Role to Privilege Authorization

Node administration exposes the ability to create user-defined roles with any mix of command privileges. Users can be members of more than one role.

Authorization consists of checking whether one of a user's roles has a particular privilege, optionally on a specific resource (such as a LiveView table or alert, a StreamBase stream, or a node administration command). You specify information to perform authorization checks in a RoleToPrivilegeMappings security file.

You can have any number of role-to-privilege mapping configuration files active on a node; they are all merged into one database. You add mappings by activating a new configuration using the epadmin activate configuration command, remove them by deactivating the configuration with epadmin deactivate configuration, and update them by activating a new version of an existing configuration.

StreamBase supports a fixed set of privileges for node administration, LiveView engine operations, EventFlow engine operations, and LiveView Web create permissions.

A RoleToPrivilegeMappings configuration file grants privileges one at a time to named roles. If no resource property accompanies a privilege, then it is granted to all resources of the appropriate type.

For example, a LiveView-specific configuration file might take the form of the following partial example:

name = "node24privmaps"
version = "4"
type = "com.tibco.ep.dtm.configuration.security"
configuration = {
  RoleToPrivilegeMappings = {
    privileges = {
      LVAdmin = [
        {
          privilege = "LiveViewAll"
        }
      ]
      LVUser = [
        {
          privilege = "APIConnect"
        }
        {
          privilege = "LiveViewTableList"
        }
        {
          privilege = "LiveViewTableAll"
          resource = "ItemsSales"
        }
        ...

This example grants the LVAdmin role full rights over all LiveView server actions. It grants the LVUser role the ability to connect to the server (APIConnect), the ability to list all tables (because no resource is specified), but grants full control over the ItemsSales table.

There are many LiveView-specific privileges grantable, but only a few StreamBase and LiveView Web specific privileges. These are listed in the RoleToPrivilegeMappings section of the security documentation page.

You can also grant or withhold permission to run epadmin administrative commands. Specify these privileges with a two-part resource name consisting of the epadmin verb and target linked by a period. Thus, you can grant the rights to use install.node, display.services, activate.configuration, or any other combination of commands. For example:

configuration = {
    RoleToPrivilegeMappings = {
        privileges {
            administrator=[
                {
                    privilege=AdminRunCommand
                    resource="tunable.get"
                }
                {
                    privilege=AdminRunCommand
                    resource="tunable.reset"
                }
                {
                    privilege=AdminRunCommand
                    resource="tunable.set"
                }
            ]
        }
    }