KB Article #182697

Restricted Access For Copilot Users

Problem

How to give restricted access on Copilot UI to local users?


Resolution

To give users restricted access on the Copilot UI, use Internal Access Management as the authentication method. With this method, you create users and groups and assign them to an available CFTROLE object or a custom CFTROLE* in CFT.

* Custom CFTROLE functionality is available from CFT version 3.10.

To set up Internal Access Management, follow the steps below:


For Unix Environment:

- Add the current CFT system superuser to XFBADM using "xfbadmusr" (set the same password as the system password)

- Add the other required users to the user database (XFBADM) using "xfbadmusr"

- Create the group using "xfbadmgrp" on CFT


XFBADM user and group commands:

xfbadmusr add [-l <login>] [-p <passwd>] [-u <UID>] [-g <GID>]

xfbadmusr print [-l <login>]

-l <login>: Login name

-p <passwd>: Password

-u <UID>: User identifier. When set to AUTO, the UID is generated automatically

-g <GID>: Group identifier. When set to AUTO, the GID is generated automatically


xfbadmgrp add [-G <group>] [-p <passwd>] [-g <GID>] [-u <users>]

xfbadmgrp print [-G <group>]

-G <group>: ASCII name of the user group

-p <passwd>: Password required to access this group

-g <GID>: Numeric identifier of the group. If it is set to AUTO, the GID is generated automatically

-u <usr1,usr2>: List of existing users, separated by a comma


After creating the required users and groups and adding the users to the groups, change the values of the uconf parameters. In CFT v3.6, only pre-defined roles can be used and role customization is not available. Assign the group name to one of the available CFTROLE uconf parameters.


Change the uconf parameter values:

- Change am.internal.group_database=xfbadm

(cftutil uconfset id=am.internal.group_database, value=xfbadm)

- Set id=am.internal.role.admin, value=(admin_group_name)

- Set id=am.internal.role.helpdesk, value=(operation_team_group_name)

- Set "copilot.restapi.authentication_method" value to "am"

(cftutil uconfset id = copilot.restapi.authentication_method, value = am)

- Change am.type=internal

(cftutil uconfset id=am.type, value=internal)

- Restart CFT and Copilot services.


A user with restricted access can see all the options in the UI but can perform only the actions that the assigned access allows. The available role parameters and their rights are listed below:

am.internal.role.admin -> Admin role and groups mapping. This role enables you to perform all administrative tasks.

am.internal.role.helpdesk -> Help Desk role and groups mapping. This role enables you to view the log, transfers and configuration.

am.internal.role.partnermanager -> Partner Manager role and groups mapping. This role enables you to create and manage partners.

am.internal.role.designer -> Designer role and groups mapping. This role enables you to manage flows.

am.internal.role.application -> Application role and groups mapping. This role enables an application to send transfers.


Each of these role parameters contains a list of groups, with a blank as the separator.


Note: Before changing am.type=internal, make sure you have added the CFT superuser to the xfbadm database.
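
The Unix steps above as a dry-run planner, added here as an illustration; it is not part of the original article or of CFT. It only prints the commands in the order the article requires (superuser first, am.type=internal last) and rejects role names that are not in the list above; the logins and group names are constructed, `<passwd>` is a placeholder to fill in when the commands are run, and the one-group-per-role input format is an assumption of this example.

```shell
#!/bin/sh
# Added example: dry-run planner for the Unix procedure. It prints commands, runs none.
# Role ids are the five listed in the article; user and group names are constructed.
VALID_ROLES="admin helpdesk partnermanager designer application"

# am_plan SUPERUSER "role=group ..." "group:user1,user2 ..."
am_plan() {
    superuser=$1; role_map=$2; groups=$3
    [ -n "$superuser" ] || { echo "error: superuser login required" >&2; return 1; }

    # Validate every role mapping before printing anything.
    for pair in $role_map; do
        role=${pair%%=*}; grp=${pair#*=}
        case " $VALID_ROLES " in
            *" $role "*) ;;
            *) echo "error: unknown role '$role'" >&2; return 1 ;;
        esac
        case " $groups " in
            *" $grp:"*) ;;
            *) echo "error: role '$role' maps to undefined group '$grp'" >&2; return 1 ;;
        esac
    done

    # 1. Superuser first, as the article's Note requires before am.type=internal.
    echo "xfbadmusr add -l $superuser -p <passwd> -u AUTO -g AUTO"
    # 2. Remaining users (deduplicated), then the groups that contain them.
    users=$(for g in $groups; do echo "${g#*:}" | tr ',' '\n'; done | sort -u)
    for u in $users; do
        [ "$u" = "$superuser" ] || echo "xfbadmusr add -l $u -p <passwd> -u AUTO -g AUTO"
    done
    for g in $groups; do
        echo "xfbadmgrp add -G ${g%%:*} -g AUTO -u ${g#*:}"
    done
    # 3. uconf changes; am.type=internal is always the last command printed.
    echo "cftutil uconfset id=am.internal.group_database, value=xfbadm"
    for pair in $role_map; do
        echo "cftutil uconfset id=am.internal.role.${pair%%=*}, value=${pair#*=}"
    done
    echo "cftutil uconfset id=copilot.restapi.authentication_method, value=am"
    echo "cftutil uconfset id=am.type, value=internal"
    # Restarting CFT and Copilot afterwards stays a manual step.
}
```

For example, `am_plan cftadm "admin=cftadmins helpdesk=cftops" "cftadmins:cftadm,alice cftops:bob"` prints a plan that can be reviewed before any command is run.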


For Windows Environment:

- Create a custom group in Windows, for example 'AdminGrp'.

- Add the users (whom you want to allow access) to the custom group 'AdminGrp' created above.

- Stop CFT and Copilot from Windows service.

- Change the uconf parameter values:

- Set "am.internal.role.admin" value to the group created above, "AdminGrp"

(CFTUTIL uconfset id = am.internal.role.admin, value = AdminGrp)

- Set "copilot.restapi.authentication_method" value to "am"

(CFTUTIL uconfset id = copilot.restapi.authentication_method, value = am)

- Set "am.type" value to "internal"

(CFTUTIL uconfset id = am.type, value = internal)

- Start Copilot and CFT from Windows service.


With this configuration, you can provide restricted access to local users, that is, set up Internal Access Management in CFT.