UNIFI: The administrative environment · Nordic User Training, September 2013 ©2013 Waters Corporation 2 ... Training Certificates ©2013 Waters Corporation 19 Security Checks

©2013 Waters Corporation 1

UNIFI: The administrative environment

Ken Eglinton Nordic User Training, September 2013


Topics Covered

Data Folder Hierarchy and Roles/Permissions

User Accounts

Security Checks

– Assigned Roles

Data Folders and Access Grants

– Access Grants Rules/Behaviors

– Stopping Inheritance

Global Policies and Folder Policies

Offline Storage Manager


Security area of Administration


Data Folder Hierarchy and Roles/Permissions


Data Folder Hierarchy

Organizational Hierarchy

– Company

– Facility/Department

– Lab

– Projects


Default Roles


Roles and Permissions


Comparing Roles


User Accounts


General User Account Settings


User Accounts Allowed Roles and Default Role


Notification Subscriptions


Preferences


Data Access


Device Access


Library Access


Account Licenses


Training Certificates


Security Checks


Security Checks

Once the user logs into UNIFI their Data Folders, Scientific

Library Folders and Devices are controlled and dynamically

built from the users access grants.


User – Assigned Roles

There are three Roles in the system.

– Chemist Admin 1




– Chemist Admin 2




– Chemist Admin 3



A user logs in with an account who has the Chemist Admin 2

Role.

When this user tries to create an account, what are the list of

Roles he is allowed to pick from in the Assigned Roles list?

– Chemist Admin 1 and Chemist Admin 2


Application Scenario; Assigned Roles



• Assigned roles

• Determines Role used for folder access assigned with the ‘Login Role’

Role in Access Management.

• Determines system wide permissions for tasks not applicable to a folder.

(Administrative tasks for example)



There are two Roles assigned to the Steve Bird account.



Steve Bird has Direct grant to QC Lab.



Steve Bird has Direct grant to Project 3a.



When Steve Bird logs in, what does his hierarchy look like

and with what grants?

Login Role – Direct

Chemists or Chemists

Admin 1

Login Role - Inherited

Guest - Direct


Data Folders and Access Grants


Access Grants Rules/Behavior

1. Inheritance applies and Direct grants override Inheritance.

2. Inheritance comes from the first Direct grant up the tree.

3. There can be only one unique User or Policy applied to a

single Node (Data Folder, Scientific Library Folder, Device

Folder).

4. Granting at a parent node will be inherited to any child

node, regardless if the user has the appropriate permissions

at the inherited nodes.

5. Editing at a parent node will take affect on any child node

currently inheriting, regardless if the user has the

appropriate permissions at the inherited nodes.

6. Explicit grants can only be edited by users with the

appropriate permission at the node.


Access Grant Example; Users

Steve Bird has direct access to QC Lab with Login Role



Steve Bird has inherited access to the Motrin project via QC Lab



Want Steve Bird to have only Guest access to Motrin

– Directly grant Steve Bird to the Motrin Folder

– Change Role


Access Grant Example; Stopping Inheritance

Steve Bird has direct access to Milford and is inheriting access

to the QC Lab and Motrin folders.



Administrators want to stop his access to the Motrin folder.



Select the user account then ‘Stop inheritance’



Access type changes to ‘No Inheritance’



Without a stop inheritance mechanism

administrators would have to:

– Revoke his access from the Milford folder

– Grant Direct Access to the Milford and QC Lab

folders

– Move the Motrin folder from being a child of the QC

Lab, to being a child of the Waters folder

Also, imagine if there were other users with

Direct access to the Milford folder and you still

wanted those users to continue to have access

to the Motrin folder.

– You would have to grant them back direct access to

the Motrin folder

This would be difficult for administrators

– This is the key point of Stop Inheritance



Why would we change the access type status of the user to ‘No

Inheritance’ rather than remove the user from the list?

– Because removing the user means it has been Revoked using that

command, which is different than stopping inheritance.

– Administrators coming back to Access Management after a period of

time won’t remember they have stopped inheritance on a user and

will attempt to grant direct access.



What happens when a user attempts to directly grant access of

a User or Policy to a Data Folder which has that item currently

applied but in the state of ‘No Inheritance’?

– The item will now show as a direct grant

What happens when a Folder is moved to a different point in

the Folder Hierarchy?

– Access grants will automatically change

o Items that are still inherited from the new parent will stay in the

‘No Inheritance’ state.

o Direct grants will not change


Grants and Inheritance Examples


Scenarios

Creating a Data Folder policy

Editing a Data Folder policy

Applying a Data Folder policy

Revoking a Data Folder policy

Deleting a Data Folder policy

Copy/Paste a Data Folder policy

Folder

Milford

QCLab

Project1

Project2

Project3

Analytical Development

Project 4a

Project 4b

New Jersey


Applying a Data Folder Policy

Policy A1 is applied to the Milford Folder and inherited down the tree. – Per the rules, Inheritance applies and Direct grants

override Inheritance

Node Policy

Milford -

QCLab -

Project1 -

Project2 -

Project3 -

Analytical Development -

Project 4a -

Project 4b -

New Jersey -

Node Policy

Milford A1 Direct

QCLab A1 Inherited

Project1 A1 Inherited



Analytical Development A1 Inherited

Project 4a A1 Inherited

Project 4b A1 Inherited

New Jersey A1 Inherited



User wants to replace Policy A1 with Policy A2 at Milford. – We must first check to ensure the user has the permission to

‘Assign/Revoke folder policies’ at the folder. o If yes, the policy shall be applied.

o Per the rules, any sub-nodes that do not have an explicit policy shall inherit the applied policy from it’s parent.

Node Policy

Milford A1 Direct

QCLab A1 Inherited








Node Policy

Milford A2 Direct

QCLab A2 Inherited










User wants to replace Policy A1 with Policy A2 at Project2. – We must first check to ensure the users has the permission to

‘Assign/Revoke folder policies’ at the folder. o If yes, the policy shall be applied.

o Per the rules, any sub-nodes that do not have an explicit policy shall inherit the applied policy from it’s parent.

Node Policy

Milford A1 Direct

QCLab A1 Inherited








Node Policy

Milford A1 Direct

QCLab A1 Inherited


Project2 A2 Direct








User has the permission to ‘Assign/Revoke folder policies’ at the QCLab, Project1 and Project2 part of the hierarchy, but does not have the permission at Project3.

The user wants to replace Policy A1 with Policy A2 at QCLab. – Per the rules this action is allowed because Project3 is inheriting the

policy.

Node Policy

Milford A1 Direct

QCLab A1 Inherited








Node Policy

Milford A1 Direct

QCLab A2 Direct










User has the permission to ‘Assign/Revoke folder policies’ at the QCLab, Project1 and Project2 part of the hierarchy, but does not have the permission at Project3.

The user wants to replace Policy A1 with Policy A3 at QCLab. – Per the rules this action is allowed because Project3 has policy A2

Directly assigned and Project3 is not changed.

Node Policy

Milford A1 Direct

QCLab A1 Inherited



Project3 A2 Direct





Node Policy

Milford A1 Direct

QCLab A3 Direct



Project3 A2 Direct






Revoking a Data Folder Policy

User has the permission to ‘Assign/Revoke folder policies’ at the Milford part of the hierarchy.

User attempts to Revoke policy A1 from Milford. – Per the rules this action is allowed because all sub folders are inheriting.

– The user is prompted with a dialog indicating the policy will be removed from the Milford folder and all Inherited folders.

Node Policy

Milford A1 Direct

QCLab A1 Inherited








Node Policy

Milford -

QCLab -

Project1 -

Project2 -

Project3 -


Project 4a -

Project 4b -

New Jersey -


Revoking a Data Folder Policy

User has the permission to ‘Assign/Revoke folder policies’ a policy at the Milford part of the hierarchy.

User attempts to Revoke policy A1 from Milford. – Per the rules this action is allowed and applied to all sub folders inheriting the policy as well.

– The user is prompted with a dialog indicating the policy will be removed from the Milford folder and all Inherited folders.

– Any folders within Milford that have Direct policy grants are not affected.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited


Project2 A2 Direct






Node Policy

Milford -

QCLab -

Project1 -

Project2 A2 Direct



Project 4a -

Project 4b -

New Jersey -


Deleting a Data Folder Policy

User has the permission to ‘Delete’ a policy which allows the user to delete the policy from the Global folder policy list.


Creating a Folder

User attempts to Create Project5 in the QCLab folder.

– All policies shall be inherited from the first parent up the hierarchy with a direct Policy grant.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited




Project5 -





Node Policy

Milford A1 Direct

QCLab A1 Inherited










Creating a Folder

User attempts to Create Project5 in the QCLab folder. – All policies shall be inherited from the first parent up the

hierarchy with a direct Policy grant. o In this case, there are no policies assigned so the new project does not

get any either.

Node Policy

Milford -

QCLab -

Project1 -

Project2 -

Project3 -

Project5 -


Project 4a -

Project 4b -

New Jersey -


Moving a Folder

User attempts to Move Project2 from the QCLab folder to the

Analytical Development Lab folder.

– Inheritance applies and in this case there is no change as the

Analytical Development Lab is also inheriting from above.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited




Project5 A2 Explicit





Node Policy

Milford A1 Direct

QCLab A1 Inherited










Moving a Folder



– Inheritance applies and in this case Project 2 and Project3 receive

Policy A2.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited





Analytical Development A2 Explicit




Node Policy

Milford A1 Direct

QCLab A1 Inherited



Analytical Development A2 Direct







Moving a Folder



– Explicit Grants override Inheritance and in this case Project 2 and

Project3 retain Policy A2.

Node Policy

Milford A1 Explicit

QCLab A1 Inherited









Node Policy

Milford A1 Direct

QCLab A1 Inherited




Project2 A2 Direct






Access Management

Those scenarios apply to not only Data Folder Policies, but

user access grants in Access Management as well.


Global Policies and Folder Policies


Overview of UNIFI Policies

Global policies apply to the entire UNIFI Installation

Data Folder Policies apply to a specific Data Folder

By default Everest shall track all actions and the audit trails

shall contain the following: Who, What, When, Old Value and

New Value.

Everest shall have two types of policies to configure the

‘Why’:

– Global Audit Trail Reasons and Data Folder Reason


Global Policies


Global Policies


Global Policies


Global Policies


Global Policies


Global Policies


Global Policies


Folder Policies


Folder Policies


Predefined Reasons


UNIFI Offline Storage Manager (OSM)


OSM Configuration


OSM Configuration


OSM Configuration


OSM Configuration


OSM Configuration


OSM Configuration


OSM Policy


OSM Policy


OSM Policy


OSM Policy


OSM Policy


Questions?

Documents

UNIFI: The administrative environment · Nordic User Training, September 2013 ©2013 Waters Corporation 2 ... Training Certificates ©2013 Waters Corporation 19 Security Checks