Permissions
Administrators in Intrexx
In Intrexx, there are two types of administrators: the portal administrator and the supervisor administrator.
The difference between the two administrators results from the architecture of Intrexx (see also Intrexx architecture).
Supervisor
One component of Intrexx is what is known as the Supervisor. The Supervisor is a program that controls the creation and management of portals and other cross-portal actions. This means that when you create a new portal with the Portal Manager, a connection to the Supervisor is established first. In other program contexts, the Portal Manager does not connect or reconnect to the Supervisor.
The Supervisor does not have its own graphical interface.
Supervisor administrator
The Supervisor has its own administrator or administrator role.
Assign password for the Supervisor administrator
As of Intrexx Steady Track 10.5.0, you will be prompted during the installation of Intrexx to assign a password for the Supervisor administrator. For more information on this, refer to the section Administrator account (Supervisor).
You can change the password for the Supervisor administrator and create additional Supervisor administrators. Detailed information about this can be found in the section Administration login.
Querying the supervisor-administrator password
To perform the following actions in Intrexx, you will be asked for the password for the Supervisor administrator:
Delete portals
Import portals
Change licensing details
Manage administration logins
Use the tool SystemCare
For more information on this, refer to the section Administration login.
The Supervisor administrator is not listed in the "Users" module. Only the portal administrators are listed or managed there.
Portal administrator
Once you have created a portal, the portal has a portal administrator. This role is responsible for central actions related to the administration of a portal. Refer also to the section "Administrators" user group.
You can create and manage additional portal administrators in the Intrexx Portal Manager after you have logged in to the portal. Refer also to the section Users module.
The portal administrator is listed in the "Users" module.
Administration login
The main menu "Tools/manage administration logins" opens a dialog in which the list of administration users is managed. Central, overriding permissions are provided here. These permissions apply to every portal.
List of administration users
Every username defined as an administration login is shown here.
Delete
Deletes the currently selected administration user.
Add / Edit
Opens a dialog where a new administration login user can be added or the currently selected administration login user can be edited.
User
If a new administration user is created, enter a username here. The usernames for administration logins have no correlation to the usernames of other administrators (e.g. from the User management). The name can be chosen freely.
New password / Retype password
Enter a password and repeat it.
The dialog shows the following fields when an existing administration user is being edited:
Current password
Enter the current password.
New password / Retype password
Enter the new password and repeat it.
Click on "OK" to save the settings and close the dialog.
An administration login user can
Create portals
Delete portals
Import portals
Change licensing details
Manage administration logins
Use the tool SystemCare
Supervisor password
A supervisor password can be assigned during installation. There are four variants of how an installation can be carried out:
Variant 1 - Installation via UI
Here, a dialog is displayed when the summary is exited, prompting the user to enter a password.
Variant 2 - Interactive Installation via console
Again, the user must enter and confirm the desired supervisor password.
Variant 3A - Installation via configuration file with specified supervisor password
The supervisor password specified in configuration.yml (attribute name "supervisorPassword") is applied. It is not included in the configuration file stored in the installation directory ("/installer/cfg/configuration.yml"), because passwords would otherwise appear in plain text on the server. Please note that the "yml" file format has been used since Intrexx Steady Track 10.1.0. In previous versions, a .properties file was used here.
Variant 3B - Installation via configuration file without specified supervisor password
If no password is specified in the configuration file, a random password is generated. It is stored in the installation directory under "/cfg/initial_passwd". This ensures that a privileged login on the supervisor only occurs if you also have access to the file system. When the Portal Manager logs on to the supervisor for the first time, it checks whether the randomly assigned password has been changed. If this is not the case, a prompt to change the password is displayed. Once the password has been changed, the initial_passwd file is automatically deleted.
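The outcome of Variants 3A and 3B can be checked on the server after installation. The following shell function is an added example, not Intrexx code: it reports whether initial_passwd still exists (the random password was never changed), whether that file is accessible beyond its owner, and whether the installed configuration.yml carries a supervisorPassword value. The installation root argument and the finding labels are assumptions; the relative paths and the attribute name are those given above.

```shell
#!/bin/sh
# Added example, not vendor code. Relative paths and the attribute name come
# from the page; the installation root passed as $1 is an assumption.

# Prints one finding per line; the exit status is the number of findings.
audit_supervisor_secrets() {
    root=$1
    findings=0

    # Variant 3B: cfg/initial_passwd exists until the random password is changed.
    pw="$root/cfg/initial_passwd"
    if [ -f "$pw" ]; then
        echo "UNCHANGED: $pw exists, random supervisor password still in use"
        findings=$((findings + 1))
        # File-system access is the only barrier, so group/other need no access.
        mode=$(ls -ld "$pw" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PERMS: $pw is accessible to group/other ($mode)"
            findings=$((findings + 1))
        fi
    fi

    # Variant 3A: the installed configuration.yml should hold no password value.
    # Empty values, empty quotes and comments after the colon are not flagged.
    cfg="$root/installer/cfg/configuration.yml"
    re="^[[:space:]]*supervisorPassword[[:space:]]*:[[:space:]]*[\"']?[^[:space:]#\"']"
    if [ -f "$cfg" ] && grep -Eq "$re" "$cfg"; then
        echo "PLAINTEXT: $cfg contains a supervisorPassword value"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Demo on a constructed tree (sample values, not real data).
demo=$(mktemp -d)
mkdir -p "$demo/cfg" "$demo/installer/cfg"
echo 'constructed-random-pw' > "$demo/cfg/initial_passwd"
chmod 644 "$demo/cfg/initial_passwd"
echo 'supervisorPassword: "constructed-example"' > "$demo/installer/cfg/configuration.yml"
audit_supervisor_secrets "$demo" || echo "findings: $?"
rm -rf "$demo"
```

A non-zero exit status equals the number of findings, so the function can gate a post-installation check.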
Provide permissions
In Intrexx, permissions are provided in the permissions dialog, which generally has the same structure.
First column
Displays an image that represents the type of permission holder.
"Name" column
Displays the name of the permission holder.
"Path" column
Displays the path to the user object in the User Manager.
"Add" button
Opens a dialog where a user object can be selected.
"Remove" button
Removes the user object from the list. This does not mean that all of their permissions are automatically removed. The permission holder could still possess permissions by being a member of other objects, e.g. by being a member of the Users group.
"Permissions" column
When you select a permission holder at the top of the dialog, the individual permissions are displayed at the bottom.
Permit
Activate the respective checkbox to provide the user object with the desired permissions.
Portal access permissions
Portal permissions are controlled from the main menu "Portal / Portal access permissions". This menu item is only available after logging in to a portal. All permissions defined here are valid for the current portal.
Administrate portal
With this permission, portal properties can be configured and portal exports or imports can be created via the main menu "Portal / Portal exports" or "Portal imports".
Configure portal pages in the browser
Permissions holders are allowed to administrate the portal pages in the default mode.
Access ... module
Permissions holders have access to the corresponding module in the Portal Manager.
Intrexx Share Chat
Permission holders can use Intrexx Share Chat.
Publish Velocity and Groovy scripts
Users with this permission may publish Velocity and Groovy scripts to the server.
Access Integration modules
With this permission, users are allowed to use the following functions in the "Integration" module:
Manage JDBC data sources
Run data transfers
Manage FileWalker connections
Register OData services
Provide OData services
Register web services
Provide web services
Document integration
Register Lotus Notes sources
Manage Microsoft Exchange sources
Manage SAP Business Suite sources
Manage SAP Business One sources
Register M-Files services
Access to tools
Users with this permission are allowed to configure the Tools module:
Use system monitor
Manage Lucene indexes
Manage task scheduler
Manage request variables
Access email service
User
In the Users module, permissions are managed on two different levels: Global and individual permissions.
Global permissions
Global permissions are managed via the User menu / Permissions main menu. Permission holders can edit object classes and object instances, have access to the Schema manager, can add, edit and delete classes or attributes or edit the organigram.
Administration
With the permission "Write configuration", existing object classes in the Schema manager can be edited.
Object classes
Manage class
With this permission, existing object classes in the Schema manager can be edited.
Create new object
Allows the creation of new objects within the class in the Schema Manager.
Object instances
Manage
Applies to the instances taken from the basic classes Container, Set and User. It enables the editing of all taken instances or the respective basic class including the instances from subclasses.
Please note that individual permissions will be overruled when you assign global permissions.
Individual permissions
These are managed via the main menu "Edit / Permissions". This menu is available if a user object has been selected.
Add user objects
Click here for more information about the selection of users in the upper area of this dialog.
"Manage" permission
With the individual permission to edit the properties of individual object instances, you permit the changing of values that are also stored physically in the database for each instance, such as the name of the instance or address or contact data for an instance of the user object.
Apply these settings recursively
With this setting, the "Manage" permission is applied to all objects subordinate to the current user object, or revoked there if you have disabled the permission for the currently selected object.
Default users and user groups
Newly created portals already contain the user groups "Administrators" and "Users", as well as the users "Administrator" and "Anonymous". Here you can find information about the permissions of these users and user groups.
Application permissions
Application permissions are defined in the Applications module. Furthermore, the administration permission, which allows the user to edit the application technically, can be provided. The application permissions can be edited via the Application menu / Permissions or the Edit menu / Properties, when the application node is selected.
On the left of the dialog, you can see tabs which represent the different levels of access permissions that can be defined for the application:
Application
Access to the application link and the starting page in the browser, administration permissions
Pages
Access to additional individual pages
Data groups
Read and write access to application data
File fields
Read and write access to file fields
Search configurations
Permissions for search configurations
Topics
Permissions for topics
Click here to find out how you can add permission holders and assign individual permissions in the right area of the dialog.
New or edited permission settings are transferred to the server when the application is published.
Application
Full access
This setting automatically activates all other permissions.
Manage application
Permission holders are allowed to administrate the application in the Applications module.
Use application
Permissions holders have access to the application link and the starting page of the application.
The Administrators user group has full access to all pages and data groups of the application, as well as the application itself. This setting cannot be changed within the application permissions. Remove a permission holder from the Administrators user group if you do not want them to have the permission to administrate applications. The creator of an application always has permission to administrate the application. This permission will be given automatically to the creator of an application.
Pages
Allows you to provide access to individual pages of the application. If you select one or more pages on the left, you can determine the permissions for all of these pages on the right. All pages that the user does not have permission for are automatically hidden from the application menu. Buttons that lead to an unpermitted page are not shown in the browser.
Data groups
Here you will define in which data group data can be read, added to, modified or deleted.
The data group permissions for Intrexx Share are controlled internally with Java classes and cannot be changed here.
Full access
This setting automatically marks all additional permissions.
Read data record
Permissions holders may read the data of an application.
Read data record (own)
Permissions holders may read existing data records they have saved.
Add data record
Permissions holders may add new data.
Change data record
Permissions holders may modify existing data records.
Change data record (own)
Permissions holders may modify existing data records they have saved.
Delete data record
Permissions holders may delete existing data records.
Delete data record (own)
Permissions holders may delete existing data records they have saved.
File fields
If a data group contains file data fields, the following permissions can be assigned here:
Full access (enables all permissions named below)
Read file
Read file (own)
Add file
Change file
Change file (own)
Delete file
Delete file (own)
To do so, select the corresponding file field in the application structure in the left-hand area of the dialog.
Apply permissions of the data group
If this setting is active, all permissions configured for the data group will be applied to all file fields contained in it. The permissions for data fields can only be set individually if this setting is not active.
If individual permissions are assigned to a single file field, a conflict check occurs. In the permissions table, the permissions will be highlighted in red if a conflict has been detected. A conflict occurs when permissions to a file field are assigned that, according to the data group, are not permitted. For example: A user may only read in the data group. If this user is given the Delete permission for a file field in the data group, a conflict occurs. The "Delete" permission will then be highlighted in red.
Search configurations
On the left-hand side of the dialog, select the search configurations you would like to define permissions for.
Apply permissions of the data group
If this setting is activated, the permissions of the data group, which you have defined in the search configuration properties, will be used.
Topics
"Topics" are connected to WebSockets. They represent the object that outputs WebSocket messages or makes them available. A "consumer" can subscribe to a topic. A topic can be compared to a message channel that can be subscribed to.
You can grant the following permissions for topics:
Full access
If you select this option, the corresponding user is granted both the "Read topic" and "Write to topic" permissions.
Read topic
With this permission, you can control which users should be able to see WebSocket messages in the browser.
Write to topic
This permission refers to the user of a process that contains a WebSocket action or a Groovy action with WebSocket functions. You can execute processes in a user context. The permissions of the respective user are relevant in this case. If the user does not have the "Write to topic" permission, then a WebSocket message will not be sent via the process and will also not appear in the browser.
More information about WebSockets is available here:
Menu structure
Permissions can be assigned for each menu item. These permissions can be edited via the main menu "Portal / Edit menu structure". Menu items that a user may not select will be hidden in the browser.
The permission "Administer menu item (CMS)" allows the CMS application to publish articles under this menu item. Articles are published directly in the CMS application. For menu items that originate from the CMS, the permissions cannot be managed via the menu designer. Deleting a CMS menu item is also only possible via the CMS application. Menu items that refer to CMS content can only be managed in the CMS application.
The permission "Select menu item" allows the corresponding user to select the menu item in the browser.
With the permission "Full access", all rights are automatically marked as "Allowed" and are applied when you click "OK".
Click here to find more information about editing the menu structure.
FileWalker
Access to files on the network is managed in two places: in the connection in the "Integration" module and in the properties of the FileWalker element in the "Applications" module.
Set permissions in the Integration module
Click here to find information about how to add users to the list of permission holders.
Full access
This setting automatically activates all other permissions.
Administration
With this permission, the settings of the connection can be administrated.
Use in applications
Permissions holders are allowed to select the connection in the Applications module and assign it to a FileWalker element.
Please note that permissions for FileWalker connections are subordinate to the directory permissions of the individual users.
Application permissions
The permissions for the FileWalker application element are provided on the Permissions tab in the properties dialog.
Click here to find information about how to add users to the list of permission holders.
Full access
This setting automatically marks all additional permissions.
Direct access
The permissions holder has direct access to all files. Changes will be applied to the original files.
Download
Download files.
Create file
Create new files.
Copy file
Create copies of a file.
Overwrite file
Overwrite files.
Rename file
File names can be changed.
Delete file
Files can be deleted.
Create directory
Additional network directories can be created.
Rename directory
Directory names can be changed.
Delete directory
Directories can be deleted.
The permissions can be activated by clicking the corresponding checkbox in the "Permit" column. Users of the FileWalker also require permissions for the application and for the page that contains the FileWalker element.
Office Integration
The users of Office integration must at least have the data group permissions "Read", "Add", and "Change" for the data group that contains the edit page. These permissions are required to edit documents. Permissions for the edit page are also required.
Web service
To be able to configure web services, the user requires the portal permission Register web services and permission for the Tools module.
Implement a login module
Click here for more information about this topic.