Securing Extension Designer
We currently have DTP 5.3.3 along with the Enterprise Pack containing the Extension Designer. We would like to secure who is able to modify the flows and items within the Extension Designer.
I have enabled authentication so only users who have access to DTP can access Extension Designer, but I see no way to limit what those users can do in Extension Designer. We would like to only allow 1-2 user groups to have the ability to modify / create flows.
The DTP Enterprise Pack Server Settings documentation says:
When you enable authentication, you can also configure the security settings to assign all users the same permissions in Service Designer by enabling the Anonymous Access option.
How can we set up security to limit those permissions?
When authentication is enabled in DTP Enterprise Pack, only users with administrator privileges can deploy changes to a flow.
Any user, however, can edit and export a flow. If "Anonymous Access" is enabled, all DTP users (e.g. even non-administrators) are considered administrators in DTP Enterprise Pack.
There are currently three access levels in DTP Enterprise Pack when authentication is enabled:
1. Administrator - Full access to DTP Enterprise Pack. This permission is assigned to users that are members of the "PST Administration" group in DTP.
2. Leader - Can view flows, view models, and create and edit profiles. No deploy access, no inject node access, no access to artifact manager, and no access to settings. This permission is assigned to users that are a leader of at least one project in DTP.
3. Member - Can view flows, view models, and view profiles. No deploy access, no inject node access, no edit access, no access to artifact manager, and no access to settings. This permission is assigned to users in DTP that do not meet the preceding criteria.
Thanks for the information. I did test that out a few different times and even though my account did not have PST Administration nor was I a Project Leader, I was still able to deploy changes to a flow.
Authentication is enabled in the Enterprise Pack Settings, and I logged out and back in to make sure permissions were updated for my session.
Is there anything else that I'm missing?
Yes, if a user is a member of the "GRS Administrators" group they are also considered an administrator; I overlooked this group in my original post. I should also note that permission inheritance is not considered when checking for group membership. If the user is a member of a custom group that includes an administration group but disables inheritance of the administrator permission, they are still considered administrators in DTP Enterprise Pack.
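The rules described in this thread can be turned into a quick audit of who ends up able to deploy flows. The sketch below is an added example, not code from any poster or from DTP itself; the user and group data, the dictionary layout and all function names are constructed for illustration, and following group includes transitively is a conservative assumption.

```python
# Audit sketch: which DTP Enterprise Pack access level each user resolves to.
# The data layout is constructed for illustration; it is not a DTP export format.
ADMIN_GROUPS = {"PST Administration", "GRS Administrators"}  # group names from the thread

# group -> groups it includes (constructed sample data)
GROUP_INCLUDES = {
    "Flow Viewers": {"PST Administration"},  # custom group, admin inheritance disabled in DTP
    "QA Team": set(),
}
USERS = {  # constructed sample accounts
    "alice": {"groups": {"PST Administration"}, "leads_project": False},
    "bob": {"groups": {"Flow Viewers"}, "leads_project": False},
    "carol": {"groups": {"QA Team"}, "leads_project": True},
    "dave": {"groups": {"QA Team"}, "leads_project": False},
}

def reaches_admin_group(group, includes, seen=None):
    """True if the group is an admin group or includes one.
    Inheritance flags are ignored on purpose, matching the behaviour described
    in the thread. Following includes transitively is an assumption."""
    seen = set() if seen is None else seen
    if group in ADMIN_GROUPS:
        return True
    if group in seen:  # guard against include cycles
        return False
    seen.add(group)
    return any(reaches_admin_group(g, includes, seen) for g in includes.get(group, ()))

def access_level(user, includes, anonymous_access=False):
    if anonymous_access:  # "Anonymous Access" makes every DTP user an administrator
        return "Administrator"
    if any(reaches_admin_group(g, includes) for g in user["groups"]):
        return "Administrator"
    return "Leader" if user["leads_project"] else "Member"

def audit(users, includes, anonymous_access=False):
    return {name: access_level(u, includes, anonymous_access) for name, u in users.items()}

def unexpected_admins(users, includes, approved):
    """Users who can deploy flows but are not on the approved list."""
    levels = audit(users, includes)
    return sorted(n for n, lvl in levels.items() if lvl == "Administrator" and n not in approved)

if __name__ == "__main__":
    for name, level in audit(USERS, GROUP_INCLUDES).items():
        print(f"{name:6} {level}")
    print("not approved:", unexpected_admins(USERS, GROUP_INCLUDES, approved={"alice"}))
```

In the sample data, "bob" resolves to Administrator only through the custom group, which is the case that explains a deploy-capable account with no direct membership in an administration group.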