...
Note that this topic does not cover security access controls in the virtual assets or message proxies that are accessed by the application under test (AUT). That is addressed in
...
Working with Message Proxies and Configuring for Services Deployed Over HTTPS.
About Virtualize Server User Access Control
| Anchor | ||||
|---|---|---|---|---|
|
User access control allows you to control what actions each user can perform on the Virtualize Servers connected to his or her Virtualize Desktop installation. This allows you to determine which users can view, provision, create, modify, delete, and deploy assets. For example, you can control which users can start and stop proxy recording, modify and activate data groups and performance profiles, create and modify message proxies, use JDBC controllers, and so forth.
Authentication
When user access control is in effect, a user must provide credentials when adding a remote Virtualize Server to his or her Virtualize desktop. Once the user is authenticated, he can perform only the operations that are allowed for his or her assigned role.
Roles
Available roles are Admin, System, and Provision. These roles are configured in CTP. They also control access to CTP operations.
...
For a more detailed breakdown of the actions allowed for each role, see Configuring user Access Control for Virtualize Servers Understanding Role-Based Permissions.
How it Works: Details
Virtualize Server user access control takes effect whenever the server is configured to connect to a CTP installation. If such a connection is configured and user authentication succeeds, the user will be granted the appropriate level of access. If such a connection is configured but user authentication fails (e.g., because valid credentials were not supplied or because the Virtualize-CTP connection failed), the user will not be granted any access—even read-only access—to the Virtualize Server.
...
Virtualize Server caches access control roles for the credentials it receives from Virtualize Desktop with a lifespan of 1 minute. This means that if a role/user is modified in CTP, it can take up to a minute for the new access controls to be enforced by Virtualize Server. Also, due to caching on Virtualize Desktop, it can take up to a minute for connected Virtualize Desktops to update access control labels, enable right-click menu options, and enable controls within editors.
How it Works: Summary
| CTP (EM) | Virtualize Server |
|---|---|
| Virtualize Server not configured to connect to EM | Full access |
| Admin role + successful EM authentication | Full access |
| System role + successful EM authentication | Full access |
| Provision role + successful EM authentication | Provision-only access |
| No assigned role + successful EM authentication | Read-only access |
| Unauthenticated (EM authentication failed) | No access |
| No credentials provided + Virtualize Server is configured to connect to EM | No access |
| Virtualize Server configured to connect to EM, but connection fails | No access |
| EM restricts access to the Virtualize Server | Access only for the selected list of users, based on their role. All other authenticated users have read-only access to that restricted resource |
| EM does not restrict access to the Virtualize Server | [Based on user role] |
Migrating from Virtualize 9.5 or Earlier
If Virtualize Server 9.5 or earlier was configured to connect to CTP, then upgrading to Virtualize 9.6 or later will result in User Access Control being enabled on that server. Full access to the server will become restricted as a result of the upgrade.
...
- Ensure that the desired roles and access controls for that server are configured in CTP.
- For each Virtualize Desktop previously-connected to the Virtualize Server, re-connect with authentication (i.e., double-click the existing remote server node in the Virtualize Server view, specify a valid username/password, then save the Server Configuration editor)
Configuring User Access Controls for a Virtualize Server
To configure user access controls for a Virtualize Server:
Connect the Virtualize Server to CTP via Preferences> CTP. See CTP Settings for details.
Note title HTTPS Note If CTP is deployed over an HTTPS connection (recommended), the Virtualize Server’s CTP connection settings should use an HTTPS URL. This will ensure that the Virtualize Server will communicate with CTP securely over SSL.
If the SSL certificate that CTP is configured with is not trusted by Virtualize Server (e.g., if it is self-signed), you will need to configure the Virtualize Server to trust all certificates—or add that particular CTP certificate to the Virtualize default Java cacerts file and select that option. This can be config-ured in the Preferences> Security settings (as described in Security Settings).
- If you have not already done so, use CTP to configure user accounts and permissions. For details, see the CTP User’s Guide.
Working with User Access Control
The following sections explains how Virtualize Server user access control impacts Virtualize Desktop users.
Adding a Remote Server
When adding a remote server, users need to enter a valid username and password in the Add Server dialog.
...
...
| Note | ||
|---|---|---|
| ||
By default, the SSL connector (on port 9443) is enabled with a default self-signed certificate, which Virtualize Desktop will trust by default. If the HTTPS option was selected when the remote server was added to the Virtualize Desktop, Virtualize Desktop will communicate with Virtualize Server securely over SSL.
|
Note that access levels (Read Only, Full Access, Provision Only) will be indicated with labels in the Virtualize Server view. For example:
...
Additionally, access levels will be indicated in the server configuration page:
| Anchor | ||||
|---|---|---|---|---|
|
If users need to re-enter credentials (e.g., if their roles were changed via CTP), they can provide this data in the Virtualize Server's Authentication tab:
Understanding Role-Based Permissions
| Anchor | ||||
|---|---|---|---|---|
|
The following table is designed to help you understand which capabilities are associated with the available roles:
...