Managing user access to data sources in Lifecycle Query Engine

Lifecycle Query Engine (LQE) gathers information about project areas and membership from each application in IBM® Engineering Lifecycle Management (ELM). LQE uses this information to create data groups based on the access control settings from the project area of each tool. Data groups become part of the TRS feeds.

Before you begin

Before you can define access policies for LQE, you must add the data sources. See Connecting Lifecycle Query Engine to data sources to generate the index.

About this task

The LQE access control mechanism allows groups of users to run queries against the indexed data. When a user runs a report in Report Builder, the user sends queries to LQE to get the data for the report. Therefore, users running reports must have permission in LQE to access the data. Report Builder also queries LQE for the structure of the data. The metamodel data is used when generating a report. The queries that retrieve metamodel data from LQE run by using a Report Builder functional user, such as jrs_user. This functional user must be granted permission in LQE to run queries.

An automated access control synchronization process takes place at regular intervals; the default is every 15 minutes, but you can change this value on the Advanced Properties page.
Important: The synchronization works only with ELM applications. Both the data and the process TRS feeds must be indexed.

As an administrator, you can control the read access to the LQE index by specifying local access policies to the data that LQE indexes. However, access to the actual lifecycle data, and the tools that provide the data, is subject to the access control defined in each lifecycle tool.

Data from the lifecycle tools (the data sources) is indexed in a single index that is maintained by LQE. All read access to the index is granted and controlled by LQE, not by the data sources. When you add a data source, it automatically inherits the permissions that are defined for the LQE index root. You can use the data groups from the data sources as starting points or create new user groups with permission to access all or parts of the index. When you specify custom permissions to access the index, the project and team member permissions to access the data sources aren’t affected.

LQE also supports integration with enterprise directory servers, such as LDAP. You can choose users from the directory servers to add to the access control groups.

Remember: Access to the LQE index is entirely based on what the administrators specify on the Permissions page, regardless of the data groups from the lifecycle management tools.
This approach to LQE access control has several benefits:
  • Query and report consumers authenticate with LQE only once to use the indexed data.
  • The lifecycle management tools that you add as data sources don't have to be online or reachable when to run queries or reports.
  • Reports and queries that run against the LQE index don't consume licenses. However, access to the data in the lifecycle management tools (when you click a link in a report) is still subject to license checks.
  • Administrators can override instances where a user doesn’t have a license to a tool but wants to use artifacts in queries or reports.

If permission problems occur, messages show up on the Data Sources page at http://<host_name>:<port>/lqe/web/admin/data-sources. Click the message link to find details about the problem. If LQE can't reach the data source to set permissions, check the logs for LQE and the data source for HTTP errors or timeouts.

Example of permission errors on the data sources page

Administrators can set up email notification to find out when permission errors occur. For details, see Setting up email notification for Lifecycle Query Engine events.

Specifying user permissions

You can specify user groups and users who can view data in the entire LQE index or in specific data groups within the index. When you add a data source, it automatically inherits the permissions that are defined for the LQE index root.

When you first start LQE, no permissions are defined. You must specify which user group or user has access to the entire LQE index, each data source, or each access context that is defined in a data source.

Access to the data groups within the index is inherited from the root LQE index; however, you can block the inheritance, change permissions, and grant access to specific groups and users. When you select a group on the Permissions page, local and inherited permissions are shown, and you can see which users and groups are defined. You can’t change inherited permissions; for example, if the permissions are inherited from the parent, you can’t delete a user. You can change the permissions for a particular user directly in the parent group.

If individual users, who don’t work with the data in the applications, need access to project area data in LQE to create reports, you can add them to specific project area data sources.

Tip: If you’re defining access control for the first time and plan to customize the permissions, you might consider setting up user groups and users first, and then specifying the custom permissions.

Screen capture of the Permissions page showing several data groups under the root LQE index.

Procedure

  1. On the LQE Administration page, in the menu, under Access Control, click Permissions.
  2. On the Permissions page at http://<host_name>:<port>/lqe/web/admin/permissions, under Data Groups, select a group.
  3. To control access to the data group, choose one of the following options:
    • Inherit permissions from the parent
    • Assign different permissions
    Note: You can specify whether you want project areas and team areas to inherit permissions from the data source resource group. In this example, note that the permissions for the Business Recovery Matters team area inherit permissions from the EWM Process Resources (TRS 2.0) data group and not the parent Config Banking (Change Management) project area.
    Permissions for team area
  4. To grant access to a user group, click Add groups and select the associated check boxes.
  5. To grant access to a user, click Add users and in the Select Users dialog box, search for the specific user IDs. Select the ID, click Add, and then close.

Defining and managing user groups

You can manage the user groups that have permission to access the LQE index: create new groups and assign users or modify existing groups.
Note: Many of the user groups are automatically created by LQE; these groups shouldn’t be modified. If you make changes to these groups, they are overwritten when the synchronization runs.

Screen capture of the LQE User groups page

Procedure

  1. On the LQE Administration page navigation, under Access Control, click User Groups.
  2. To create a user group, click Add a new group.
    1. Optional: If you want to use an LDAP server to manage the user group, select the LDAP Group check box and provide the required LDAP server and Group DN information.
    2. Enter a unique name for the group and a description if you want, and click OK.
  3. To review, modify, or delete an existing user group, click a group name and take any action.

Adding LDAP connections

You can integrate LDAP servers with LQE and create user groups that are based on the LDAP groups from the data sources. When you create an LDAP-based group for LQE, you can select existing users from the integrated LDAP directory; however, you can’t add new users to an LDAP-based group.

Screen capture of the Add an LDAP connection dialog box

Procedure

  1. In the LQE Administration page menu, under Access Control, click LDAP Connections.
  2. To create a new LDAP connection, click Add LDAP Connection.
    1. Enter the URL for the LDAP server.
    2. Enter a unique label for the connection. This label is displayed in the list of LDAP connections.
    3. Enter a description of the new LDAP connection.
    4. Choose an authentication method for the new connection. If you choose Simple, provide the required user name and password.
    5. Click Next and provide the required values for each of the connection parameters.
  3. To review, modify, or remove an existing LDAP connection, click the name in the list and take any action.
    Note: You can’t add members to the LDAP-based group; they must be added on the LDAP server.

Disabling access control

In certain situations, you might have to temporarily disable access control to the indexed data.
CAUTION:
Only disable LQE access control if absolutely necessary, and reverse it as soon as possible.

Procedure

  1. On the Lifecycle Query Engine Administration page, in the menu, under Configuration, click SPARQL Service.
  2. On the SPARQL Service page, click Edit.
  3. Clear the Use Access Control 2.0 check box, select the Ignore Data Source Access Controls check box, and click Save.

Feedback