Role management
General concepts
Every Step’s user is given a main role upon creation. With the default configuration of roles and rights, only the users with the admin role will be able to access Step’s projects without further actions required. Users with other roles will need to be added as member of specific projects; for each project membership a specific role is defined.
Pre-populated Roles
| Role | Definition |
|---|---|
| guest | grants read-only access, while preventing modifications or executions |
| tester | grants most privileges required for defining and executing test plans |
| developer | in addition to the tester rights it allows to define keywords, and to administer individual projects |
| admin | grant all privileges |
Default access matrix
By default following mapping or roles and rights is provided. This can be customized by creating a CSV file based on the below table (removing the description column). You main rename role names, add additional roles and change the rights mapping.
To use your custom CSV file, you simply have to modify you step.properties file on the controller.
# Uncomment the following if you want to use a custom right matrix
# ui.roleprovider.filename=../conf/AccessMatrix.csvDefault access matrix content
Note:: description for the different entity CRUD rights are self-explanatory and as therefore been left empty.
| guest | tester | developer | admin | description | |
|---|---|---|---|---|---|
| plan-read | x | x | x | x | |
| plan-write | x | x | x | ||
| plan-delete | x | x | |||
| plan-execute | x | x | x | ||
| plan-bulk-execute | x | x | x | can execute multiple plans in bulk from the executions list view | |
| kw-read | x | x | x | x | ‘kw’ stands for keywords |
| kw-write | x | x | |||
| kw-delete | x | x | |||
| kw-execute | x | x | x | ||
| automation-package-read | x | x | x | x | |
| automation-package-write | x | x | |||
| automation-package-delete | x | x | |||
| automation-package-execute | x | x | x | ||
| mask-read | x | x | x | x | Mask are the entities used for the Imange and PDF compare |
| mask-write | x | x | x | ||
| mask-delete | x | x | x | ||
| mask-execute | x | x | x | ||
| execution-read | x | x | x | x | |
| execution-write | x | x | x | can modify execution properties such as (un)marking an execution as retained/archived | |
| execution-delete | x | x | x | can delete executions (one by one) | |
| execution-bulk-delete | x | x | x | can delete executions in bulk | |
| user-write | x | ||||
| user-read | x | ||||
| task-read | x | x | x | x | Task is the legacy term used for schedules |
| task-write | x | x | x | ||
| task-delete | x | x | x | ||
| dashboard-read | x | x | x | x | can visualize dashboards content |
| dashboard-write | x | x | can create and edit dashboards (data and display settings) | ||
| dashboard-delete | x | can delete dashboards | |||
| scheduler-manage | x | can switch on/off the scheduler globally | |||
| operations-read | x | can view the “current operations” of all executions | |||
| controller-manage | x | can shutdown the controller via the REST call | |||
| maintenance-message-write | x | can write and turn on/off the maintenance message | |||
| admin-ui-menu | x | has access to the settings menu including admin settings (only use one of admin-ui-menu or settings-ui-menu). This menu contains Maintenance, Project, Screens, Scheduler and Housekeeping settings | |||
| settings-read | x | x | x | x | This right is required when using the Step Web UI |
| settings-write | x | ||||
| settings-delete | x | ||||
| settings-ui-menu | x | has access to the settings menu entry (only use one of admin-ui-menu or settings-ui-menu). This menu contains Project, Screens and Scheduler settings | |||
| param-read | x | x | x | x | |
| param-write | x | x | x | ||
| param-delete | x | x | x | ||
| param-global-write | x | x | x | ||
| resource-read | x | x | x | x | |
| resource-write | x | x | x | ||
| resource-delete | x | x | x | ||
| interactive | x | x | x | can start interactive execution | |
| token-manage | x | x | can manage agents and tokens (pause token/agents…) | ||
| monitoring-dashboard-configure | x | x | x | can configure the scheduler tasks monitoring view | |
| project-read | x | x | x | x | |
| project-write | x | x | x | require to modify project settings, project members or to move (reassign) entities from one project to another | |
| project-delete | x | x | |||
| project-view-all | x | x | can use the project “[All]” filter to view the content of all projects in read-only | ||
| project-access-all | x | can access all projects with his “main” role without being an explicit member of them. Otherwise user must be a member of the project with a project’s specific role | |||
| broker-read | x | x | x | x | |
| broker-write | x | x | x | ||
| broker-delete | x | x | |||
| screenInputs-read | x | x | |||
| screenInputs-write | x | x | |||
| screenInputs-delete | x | x | |||
| table-settings-user-write | x | x | x | Can save table settings for current user | |
| table-settings-project-write | x | x | Can save table setting for all users in specific project | ||
| table-settings-system-write | x | Can save table settings for all users in all projects | |||
| collection-read | x | generic entity read access right used by the API collection services | |||
| collection-write | x | generic entity write access right used by the API collection services | |||
| collection-delete | x | generic entity delete access right used by the API collection services | |||
| on-behalf-of | x | allow to run or schedule execution on behalf on another user, this said user need the right plan-execute and access to the underlying project | |||
| dockerRegistries-read | x | x | right to view docker repositories information | ||
| dockerRegistries-write | x | x | right to edit docker repositories information | ||
| dockerRegistries-delete | x | x | right to delete docker repositories information | ||
| notificationPresets-read | x | x | x | x | right to view notification presets |
| notificationPresets-write | x | x | x | right to edit notification presets | |
| notificationPresets-delete | x | x | x | right to delete notification presets | |
| systemNotificationPresets-read | x | right to view system notification presets | |||
| systemNotificationPresets-write | x | right to edit system notification presets | |||
| systemNotificationPresets-delete | x | right to delete system notification presets | |||
| alerting-rules-read | x | x | x | x | right to view alerting rules |
| alerting-rules-write | x | x | x | right to edit alerting rules | |
| alerting-rules-delete | x | x | x | right to delete alerting rules | |
| incidents-read | x | x | x | x | right to read incidents rules |
| incidents-write | x | x | x | right to write incidents rules | |
| incidents-delete | x | x | x | right to delete incidents rules |