram. You can also observe that the user U1 is not allowed to
create a new Business Process diagrams as well.
Similarly, you can observe in the screen shown below that the user U1 can not
edit/create entity relation diagrams too.
Note: Ensure that the user has also been given minimum access rights in
Rational System Architect Encyclopedia Manager (SAEM). You can refer the
following technical document to assign minimum permissions for a user in SAEM:
How to apply the minimum permissions to share Professional
Encyclopedias
If you are using Oracle as a backend repository, you can take help from your
Oracle DBA to assign these access rights to a user on an encyclopedia.
Page 19 of 27 “Rational Support Whitepaper”
Solution for Business Requirement 2:
Let‟s attach another encyclopedia E2 in Rational System Architect Catalog
Manager to understand the implementation of business requirement 2. You can
follow the step mentioned above to attach the encyclopedia in Rational System
Architect Catalog manager.
Since you need to control the permissions on the instance of a diagram, you need
first enable the instance level access control (ILAC) option in Rational System
Architect Catalog Manager.
Once the instance level access control option is enabled in Rational System
Architect Catalog Manager, you need to configure the respective encyclopedia to
use instance level access control options. You can follow the steps mentioned
below to assign the permissions to user U1 on an encyclopedia E2:
1. Right mouse click on the encyclopedia E2 and click on Enable ILAC option.
Page 20 of 27 “Rational Support Whitepaper”
2. Once the ILAC is enabled on an encyclopedia, you can verify the same by
clicking on the Encyclopedias node.
3. As Instance Level Access Control can only be applied on a group, let‟s add
user U3 to a group.
4. Right mouse click on the group and click on Copy
5. Right-mouse click ILAC Group Default for Encyclopedia, and select Paste
6. To assign the instance level access control, open the encyclopedia E2 in
Rational System Architect. Let‟s create two Entity Relation diagrams ER1
and ER 2 and map the permissions to U3 to meet the business
requirement 2.
7. Right mouse click on diagram area for ER1 and ER 2 to assign instance
level access control:
Page 21 of 27 “Rational Support Whitepaper”
ER1 is read only to everyone and given read write permissions on Test
Group. Since U3 is a part of Business Requirement 2 group, he has been
given only read access.
All the user group have been given read and read/write access.
Page 22 of 27 “Rational Support Whitepaper”
Common issues and Solutions
Error message: "The Catalog on SQL Server needs to be
upgraded in Catalog Manager" when opening an Enterprise
Encyclopedia.
Solution:
This error is displayed when the encyclopedia is being opened in a later version of
System Architect than that of the SA Catalog Manager utility. After upgrading
your System Architect installation, you must open the catalog with the SA Catalog
Manager. The SA Catalog Manager will detect if an upgrade is required and
automatically upgrade the catalog. After the catalog has been upgraded in SA
Catalog Manager, you may then open the Enterprise Encyclopedia in System
Architect.
Page 23 of 27 “Rational Support Whitepaper”
Error message: No catalog on SQL server while creating an
encyclopedia.
Solution:
You may get this error message "No catalog on SQL server while creating an
encyclopedia" when creating an encyclopedia having the 'Enterprise Encyclopedia'
option checked. This happens if you try creating 'Enterprise Encyclopedia' without
having a Catalog created on the database server.
Scenario 1: If you just want to create an encyclopedia, uncheck 'Enterprise
Encyclopedia' option in the create encyclopedia window. This will create a
Professional encyclopedia. To create an 'Enterprise Encyclopedia', you would first
have to open the System Architect Catalog Manager and create a Catalog. Please
check System Architect online help for more information on creating
encyclopedia.
Scenario 2: Even if the Catalog is created, this error would still occur in a shared
environment. Consider the following example to understand this scenario:
You have a shared instance of SQL Server/Express and you would like to allow
users to create Enterprise Type encyclopedias. Though the Catalog is created
however other user still would not be able to create an enterprise type of
encyclopedia until you follow the set of steps mentioned below:
A. Add the user login in SAEM (System Architect Encyclopedia Manager) and
assign "DBCreator" Server role to his login id.
B. Add the user's login in Catalog manager and give CRWD (Create, Read, Write
and Destroy) or appropriate right on the System Architect Catalog.
Once this is done, user should be able to create an enterprise encyclopedia in a
shared environment.
Page 24 of 27 “Rational Support Whitepaper”
Error Message: Error Message: "An error occurred while
initializing Error:-2147217900, Source: Microsoft OLE DB
Provider for SQL Server, Description: The user does not have
permission to perform this action"
Solution:
The login ID is not set with appropriate permissions on the SQL Server where the
Catalog resides. Lack of database Data Reader permission is results in failure to
connect to existing catalog. Refer to the following knowledge base article to
resolve this error:
http://www.ibm.com/support/docview.wss?uid=swg21427259
Page 25 of 27 “Rational Support Whitepaper”
Unable to import users in IBM Rational System Architect
Catalog Manager without SYS ADMIN permissions.
Solution:
To be able to import other users into System Architect Catalog Manager you must
have 'SYSADMIN' or 'Security Admin' privileges.
However, if you do not want to give Sys Admin permissions and give Security
Admin, then you will need to perform a few additional tasks as mentioned below:
A. Make sure to give the user GRANT VIEW SERVER STATE to login and GRANT
EXECUTE on sp_lock on the Master encyclopedia.
For example if Test User you are trying to use, then the commands would look
like:
GRANT VIEW SERVER STATE to "Test User"
GRANT EXECUTE on sp_lock to "Test User"
B. Also you have to give "Public access" on all the encyclopedias present on the
instance.
C. Make sure that the User has "CRWD" (Create, Read, Write, Execute) on the
Catalog Manager
Page 26 of 27 “Rational Support Whitepaper”
Conclusion
Enterprise architecture is a conceptual blueprint that defines the structure and
operation of an organization. The intent of enterprise architecture is to determine
how an organization can most effectively achieve its current and future
objectives.
To capture different states of your enterprise architecture efficiently, you can
make use of IBM Rational System Architect which is an industry leading
Enterprise Architecture design and modeling tool.
To design architecture for your organization, it is also important to create specific
views of artifacts for different people in hierarchy. Also, in case of distributed
environment where in more than one architect is working on a single project,
administrator needs to provide restricted work area in the repository for each
architect.
Rational System Architect Catalog Manager provides a complete solution to
administer different artifacts stored in encyclopedias in Rational System Architect.
You can apply role based access control or an instance level access control based
on your business requirements.
This paper explained role based access control and instance level access control
with the help of two scenarios. The Business Requirement 1 is used to describe
the usage of role based access control in Rational System Architect Catalog
Manager. Similarly, the Business Requirement 2 is used to explain how an
instance level access control can be helpful to restrict an access to different
users on different instances of an artifact.
Page 27 of 27 “Rational Support Whitepaper”
References
Rational System Architect Information Center
Rational System Architect Catalog Manager online help
Rational System Architect Support Portal
How to apply the minimum permissions to share Professional
Encyclopedias