Role management
General concepts
Every Step user is given a main role upon creation. With the default configuration of roles and rights, only users with the admin role can access Step’s projects without further action. Users with other roles need to be added as members of specific projects; each project membership defines a specific role.
Pre-populated Roles
Role | Definition |
---|---|
guest | grants read-only access, while preventing modifications or executions |
tester | grants most privileges required for defining and executing test plans |
developer | in addition to the tester rights, allows defining keywords and administering individual projects |
admin | grants all privileges |
Default access matrix
By default, the following mapping of roles and rights is provided. This can be customized by creating a CSV file based on the table below (removing the description column). You may rename roles, add additional roles and change the rights mapping.
To use your custom CSV file, modify your step.properties file on the controller.

```
# Uncomment the following if you want to use a custom right matrix
# ui.roleprovider.filename=../conf/AccessMatrix.csv
```
Default access matrix content
guest | tester | developer | admin | description | |
---|---|---|---|---|---|
plan-read | x | x | x | x | can open and view plans |
plan-write | x | x | x | can create or modify plans | |
plan-delete | x | x | can delete plans | ||
plan-execute | x | x | x | can trigger the execution of plans | |
plan-bulk-execute | x | x | x | can execute multiple plans in bulk from the executions list view | |
kw-read | x | x | x | x | ‘kw’ stands for keywords, this right allows to read the configuration of a keyword |
kw-write | x | x | can create or modify keywords | ||
kw-delete | x | x | can delete keywords | ||
kw-execute | x | x | x | can automatically generate a temporary plan wrapping this keyword to execute it | |
automation-package-read | x | x | x | x | allows to read automation packages meta data |
automation-package-write | x | x | can deploy or update automation packages (other entity rights aren’t required, for example you can deploy a package with keywords without the right kw-write) | ||
automation-package-delete | x | x | can delete an automation package | ||
automation-package-execute | x | x | x | can trigger executions of automation packages | |
mask-read | x | x | x | x | Masks are the entities used for the Image and PDF compare |
mask-write | x | x | x | can create or modify masks | |
mask-delete | x | x | x | can delete masks | |
mask-execute | x | x | x | can automatically generate a temporary plan wrapping this mask to execute it | |
execution-read | x | x | x | x | allows viewing execution results |
execution-write | x | x | x | can modify execution properties such as (un)marking an execution as retained/archived | |
execution-delete | x | x | x | can delete executions (one by one) | |
execution-bulk-delete | x | x | x | can delete executions in bulk | |
user-write | x | allows to create or modify users (should be reserved to administrators) | |||
user-read | x | allows to view details of all users (should be reserved to administrators) | |||
task-read | x | x | x | x | This right allows to read the configuration of a schedule |
task-write | x | x | x | allows to configure the schedule, and enable or disable it from the configuration dialog | |
task-toggle | x | x | x | allows to activate or deactivate a schedule using the toggle on the schedules list view (does not require the write right) | |
task-delete | x | x | x | allows to delete a schedule | |
dashboard-read | x | x | x | x | can visualize dashboards content |
dashboard-write | x | x | can create and edit dashboards (data and display settings) | ||
dashboard-delete | x | can delete dashboards | |||
scheduler-manage | x | can switch on/off the scheduler globally | |||
operations-read | x | can view the “current operations” of all executions | |||
controller-manage | x | can shutdown the controller via the REST call | |||
maintenance-message-write | x | can write and turn on/off the maintenance message | |||
admin-ui-menu | x | has access to the settings menu including admin settings (only use one of admin-ui-menu or settings-ui-menu). This menu contains Maintenance, Project, Screens, Scheduler and Housekeeping settings | |||
settings-read | x | x | x | x | this right is required when using the Step Web UI |
settings-write | x | this right is required to modify settings such as the maven settings | |||
settings-delete | x | this right is required to delete settings | |||
settings-ui-menu | x | has access to the settings menu entry (only use one of admin-ui-menu or settings-ui-menu). This menu contains Project, Screens and Scheduler settings | |||
param-read | x | x | x | x | can read parameters |
param-write | x | x | x | can create or modify parameters (see also param-global-write) | |
param-delete | x | x | x | can delete parameters | |
param-global-write | x | x | x | required to create or modify parameters with the global scope | |
resource-read | x | x | x | x | can read resources (Step resources are entities created to manage files and directories in Step, such as CSV datapool, keyword packages, report attachments…) |
resource-write | x | x | x | can create or modify resources | |
resource-delete | x | x | x | can delete resources | |
resource-bulk-delete | x | x | x | can delete resources in bulk | |
interactive | x | x | x | can start interactive execution | |
token-manage | x | x | can manage agents and tokens (pause token/agents…) | ||
monitoring-dashboard-configure | x | x | x | can configure the scheduler tasks monitoring view | |
project-read | x | x | x | x | can read project properties |
project-write | x | x | x | required to modify project settings, project members or to move (reassign) entities from one project to another | |
project-delete | x | x | can delete projects | ||
project-view-all | x | x | can use the project “[All]” filter to view the content of all projects in read-only | ||
project-access-all | x | can access all projects with their “main” role without being an explicit member of them. Otherwise the user must be a member of the project with a project-specific role | |||
broker-read | x | x | x | x | can view the event broker data |
broker-write | x | x | x | can modify the event broker data including publishing events and consuming events by group or name | |
broker-delete | x | x | can consume events by ID and clear all events and stats data | ||
screenInputs-read | x | x | can view the screen templates | ||
screenInputs-write | x | x | can modify the screen templates | ||
screenInputs-delete | x | x | can delete screen inputs from the screen templates | ||
table-settings-user-write | x | x | x | can save table settings for current user | |
table-settings-project-write | x | x | can save table settings for all users in specific project | ||
table-settings-system-write | x | can save table settings for all users in all projects | |||
collection-read | x | generic entity read access right used by the API collection services | |||
collection-write | x | generic entity write access right used by the API collection services | |||
collection-delete | x | generic entity delete access right used by the API collection services | |||
on-behalf-of | x | allows running or scheduling executions on behalf of another user; that user needs the plan-execute right and access to the underlying project | |||
notificationPresets-read | x | x | x | x | right to view notification presets |
notificationPresets-write | x | x | x | right to edit notification presets | |
notificationPresets-delete | x | x | x | right to delete notification presets | |
systemNotificationPresets-read | x | right to view system notification presets | |||
systemNotificationPresets-write | x | right to edit system notification presets | |||
systemNotificationPresets-delete | x | right to delete system notification presets | |||
alerting-rules-read | x | x | x | x | right to view alerting rules |
alerting-rules-write | x | x | x | right to edit alerting rules | |
alerting-rules-delete | x | x | x | right to delete alerting rules | |
incidents-read | x | x | x | x | right to read incidents rules |
incidents-write | x | x | x | right to write incidents rules | |
incidents-delete | x | x | x | right to delete incidents rules |
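
A custom matrix file can be checked against the constraints stated in the table above before the controller is pointed at it. The following Python check is an added example, not part of Step or its documentation; the CSV layout (comma-separated, first column the right name, header row of role names, `x` for a grant), the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of a custom matrix (not the shipped defaults). Assumed
# layout: comma-separated, header row of role names, "x" marks a granted right.
SAMPLE_CSV = """right,guest,tester,admin
plan-read,x,x,x
plan-execute,x,x,x
user-read,,x,x
user-write,,,x
admin-ui-menu,,x,x
settings-ui-menu,,x,
settings-read,x,x,x
"""

# Rights documented as "should be reserved to administrators".
ADMIN_ONLY = {"user-read", "user-write"}
# Documented as "only use one of admin-ui-menu or settings-ui-menu".
EXCLUSIVE_MENUS = {"admin-ui-menu", "settings-ui-menu"}

def load_matrix(text):
    """Return {role: set_of_rights} parsed from the CSV text."""
    rows = list(csv.reader(io.StringIO(text)))
    roles = [name.strip() for name in rows[0][1:]]
    matrix = {role: set() for role in roles}
    for row in filter(None, rows[1:]):  # csv yields [] for blank lines
        for role, cell in zip(roles, row[1:]):
            if cell.strip().lower() == "x":
                matrix[role].add(row[0].strip())
    return matrix

def audit(matrix, admin_role="admin", readonly_role="guest"):
    """Return sorted (role, right, reason) findings for risky grants."""
    findings = []
    for role, rights in matrix.items():
        if role != admin_role:
            findings += [(role, r, "reserved to administrators")
                         for r in rights & ADMIN_ONLY]
        if EXCLUSIVE_MENUS <= rights:
            findings.append((role, "settings-ui-menu", "both menu rights set"))
        if role == readonly_role:
            findings += [(role, r, "not read-only")
                         for r in rights if not r.endswith("-read")]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(load_matrix(SAMPLE_CSV)):
        print(": ".join(finding))
```

Pass the names of your own administrator and read-only roles to `audit` if you renamed them in the custom file.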