Groups

CloverDX Server > Administration > Users and Groups > Groups

Group is an abstract set of users, which gives assigned users some permissions. So it is not necessary to specify permissions for each single user.

There are independent levels of permissions implemented in CloverDX Server

permissions to Read/Write/eXecute in sandboxes - The sandbox owner can specify different permissions for different groups. For details, see Sandbox Content Security and Permissions.
permissions to perform some operation - user with an operation permission Permission assignment may assign specific permission to existing groups.
permissions to launch specific service - For details, see Chapter 48, Launch Services, Data Services.

Table 24.4. Default groups created during installation

Group name	Description
admins	This group has an operation permission all assigned, which means, that it has unlimited permission. Default user clover is assigned to this group, which makes him administrator.
all users	By default, every single CloverDX user is assigned to this group. It is possible to remove a user from this group, but it is not a recommended approach. This group is useful for some permissions to sandbox or some operation, which you would like to make accessible for all users without exceptions.

Users Assignment

Relation between users and groups is N:M. Thus in the same way, how groups are assignable to users, users are assignable to groups.

Groups permissions

Groups permissions are structured as a tree, where permissions are inherited from the root to leafs. Thus if some permission (tree node) is enabled (blue dot), all permissions in sub tree are automatically enabled (white dot). Permissions with red cross are disabled.

Thus for the admin group just the all permission is assigned, every single permission in the sub tree is assigned automatically.

With none of the following privileges, a user can: log into the Server console, create a server project (in Designer) from its own sandbox, create a file in its own existing sandbox, and run graphs.

All permissions
The user with this permission has all available permissions. The Admin group has all permissions by default.
- Unlimited access to sandboxes
  Allows the user to perform operations on all sandboxes, even if the sandbox accessibility is not specified explicitly.
  This permission does not include the suspend sandbox permission.
  - Sandboxes
    Allows the user to work with sandboxes. This permission contains all the permissions below. The user can perform operations only on sandboxes owned by himself or on sandboxes with explicitly added access to him, see Sandboxes.
    List sandbox
    In the Server web interface, it allows the user to list their sandboxes and sandboxes with read permission granted to the user's group.
    In the Server web interface, this permission is necessary to create, edit, or delete sandboxes.
    Within a sandbox with the write access granted, the user can edit or remove files and create or delete directories even without this permission.
    Create sandbox
    Allows the user to create new sandboxes.
    If a sandbox is to be created in web interface, the user must have the list sandbox permission.
    Delete sandbox
    Allows the user to delete sandboxes.
    If a sandbox is to be deleted in web interface, the user must have the list sandbox permission.
    Edit sandbox
    Allows the user to edit sandboxes.
    If a sandbox is to be modified in web interface, the user must have the list sandbox permission.
    May delete files missing in uploaded ZIP
    In Sandbox → Upload ZIP, it allows the user to use a checkbox to delete files missing in the ZIP to be uploaded. If the user does not have this permission, the checkbox to delete mission files in ZIP is not displayed.
    If a sandbox is to be uploaded from a ZIP file in the Server web interface, the user must have the list sandbox permission.
- Scheduling
  Allows the user to manage schedules, see Scheduling.
  - List schedule
    Allows the user to list all schedules.
    List schedule limited
    Allows the user to list the enabled schedules.
  - Create schedule
    Allows the user to create new schedules.
    The user must have the list schedule limited permission to access the scheduling section to create a new schedule.
  - Delete schedule
    Allows the user to delete schedules.
    The user must have the list schedule limited permission or list schedule permission to access the scheduling section to delete the schedule.
  - Edit schedule
    Allows the user to edit schedules.
    The user must have the list schedule limited permission or list schedule permission to access the scheduling section to edit the schedule.
- Event listeners
  Allows the user to manage event listeners, see Listeners.
  - List of Event Listeners
    Allows the user to list all event listeners.
    List of Jobflow Event Listeners unlimited
    Allows the user to list jobflow event listeners.
    See Jobflow Event Listeners
    List of Jobflow Event Listeners limited
    Allows the user to list jobflow event listeners of sandboxes the user can read from.
    List of Graph Event Listeners unlimited
    Allows the user to list all graph event listeners, see Graph Event Listeners.
    List of Graph Event Listeners limited
    Allows the user to list graph event listeners from sandboxes the user can read from.
    List of File Event Listeners unlimited
    Allows the user to list all file event listeners, see File Event Listeners (remote and local).
    List of File Event Listeners limited
    Allows the user to list all file event listeners.
    List of JMS Event Listeners unlimited
    Allows the user to list all JMS listeners, see JMS Message Listeners.
    List of JMS Event Listeners limited
    Allows the user to list all JMS listeners.
    List of Universal Event Listeners unlimited
    Allows the user to list all universal event listeners, see Universal Event Listeners.
    List of Universal Event Listeners limited
    Allows the user to list all universal event listeners.
    See Universal Event Listeners.
    List of Task Event Listeners unlimited
    Allows the user to list all task event listeners, see Task Failure Listeners.
    List of Task Event Listeners limited
    Allows the user to list all task event listeners from sandboxes the user can read from.
    See Task Failure Listeners.
  - Create Event Listener
    Allows the user to create event listeners.
    If an event listener is to be created in the Server web interface, the user must have permission to list the event listeners of the particular type.
    Create Jobflow Event Listener
    Allows the user to create new Jobflow Event listeners.
    If a Jobflow event listener is to be created in the Server web interface, the user must have the list of jobflow event listeners limited permission.
    See Jobflow Event Listeners.
    Create Graph Event Listener
    Allows the user to create graph event listeners.
    If a graph event listener is to be created in the Server web interface, the user must have the list of graph event listeners limited permission.
    See Graph Event Listeners.
    Create File Event Listener
    Allows the user to create graph event listeners.
    If a file event listener is to be created in the Server web interface, the user must have the list of file event listeners limited permission.
    See File Event Listeners (remote and local).
    Create JMS Listener
    Allows the user to create JMS event listeners.
    If a JMS event listener is to be created in the Server web interface, the user must have the list of JMS event listeners limited permission.
    See JMS Message Listeners.
    Create Universal Event Listener
    Allows the user to create universal event listeners.
    If a universal event listener is to be created in the Server web interface, the user must have the list of universal event listeners limited permission.
    See Universal Event Listeners.
    Create Task Event Listener
    Allows the user to create task event listeners.
    If a task event listener is to be created in the Server web interface, the user must have the list of task event listeners limited permission.
    See Task Failure Listeners.
  - Edit Event Listener
    Allows the user to edit event listeners.
    If an event listener is to be created in the Server web interface, the user must have permission to list event listener of the particular type.
    Edit Jobflow Event Listener
    Allows the user to edit jobflow event listeners.
    If a jobflow event listener is to be edited in the Server web interface, the user must have the list of jobflow event listeners limited permission.
    See Jobflow Event Listeners.
    Edit Graph Event Listener
    Allows the user to edit graph event listeners.
    If a graph event listener is to be edited in the Server web interface, the user must have the list of graph event listeners limited permission.
    See Graph Event Listeners.
    Edit File Event Listener
    Allows the user to edit file event listeners.
    If a file event listener is to be edited in the Server web interface, the user must have the list of file event listeners limited permission.
    See File Event Listeners (remote and local).
    Edit JMS Event Listener
    Allows the user to edit JMS event listeners.
    If a JMS event listener is to be edited in the Server web interface, the user must have the list of JMS event listeners limited permission.
    Edit Universal Event Listener
    Allows the user to edit universal event listeners.
    If a universal event listener is to be edited in the Server web interface, user must have permission list of universal event listeners limited permission.
    See Universal Event Listeners.
    Edit Task Event Listener
    Allows the user to edit task event listeners.
    If a task event listener is to be edited in the Server web interface, user must have permission list of task event listeners limited permission.
    See Task Failure Listeners.
  - Delete Event Listener
    Allows the user to delete event listeners.
    Delete Jobflow Event Listener
    Allows the user to delete jobflow event listeners.
    The user must have the delete graph event listener permission to delete a jobflow event listener.
    It a jobflow event listener is to be deleted in the Server web interface, the user must have the list of jobflow event listeners limited permission
    Delete Graph Event Listener
    Allows the user to delete graph event listeners.
    If a graph event listener is to be deleted in the Server web interface, the user must have the list of graph event listeners limited permission.
    See Graph Event Listeners.
    Delete File Event Listener
    Allows the user to delete file event listeners.
    The user must have the delete graph event listener permission to delete a file event listener.
    If a file event listener is to be deleted in the Server web interface, the user must have the list of file event listeners limited permission.
    See File Event Listeners (remote and local).
    Delete JMS Event Listener
    Allows the user to delete JMS Event Listeners.
    The user must have the delete graph event listener permission to delete a JMS event listener.
    If a graph event listener is to be deleted in the Server web interface, the user must have the list of JMS event listeners limited permission.
    Delete Universal Event Listener
    Allows the user to delete universal event listeners.
    The user must have the delete graph event listener permission to delete universal event listener.
    If a universal event listener is to be deleted in the Server web interface, the user must have the list of universal event listeners limited permission.
    See Universal Event Listeners.
    Delete Task Event Listener
    Allows the user to delete task event listeners.
    If a task event listener is to be deleted in the Server web interface, the user must have the list of task event listeners limited permission.
    See Task Failure Listeners.
  - Manual task Execution
    Allows the user to manually execute a task (send an email, execute a script, etc.) with an immediate effect.
    See Chapter 35, Manual Task Execution.
- Unlimited access to execution history
  Allows the user to perform the same operations as unlimited access to execution history list permission.
  - Unlimited access to execution history list
    Allows the user to view execution history of all jobs.
    Limited access to execution history list
    Allows the user to view execution history of jobs from sandboxes the user can read from. In Designer, this permission is required to be able to view Execution log in Designer's console and execution history in Execution tab.
- Launch Services
  Allows the user to list, create, edit, and delete launch services, see Chapter 48, Launch Services.
  - List Launch Services unlimited
    Allows the user to list all launch services.
    List Launch Services Limited
    Allows the user to list launch services from sandboxes the user can read from.
  - Create Launch service
    Allows the user to create a new launch service.
    User has to have the create graph event listener permission to bind the launch service with a graph.
    If the launch service is to be created in the Server web interface, the user has to have the list launch services limited permission (or the list launch services unlimited permission) to access the section with launch services.
  - Delete Launch Service
    Allows the user to delete a launch service.
    User has to have delete graph event listener permission to delete a launch service.
    If the launch service is to be deleted in the Server web interface, the user must have the list launch services limited permission to access the section with launch services.
  - Edit Launch Service
    Allows the user to edit a launch services.
    User has to have edit graph event listener to edit the launch service.
    If the launch service is to be edited in the Server web interface, the user must have the list launch services limited permission to choose the launch service in the server interface.
- Data service
  Allows the user to access the Data service section, see Data Services.
  - List data services
    Allows the user to list data services.
  - Manage data services
    Allows the user to manage data services.
  - Execute and access documentation
    Allows the user to execute and access documentation.
  - Manage HTTPS connectors
    Allows the user to manage HTTPS connectors.
Tasks history
Allows the user to access the Tasks history section, see Chapter 34, Tasks.
Monitoring
Monitoring permission grants user all its subpermissions.
- Monitoring section
  Allows the user to access the Monitoring section, including the Operations Dashboard. See Operations Dashboard Configuration for more details about permissions for Operations Dashboard.
  See Chapter 21, Monitoring.
- Suspend
  Allows the user to suspend the server, a Cluster node, or a sandbox.
  The user must have the monitoring section permission to access the Monitoring section.
  - Suspend server
    Allows the user to suspend or resume the server.
    The user must have the monitoring section permission to access the monitoring section.
  - Suspend Cluster node
    Allows the user to suspend or resume a Cluster node.
    The user must have the monitoring section permission to access the monitoring section.
  - Suspend sandbox
    Allows the user to suspend a sandbox. The user must have list sandbox permission to view the sandboxes to suspend them.
    See also Sandboxes.
- Reset caches
  Deprecated.
- Running jobs unlimited
  If the graph is to be run from server web interface, the user must have the list sandbox permission to list the graphs.
  - Running jobs limited
    If the graph is to be run from server web interface, the user must have the list sandbox permission to list the graphs.
Configuration
Allows the user to access the configuration section.
- Users
  This permission allow user to access the Users section and configure user accounts.
  - List user
    Allows the user to list users and access to the Users administration section (Configuration → Users)
  - Change passwords
    Allows the user to change his password and to change password of another user.
    To see list of users, the user needs the list user permission.
  - Edit user
    Allows the user to change group assignment.
    To see the list of users, the user must have the list user permission.
    Edit own profile and password
    Allows the user to change his profile (first name, last name, email, and password).
    The user can access her profile in main web console view under username, in upper right corner of the page.
  - Unlock user
    Allows the user to unlock a user.
    The user must have the list user permission to list available users.
  - Delete user
    Allows the user to disable a user.
    The user must have the list user permission to list available users.
  - Create user
    Allows the user to create a new user.
    If the user is to be created in the Server web interface, the creating user must have the list user permission to list users to access this option.
  - Groups assignment
    Allows the user to assign users to groups.
    The user must have the edit user permission to successfully finish the assignment of users to groups.
    If the user is to be created in the Server web interface, the creating user must have the list user permission to list users to access this option.
- Groups
  Allows the user to manage groups: user can list groups, create groups, delete groups, edit the group, assign users to the group, and change permissions of the group.
  - List groups
    Allows the user to list groups. This permission is necessary for use of other options from the Groups group.
  - Create group
    Allows the user to create a new user group.
    If the user group is to be created in the Server web interface, the user must have the list groups permission to view a list of groups and to access this option.
  - Delete group
    Allows the user to delete a user group.
    Only empty groups can be deleted. You need to have the list groups permission to view list of groups and to access this option.
  - Edit group
    This permission allow user to edit user groups.
    This permission does not include User assignment and Permission assignment.
    If the user group is to be edited from server web interface, the user must have the list groups permission.
  - Users assignment
    Allows the user to assign users to groups.
    The user needs Edit group permission to commit the changes in the assignment.
    If the assignment is to be edited in the Server web interface, the user must have the list groups permission to list the groups.
  - Permission assignment
    Allows the user to configure group Permissions.
    The user needs have the Edit group permission to commit the changes.
    If the permissions are to be edited in the Server web interface, the user must have the list groups permission to list the groups.
- Secure parameters administration
  - Secure params
    Allows the user to change the value of a secure parameter.
    The user can use secure parameters in graphs even without this permission.
- CloverDX/System info sections
  Allows the user to view System Info and CloverDX Info sections.
- CloverDX Server properties
  Allows the user to view Server Properties tab and Data Profiler properties tab in CloverDX Info section.
  The user must have the CloverDX/System info sections permission to access CloverDX Info section.
- Reload license
  Allows the user to reload and view the server license.
  The user must have the CloverDX/System info sections permission to access the Configuration section.
- Upload license
  Allows the user to update the server license.
  The user must have the CloverDX/System info sections permission to access the Configuration section.
  See Activation.
- Server Configuration Management
  Allows the user to import and export the server configuration.
  See Server Configuration Migration.
  - Export Server Configuration
    Allows the user to export the server configuration.
    See Server Configuration Export.
  - Import Server Configuration
    Allows the user to import the server configuration.
    See Server Configuration Import.
- Temp Space Management
  Allows the user to access Temp Space Management section.
  See Chapter 22, Temp Space Management.
- Server Setup
  Allows the user to access the server setup.
  See Chapter 15, Setup.
- Heap Memory Dump
  Allows the user to create a Thread dump and a Heap Memory Dump.
  See Chapter 29, Diagnostics.
Groovy Code API
Allows the user to run Groovy scripts.
Open Profiler Reporting Console
Allows the user to log into the Profiler reporting console.
The permission is necessary to view the results of CloverDX Profiling Jobs in Designer.
Even without this permission, a user can create and run .cpj jobs from Designer.
Open Server Console
Allows the user to log into the Server console.