2 Access Control

This section describes how to manage access control in Moab Web Services.

2.1 Application Accounts

Applications are the consumers of MWS. They include Moab Viewpoint and other applications that need the resources provided by MWS. An application account consists of four editable fields and resource-specific access control settings:

| Field | Required | Default Value | Value Type | Maximum Length | Description |
|---|---|---|---|---|---|
| Application Name | Yes | - | String | 32 | The name of the application. Must start with a letter and may contain letters, digits, underscores, periods, hyphens, apostrophes, and spaces. |
| Username | Yes | - | String | 32 | Used for authentication. Must start with a letter and may contain letters, digits, underscores, periods, and hyphens. |
| Description | No | - | String | 1000 | The description of the application. |
| Enabled | - | true | Boolean | - | Controls whether the application is allowed to access MWS. |
| Access Control Settings | Yes | All Permissions | - | - | The permissions granted to the application. This is controlled by selecting specific check boxes in a grid. |

An application account also contains an auto-generated password that is visible only when creating the account or when resetting its password. Whenever an application sends a REST request to MWS, it needs to pass its credentials (username and password) in a Basic Authentication header. See the Authentication section for more information.

The Application Name is a human-friendly way to identify an application account, but MWS does not use it during authentication (or at any other time, for that matter).

The Enabled field is set to true automatically when an application account is created. To change the value of this field, see Modifying an Application Account.

Here is an example of how you might set the fields when creating an application account:

  • Application Name: Moab Viewpoint
  • Username: viewpoint
  • Description: This application account grants access to Moab Viewpoint for Moab Cloud Suite.
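The field rules from the table and the Basic Authentication header described above, as an added example that is not MWS code. It assumes "letters" means ASCII letters; the function names are hypothetical.

```python
import base64
import re

# Rules transcribed from the field table (ASCII letters are an assumption).
APP_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.\-' ]*")
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.\-]*")
MAX_NAME, MAX_USERNAME, MAX_DESCRIPTION = 32, 32, 1000


def validate_account(name, username, description=""):
    """Return the names of fields that break the table's rules ([] if valid)."""
    errors = []
    if len(name) > MAX_NAME or not APP_NAME_RE.fullmatch(name):
        errors.append("Application Name")
    if len(username) > MAX_USERNAME or not USERNAME_RE.fullmatch(username):
        errors.append("Username")
    if len(description) > MAX_DESCRIPTION:
        errors.append("Description")
    return errors


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic authentication."""
    if len(username) > MAX_USERNAME or not USERNAME_RE.fullmatch(username):
        raise ValueError("username violates the username rules")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header):
    """Recover (username, password) from a header value.

    The username rules exclude ':', so splitting on the FIRST colon is
    unambiguous even when the generated password itself contains a colon.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password
```

`parse_basic_auth` needs no key to recover the password: the header is encoded, not encrypted, so its confidentiality depends entirely on the HTTPS transport.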

The permissions granted to an application account may be customized while creating or modifying the account. See Creating an Application Account and Modifying an Application Account.

2.1.1 Managing Application Accounts

Application accounts are used to grant access to MWS. Every application with an application account must be granted at least one access control permission to a resource in MWS. To manage application accounts, start with Listing Application Accounts.

2.1.2 Listing Application Accounts

To list all application accounts, browse to the MWS home page (for example, https://servername/mws). Log in as the admin user, click Admin, and then click Application Accounts.

Each column (except Password) can be sorted in ascending or descending order by clicking on the column heading.

2.1.3 Creating an Application Account

To create an application account, go to the Application List page and click Add Application. The Application Name and Username are required fields. See Application Accounts for more information on the fields.

Access to specific resources and plugin custom web services is granted or revoked by checking or unchecking the check boxes in the respective resources or plugin web services access control sections. For each resource, access may be granted separately for each method supported by MWS, including GET, POST, PUT, and DELETE. See the figure below for an example.

In this example, the application has access to all available methods for the Access Control Lists and Accounts resources as well as to retrieve the Events resource through the GET method, but is denied the permission to create new events through the POST method.
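The grid from this example, modelled as an added sketch (not MWS code) that also shows a least-privilege review: it compares the checked boxes with the requests an application actually made. The grid model, the function names and the observed-request sample are all constructed for illustration.

```python
METHODS = ("GET", "POST", "PUT", "DELETE")

# Constructed grid mirroring the example in the text: every method on
# Access Control Lists and Accounts, GET only on Events.
GRID = {
    "Access Control Lists": set(METHODS),
    "Accounts": set(METHODS),
    "Events": {"GET"},
}

# Constructed sample of (method, resource) requests seen in a review period.
OBSERVED = [
    ("GET", "Accounts"),
    ("POST", "Accounts"),
    ("GET", "Events"),
    ("POST", "Events"),
    ("GET", "Access Control Lists"),
]


def is_allowed(grid, resource, method):
    """Model assumption: only a checked (resource, method) box permits a request."""
    return method.upper() in grid.get(resource, set())


def audit(grid, observed):
    """Return (unused, denied) as sorted lists of (resource, method) pairs.

    unused: granted permissions that no observed request exercised,
            i.e. candidates for unchecking.
    denied: observed requests that the grid does not permit.
    """
    used = {(resource, method.upper()) for method, resource in observed}
    granted = {(res, m) for res, methods in grid.items() for m in methods}
    return sorted(granted - used), sorted(used - granted)
```

Since the Access Control Settings default is All Permissions, the `unused` list is the starting point for trimming a newly created account down to what the application needs.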

Access may also be granted to each plugin type's custom web service(s). When new plugin types or plugin web services are added to MWS, applications must be updated with the new access control settings. See below for an example.

In this example, the application has access to all the custom web services defined for the "Test" plugin type. Note that although Unsecured Web Services are listed, access to them cannot be denied (see Exposing Web Services for more information).

2.1.4 Displaying an Application Account

To show information about an application account, go to the Application List page and click the desired application name.

In addition to displaying the values for fields, grids are also displayed which represent the application's access control permissions defined for resources and plugin custom web services. Examples of the resources and the plugin web services access control displays are shown below.

2.1.5 Modifying an Application Account

To modify an application account, go to the Application List page, click the desired application name, and then click Edit. See Creating an Application Account for more information on available fields and access control settings.

2.1.6 Resetting an Application Password

To reset an application password, go to the Application List page and click the Reset link for the desired application. Alternatively, go to the Display Application page for the desired application and click the Reset link.

2.1.7 Deleting an Application Account

To delete an application account, go to the Application List page, click the desired application name, and then click Delete. A confirmation message is shown. If the OK button is clicked, the application account is deleted from the system and cannot be recovered.