Sentinel’s security is managed in the IFS OI Server Management Security module.
Accessing Security
To access IFS OI Server Management, find out the URL of the IFS OI Explorer instance that Sentinel is using. This could be something like: https://[P2 Server machine name]/P2.Server.Management/
You will need Security Administrator privileges to access the Security module.
To open IFS OI Security, click the padlock icon on the left menu bar.
Privileges
The three sections of Security that are used for managing Sentinel’s privileges are:
- Security Admin: Used for managing users and roles for Sentinel (and other modules), and for setting Sentinel privileges. Essentially all security functions are accessible to anyone with Security Admin privileges.
- Sentinel Admin Privileges: The highest level of Sentinel security. The Sentinel Admin privilege encompasses several features, and it also cascades into all of the Sentinel resource-level privileges.
- Sentinel Resource Privileges: More granular privileges are set here. For example, a particular Sentinel role can have the single privilege of User Processes Edit set at this level.
Details of these three sections are described below.
Security Admin Privilege
Sentinel’s security can only be updated by a user with the Security Admin privilege, for example, anyone with the default Administrators role, which has this privilege. (Note that a new role can also be created with the Security Admin privilege.)
Note that the default Administrators role also has Module Privileges for all modules, including the Sentinel Admin privilege.
Sentinel Admin Privilege
If you want a user to be able to import workspaces, folders, monitors and user processes, you need to assign them to a role that includes the Sentinel Admin module privilege.
The Sentinel Admin module privilege is located near the top of the privileges panel for the different roles.
The Sentinel Admin module privilege allows the following functionality to all roles that have this privilege:
Area of Functionality | Privileges to… |
Private Workspaces |
|
Delete |
|
Import and Export |
|
Sentinel Resource Privileges
If you want a user to be able to re-run monitors, you need to assign them to a role that includes the Sentinel Workspaces Re-Run resource privilege.
Sentinel privileges at the resource level are also located in the Privileges page, for the different roles.
The Sentinel Admin module privilege allows the following functionality to all roles that have this privilege:
Sentinel | View | Edit | Delete | Approve | Re-Run | Clear Messages |
Events | - | Edit events | Delete events | - | - | - |
User Processes | - | Add or Edit user processes | Delete user processes | - | - | - |
Workspaces |
|
|
- | Approve submitted monitors | Re-Run monitors | Clear messages |
Workspace View Privileges
If you want to set workspace view privileges at the workspace level for a particular role, then you can edit the workspace and select that role in the Security Settings list for that workspace. Follow the instructions in the IFS OI Sentinel User’s Guide, in the Workspace Security Roles section.
To grant a role privileges at this level, ensure that the Workspace View privilege is deselected at the Sentinel resource level for that role. Otherwise the role will have view privileges for each and every public workspace, regardless of individual workspace settings.
Note: To set workspace view privilege at the workspace level in Sentinel, you need the Sentinel Admin privilege.
Approve Privileges
If you want to set workspace approver privileges at the workspace level for a particular role, then you can edit the workspace and select that role in the Approvers list for that workspace. Follow the instructions in the IFS OI Sentinel User’s Guide, in the Workspace Approvers section.
To grant a role privileges at this level, ensure that the Workspace Approve privilege is deselected at the Sentinel resource level for that role. Otherwise the role will have approve privileges for each and every public workspace, regardless of individual workspace settings.
Note: To set workspace approve privilege at the workspace level in Sentinel, you need the Sentinel Admin privilege.
Server Entities View Privilege
The Server Entities View privilege relates to entities in Server, and can be assigned at the resource level (Server Entities View). Roles with this privilege can edit and view Cases for all entities. Roles with View privileges assigned at entity level can edit and view Cases for those entities only.
Comparing Security Roles in Sentinel 4.6 versus Sentinel 4.1.7
In Sentinel 4.1.7 and earlier, privileges were defined in the SentinelConfig file, with default roles allocated to them.
- <Param Key="SecurityRolesWorkspaceAdd" Value="Sentinel Administrators" />
- <Param Key="SecurityRolesWorkspaceDelete" Value="Sentinel Administrators" />
- <Param Key="SecurityRolesWorkspaceEdit" Value="Sentinel Administrators" />
- <Param Key="SecurityRolesFolderAdd" Value="Sentinel Administrators,Sentinel Editors" />
- <Param Key="SecurityRolesFolderDelete" Value="Sentinel Administrators,Sentinel Deleters" />
- <Param Key="SecurityRolesFolderEdit" Value="Sentinel Administrators,Sentinel Editors" />
- <Param Key="SecurityRolesMonitorAdd" Value="Sentinel Editors" />
- <Param Key="SecurityRolesMonitorDelete" Value="Sentinel Administrators,Sentinel Deleters" />
- <Param Key="SecurityRolesMonitorEdit" Value="Sentinel Editors" />
- <Param Key="SecurityRolesMonitorReRun" Value="Sentinel Administrators" />
- <Param Key="SecurityRolesEventEdit" Value="Sentinel Administrators,Sentinel Editors" />
- <Param Key="SecurityRolesEventDelete" Value="Sentinel Administrators" />
- <Param Key="SecurityRolesEventViewAdd" Value="Sentinel Administrators,Sentinel Editors" />
- <Param Key="SecurityRolesEventViewEdit" Value="Sentinel Administrators,Sentinel Editors" />
- <Param Key="SecurityRolesEventViewView" Value="Sentinel Administrators,Sentinel Editors" />
- <Param Key="SecurityRolesMonitorStatusReportClearMessages" Value="Sentinel Administrators" />
- <Param Key="SecurityRolesImport" Value="Sentinel Importers" />
- <Param Key="SecurityRolesExport" Value="Sentinel Exporters" />
- <Param Key="SecurityRolesUserProcessEdit" Value="Sentinel Administrators,Sentinel Process Editors" />
- <Param Key="SecurityRolesUserProcessDelete" Value="Sentinel Administrators,Sentinel Deleters" />
- <Param Key="SecurityRolesCaseViewer" Value="Case Viewer" />
- <Param Key="SecurityRolesCaseEditor" Value="Case Editor" />
The table below shows the default privileges for Sentinel 4.1.7 and earlier (on the left), compared against the privileges in Sentinel 4.6 and later. Refer to this table when configuring the new security roles and privileges.
Privilege in Sentinel 4.1.7 and Earlier | Permission To… | Default Roles in 4.1.7 and Earlier | Privilege in Sentinel 4.6 and Later |
SecurityRolesWorkspaceDelete | Delete workspaces | Sentinel Administrators | Sentinel Admin |
SecurityRolesFolderDelete | Delete folders | Sentinel Administrators, Sentinel Deleters | Sentinel Admin |
SecurityRolesMonitorDelete | Delete monitors | Sentinel Administrators, Sentinel Deleters | Sentinel Admin |
SecurityRolesImport | Import workspaces, folders, monitors (includes bulk import) | Sentinel Importers | Sentinel Admin |
SecurityRolesExport | Export workspaces, folders, monitors (includes bulk export) | Sentinel Exporters | Sentinel Admin |
SecurityRolesWorkspaceAdd | Add workspaces | Sentinel Administrators | Workspaces Edit |
SecurityRolesWorkspaceEdit | Edit workspaces | Sentinel Administrators | Workspaces Edit |
SecurityRolesFolderAdd | Add folders | Sentinel Administrators, Sentinel Editors | Workspaces Edit |
SecurityRolesFolderEdit | Edit folders | Sentinel Administrators, Sentinel Editors | Workspaces Edit |
SecurityRolesMonitorAdd | Add monitors | Sentinel Editors | Workspaces Edit |
SecurityRolesMonitorEdit | Edit monitors | Sentinel Editors | Workspaces Edit |
SecurityRolesEventViewAdd | Add event views | Sentinel Administrators, Sentinel Editors | Workspaces Edit |
SecurityRolesEventViewEdit | Edit event views | Sentinel Administrators, Sentinel Editors | Workspaces Edit |
SecurityRolesMonitorReRun | Re-run monitors | Sentinel Administrators | Workspaces Re-Run |
SecurityRolesEventViewView | View event views | Sentinel Administrators, Sentinel Editors | Workspaces View |
SecurityRolesMonitorStatusReportClearMessages | Clear monitor status messages | Sentinel Administrators | Workspaces Clear Messages |
SecurityRolesUserProcessEdit | Edit user processes | Sentinel Administrators, Sentinel Process Editors | User Processes Edit |
SecurityRolesUserProcessDelete | Delete user processes | Sentinel Administrators, Sentinel Deleters | User Processes Delete |
SecurityRolesEventEdit | Edit events | Sentinel Administrators, Sentinel Editors | Events Edit |
SecurityRolesEventDelete | Delete events | Sentinel Administrators | Events Delete |
SecurityRolesCaseViewer | View cases | Case Viewer | * Server Entities View |
SecurityRolesCaseEditor | Edit cases | Case Editor | * Server Entities View |
*Server Entities View privileges are set for Server’s security. This is also in IFS OI Server Management. Refer to the section Server Entities View Privilege (above), for more information on this privilege.
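The following is an added example, not part of the IFS documentation or product. It reads legacy `<Param>` entries, maps each role to the 4.6 privileges in the table above, and lists the legacy rights a role did not hold before but would gain, because several legacy keys collapse into one 4.6 privilege and Sentinel Admin cascades into every Sentinel resource privilege. The function names, the `<Params>` root element, and the reading of the table's merged cells as covering the rows beneath them are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
PREFIX = "SecurityRoles"
# 4.6 privilege -> legacy key suffixes it replaces, read from the comparison table above.
TABLE = {
    "Sentinel Admin": ["WorkspaceDelete", "FolderDelete", "MonitorDelete", "Import", "Export"],
    "Workspaces Edit": ["WorkspaceAdd", "WorkspaceEdit", "FolderAdd", "FolderEdit",
                        "MonitorAdd", "MonitorEdit", "EventViewAdd", "EventViewEdit"],
    "Workspaces Re-Run": ["MonitorReRun"], "Workspaces View": ["EventViewView"],
    "Workspaces Clear Messages": ["MonitorStatusReportClearMessages"],
    "User Processes Edit": ["UserProcessEdit"], "User Processes Delete": ["UserProcessDelete"],
    "Events Edit": ["EventEdit"], "Events Delete": ["EventDelete"],
    "Server Entities View": ["CaseViewer", "CaseEditor"],  # a Server privilege, not Sentinel
}
LEGACY_TO_46 = {k: priv for priv, keys in TABLE.items() for k in keys}
SENTINEL_KEYS = {k for k, v in LEGACY_TO_46.items() if v != "Server Entities View"}

def legacy_rights(xml_text):
    """Return {role: set of legacy key suffixes} read from <Param> elements."""
    rights = defaultdict(set)
    for p in ET.fromstring(xml_text).iter("Param"):
        key = p.get("Key", "")
        suffix = key[len(PREFIX):] if key.startswith(PREFIX) else None
        if suffix in LEGACY_TO_46:
            for role in filter(None, (r.strip() for r in p.get("Value", "").split(","))):
                rights[role].add(suffix)
    return rights

def plan(xml_text):
    """Return {role: (4.6 privileges to grant, legacy rights the role newly gains)}."""
    out = {}
    for role, held in legacy_rights(xml_text).items():
        privs = {LEGACY_TO_46[k] for k in held}
        covered = {k for k, v in LEGACY_TO_46.items() if v in privs}
        if "Sentinel Admin" in privs:  # cascades into every Sentinel resource privilege
            covered |= SENTINEL_KEYS
        out[role] = (privs, covered - held)
    return out

# Constructed sample reusing four default entries from the page. The <Params> root
# element is an assumption: the page shows only the individual <Param> lines.
SAMPLE = """<Params>
  <Param Key="SecurityRolesFolderDelete" Value="Sentinel Administrators,Sentinel Deleters" />
  <Param Key="SecurityRolesMonitorEdit" Value="Sentinel Editors" />
  <Param Key="SecurityRolesImport" Value="Sentinel Importers" />
  <Param Key="SecurityRolesCaseViewer" Value="Case Viewer" />
</Params>"""
for role, (privs, gained) in sorted(plan(SAMPLE).items()):
    print(f"{role}: grant {sorted(privs)}; gains {len(gained)} legacy rights it did not hold")
```

Roles with a non-empty gained set, such as a former import-only or delete-only role that would land on Sentinel Admin, are the ones to review before carrying them over one-to-one.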
Security Roles
There are two default roles in Security:
- Administrators: A default administrator role that has all privileges assigned.
- Everyone: A default role that represents all authenticated users. When a new user is added to Security, the Everyone role is assigned to them.
In order to change anything in Security, you will need the Security Admin privilege. This comes with the Administrators role, or you can use any other role with this privilege.
All other roles need to be added. There might already be roles intended for the other modules (such as Explorer and Commentary), and there may be roles for Sentinel that have already been added by another Security Admin user.
We recommend adding some basic Sentinel roles, preferably prefixed by the word ‘Sentinel’, for example:
- Sentinel Administrators
- Sentinel Workspaces Administrator
- Sentinel Viewer
- Sentinel Process Editors
- Sentinel Process Deleters
Creating a Role
In our example, we will create a new Sentinel role for Sentinel Process Editors.
Example:
- In the Security section, in IFS OI Server Management, click the Roles menu button, then create and save a new role called Sentinel Process Editor, with the description: Sentinel Process Editors will be able to add and edit processes in Sentinel Studio.
Assigning Privileges
Roles are assigned one or more privileges, which then get allocated to users with that role.
Example: Following the previous example, we will assign the Sentinel User Processes Edit privilege to the new Sentinel Process Editor.
- In the Security section, in IFS OI Server Management, click the Privileges menu button, then edit the Sentinel Process Editor role, giving it the User Processes, Edit privilege.
Sentinel Privileges
The Sentinel privileges are close to the bottom of the privileges panel. Locate the User Processes row, and the Edit column, and click the button in the intersecting position.
Before the privilege is set, it is a grey circle with a cross, indicating that this privilege has not been set.
After clicking, the grey circle turns to a green circle with a tick, indicating that the privilege has been set.
Privilege Settings
In Security, some of the privilege buttons are disabled, and cannot be reset. Others can be clicked on or off. Each privilege button is represented by a symbol, as explained below:
Symbol | Meaning | Example |
Grey Cross (can click) | Privilege not granted | The Workspaces Re-Run privilege has not been granted to this role. |
Green Tick (can click) | Privilege is explicitly granted, and associated privileges will be automatically granted | The Workspaces Approve privilege has been granted for this role. |
Green Dot (cannot click) | Privilege is granted because a higher level privilege has been granted on the same resource | The User Process Edit privilege is implied by the User Process Delete privilege, which has been granted for this role. |
Blue (cannot click) | Privilege is granted because it is inherited from a module privilege (the Sentinel Admin privilege) | The Sentinel Admin privilege has been granted for this role. This cascades into all of the Sentinel resource privileges. |
Adding Sentinel Users
In order to be able to add users, a user must be a Security administrator (someone with a role that has the Security Admin privilege). There are two ways to add a new user:
Adding Users with Active Directory
Many of the users will be added automatically, using AD Sync. The AD Sync tool will automatically add all users in Active Directory that are configured to have access to IFS OI Explorer. For instructions on running the AD Sync tool, refer to the IFS OI Explorer Installation Guide.
Adding Users Manually
You can manually add a user who can access IFS OI Explorer, using either their domain credentials or a user name and password.