Access Control

The yunIO access control allows you to define the following user authorizations:

• Authorization for server and yunIO Designer access, see Global Access Control
• Authorization for specific services, see Service Access Control

Global Access Control #

Global access control allows you to define user authorizations for server and yunIO Designer access.
To open the global access control settings, open the Access Control menu:

Server Access #

Activate or deactivate access control for the Designer and the server.

• If Anonymous Access is active, anyone can access the Designer and execute services. Anonymous is the default setting.
• If Authenticated is active, only defined users with a designated restriction level have access to the Designer and the server.
  This option is available, if at least one user is defined and Transport Layer Security is enabled.

Privileges (Global) #

Assign restriction levels for Designer and server access to users.

All users defined in User management are listed in the subsection Privileges.
Select a restriction level from the dropdown list next to the user name to assign a restriction level. The following restriction levels are available:

• Server Admin: No restrictions.
• Create / Modify: The user can login to the designer; create new connections and services; modify existing ones. The user cannot make changes to users, access control, or server settings.
• Read / Execute: The user can login to the Designer, but cannot make any changes. The user can run services.
• No access: The user can not login to the Designer or run any services. This option can be used to temporarily disable users from using yunIO.

Restrict Designer and Server Access #

Follow the steps below to restrict the access to the Designer and the server. The access restrictions also apply to services. To define custom access restrictions for services, see Restrict Access to Services.

1. Open the Settings menu and activate Transport Layer Security, see Server Settings: Transport Layer Security.
   
2. Restart the yunIO service and connect to the Designer using an HTTPS connection.
3. Open the Access Control menu.
4. Activate Authenticated, see Server Access.
   
5. Assign user rights to existing users, see Privileges (Global).
6. Click [Save] and restart the yunIO service again.
7. When connecting to the Designer, you are now prompted to enter user credentials:
   

Note: If you lock yourself out and cannot login to the Designer, delete the permission.json file in the installation directory of yunIO e.g., C:\Program Files\Theobald Software\yunIO\config\servers\permission.json. Restart the yunIO server afterwards.

Tip: You can also use SAP credentials for basic authentication, see SAP Connection: Authentication. Using SAP credentials and custom user credentials for basic authentication in parallel is not supported.

Service Access Control #

Service access control allows you to define user authorizations for specific services.
To open the service access control settings, click the icon of the service you want to restrict access to.

Service Access #

Activate or deactivate further restrictions of existing global access rights for the selected service.

• If Inherit is active, the global access rights apply to the service, see Global Access Control. Inherit is the default setting.
• If Custom is active, the access rights defined in the subsection Privileges apply to the service.
  Custom service restrictions do not affect users with global Administrator rights.

Privileges (Services) #

Assign restriction levels for the service access to users.

All users defined in User management are listed in the subsection Privileges. Select a restriction level from the dropdown list next to the user name to assign a restriction level. The following restriction levels are available:

• Modify: The user can read, run and modify the service.
• Read / Execute: The user can read and run the service.
• No access: The user can not access, modify, read or run the service.

Restrict Access to Services #

By default services inherit access restrictions from the server-level, see Global Access Control. Follow the steps below to set up custom access restrictions for specific services:

1. Open the Services menu.
2. Click () at the service you want to restrict access to. The access control menu of the service opens.
   
3. Activate Custom, see Service Access
   
4. Assign user rights to existing users, see Privileges (Services).
5. Click [Save].
6. Open the Services menu and copy or download the service definition.
   
7. Call the service using basic authentication. Enter the credentials of a user that is allowed to run services.

Note: When access rights from the server and service levels differ, the more restrictive access right applies, e.g., a user with Read/Execute privilege on the server level cannot be upgraded to Modify on the service level. The Administrator privilege is the only privilege on the server level that cannot be downgraded on the service level.

Tip: Click [Reset permissions] to set all user rights to No Access.