User Management and Roles
User Creation and Management
The first time Arc is launched, the application prompts you to create the first application user (username and password). The first user defaults to the Admin role, as defined below.
To create and manage further users, navigate to the Settings page and then the Users tab. This tab contains a table of users with information about each user’s role, Admin API access token, Federation ID (for Single Sign-On), and more.
Users can be created, deleted, and modified via this page. Only Admin users have permission to manage other users.
User Creation on External Java Servlets
When the Java edition of Arc is deployed to an external servlet (i.e. not using the embedded server included in the Java edition download), additional JAAS configuration is required to allow Arc to dynamically create users within the application. More information on JAAS configuration for specific Java servlets can be found in the Java Edition documentation page.
ArcESB supports three different types of users (roles): Admin, Standard, and Support.
The following subsections describe each role, and the next section contains a comparison table.
The Admin role provides full control over the application. An admin can create new Flows, delete existing Flows, change Profile settings, and perform every other operation supported by the console.
Additionally, only admins can view the Audit Log, which records changes made within the application (by any user).
The Standard role allows for the creation, editing, and deletion of Flows (connectors), but does not allow for changing application-wide settings like those exposed in the Profiles tab.
Standard users can upload new files into the Flow, and can upload public certificates for use by connectors (but not private certificates that would be set in a Profile).
The Support role is a read-only role; these users cannot create new Flows, delete Flows, or change application settings. Support users can send files through existing Flows via the Send operation, but cannot upload new files (and thus can only process files already present in the Send folder for a connector).
User Roles Comparison Table
- View Connectors/Flows: All roles (Admin, Standard, Support)
- View Application and Transaction Logs: All roles (Admin, Standard, Support)
- Send Pending Files (in a Connector’s Input Folder): All roles (Admin, Standard, Support)
- Upload New Files into the Flow: Admin, Standard
- Add New Connectors to the Flow: Admin, Standard
- Modify Existing Connectors: Admin, Standard
- Delete Connectors: Admin, Standard
- Upload Public Certificate Files (to Connector Settings): Admin, Standard
- Upload Private Certificate Files (to the Profile): Admin
- Change Profile Settings: Admin
- View Audit Logs: Admin
Arc supports Single Sign-On via identity providers that implement the OpenID standard. For more information on Single Sign-On, including specific guidance for Azure AD, please see the Single Sign-On page.
Admin API Access
Each user is granted an Auth Token that can be used to access the Admin API. For more information on authenticating against the Admin API, please see the Admin API Documentation.
The specific actions that a user can perform via the Admin API mirror the actions that the same user can perform via the UI. For example, a user who cannot delete connectors via the UI cannot use the Admin API to delete connectors. To perform any arbitrary action via the Admin API, use an auth token from an Admin user when invoking the API.
In the event that an administrator is locked out of Arc, the embedded web servers in each edition provide the ability to reset an administrator’s password in order to regain access to the application. For example, in the Java edition:
java -jar arcesb.jar -ResetPassword -User <user> -Password <password> -AppDirectory <appDirectory>
and in the Windows edition:
ArcESB.exe -ResetPassword -User <user> -Password <password> -AppDirectory <appDirectory>