Version

    Groups

    Group is an abstract set of users, which gives assigned users some permissions. So it is not necessary to specify permissions for each single user.

    There are independent levels of permissions implemented in CloverDX Server

    • permissions to Read/Write/eXecute in sandboxes - The sandbox owner can specify different permissions for different groups. For details, see Sandbox Content Security and Permissions.

    • permissions to perform some operation - user with an operation permission Permission assignment may assign specific permission to existing groups.

    • permissions to launch specific service - For details, see Data Services.

    Table 20. Default groups created during installation
    Group name Description

    Administrator

    This group has an operation permission all assigned, which means that it has unlimited permissions. Default user clover is assigned to this group, which makes him administrator.

    Everyone

    A special group with auto-managed membership – it always includes all users, nobody can be removed. Once installed, the group cannot be deleted or renamed. By default, it has no permissions. It can be used to set the default permissions.

    All users

    This legacy group was intended to include all users; however, the assignment must be maintained by server administrator. If you really want to handle all users, use the Everyone group instead. It is possible to remove users from this group, but it is not recommended. This group is useful for some permissions to sandboxes or some operations which you would like to make accessible for all users.

    L2 support

    Members of the L2 support group have broad access permissions to CloverDX Server and can change many of its settings. The group is targeted at technical operators of the Server who need to solve various issues or who need to deploy new versions of code to the Server.

    L1 support

    Members of the L1 support group have limited access to CloverDX Server. The group is aimed at operators who help with basic Server maintenance – monitoring jobs, rerunning them, investigating production issues and so on.

    Job developer

    Members of the Job developer group have broad access to CloverDX Server. The group is aimed at non-production environments and is designed for users who need to develop and test CloverDX solutions.

    QA engineer

    Members of the QA engineer group have broad access to CloverDX Server. The group is aimed at non-production environments and is designed for users who need to develop and test CloverDX solutions.

    Data App users

    Members of the Data App users group have very limited permissions and can only access Data Apps user interface. Members of this group cannot access full CloverDX Server.

    Read-only users

    Members of the Read-only users group have very limited permissions. The group applies to users who need to monitor job execution on the Server or who want to see how the jobs work via Job Inspector.

    Wrangler

    Members of the Wrangler group have access to Wrangler user interface and can create and run Wrangler jobs. Members of this group cannot access full CloverDX Server Console.

    Users Assignment

    Relation between users and groups is N:M. Thus in the same way, how groups are assignable to users, users are assignable to groups.

    Any change in user assignment to groups will automatically log out the affected users from all their active sessions and force them to log in again.

    Groups permissions

    Groups permissions are structured as a tree, where permissions are inherited from the root to leafs. Thus if some permission (tree node) is enabled (blue dot), all permissions in sub tree are automatically enabled (white dot). Permissions with white cross are disabled.

    Thus for the admin group just the all permission is assigned, every single permission in the sub tree is assigned automatically.

    With none of the following privileges, a user can: log into the Server console, create a server project (in Designer) from its own sandbox, create a file in its own existing sandbox, and run graphs.

    Any change in group permissions will automatically log out all users assigned to the affected group from all their active sessions and force them to log in again.
    • All permissions

      The user with this permission has all available permissions. The Admin group has all permissions by default.

      • Unlimited access to sandboxes

        Allows the user to perform operations on all sandboxes, even if the sandbox accessibility is not specified explicitly.

        This permission does not include the suspend sandbox permission.

        • Sandboxes

          Allows the user to work with sandboxes. This permission contains all the permissions below. The user can perform operations only on sandboxes owned by himself or on sandboxes with explicitly added access to him, see Sandboxes.

          • List sandbox

            In the Server web interface, it allows the user to list their sandboxes and sandboxes with read permission granted to the user’s group.

            In the Server web interface, this permission is necessary to create, edit, or delete sandboxes.

            Within a sandbox with the write access granted, the user can edit or remove files and create or delete directories even without this permission.

          • Create sandbox

            Allows the user to create new sandboxes.

            If a sandbox is to be created in web interface, the user must have the list sandbox permission.

          • Delete sandbox

            Allows the user to delete sandboxes.

            If a sandbox is to be deleted in web interface, the user must have the list sandbox permission.

          • Edit sandbox

            Allows the user to edit sandboxes.

            If a sandbox is to be modified in web interface, the user must have the list sandbox permission.

          • May delete files missing in uploaded ZIP

            In Sandbox  Upload ZIP, it allows the user to use a checkbox to delete files missing in the ZIP to be uploaded. If the user does not have this permission, the checkbox to delete mission files in ZIP is not displayed.

            If a sandbox is to be uploaded from a ZIP file in the Server web interface, the user must have the list sandbox permission.

      • Libraries administration

        Allows the user to add and remove Libraries. No special permission is required to use them, all authenticated users may use public subgraphs from installed Libraries in CloverDX Designer.

      • Scheduling

        Allows the user to manage schedules, see Scheduling.

      • Event listeners

        Allows the user to manage event listeners, see Listeners.

      • Unlimited access to execution history

        Allows the user to perform the same operations as unlimited access to execution history list permission.

        • Unlimited access to execution history list

          Allows the user to view execution history of all jobs.

          • Limited access to execution history list

            Allows the user to view execution history of jobs from sandboxes the user can read from. In Designer, this permission is required to be able to view Execution log in Designer’s console and execution history in Execution tab.

      • View edge debug data

        Allows the user to view edge debug data in Job Inspector - Data Inspector Panel and in the Data Inspector in CloverDX Designer.

      • Data service

        Allows the user to access the Data service section, see Data Services.

        • List data services

          Allows the user to list data services.

        • Manage data services

          Allows the user to manage data services.

        • Execute and access documentation

          Allows the user to execute and access documentation.

        • Manage HTTPS connectors

          Allows the user to manage HTTPS connectors.

    • Tasks history

      Allows the user to access the Tasks history section, see Tasks.

    • Monitoring full access

      Grants the user all its sub-permissions.

      • Monitoring UI

        Allows the user to access the Monitoring section. For the Operations Dashboard, the List dashboards and monitors permission is also required.

        See Monitoring.

      • Operations dashboard write access

        Allows the user to create, edit and delete dashboards and monitors.

        • Mark issues as resolved

          Allows the user to reset error state on triggers and monitors.

        • List dashboards and monitors

          Allows the user to see dashboards and monitors via API and UI.

      • Suspend

        Allows the user to suspend the server, a Cluster node, or a sandbox.

        The user must have the Monitoring UI permission to access the Monitoring section.

        • Suspend server

          Allows the user to suspend or resume the server.

          The user must have the Monitoring UI permission to access the Monitoring section.

        • Suspend Cluster node

          Allows the user to suspend or resume a Cluster node.

          The user must have the Monitoring UI permission to access the Monitoring section.

        • Suspend sandbox

          Allows the user to suspend a sandbox. The user must have list sandbox permission to view the sandboxes to suspend them.

          See also Sandboxes.

      • Reset caches

        Deprecated.

      • Running jobs unlimited

        If the graph is to be run from server web interface, the user must have the list sandbox permission to list the graphs.

        • Running jobs limited

          If the graph is to be run from server web interface, the user must have the list sandbox permission to list the graphs.

    • Configuration

      Allows the user to access the configuration section.

      • Users

        This permission allow user to access the Users section and configure user accounts.

        • List user

          Allows the user to list users and access to the Users administration section (Configuration  Users)

        • Change passwords

          Allows the user to change his password and to change password of another user.

          To see list of users, the user needs the list user permission.

        • Edit user

          Allows the user to change group assignment.

          To see the list of users, the user must have the list user permission.

          • Edit own profile and password

            Allows the user to change his profile (first name, last name, email, and password).

            The user can access his/her profile in main web console view under username, in upper right corner of the page. See user profile for more information.

        • Unlock user

          Allows the user to unlock a user.

          The user must have the list user permission to list available users.

        • Delete user

          Allows the user to disable a user.

          The user must have the list user permission to list available users.

        • Create user

          Allows the user to create a new user.

          If the user is to be created in the Server web interface, the creating user must have the list user permission to list users to access this option.

        • Groups assignment

          Allows the user to assign users to groups.

          The user must have the edit user permission to successfully finish the assignment of users to groups.

          If the user is to be created in the Server web interface, the creating user must have the list user permission to list users to access this option.

      • Groups

        Allows the user to manage groups: user can list groups, create groups, delete groups, edit the group, assign users to the group, and change permissions of the group.

        • List groups

          Allows the user to list groups. This permission is necessary for use of other options from the Groups group.

        • Create group

          Allows the user to create a new user group.

          If the user group is to be created in the Server web interface, the user must have the list groups permission to view a list of groups and to access this option.

        • Delete group

          Allows the user to delete a user group.

          Only empty groups can be deleted. You need to have the list groups permission to view list of groups and to access this option.

        • Edit group

          This permission allow user to edit user groups.

          This permission does not include User assignment and Permission assignment.

          If the user group is to be edited from server web interface, the user must have the list groups permission.

        • Users assignment

          Allows the user to assign users to groups.

          The user needs Edit group permission to commit the changes in the assignment.

          If the assignment is to be edited in the Server web interface, the user must have the list groups permission to list the groups.

        • Permission assignment

          Allows the user to configure group Permissions.

          The user needs have the Edit group permission to commit the changes.

          If the permissions are to be edited in the Server web interface, the user must have the list groups permission to list the groups.

      • Secure parameters administration

        • Secure params

          Allows the user to change the value of a secure parameter.

          The user can use secure parameters in graphs even without this permission.

      • Unlimited access to Secret Managers

        Allows the user to create, edit and delete Secret Managers.

      • CloverDX/System info sections

        Allows the user to view System Info and CloverDX Info sections.

      • CloverDX Server properties

        Allows the user to view Server Properties tab in CloverDX Info section.

        The user must have the CloverDX/System info sections permission to access CloverDX Info section.

      • Reload license

        Allows the user to reload and view the server license.

        The user must have the CloverDX/System info sections permission to access the Configuration section.

      • Upload license

        Allows the user to update the server license.

        The user must have the CloverDX/System info sections permission to access the Configuration section.

        See Activation.

      • Server Configuration Management

        Allows the user to import and export the server configuration.

      • Temp Space Management

        Allows the user to access Temp Space Management section.

      • Server Setup

        Allows the user to access the server setup.

        See Setup.

      • Heap Memory Dump

        Allows the user to create a Thread dump and a Heap Memory Dump.

    • Groovy Code API

      Allows the user to run Groovy scripts.

    • Open Server Console

      Allows the user to log into the Server console.

    • Access to the Wrangler UI

      Allows the user to log into the Wrangler UI console.