Role management
General concepts
Every Step user is assigned a main role upon creation. With the default configuration of roles and rights, only users with the admin role can access Step projects without any further action.
Users with other roles need to be added as members of specific projects; for each project membership, a specific role is defined.
Pre-populated Roles
| Role | Definition |
|---|---|
| guest | grants read-only access while preventing modifications or executions |
| tester | grants most privileges required to define and execute test plans |
| developer | in addition to tester rights, grants the ability to define keywords and administer individual projects |
| admin | grants all privileges |
Default access matrix
By default, the following mapping of roles and rights is provided. This can be customized by creating a CSV file based on the table below (removing the description column). You may rename role names, add additional roles, and change the rights mapping.
To use your custom CSV file, you simply have to modify your step.properties file on the controller.
# Uncomment the following if you want to use a custom right matrix
# ui.roleprovider.filename=../conf/AccessMatrix.csvDefault access matrix content
| guest | tester | developer | admin | description | |
|---|---|---|---|---|---|
| plan-read | x | x | x | x | can open and view plans |
| plan-write | x | x | x | can create or modify plans | |
| plan-delete | x | x | can delete plans | ||
| plan-execute | x | x | x | can trigger the execution of plans | |
| plan-bulk-execute | x | x | x | can execute multiple plans in bulk from the executions list view | |
| kw-read | x | x | x | x | ‘kw’ stands for keywords, this right allows to read the configuration of a keyword |
| kw-write | x | x | can create or modify keywords | ||
| kw-delete | x | x | can delete keywords | ||
| kw-execute | x | x | x | can automatically generate a temporary plan wrapping this keyword to execute it | |
| automation-package-read | x | x | x | x | allows to read automation packages meta data |
| automation-package-write | x | x | can deploy or update automation packages (other entity rights aren’t required, for example you can deploy a package with keywords without the right kw-write) | ||
| automation-package-delete | x | x | can delete an automation package | ||
| automation-package-execute | x | x | x | can trigger executions of automation packages | |
| mask-read | x | x | x | x | Mask are the entities used for the Image and PDF compare |
| mask-write | x | x | x | can create or modify masks | |
| mask-delete | x | x | x | can delete masks | |
| mask-execute | x | x | x | can automatically generate a temporary plan wrapping this mask to execute it | |
| execution-read | x | x | x | x | allow to view execution results |
| execution-write | x | x | x | can modify execution properties such as (un)marking an execution as retained/archived | |
| execution-delete | x | x | x | can delete executions (one by one) | |
| execution-bulk-delete | x | x | x | can delete executions in bulk | |
| reportLayout-read | x | x | x | x | can read report layouts (required to view Execution Reports) |
| reportLayout-write | x | x | x | can save report layouts | |
| reportLayout-delete | x | x | x | can delete own report layouts | |
| reportLayout-shared-write | x | can overwrite shared report layouts | |||
| reportLayout-shared-delete | x | can delete shared report layouts | |||
| user-write | x | allows to create or modify users (should be reserved to administrators) | |||
| user-read | x | allows to view details of all users (should be reserved to administrators) | |||
| task-read | x | x | x | x | This right allows to read the configuration of a schedule |
| task-write | x | x | x | allows to configure the schedule, and enable or disable it from the configuration dialog | |
| task-toggle | x | x | x | allows to activate or deactiave a schedule using the toggle on the schedules list view (does not require the write right) | |
| task-delete | x | x | x | allows to delete a schedule | |
| dashboard-read | x | x | x | x | can visualize dashboards content |
| dashboard-write | x | x | can create and edit dashboards (data and display settings) | ||
| dashboard-delete | x | can delete dashboards | |||
| scheduler-manage | x | can switch on/off the scheduler globally | |||
| operations-read | x | can view the “current operations” of all executions | |||
| controller-manage | x | can shutdown the controller via the REST call | |||
| maintenance-message-write | x | can write and turn on/off the maintenance message | |||
| admin-ui-menu | x | has access to the settings menu including admin settings (only use one of admin-ui-menu or settings-ui-menu). This menu contains Maintenance, Project, Screens, Scheduler and Housekeeping settings | |||
| settings-read | x | x | x | x | this right is required when using the Step Web UI |
| settings-write | x | this right is required to modify settings such as the maven settings | |||
| settings-delete | x | this right is required to delete settings | |||
| settings-ui-menu | x | has access to the settings menu entry (only use one of admin-ui-menu or settings-ui-menu). This menu contains Project, Screens and Scheduler settings | |||
| param-read | x | x | x | x | cand read parameters |
| param-write | x | x | x | can create or modify parameters (see also param-global-write) | |
| param-delete | x | x | x | can delete parameters | |
| param-global-write | x | x | x | required to create or modify parameters with the global scope | |
| resource-read | x | x | x | x | can read resources (Step resources are entities created to manage files and directories in Step, such as CSV datapool, keyword pacakges, report attachments….). See granular resource type access control for further restriction options. |
| resource-write | x | x | x | can create or modify resources. See granular resource type access control for further restriction options. | |
| resource-delete | x | x | x | can delete resources. See granular resource type access control for further restriction options. | |
| resource-bulk-delete | x | x | x | can delete resources in bulk | |
| interactive | x | x | x | can start interactive execution | |
| token-manage | x | x | can manage agents and tokens (pause token/agents…) | ||
| monitoring-dashboard-configure | x | x | x | can configure the scheduler tasks monitoring view | |
| project-read | x | x | x | x | can read project properties |
| project-write | x | x | x | required to modify project settings, project members or to move (reassign) entities from one project to another | |
| project-delete | x | x | can delete projects | ||
| project-view-all | x | x | can use the project “[All]” filter to view the content of all projects in read-only | ||
| project-access-all | x | can access all projects with his “main” role without being an explicit member of them. Otherwise user must be a member of the project with a project’s specific role | |||
| broker-read | x | x | x | x | can view the event broker data |
| broker-write | x | x | x | can modify the even broker data including publishing events and consuming events by group or name | |
| broker-delete | x | x | can consume events by ID and clear all events and stats data | ||
| screenInputs-read | x | x | can view the screen tempates | ||
| screenInputs-write | x | x | can modify the screen tempates | ||
| screenInputs-delete | x | x | can delete screen inputs from the screen tempates | ||
| table-settings-user-write | x | x | x | can save table settings for current user | |
| table-settings-project-write | x | x | can save table settings for all users in specific project | ||
| table-settings-system-write | x | can save table settings for all users in all projects | |||
| collection-read | x | generic entity read access right used by the API collection services | |||
| collection-write | x | generic entity write access right used by the API collection services | |||
| collection-delete | x | generic entity delete access right used by the API collection services | |||
| on-behalf-of | x | allows to run or schedule execution on behalf on another user, this said user need the right plan-execute and access to the underlying project | |||
| notificationPresets-read | x | x | x | x | right to view notification presets |
| notificationPresets-write | x | x | x | right to edit notification presets | |
| notificationPresets-delete | x | x | x | right to delete notification presets | |
| systemNotificationPresets-read | x | right to view system notification presets | |||
| systemNotificationPresets-write | x | right to edit system notification presets | |||
| systemNotificationPresets-delete | x | right to delete system notification presets | |||
| alerting-rules-read | x | x | x | x | right to view alerting rules |
| alerting-rules-write | x | x | x | right to edit alerting rules | |
| alerting-rules-delete | x | x | x | right to delete alerting rules | |
| incidents-read | x | x | x | x | right to read incidents rules |
| incidents-write | x | x | x | right to write incidents rules | |
| incidents-delete | x | x | x | right to delete incidents rules |
Granular resource type access control
The rights resource-read, resource-write and resource-delete can optionally be combined with a resource-type-specific right using the pattern resource-[resourceType]-(read|write|delete) to further restrict access to specific resource types. The base right is still required.
Available resource types:
| Resource type | Description |
|---|---|
pdfTestScenarioFile |
PDF/Image compare mask scenario files |
datasource |
Datasource files (used by Plan’s forEach and dataset controls) |
functions |
Keyword files (scripts, libraries, folders…) |
stagingContextFiles |
Staging plan repository files |
attachment |
Report attachments |
temp |
Export to files features |
isolatedAp |
Automation Package files created by isolated executions |
isolatedApLib |
Automation Package library files created by isolated execution |
automationPackage |
Automation Package package files |
automationPackageLibrary |
Automation Package library files |
automationPackageManagedLibrary |
Automation Package managed library files |
Example: to give a role read-only access to datasource resources, assign both resource-read and resource-datasource-read rights to that role.