Version: 7.1

Access control

Authentication and authorization are separated in ASM and configured independently, and the security model uses two levels of management:

  • system-level authentication using an authentication module

  • application-based authorization for project access based on roles defined in the authentication module

Authentication

ASM authentication is the process for determining who can log in to the system. See Appendix: Managing users in Keycloak for more information on how to create users in the authentication module.

Authorization

ASM authorization is the process of determining what a logged-in user can do in the system. ASM will accept authenticated users who have been assigned an ASM role. Then, at the application level, we define authorization rules for users authenticated at the system level. See Users for more information about user management in ASM.

By default, the ASM role set consists of three different roles:

  • asm-admins - this role is required in order to log in to the ASM UI and access the Administration view. This allows the project administrator to create and manage projects and their members. The role can be used in combination with the asm-users role, in which case the project administrator can also be assigned to work in a project. Without the added asm-users role, however, the project administrator will not have access to all ASM functionality and will be limited to project administration only.
  • asm-users - this role is required in order for the user to log in to the ASM UI and access a project within ASM. After a user with this role has been assigned to a project, the user will be able to log in and access the Services Manager and the project. Application-based authorization is used to determine the user's level of permission (Read-only or All). All gives the user unrestricted access to all data and functions in the Services Manager, though the user will not be able to manage the project without also having the asm-admins role.
  • domain-auditor - this role is required for users who should have access to historical data, for example for auditing. Consequently, a user needs this role to have access to the Roll back functionality of ASM.

For those with an asm-users role, access to projects and permission to edit data depends on the settings applied at the application security management level. When a user is assigned to a project, the user is given either Read-only or All permission within the project. The project administrator can modify permissions at any point. See Project setup for more information about project administration.

Note: A user can be assigned all three roles, which is recommended for the administrator to be able to work with projects as well as the administration view.
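The two-level model above (system-level roles from the authentication module, project-level Read-only/All permission assigned in the application) as an added illustration; this is not ASM's own code. The role names are taken from this page, while the `User` record, the `Permission` enum and the rule that Roll back also needs access to the project in question are assumptions made for the example.

```python
# Added example of the ASM access model (not ASM's own code).
# Role names come from the documentation; the data structures are assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ_ONLY = "Read-only"   # project-level permission set by the project administrator
    ALL = "All"


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)                  # system level (authentication module)
    projects: dict[str, Permission] = field(default_factory=dict)  # application level (project assignment)


def can_open_admin_view(user: User) -> bool:
    """The Administration view requires the asm-admins role."""
    return "asm-admins" in user.roles


def can_access_project(user: User, project: str) -> bool:
    """Project access requires asm-users AND an assignment to that project; asm-admins alone is not enough."""
    return "asm-users" in user.roles and project in user.projects


def can_edit_project(user: User, project: str) -> bool:
    """Editing data requires project access with the All permission."""
    return can_access_project(user, project) and user.projects[project] is Permission.ALL


def can_roll_back(user: User, project: str) -> bool:
    """Roll back reads historical data, so domain-auditor is required.
    Requiring project access as well is an assumption of this example."""
    return can_access_project(user, project) and "domain-auditor" in user.roles


if __name__ == "__main__":
    # Constructed sample users: an admin-only account and a fully privileged account.
    admin_only = User("alice", {"asm-admins"})
    full = User("bob", {"asm-admins", "asm-users", "domain-auditor"}, {"proj-1": Permission.ALL})
    print("alice opens admin view:", can_open_admin_view(admin_only))   # True
    print("alice accesses proj-1:", can_access_project(admin_only, "proj-1"))  # False
    print("bob rolls back proj-1:", can_roll_back(full, "proj-1"))  # True
```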