How to implement access restrictions to your EA artifacts using Rational System Architect Catalog Manager

Abstract
This white paper provides you with information on how to implement access restrictions to your Enterprise Architecture (EA) Artifacts using IBM Rational System Architect Catalog Manager.
Content
This white paper discusses what Rational System Architect Catalog Manager is and how it can be used to address the concerns of "Visibility" and "Security". The paper also gives problem scenarios and the solutions to those scenarios to make the capabilities easier to understand.


Implement access restrictions to your EA Artifacts Using Rational System Architect Catalog Manager
Mirtunjay Kumar Sharma
August 1, 2011
"Rational Support Whitepaper"
Table of Contents
Introduction
What is a Catalog Manager
Need for a Catalog Manager
Configure a Catalog
Permission Mapping
    Business Requirement 1
    Business Requirement 2
    Solution for Business Requirement 1
    Solution for Business Requirement 2
Common Issues and Solutions
Conclusion
References
Introduction

The ever-increasing challenges of modern-day enterprises demand that organizations design effective Enterprise Architecture (EA) to succeed and stay competitive. For EA to be effective, it requires collaboration from many professionals, some of them directly designing or modifying the EA while others are stakeholders who use the EA to make critical strategic decisions. These decisions in turn define the direction of the organization.

To deliver effective EA, many users have to collaborate. It then becomes equally important to give all users proper "Visibility" to avoid "reinventing the wheel". At the same time, however, this opens the door to accidental modifications by inexperienced users, creating inconsistency in the system. The after-effects are hard to foresee and sometimes unexpectedly destructive.

In this critical environment, where "Visibility" and "Security" form two faces of the same coin, how do you manage effective delivery of EA? While there are many tools which allow creation of EA, IBM Rational System Architect (SA) comes bundled with answers to many more questions than just EA. While Rational System Architect gives you the platform and the tool to design the EA, the Catalog Manager, with its "Instance Level" and "Type Level" access control capabilities, complements it and addresses the key requirements of "Visibility" and "Security". There is more that Catalog Manager helps you with. Rational System Architect also offers a thin client known as System Architect XT (Extended Team), which helps share EA through a browser. For an encyclopedia that contains EA artifacts to be made accessible by Rational System Architect XT, it must be an Enterprise encyclopedia controlled by Rational System Architect Catalog Manager.

This whitepaper talks about what Rational System Architect Catalog Manager is and how it can be used to address the concerns of "Visibility" and "Security". The paper also provides problem scenarios and their related solutions to help with your understanding of these capabilities.
What is a Catalog Manager

Catalog Manager in Rational System Architect is a utility which enables a systems administrator to grant access permissions to model artifact types and instances in an encyclopedia, based on user roles. It can be used to provide a more granular level of access control on the information stored in IBM Rational System Architect encyclopedias. System Architect Catalog Manager stores users and their associated permissions in a database known as TelelogicEnterpriseCatalog.

The TelelogicEnterpriseCatalog database is also known as the Catalog in Rational System Architect terminology. You can create a catalog on Microsoft SQL Server or on an Oracle database server. The database server can be configured on the same machine where Rational System Architect Catalog Manager is installed, or it may be on any other machine in the same network.

The foremost requirement to create a catalog on a database server instance is that you should have sys admin rights on the database instance. On a single database instance, you can create only one catalog, and you can control user access on all Rational System Architect databases which exist on that instance. Rational System Architect databases are known as Encyclopedias in Rational System Architect terminology.

To control the permissions for a user on Rational System Architect encyclopedias, those encyclopedias need to be attached to the catalog in Rational System Architect Catalog Manager.

Rational System Architect Catalog Manager controls the permissions for users on encyclopedias by forming three-way relationships between users, encyclopedias, and roles. The permissions are first assigned to roles, and the users are assigned to encyclopedias. Then the users are assigned one or more roles for each encyclopedia in the catalog.
Need for a Catalog Manager

The best modeling environment for a team is a shared storage area with concurrent multi-user access. There are many advantages to using a shared repository in your organization for enterprise design and modeling. A few of the advantages are mentioned below:

  • All model information in the repository is visible and reusable at all times. There is no threat of any users 'reinventing the wheel'.
  • Concurrent access allows potential conflicts to be identified quickly. Administration is minimized. Users don't have to waste time and effort in producing conflicting partial models, and then have to reconcile them when merging the projects together.
  • The current state of the Enterprise Architecture information is readily available to all users, so that questions can be asked of the enterprise information.
  • Progress of the enterprise architecture, or a particular project within it, is easily monitored since the current state of information in the repository is visible. Rational System Architect automatically timestamps modifications to the model, and also records the Audit ID of the user who made the modification.
Using disconnected storage areas that are worked on simultaneously, and subsequently merged, requires additional administration and management in order to resolve conflicts. The shared storage areas are known as encyclopedias in Rational System Architect. Rational System Architect provides built-in automatic locking facilities so that users can work on related areas with minimal conflict.

For example: when a user opens a definition for editing, it is automatically locked and provided in read-only form to any other user trying to open it while the first user has it open. When the first user closes that definition, it becomes available for editing by any other user.

There could be many instances of a diagram, definition or symbol type in Rational System Architect encyclopedias. However, to control permissions at an instance level, you need to create a catalog in Rational System Architect Catalog Manager. In Rational Catalog Manager, you can assign read-only access to a user on an instance of a definition, diagram or symbol, while at the same time another user can have read-write access on the same instance of these artifacts.

Rational System Architect Catalog Manager provides two levels of access control to encyclopedia objects. The first level, Role-based access control, lets you control permission to object types. This is a general level of control that makes no distinction among objects of the same type. If you grant permission to Use Case diagrams, for example, then you grant permission to all Use Case diagrams. Instance Level Access Control (ILAC) provides a higher, more specific level of access control, letting you choose different permissions for objects of the same type. For example, you can grant the Read permission to one Use Case diagram, and also grant the Write permission to a different Use Case diagram.

Another purpose of attaching an encyclopedia in Rational System Architect Catalog Manager is to access Rational System Architect encyclopedias using Rational System Architect XT.
In other words, for an encyclopedia to be made accessible by Rational System Architect XT, it must be an Enterprise encyclopedia controlled by Rational System Architect Catalog Manager.

An administrator who is responsible for managing the Rational System Architect deployment in an organization can create user-defined roles in Rational System Architect Catalog Manager. A user-defined role may contain specific diagram, definition, macro and menu permissions to fulfill your business requirement to access specific areas of your enterprise architecture.

You can also control permissions on user-defined artifacts created in the encyclopedia using USRPROPS or a Visual Basic macro. An administrator for Rational System Catalog needs to map the permissions using an option in Rational System Architect Catalog Manager as shown below:

Once you select the encyclopedia where you have user-defined artifacts from the drop-down, those artifacts will be listed under the appropriate category, such as Diagram Permissions or Definition Permissions.
Configure a Catalog

Rational System Architect supports only Microsoft SQL Server and Oracle as a backend database management system to hold the enterprise architecture design. A catalog in Rational System Architect Catalog Manager can be created either on Microsoft SQL Server or on an Oracle database management system.

The method to create a catalog in Rational System Architect Catalog Manager is the same on Microsoft SQL Server and on an Oracle database management system. You can follow the steps mentioned below to create a catalog in Rational System Architect Catalog Manager:

Launch Rational System Architect Catalog Manager from Start > All Programs > IBM Rational > IBM Rational Lifecycle Solutions Tools > IBM Rational System Architect > SA Catalog Manager.

Click on Catalog > Create. The screen shown below will appear. Select the database management system from the drop-down list.

Once you select the database management system type, you need to select the database instance name. For example: if you select SQL Server as your database management system, put one of the available instance names under the Server name option as shown below:
Once you put in the database instance name, select the appropriate authentication mode to log in to the database instance and click on OK.

Once the catalog is created, Catalog Manager will appear as shown below:

The next step is to attach in Catalog Manager those encyclopedias on which permissions need to be granted to different users. You also need to decide whether the default roles available in Rational System Architect Catalog will fulfill your business requirements or whether you have to create a few custom roles.
Permission Mapping

The Rational System Architect Catalog Manager administrator has to choose between role based access control (RBAC) and instance level access control (ILAC). The decision can easily be made by understanding the business requirement and the kind of permissions that need to be granted to each user in an organization.

Let us make use of two business requirements to understand role based access control and instance level access control in Rational System Architect Catalog Manager.

Business Requirement 1:
There are five users (U1 and U2) who need to be given access on an encyclopedia E1. The encyclopedia E1 contains a set of Business Process diagrams, class diagrams and Entity Relationship diagrams. The requirement is that user U1 should have only read access on Business Process diagrams and Entity Relationship diagrams. The user U2 needs to be given full access on the encyclopedia.

Business Requirement 2:
There is a user U3 who needs to be given access on an encyclopedia E2. The encyclopedia E2 also contains ER1 and ER2 instances of entity relationship diagrams. The requirement is that user U3 should be given read access on the ER1 diagram in the encyclopedia and read-write access on ER2.

To address these requirements, you can either make use of existing roles or create new roles. You can learn the usage of existing roles from the Rational System Architect Catalog Manager help.

Business Requirement 1 can easily be implemented using role based access control in Rational System Architect; however, to implement Business Requirement 2, you need to implement instance level access control.
Solution for Business Requirement 1:

You need to first attach the encyclopedia E1 in Rational System Architect Catalog Manager. The following steps help you attach the encyclopedia in Rational System Architect Catalog and assign the required permissions to fulfill the business requirement:

1. Launch Rational System Architect Catalog Manager.
2. Click on Catalog > Connect. Select the Server type, Server name and authentication and click OK.
3. Right mouse click on the Encyclopedias node in Rational System Architect Catalog Manager and click Attach.
4. Select the encyclopedia name from the list of encyclopedias that exist on the database instance. Since you want to assign the permissions on encyclopedia E1, select that encyclopedia from the drop-down list and click OK.
5. Once the encyclopedia is attached, it will appear under the Encyclopedias node in Rational System Architect Catalog Manager.
6. Now, import the users into Rational Catalog Manager. To import the users, right mouse click on the Users & Groups node and click on Import Users.
7. You can import Active Directory users, domain users, computer users and Microsoft SQL Server database users into Rational System Architect Catalog Manager.
8. Consider that you have a computer by the name mirsharm and you want to import users from that computer into Rational System Architect Catalog Manager. Select the users and click OK.
9. Once you import the users into Rational System Architect Catalog, the users will appear under the Users & Groups node.
10. Create a user-defined role to fulfill your business requirement to assign appropriate permissions. To create a user-defined role, right mouse click on the Roles node and click on New. Name the new role "Business Requirement 1-Read only".
11. Once the role is created, you need to add different permissions to this role. To add diagram, definition, symbol and macro permissions to the "Business Requirement 1-Read Only" role, expand the first node, Encyclopedia Permissions.
12. Right mouse click on Definition Permissions and click on Copy. Once the permissions are copied, expand the "Business Requirement 1-Read Only" role > Encyclopedia Permissions, right mouse click on Definitions Permissions and click on Paste.
13. Repeat step 12 for diagram permissions, macro permissions and menu permissions.
14. To make Business Process and Entity Relationship diagrams read-only, expand the "Business Requirement 1-Read Only" role and the Encyclopedia Permissions node. Click on Diagram Permissions. Select Business Process and Entity Relation and right mouse click on the selection. Give only Read access to these diagrams.
15. Once the read-only role is created, let's map the permissions for the users U1 and U2 on the encyclopedia E1. Right mouse click on the "Business Requirement 1-Read Only" role and click on Copy.
16. Paste this role on the Role node under encyclopedia E1.
17. Similarly, copy the user U1 under "Users & Groups" and paste it under "Users & Groups" under encyclopedia E1.
18. Now, drag user U1 and drop it on the "Business Requirement1-Read Only" role under the encyclopedia. Once you drop the user name on the role, the mapping will be completed for user U1 on encyclopedia E1.
19. Similarly, you can map the permissions to the user U2. Since user U2 should be given full access on the encyclopedia, you can use the default role Administrator. The mapping for both users will look like this:

Now the role based access is assigned to the users on the encyclopedia. Let's verify the permissions mapping on the encyclopedia in Rational System Architect. When user U1 opens the encyclopedia E1, you will observe that U1 can only read business process and entity relation diagrams.
You can observe that the user U1 does not have permission to edit the business process diagram. You can also observe that the user U1 is not allowed to create a new Business Process diagram. Similarly, you can observe in the screen shown below that the user U1 cannot edit or create entity relation diagrams either.

Note: Ensure that the user has also been given minimum access rights in Rational System Architect Encyclopedia Manager (SAEM). You can refer to the following technical document to assign minimum permissions for a user in SAEM:

  • How to apply the minimum permissions to share Professional Encyclopedias

If you are using Oracle as a backend repository, you can ask your Oracle DBA to assign these access rights to a user on an encyclopedia.
Solution for Business Requirement 2:

Let's attach another encyclopedia E2 in Rational System Architect Catalog Manager to understand the implementation of business requirement 2. You can follow the steps mentioned above to attach the encyclopedia in Rational System Architect Catalog Manager.

Since you need to control the permissions on the instance of a diagram, you first need to enable the instance level access control (ILAC) option in Rational System Architect Catalog Manager.

Once the instance level access control option is enabled in Rational System Architect Catalog Manager, you need to configure the respective encyclopedia to use instance level access control options. You can follow the steps mentioned below to assign the permissions to user U1 on an encyclopedia E2:

1. Right mouse click on the encyclopedia E2 and click on the Enable ILAC option.
2. Once ILAC is enabled on an encyclopedia, you can verify this by clicking on the Encyclopedias node.
3. As Instance Level Access Control can only be applied on a group, let's add user U3 to a group.
4. Right mouse click on the group and click on Copy.
5. Right mouse click ILAC Group Default for Encyclopedia, and select Paste.
6. To assign the instance level access control, open the encyclopedia E2 in Rational System Architect. Let's create two Entity Relation diagrams, ER1 and ER2, and map the permissions to U3 to meet business requirement 2.
7. Right mouse click on the diagram area for ER1 and ER2 to assign instance level access control:
ER1 is read-only to everyone and given read-write permissions on TestGroup. Since U3 is a part of the Business Requirement 2 group, he has been given only read access.

All the user groups have been given read and read/write access.
Common Issues and Solutions

Error message: "The Catalog on SQL Server needs to be upgraded in Catalog Manager" when opening an Enterprise Encyclopedia.

Solution:
This error is displayed when the encyclopedia is being opened in a later version of System Architect than that of the SA Catalog Manager utility. After upgrading your System Architect installation, you must open the catalog with the SA Catalog Manager. The SA Catalog Manager will detect if an upgrade is required and automatically upgrade the catalog. After the catalog has been upgraded in SA Catalog Manager, you may then open the Enterprise Encyclopedia in System Architect.
Error message: "No catalog on SQL server" while creating an encyclopedia.

Solution:
You may get the error message "No catalog on SQL server while creating an encyclopedia" when creating an encyclopedia with the Enterprise Encyclopedia option checked. This happens if you try to create an Enterprise Encyclopedia without having a Catalog created on the database server.

Scenario 1: If you just want to create an encyclopedia, uncheck the Enterprise Encyclopedia option in the create encyclopedia window. This will create a Professional encyclopedia. To create an Enterprise Encyclopedia, you would first have to open the System Architect Catalog Manager and create a Catalog. Please check the System Architect online help for more information on creating an encyclopedia.

Scenario 2: Even if the Catalog is created, this error would still occur in a shared environment. Consider the following example to understand this scenario:

You have a shared instance of SQL Server/Express and you would like to allow users to create Enterprise type encyclopedias. Although the Catalog is created, other users still would not be able to create an Enterprise type of encyclopedia until you follow the steps mentioned below:

A. Add the user's login in SAEM (System Architect Encyclopedia Manager) and assign the "DBCreator" server role to that login ID.
B. Add the user's login in Catalog Manager and give CRWD (Create, Read, Write and Destroy) or the appropriate right on the System Architect Catalog.

Once this is done, the user should be able to create an Enterprise encyclopedia in a shared environment.
Error message: "An error occurred while initializing Error:-2147217900, Source: Microsoft OLE DB Provider for SQL Server, Description: The user does not have permission to perform this action"

Solution:
The login ID is not set with appropriate permissions on the SQL Server where the Catalog resides. Lack of the database Data Reader permission results in failure to connect to the existing catalog. Refer to the following knowledge base article to resolve this error:
http://www.ibm.com/support/docview.wss?uid=swg21427259
Unable to import users in IBM Rational System Architect Catalog Manager without SYS ADMIN permissions.

Solution:
To be able to import other users into System Architect Catalog Manager you must have SYSADMIN or Security Admin privileges.

However, if you do not want to give Sys Admin permissions and give Security Admin instead, you will need to perform a few additional tasks as mentioned below:

A. Make sure to give the user GRANT VIEW SERVER STATE on the login and GRANT EXECUTE on sp_lock on the Master encyclopedia.
For example, if Test User is the login you are trying to use, the commands would look like:

    GRANT VIEW SERVER STATE to "Test User"
    GRANT EXECUTE on sp_lock to "Test User"

B. You also have to give "Public access" on all the encyclopedias present on the instance.
C. Make sure that the user has "CRWD" (Create, Read, Write, Execute) on the Catalog Manager.
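The SQL Server privileges this paper asks for (sys admin to create the catalog, Security Admin plus VIEW SERVER STATE and EXECUTE on sp_lock to import users, DBCreator to create Enterprise encyclopedias) can be reviewed with the audit queries below. This is an added example, not part of the original whitepaper; it assumes Microsoft SQL Server and a login that is allowed to see server-level metadata.

```sql
-- Added example (not from the whitepaper): list who holds the server-level
-- privileges that Catalog Manager administration relies on.
-- Assumption: run on the SQL Server instance that hosts the catalog.
USE master;

-- 1. Members of the fixed server roles named in the paper.
SELECT  r.name        AS server_role,
        m.name        AS login_name,
        m.type_desc   AS login_type,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN (N'sysadmin', N'securityadmin', N'dbcreator')
ORDER BY r.name, m.name;

-- 2. Logins that were granted (or denied) VIEW SERVER STATE directly,
--    as in step A of the Security Admin workaround.
SELECT  p.name             AS login_name,
        sp.permission_name,
        sp.state_desc      -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.class = 100     -- server-scoped permission
  AND   sp.permission_name = N'VIEW SERVER STATE'
ORDER BY p.name;

-- 3. Principals in master that hold EXECUTE on sp_lock (step A, second grant).
SELECT  u.name             AS master_principal,
        dp.permission_name,
        dp.state_desc
FROM    sys.database_permissions AS dp
JOIN    sys.database_principals  AS u ON u.principal_id = dp.grantee_principal_id
WHERE   dp.class = 1       -- object or column permission
  AND   dp.major_id = OBJECT_ID(N'sys.sp_lock')
  AND   dp.permission_name = N'EXECUTE'
ORDER BY u.name;
```

Microsoft's documentation advises treating securityadmin as equivalent to sysadmin, because its members can grant most server permissions, so every row in the first result set deserves the same review.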
Conclusion

Enterprise architecture is a conceptual blueprint that defines the structure and operation of an organization. The intent of enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.

To capture different states of your enterprise architecture efficiently, you can make use of IBM Rational System Architect, which is an industry-leading Enterprise Architecture design and modeling tool.

To design architecture for your organization, it is also important to create specific views of artifacts for different people in the hierarchy. Also, in a distributed environment where more than one architect is working on a single project, the administrator needs to provide a restricted work area in the repository for each architect.

Rational System Architect Catalog Manager provides a complete solution to administer different artifacts stored in encyclopedias in Rational System Architect. You can apply role based access control or instance level access control based on your business requirements.

This paper explained role based access control and instance level access control with the help of two scenarios. Business Requirement 1 is used to describe the usage of role based access control in Rational System Architect Catalog Manager. Similarly, Business Requirement 2 is used to explain how instance level access control can be used to restrict access for different users on different instances of an artifact.
References

  • Rational System Architect Information Center
  • Rational System Architect Catalog Manager online help
  • Rational System Architect Support Portal
  • How to apply the minimum permissions to share Professional Encyclopedias
