2 Access Control
This section describes how to manage access control in Moab Web Services.
2.1 Application Accounts
Applications are the consumers of MWS. They include Moab Viewpoint and
other applications that need the resources provided by MWS. An application
account consists of four editable fields and resource-specific access control settings:
Field | Required | Default Value | Value Type | Maximum Length | Description |
---|---|---|---|---|---|
Application Name | Yes | - | String | 32 | The name of the application. Must start with a letter and may contain letters, digits, underscores, periods, hyphens, apostrophes, and spaces. |
Username | Yes | - | String | 32 | Used for authentication. Must start with a letter and may contain letters, digits, underscores, periods, and hyphens. |
Description | No | - | String | 1000 | The description of the application. |
Enabled | - | true | Boolean | - | Controls whether the application is allowed to access MWS. |
Access Control Settings | Yes | All Permissions | - | - | The permissions granted to the application. This is controlled by selecting specific check boxes in a grid. |
An application account also contains an auto-generated password
that is visible only when creating the account or when resetting its
password. Whenever an application sends a REST request to MWS, it needs
to pass its credentials (username and password) in a Basic Authentication
header. See the Authentication section for more information.
The Application Name is a human-friendly way to identify an application
account, but MWS does not use it during authentication (or at any other
time, for that matter).
The Enabled field is set to true automatically when an application
account is created. To change the value of this field, see
Modifying an Application Account.
Here is an example of how you might set the fields when creating an
application account:
- Application Name: Moab Viewpoint
- Username: viewpoint
- Description: This application account grants access to Moab Viewpoint for Moab Cloud Suite.
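The naming rules from the field table and the Basic Authentication header described above, as an added example that is not part of the MWS documentation or code. It assumes "letters" means ASCII letters; the function names and the sample password are hypothetical.

```python
import base64
import re

# Rules transcribed from the field table above (maximum length 32).
MAX_LEN = 32
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.\-]*")
APP_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.\-' ]*")


def username_ok(username):
    """Starts with a letter; letters, digits, underscores, periods, hyphens."""
    return len(username) <= MAX_LEN and bool(USERNAME_RE.fullmatch(username))


def app_name_ok(name):
    """As for usernames, but apostrophes and spaces are also permitted."""
    return len(name) <= MAX_LEN and bool(APP_NAME_RE.fullmatch(name))


def basic_auth_header(username, password):
    """Build the Authorization header value an application sends to MWS."""
    if not username_ok(username):
        raise ValueError("username violates the account naming rules")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def split_basic(header):
    """Recover (username, password) from a Basic header value.

    The username rules exclude ':', so the first colon always separates the
    username from the password, even when the password contains colons.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authentication header")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep or not username_ok(user):
        raise ValueError("malformed credentials")
    return user, password


if __name__ == "__main__":
    # Field values from the example above; the password is constructed.
    print(app_name_ok("Moab Viewpoint"), username_ok("viewpoint"))
    print(split_basic(basic_auth_header("viewpoint", "constructed:pw")))
```

Basic Authentication only base64-encodes the credentials, so the header should be sent over HTTPS only.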
The permissions granted to an application account may be customized while creating or modifying
the account. See Creating an Application Account and
Modifying an Application Account.
2.1.1 Managing Application Accounts
Application accounts are used to grant access to MWS. Every application
with an application account must be granted at least one access
control permission to a resource in MWS. To manage application accounts, start with
Listing Application Accounts.
2.1.2 Listing Application Accounts
To list all application accounts, browse to the MWS home page
(https://servername/mws, for example). Log in as the admin user, then
click Admin and then Application Accounts.
Each column (except Password) can be sorted in ascending or descending
order by clicking on the column heading.
2.1.3 Creating an Application Account
To create an application account, go to the Application List page
and click Add Application. The Application Name and Username
are required fields. See Application Accounts
for more information on the fields.
Access to specific resources and plugin custom web services is granted or
revoked by checking or unchecking the check boxes in the respective
resources or plugin web services access control sections.
For each resource, access may be granted separately for each method
supported by MWS, including GET, POST, PUT, and DELETE. See the figure below
for an example.
In this example, the application has access to all available methods for the Access
Control Lists and Accounts resources and may retrieve the Events resource through
the GET method, but is denied permission to create new events through the POST method.
Access may also be granted to each plugin type's custom web service(s). When
new plugin types or plugin web services are added to MWS, applications must be
updated with the new access control settings. See below for an example.
In this example, the application has access to all the custom web services defined for the
"Test" plugin type. Note that though Unsecured Web Services are listed, access to them
cannot be denied (see Exposing Web Services for more
information).
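The per-resource, per-method grid from the resource example above can be modelled to review an account for least privilege. This is an added illustration, not MWS code: the dictionary layout, the function names and the observed request sample are constructed, and treating a resource with no row in the grid as denied is an assumption of the model.

```python
METHODS = ("GET", "POST", "PUT", "DELETE")


def is_allowed(account, method, resource):
    """True only if the account is enabled and the grid cell is checked.

    Assumption: a resource that has no row in the grid is treated as denied.
    """
    if not account["enabled"]:
        return False
    return method in account["grid"].get(resource, set())


def unused_grants(account, observed):
    """Checked grid cells that never appear in `observed`.

    `observed` is an iterable of (method, resource) pairs, for example taken
    from request logs; the result lists candidates for revocation.
    """
    seen = set(observed)
    return sorted(
        (resource, method)
        for resource, methods in account["grid"].items()
        for method in methods
        if (method, resource) not in seen
    )


# Constructed account mirroring the grid described in the text.
EXAMPLE = {
    "username": "viewpoint",
    "enabled": True,
    "grid": {
        "Access Control Lists": set(METHODS),
        "Accounts": set(METHODS),
        "Events": {"GET"},
    },
}

# Constructed sample of requests the application was seen to make.
OBSERVED = [
    ("GET", "Access Control Lists"),
    ("GET", "Accounts"),
    ("GET", "Events"),
]

if __name__ == "__main__":
    print(is_allowed(EXAMPLE, "POST", "Events"))
    for resource, method in unused_grants(EXAMPLE, OBSERVED):
        print("granted but unused:", method, resource)
```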
2.1.4 Displaying an Application Account
To show information about an application account, go to the
Application List page and click the desired application name.
In addition to displaying the values for fields, grids are also displayed
which represent the application's access control permissions defined for resources and
plugin custom web services. Examples of the resources and the plugin web services
access control displays are shown below.
2.1.5 Modifying an Application Account
To modify an application account, go to the Application List page,
click the desired application name, and then click Edit. See
Creating an Application Account for more
information on available fields and access control settings.
2.1.6 Resetting an Application Password
To reset an application password, go to the Application List page and
click the Reset link for the desired application. Alternatively, go to
the Display Application page for the desired application and click the
Reset link.
2.1.7 Deleting an Application Account
To delete an application account, go to the Application List page, click
the desired application name, and then click Delete. A confirmation
message is shown. If the OK button is clicked, the application account
is deleted from the system and cannot be recovered.