Examples for Role Management Setup
When configuring an XDM environment, it is recommended that you define roles for XDM users and design a role management system for your XDM installation.
More information about users and roles can be found in the section Users and Roles.
This document shows typical examples of such a role management system. These examples usually need to be adapted to the customer's organization and its requirements for the XDM installation.
Central Provider Setup
The Central Provider Setup is the simplest possible setup. Here, most users only have access to the data shop.
Only a small group of users has broader access permissions in order to configure XDM tasks and objects.
The following roles should be defined:
- Technical Admin: A technical role that is used in exceptional cases. Such a user is a member of the administrator role and should only be used in situations which cannot be solved by other roles.
- Admin User: A role containing users with administrative permissions. This role has access to all XDM objects but, unlike the Technical Admin, is not a member of the administrator role. It is configured by setting permissions in XDM.
- User: Users who set up processes and data shops in XDM.
- Data Shop User: Users who are only able to order test data from data shops.
In XDM, the permissions for the roles should be defined as follows:
| Role | Data Shop | Diagnose Permission | Task Template | Workflow Template | Stage Hook | Modification Set | Modification Method | Environment | Application Model | Connection, Credential, Storage Location |
|---|---|---|---|---|---|---|---|---|---|---|
| Technical Admin | | | | | | | | | | |
| Admin User | | | | | | | | | | |
| User | | | | | | | | | | |
| Data Shop User | | | | | | | | | | |

To define these permissions, it is useful to set default permissions for the roles.
Multiple Teams Setup
A Multiple Teams Setup can be used when several teams are working with XDM. The individual teams are disjoint, and all team members are usually part of one specialized team.
In this situation, there is an administration team with access to all objects. Furthermore, every team has its own admin users, users and data shop users. Access is granted only to members of the same team.
The following roles should be defined:
- Technical Admin: A technical role that is used in exceptional cases. Such a user is a member of the administrator role and should only be used in situations which cannot be solved by other roles.
- Global Admin User: A role containing users with administrative permissions. This role has access to all XDM objects from all teams but, unlike the Technical Admin, is not a member of the administrator role. It is configured by setting permissions in XDM.
- Team Admin User: Users with administrative permissions for the team's processes. These users only have access to objects from their team.
- Team User: Users who set up processes and data shops for their team. These users only have access to objects from their team.
- Team Data Shop User: Users who are only able to order test data from data shops for their team. These users only have access to data shops from their team.

The groups Team Admin User, Team User, and Team Data Shop User exist for every team.
In XDM, the permissions for the roles should be defined as follows:
| Role | Data Shop | Diagnose Permission | Task Template | Workflow Template | Stage Hook | Modification Set | Modification Method | Environment | Application Model | Connection, Credential, Storage Location |
|---|---|---|---|---|---|---|---|---|---|---|
| Technical Admin | | | | | | | | | | |
| Global Admin User | | | | | | | | | | |
| Team Admin User | | | | | | | | | | |
| Team User | | | | | | | | | | |
| Data Shop User | | | | | | | | | | |

To define these permissions, it is useful to set default permissions for the roles.
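The following added example (not part of the XDM documentation or product) audits a user-to-role assignment list against the Multiple Teams Setup described above. It flags for review any user who holds team roles in more than one team, any user who combines the Technical Admin role with other roles, and any role name outside the scheme. The `<team>/<role>` naming convention, the function name and the sample data are assumptions; treating Technical Admin as a dedicated account is an interpretation of "used in exceptional cases".

```python
# Added example: audits role assignments against the Multiple Teams Setup.
# The "<team>/<role>" naming scheme is hypothetical, not XDM's own format.

GLOBAL_ROLES = {"Technical Admin", "Global Admin User"}
TEAM_ROLES = {"Team Admin User", "Team User", "Team Data Shop User"}


def audit_assignments(assignments):
    """Return a sorted list of (user, finding) tuples.

    assignments maps a user name to a list of role strings. Global roles are
    plain names; team roles are written "<team>/<role>" (assumed scheme).
    """
    findings = []
    for user, roles in assignments.items():
        teams = set()
        global_roles = set()
        for role in roles:
            team, sep, name = role.partition("/")
            if sep and name in TEAM_ROLES:
                teams.add(team)
            elif not sep and role in GLOBAL_ROLES:
                global_roles.add(role)
            else:
                findings.append((user, f"unknown role: {role}"))
        # Teams are meant to be disjoint, so one user spanning teams needs review.
        if len(teams) > 1:
            findings.append(
                (user, "team roles in several teams: " + ", ".join(sorted(teams)))
            )
        # Technical Admin is for exceptional cases; flag it on everyday accounts.
        if "Technical Admin" in global_roles and len(roles) > 1:
            findings.append((user, "Technical Admin combined with other roles"))
    return sorted(findings)


# Constructed sample data, not taken from a real XDM installation.
SAMPLE = {
    "alice": ["billing/Team Admin User"],
    "bob": ["billing/Team User", "claims/Team Data Shop User"],
    "carol": ["Technical Admin", "Global Admin User"],
    "dave": ["claims/Team User", "claims/Team Data Shop User"],
    "erin": ["claims/Team Auditor"],
}

if __name__ == "__main__":
    for user, finding in audit_assignments(SAMPLE):
        print(f"{user}: {finding}")
```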
Multiple Teams Setup with specialized access
This scenario is similar to the previous one, but offers more possibilities for specialization within the teams. In addition to Team Users, who are only responsible for creating task templates and tasks in this scenario, there are also users who perform only specialized tasks and therefore have limited rights.
For example, Data Security Users are responsible for managing modification rules and modification sets, and thus only have permission to work with those objects. However, they are also authorized to check whether these are defined correctly by executing tasks.
Modeling Users are responsible for modeling the data structures, in particular for creating environments and application models. Therefore, they do not have access to task templates and tasks, but they can use the data shop to check whether the modeling is correct and complete.
In this scenario, there is also no global admin team; all objects are managed internally for each team.
- Technical Admin: A technical role that is used in exceptional cases. Such a user is a member of the administrator role and should only be used in situations which cannot be solved by other roles.
- Team Data Security User: Team users who set up anonymization settings for their team. These users set up modification methods and modification sets. They only have access to objects from their team.
- Team Admin User: Users with administrative permissions for the team's processes. These users only have access to objects from their team.
- Team User: Users who set up task templates, tasks and data shops for their team. These users only have access to objects from their team.
- Team Modeling User: Users who set up data structures in XDM for their team. These users set up application models and environments. However, they only have access to application models and environments belonging to their team. They have no access to task templates and tasks, not even from their own team.
- Team Data Shop User: Users who are only able to order test data from data shops for their team. These users only have access to data shops from their team.
In XDM, the permissions for the roles should be defined as follows:
| Role | Data Shop | Diagnose Permission | Task Template | Workflow Template | Stage Hook | Modification Set | Modification Method | Environment | Application Model | Connection, Credential, Storage Location |
|---|---|---|---|---|---|---|---|---|---|---|
| Technical Admin | | | | | | | | | | |
| Team Data Security User | | | | | | | | | | |
| Team Admin User | | | | | | | | | | |
| Team User | | | | | | | | | | |
| Team Modeling User | | | | | | | | | | |
| Data Shop User | | | | | | | | | | |

To define these permissions, it is useful to set default permissions for the roles.