©2013 Waters Corporation 1
UNIFI: The administrative environment
Ken Eglinton Nordic User Training, September 2013
Topics Covered
Data Folder Hierarchy and Roles/Permissions
User Accounts
Security Checks
– Assigned Roles
Data Folders and Access Grants
– Access Grants Rules/Behaviors
– Stopping Inheritance
Global Policies and Folder Policies
Offline Storage Manager
Security area of Administration
Data Folder Hierarchy and Roles/Permissions
Data Folder Hierarchy
Organizational Hierarchy
– Company
– Facility/Department
– Lab
– Projects
Default Roles
Roles and Permissions
Comparing Roles
User Accounts
General User Account Settings
User Accounts Allowed Roles and Default Role
Notification Subscriptions
Preferences
Data Access
Device Access
Library Access
Account Licenses
Training Certificates
Security Checks
Once the user logs into UNIFI, their Data Folders, Scientific Library Folders and Devices are controlled and dynamically built from the user's access grants.
User – Assigned Roles
There are three Roles in the system.
– Chemist Admin 1
– Chemist Admin 2
– Chemist Admin 3
User – Assigned Roles
A user logs in with an account that has the Chemist Admin 2 Role.
When this user tries to create an account, which Roles is he allowed to pick from in the Assigned Roles list?
– Chemist Admin 1 and Chemist Admin 2
Application Scenario; Assigned Roles
• Assigned roles
• Determines the Role used for folder access assigned with the ‘Login Role’ Role in Access Management.
• Determines system-wide permissions for tasks not applicable to a folder (administrative tasks, for example).
There are two Roles assigned to the Steve Bird account.
Steve Bird has Direct grant to QC Lab.
Steve Bird has Direct grant to Project 3a.
When Steve Bird logs in, what does his hierarchy look like and with what grants?
Login Role – Direct
Chemists or Chemists Admin 1
Login Role - Inherited
Guest - Direct
Data Folders and Access Grants
Access Grants Rules/Behavior
1. Inheritance applies and Direct grants override Inheritance.
2. Inheritance comes from the first Direct grant up the tree.
3. There can be only one unique User or Policy applied to a single Node (Data Folder, Scientific Library Folder, Device Folder).
4. Granting at a parent node will be inherited by any child node, regardless of whether the user has the appropriate permissions at the inherited nodes.
5. Editing at a parent node will take effect on any child node currently inheriting, regardless of whether the user has the appropriate permissions at the inherited nodes.
6. Explicit grants can only be edited by users with the appropriate permission at the node.
Access Grant Example; Users
Steve Bird has direct access to QC Lab with Login Role
Steve Bird has inherited access to the Motrin project via QC Lab
Want Steve Bird to have only Guest access to Motrin
– Directly grant Steve Bird to the Motrin Folder
– Change Role
Access Grant Example; Stopping Inheritance
Steve Bird has direct access to Milford and is inheriting access to the QC Lab and Motrin folders.
Administrators want to stop his access to the Motrin folder.
Select the user account then ‘Stop inheritance’
Access type changes to ‘No Inheritance’
Without a stop inheritance mechanism administrators would have to:
– Revoke his access from the Milford folder
– Grant Direct Access to the Milford and QC Lab folders
– Move the Motrin folder from being a child of the QC Lab, to being a child of the Waters folder
Also, imagine if there were other users with Direct access to the Milford folder and you still wanted those users to continue to have access to the Motrin folder.
– You would have to grant them back direct access to the Motrin folder
This would be difficult for administrators
– This is the key point of Stop Inheritance
Why would we change the access type status of the user to ‘No Inheritance’ rather than remove the user from the list?
– Because removing the user means it has been Revoked using that command, which is different from stopping inheritance.
– Administrators coming back to Access Management after a period of time won’t remember they have stopped inheritance on a user and will attempt to grant direct access.
What happens when a user attempts to directly grant access of a User or Policy to a Data Folder which has that item currently applied but in the state of ‘No Inheritance’?
– The item will now show as a direct grant
What happens when a Folder is moved to a different point in the Folder Hierarchy?
– Access grants will automatically change
o Items that are still inherited from the new parent will stay in the ‘No Inheritance’ state.
o Direct grants will not change
Grants and Inheritance Examples
Scenarios
Creating a Data Folder policy
Editing a Data Folder policy
Applying a Data Folder policy
Revoking a Data Folder policy
Deleting a Data Folder policy
Copy/Paste a Data Folder policy
Folder
Milford
QCLab
Project1
Project2
Project3
Analytical Development
Project 4a
Project 4b
New Jersey
Applying a Data Folder Policy
Policy A1 is applied to the Milford Folder and inherited down the tree.
– Per the rules, Inheritance applies and Direct grants override Inheritance
Before:
Node Policy
Milford -
QCLab -
Project1 -
Project2 -
Project3 -
Analytical Development -
Project 4a -
Project 4b -
New Jersey -
After:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Applying a Data Folder Policy
User wants to replace Policy A1 with Policy A2 at Milford.
– We must first check to ensure the user has the permission to ‘Assign/Revoke folder policies’ at the folder.
o If yes, the policy shall be applied.
o Per the rules, any sub-nodes that do not have an explicit policy shall inherit the applied policy from their parent.
Before:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A2 Direct
QCLab A2 Inherited
Project1 A2 Inherited
Project2 A2 Inherited
Project3 A2 Inherited
Analytical Development A2 Inherited
Project 4a A2 Inherited
Project 4b A2 Inherited
New Jersey A2 Inherited
Applying a Data Folder Policy
User wants to replace Policy A1 with Policy A2 at Project2.
– We must first check to ensure the user has the permission to ‘Assign/Revoke folder policies’ at the folder.
o If yes, the policy shall be applied.
o Per the rules, any sub-nodes that do not have an explicit policy shall inherit the applied policy from their parent.
Before:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A2 Direct
Project3 A2 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Applying a Data Folder Policy
User has the permission to ‘Assign/Revoke folder policies’ at the QCLab, Project1 and Project2 part of the hierarchy, but does not have the permission at Project3.
The user wants to replace Policy A1 with Policy A2 at QCLab.
– Per the rules this action is allowed because Project3 is inheriting the policy.
Before:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A2 Direct
Project1 A2 Inherited
Project2 A2 Inherited
Project3 A2 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Applying a Data Folder Policy
User has the permission to ‘Assign/Revoke folder policies’ at the QCLab, Project1 and Project2 part of the hierarchy, but does not have the permission at Project3.
The user wants to replace Policy A1 with Policy A3 at QCLab.
– Per the rules this action is allowed because Project3 has policy A2 Directly assigned and Project3 is not changed.
Before:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A2 Direct
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A3 Direct
Project1 A3 Inherited
Project2 A3 Inherited
Project3 A2 Direct
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Revoking a Data Folder Policy
User has the permission to ‘Assign/Revoke folder policies’ at the Milford part of the hierarchy.
User attempts to Revoke policy A1 from Milford.
– Per the rules this action is allowed because all sub folders are inheriting.
– The user is prompted with a dialog indicating the policy will be removed from the Milford folder and all Inherited folders.
Before:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford -
QCLab -
Project1 -
Project2 -
Project3 -
Analytical Development -
Project 4a -
Project 4b -
New Jersey -
Revoking a Data Folder Policy
User has the permission to ‘Assign/Revoke folder policies’ at the Milford part of the hierarchy.
User attempts to Revoke policy A1 from Milford.
– Per the rules this action is allowed and applied to all sub folders inheriting the policy as well.
– The user is prompted with a dialog indicating the policy will be removed from the Milford folder and all Inherited folders.
– Any folders within Milford that have Direct policy grants are not affected.
Before:
Node Policy
Milford A1 Explicit
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A2 Direct
Project3 A2 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford -
QCLab -
Project1 -
Project2 A2 Direct
Project3 A2 Inherited
Analytical Development -
Project 4a -
Project 4b -
New Jersey -
Deleting a Data Folder Policy
User has the permission to ‘Delete’ a policy which allows the user to delete the policy from the Global folder policy list.
Creating a Folder
User attempts to Create Project5 in the QCLab folder.
– All policies shall be inherited from the first parent up the hierarchy with a direct Policy grant.
Before:
Node Policy
Milford A1 Explicit
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Project5 -
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Project5 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Creating a Folder
User attempts to Create Project5 in the QCLab folder.
– All policies shall be inherited from the first parent up the hierarchy with a direct Policy grant.
o In this case, there are no policies assigned so the new project does not get any either.
Node Policy
Milford -
QCLab -
Project1 -
Project2 -
Project3 -
Project5 -
Analytical Development -
Project 4a -
Project 4b -
New Jersey -
Moving a Folder
User attempts to Move Project2 from the QCLab folder to the Analytical Development Lab folder.
– Inheritance applies and in this case there is no change as the Analytical Development Lab is also inheriting from above.
Before:
Node Policy
Milford A1 Explicit
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Project5 A2 Explicit
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project5 A2 Explicit
Analytical Development A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Moving a Folder
User attempts to Move Project2 from the QCLab folder to the Analytical Development Lab folder.
– Inheritance applies and in this case Project 2 and Project3 receive Policy A2.
Before:
Node Policy
Milford A1 Explicit
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A1 Inherited
Project3 A1 Inherited
Project5 A1 Inherited
Analytical Development A2 Explicit
Project 4a A2 Inherited
Project 4b A2 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project5 A1 Inherited
Analytical Development A2 Direct
Project2 A2 Inherited
Project3 A2 Inherited
Project 4a A2 Inherited
Project 4b A2 Inherited
New Jersey A1 Inherited
Moving a Folder
User attempts to Move Project2 from the QCLab folder to the Analytical Development Lab folder.
– Explicit Grants override Inheritance and in this case Project 2 and Project3 retain Policy A2.
Before:
Node Policy
Milford A1 Explicit
QCLab A1 Inherited
Project1 A1 Inherited
Project2 A2 Explicit
Project3 A2 Inherited
Project5 A1 Inherited
Analytical Development A1 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
After:
Node Policy
Milford A1 Direct
QCLab A1 Inherited
Project1 A1 Inherited
Project5 A1 Inherited
Analytical Development A1 Inherited
Project2 A2 Direct
Project3 A2 Inherited
Project 4a A1 Inherited
Project 4b A1 Inherited
New Jersey A1 Inherited
Access Management
Those scenarios apply not only to Data Folder Policies but also to user access grants in Access Management.
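The Access Grants Rules/Behavior list and the policy scenarios above, worked through as an added example (a sketch written for this page, not Waters or UNIFI code). The GrantTree class, its method names, the may_edit parameter, the nesting of the folder tree and the behaviour of a stop below the stopped folder are all assumptions made for illustration.

```python
NO_INHERITANCE = "No Inheritance"
class GrantTree:
    """Grants of one subject (a folder-policy slot or one user) on a folder tree."""
    def __init__(self, parents):
        self.parent = dict(parents)   # child -> parent; the root maps to None
        self.direct = {}              # node -> value, or the NO_INHERITANCE marker

    def _check(self, node, may_edit):
        # Rules 4-6: checked at the edited node only, never at inheriting children.
        if node not in may_edit:
            raise PermissionError(f"no Assign/Revoke permission at {node}")

    def grant(self, node, value, may_edit):
        self._check(node, may_edit)
        self.direct[node] = value     # also replaces a 'No Inheritance' marker

    def revoke(self, node, may_edit):
        self._check(node, may_edit)
        self.direct.pop(node, None)

    def stop_inheritance(self, node):
        self.direct[node] = NO_INHERITANCE

    def move(self, node, new_parent):
        self.parent[node] = new_parent   # direct entries travel with the node

    def effective(self, node):
        """Rules 1-2: the first direct entry found walking up the tree wins."""
        cur = node
        while cur is not None:
            if cur in self.direct:
                value = self.direct[cur]
                if value == NO_INHERITANCE:   # assumed to cut off folders below too
                    return (None, NO_INHERITANCE)
                return (value, "Direct" if cur == node else "Inherited")
            cur = self.parent[cur]
        return (None, "-")

# Constructed tree; the nesting is an assumption read off the slide tables.
TREE = {"Milford": None, "QCLab": "Milford", "Project1": "QCLab",
        "Project2": "QCLab", "Project3": "Project2",
        "Analytical Development": "Milford"}

def demo():
    t = GrantTree(TREE)
    t.grant("Milford", "A1", may_edit={"Milford"})
    t.grant("QCLab", "A2", may_edit={"QCLab", "Project1", "Project2"})
    inherited = t.effective("Project3")    # changed without permission at Project3
    t.stop_inheritance("Project3")
    stopped = t.effective("Project3")
    t.grant("Project3", "A2", may_edit={"Project3"})
    regranted = t.effective("Project3")
    t.move("Project2", "Analytical Development")
    return inherited, stopped, regranted, t.effective("Project2")
```

The last value returned by demo() shows Project2 falling back from A2 to the A1 grant at Milford after the move, which is why a folder move deserves the same review as a grant change.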
Global Policies and Folder Policies
Overview of UNIFI Policies
Global policies apply to the entire UNIFI Installation
Data Folder Policies apply to a specific Data Folder
By default Everest shall track all actions and the audit trails shall contain the following: Who, What, When, Old Value and New Value.
Everest shall have two types of policies to configure the ‘Why’:
– Global Audit Trail Reasons and Data Folder Reason
Global Policies
Folder Policies
Predefined Reasons
UNIFI Offline Storage Manager (OSM)
OSM Configuration
OSM Policy
Questions?