Role management
General concepts
Every Step’s user is given a main role upon creation. With the default configuration of roles and rights, only the users with the admin role will be able to access Step’s projects without further actions required. Users with other roles will need to be added as member of specific projects; for each project membership a specific role is defined.
Pre-populated Roles
| Role | Definition |
|---|---|
| guest | grants read-only access, while preventing modifications or executions |
| tester | grants most privileges required for defining and executing test plans |
| developer | in addition to the tester rights it allows to define keywords, and to administer individual projects |
| admin | grant all privileges |
Default access matrix
By default following mapping or roles and rights is provided. This can be customized by creating a CSV file based on the below table (removing the description column). You main rename role names, add additional roles and change the rights mapping.
To use your custom CSV file, you simply have to modify you step.properties file on the controller.
# Uncomment the following if you want to use a custom right matrix
# ui.roleprovider.filename=../conf/AccessMatrix.csvDefault access matrix content
Note:: description for the different entity CRUD rights are self-explanatory and as therefore been left empty.
| guest | tester | developer | admin | description | |
|---|---|---|---|---|---|
| plan-read | x | x | x | x | |
| plan-write | x | x | x | ||
| plan-delete | x | x | |||
| plan-execute | x | x | x | ||
| plan-bulk-execute | x | x | x | can execute multiple plans in bulk from the executions list view | |
| kw-read | x | x | x | x | |
| kw-write | x | x | |||
| kw-delete | x | x | |||
| kw-execute | x | x | x | ||
| automation-package-read | x | x | x | x | |
| automation-package-write | x | x | |||
| automation-package-delete | x | x | |||
| automation-package-execute | x | x | x | ||
| mask-read | x | x | x | x | |
| mask-write | x | x | x | ||
| mask-delete | x | x | x | ||
| mask-execute | x | x | x | ||
| execution-read | x | x | x | x | |
| execution-write | x | x | x | can modify execution properties such as (un)marking an execution as retained/archived | |
| execution-delete | x | x | x | can delete executions (one by one) | |
| execution-bulk-delete | x | x | x | can delete executions in bulk | |
| user-write | x | ||||
| user-read | x | ||||
| task-read | x | x | x | x | |
| task-write | x | x | x | ||
| task-delete | x | x | x | ||
| dashboard-read | x | x | x | x | can visualize dashboards content |
| dashboard-write | x | x | can create and edit dashboards (data and display settings) | ||
| dashboard-delete | x | can delete dashboards | |||
| scheduler-manage | x | can switch on/off the scheduler globally | |||
| operations-read | x | can view the “current operations” of all executions | |||
| controller-manage | x | can shutdown the controller via the REST call | |||
| maintenance-message-write | x | can write and turn on/off the maintenance message | |||
| admin-ui-menu | x | has access to the settings menu including admin settings (only use one of admin-ui-menu or settings-ui-menu). This menu contains Maintenance, Project, Screens, Scheduler and Housekeeping settings | |||
| settings-read | x | x | x | x | This right is required when using the Step Web UI |
| settings-write | x | ||||
| settings-delete | x | ||||
| settings-ui-menu | x | has access to the settings menu entry (only use one of admin-ui-menu or settings-ui-menu). This menu contains Project, Screens and Scheduler settings | |||
| param-read | x | x | x | x | |
| param-write | x | x | x | ||
| param-delete | x | x | x | ||
| param-global-write | x | x | x | ||
| resource-read | x | x | x | x | |
| resource-write | x | x | x | ||
| resource-delete | x | x | x | ||
| interactive | x | x | x | can start interactive execution | |
| token-manage | x | x | can manage agents and tokens (pause token/agents…) | ||
| notification-gateway-configure | x | add/edit the notification gateway (emails, webhooks) | |||
| notification-subscription-read | x | x | x | x | |
| notification-subscription-write | x | x | x | ||
| notification-subscription-delete | x | x | x | ||
| monitoring-dashboard-configure | x | x | x | can configure the scheduler tasks monitoring view | |
| project-read | x | x | x | x | |
| project-write | x | x | x | ||
| project-delete | x | x | |||
| project-view-all | x | x | can use the project “[All]” filter to view the content of all projects in read-only | ||
| project-access-all | x | can access all projects with his “main” role without being an explicit member of them. Otherwise user must be a member of the project with a project’s specific role | |||
| broker-read | x | x | x | x | |
| broker-write | x | x | x | ||
| broker-delete | x | x | |||
| screenInputs-read | x | x | |||
| screenInputs-write | x | x | |||
| screenInputs-delete | x | x | |||
| table-settings-user-write | x | x | x | Can save table settings for current user | |
| table-settings-project-write | x | x | Can save table setting for all users in specific project | ||
| table-settings-system-write | x | Can save table settings for all users in all projects | |||
| collection-read | x | generic entity read access right used by the API collection services | |||
| collection-write | x | generic entity write access right used by the API collection services | |||
| collection-delete | x | generic entity delete access right used by the API collection services | |||
| on-behalf-of | x | allow to run or scheduler execution on behalf on another user, this said user need the right plan-execute and access to the underlying project | |||
| dockerRegistries-read | x | x | right to view docker repositories information | ||
| dockerRegistries-write | x | x | right to edit docker repositories information | ||
| dockerRegistries-delete | x | x | right to delete docker repositories information |