Chapter 5 Access Control

This section describes how to manage access control in MWS. Applications are the consumers of MWS. They include Moab Viewpoint and other applications that need the resources provided by MWS. An application account consists of four editable fields and resource-specific access control settings:

Table 5-6: Field information

Field Required Default value Value type Maximum length Description
Application Name Yes -- String 32 The name of the application. Must start with a letter and may contain letters, digits, underscores, periods, hyphens, apostrophes, and spaces.
Username Yes -- String 32 Used for authentication. Must start with a letter and may contain letters, digits, underscores, periods, and hyphens.
Description No -- String 1000 The description of the application.
Enabled -- true Boolean -- Controls whether the application is allowed to access MWS.
Access Control Settings Yes All Permissions -- -- The permissions granted to the application. This is controlled by selecting specific check boxes in a grid.

An application account also contains an auto-generated password that is visible only when creating the account or when resetting its password. Whenever an application sends a REST request to MWS, it needs to pass its credentials (username and password) in a Basic Authentication header. For more information, see Authentication.

The Application Name is a human-friendly way to identify an application account, but MWS does not use it during authentication (or at any other time, for that matter).

The Enabled field is set to true automatically when an application account is created. To change the value of this field, see Modifying an Application Account.

Here is an example of how you might set the fields when creating an application account:

The permissions granted to an application account may be customized while creating or modifying the account. For more information, see Creating an Application Account and Modifying an Application Account.

5.223.1 Managing Application Accounts

Application accounts are used to grant access to MWS. Every application with an application account must be granted at least one access control permission to a resource in MWS. To manage application accounts, see Listing Application Accounts.

5.223.2 Listing Application Accounts

To list all applications accounts, browse to the MWS home page (for example, https://servername/mws). Log in as the admin user, click Admin and then Application Accounts.

Each column (except Password) can be sorted in ascending or descending order by clicking on the column heading.

5.223.3 Creating an Application Account

To create an application account, go to the Application List page and click Add Application. The "Application Name" and "Username" are required fields. For more details, see Field information.

Access to specific resources and plugin custom web services is granted or revoked by checking or unchecking the check boxes in the respective resources or plugin web services access control sections. For each resource, access may be granted to a resource for each method supported by MWS, including GET, POST, PUT, and DELETE. See the figure below for an example.

In this example, the application has access to all available methods for the Access Control Lists and Accounts resources as well as to retrieve the Events resource through the GET method, but is denied the permission to create new events through the POST method.

Access may also be granted to each plugin type's custom web service(s). When new plugin types or plugin web services are added to MWS, applications must be updated with the new access control settings. See below for an example.

In this example, the application has access to all the custom web services defined for the Test plugin type. Note that though unsecured web services are listed, access to them cannot be denied (for more information, see Exposing Web Services).

5.223.4 Displaying an Application Account

To show information about an application account, go to the Application List page and click the desired application name.

In addition to displaying the values for fields, grids are also displayed which represent the application's access control permissions defined for resources and plugin custom web services. Examples of the resources and the plugin web services access control displays are shown below:

5.223.5 Modifying an Application Account

To modify an application account, go to the Application List page, click the desired application name, and then click Edit. See Creating an Application Account for more information on available fields and access control settings.

5.223.6 Resetting an Application Password

To reset an application password, go to the Application List page and click the Reset link for the desired application. Alternatively, go to the Display Application page for the desired application and click the Reset link.

5.223.7 Deleting an Application Account

To delete an application account, go to the Application List page, click the desired application name, and then click Delete. A confirmation message is shown. If the OK button is clicked, the application account is deleted from the system and cannot be recovered.

Related Topics 

© 2017 Adaptive Computing