User Management
The Cumulus user management enables you to create users and specify their access rights to catalogs and functions.
Cumulus permissions are based on an additive concept. This means that a new user does not have any permissions by default. This minimizes the risk of granting permissions accidentally but implies that you have to grant any new user at least the minimum permissions a user needs to work with Cumulus.
Cumulus users are managed with the User Manager module of the Server Console.
The Users Catalog
The user management is based on a special Cumulus catalog. Its catalog name is $Users and its catalog file name is Users.ccf. This manual refers to it as the Users catalog.
The Users catalog has to be managed by your Cumulus Server, meaning it has to be included in the Catalog Access list. It must be neither shared nor published to the Internet.
It is possible to open the Users catalog with a Cumulus Client, but this is not recommended for user management. There is only one reason to open the Users catalog with a Cumulus Client: The user data are stored in record fields. If you want to have more fields than the default configuration offers, you can add record fields to the Users catalog. If you do this, always use the version of the Cumulus Client application that fits the version of your Cumulus Server.
Modes
Cumulus is intended to meet the needs of many different customers. This is why the Cumulus user management offers different modes. Whether you settle for user-based or role-based mode defines the method by which permissions are assigned. For both methods, a simple and an advanced view are offered for granting the permissions.
User- and Role-Based Mode
Cumulus provides two different modes for the method of managing users:
the user-based mode where you assign the permissions to each user individually
OR
the role-based mode where each user can be assigned to roles that include certain permissions (Note that this is an optional feature which may not be available with your Cumulus configuration.)
While the user-based mode is intended for a small number of users to be administered, the role-based mode is intended for a large number of users. You can create roles that you use to assign a common set of permissions and catalogs to multiple users. Organizing users by defining roles makes it easier to manage access rights. With this strategy, rather than assigning permissions to each user for each object, you assign permissions to a few roles and then add users to the appropriate role. When using Cumulus, users are granted permissions based on any roles to which they belong.
When you create a user account for a new user, you add that account to the appropriate role. Then, the user has the permissions associated with that role. Also, changing permissions is easier: rather than having to change permissions for each user individually, you simply change the permissions assigned to the role.
If you work with the role-based mode and you have an LDAP server, you can define mappings from LDAP groups to Cumulus roles. With such a mapping, you no longer need an entry in the User Manager for a user covered by it. (See “Cumulus Roles” for further information.)
You have to decide which mode you want to work with. Once you have switched to the role-based mode, you cannot switch back to the user-based mode. Both modes offer the same range of functions, except that the role-based mode offers roles to “bundle” users. So if you have Cumulus users that can easily be “bundled” or split into different groups, we recommend that you employ the role-based mode. We do not recommend starting with the user-based mode and switching to the role-based mode later, because each user you have defined will then be converted into a role.
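The additive model and the mapping from LDAP groups to roles described above can be sketched as follows. This is an added example, not Cumulus code: the role names, permission names, catalog names, LDAP group DNs and the `*` server-wide marker are constructed assumptions.

```python
"""Model of additive, role-based permission resolution (illustrative only)."""

# Constructed sample data: role names, permission names, catalog names and
# LDAP group DNs are all hypothetical, not Cumulus identifiers.
SERVER_WIDE = "*"  # assumed marker for a grant that applies to every catalog

ROLES = {
    "Editors":   {("Marketing", "view"), ("Marketing", "modify")},
    "Reviewers": {("Marketing", "view"), ("Archive", "view")},
    "Auditors":  {(SERVER_WIDE, "view")},
}
LDAP_GROUP_TO_ROLE = {
    "cn=dam-editors,ou=groups,dc=example,dc=com": "Editors",
    "cn=dam-audit,ou=groups,dc=example,dc=com": "Auditors",
}


def roles_for(direct_roles, ldap_groups):
    """Roles assigned directly plus roles reached through mapped LDAP groups."""
    mapped = {LDAP_GROUP_TO_ROLE[g] for g in ldap_groups if g in LDAP_GROUP_TO_ROLE}
    return set(direct_roles) | mapped


def effective_permissions(direct_roles=(), ldap_groups=()):
    """Union of all grants; no role means the empty set (nothing by default)."""
    grants = set()
    for role in roles_for(direct_roles, ldap_groups):
        grants |= ROLES.get(role, set())  # an unknown role adds nothing
    return grants


def is_allowed(grants, catalog, permission):
    """A request passes only if an explicit grant covers it."""
    return (catalog, permission) in grants or (SERVER_WIDE, permission) in grants


def users_without_access(accounts):
    """Accounts that end up with no grants at all: review before rollout."""
    return sorted(name for name, (roles, groups) in accounts.items()
                  if not effective_permissions(roles, groups))
```

Running `users_without_access` over a planned set of accounts shows which ones would still lack the minimum permissions needed to work, for example because their only LDAP group has no role mapping.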
The user-based as well as the role-based mode works with the Users catalog and the User Manager module to manage users with this catalog.
Simple View and Advanced View
The user-based as well as the role-based mode can be used in either the simple or the advanced view. The simple view subsumes several permissions whereas the advanced view lets you assign permissions in a very granular manner. For more information, see “Simple View: Permissions” and “Advanced View: Permissions”.
The simple view enables you to set user or role permissions for a single catalog, or your entire Cumulus Server with just a few mouse clicks. You can switch to the advanced view when you need to make more granular changes. Both views are always available, so you don’t have to choose just one.