Bentley OpenUtilities CONNECT Edition Help

Bentley OpenUtilities Designer Security Features

Bentley OpenUtilities Designer does not perform user authentication checks, which require special logon names and passwords. The product was developed primarily for use in network environments, which typically utilize their own authentication mechanisms. If the Bentley OpenUtilities Designer user is able to log on to the network, then the user has already been authenticated.

Bentley OpenUtilities Designer’s security features provide authorization checks to ensure that the current user is permitted to access specific types of data and perform specific actions. In general, if a user does not have this authority, then the operation will not be available to the user (e.g., the menu option or toolbar button will appear dimmed). Authorization checks require (1) a user database and (2) a set of user group definitions. User accounts and user groups are set up and maintained with the User Manager.

User Data

The user database contains an account for each user with information such as the user’s ID, first and last names, and e-mail address. Users are primarily identified by their network login names, which Bentley OpenUtilities Designer obtains from the operating system to ensure that the user has been entered in the user database. Bentley OpenUtilities Designer checks the user’s membership in a user group to determine which of Bentley OpenUtilities Designer’s restricted capabilities are available to the user. For more information, see “Managing User Accounts”.

Group Data

The purpose of user groups is to simplify the task of assigning sets of restricted capabilities to individual users. By assigning capabilities to a group and then associating users with one or more groups, system administrators can reassign capabilities for multiple users by editing the group definition. Users cannot be assigned capabilities individually—only as a member of a group. For more information, see “Managing User Groups”.

Restricted Capabilities

Bentley OpenUtilities Designer restricts access to certain operations that can have an impact on the GIS database and thus are likely to require some level of authorization at most customer sites. For these controlled capabilities, Bentley OpenUtilities Designer performs authorization checks using information about the user’s membership in a user group and the capabilities assigned to that group. Less critical tasks, such as viewing public data and generating reports, are not restricted and can be accessed by all users.

The table below shows how these restricted capabilities are designated and defined. Users who are permitted to perform these operations must belong to user groups that have been assigned the specific capabilities.

| ID | Display Name | Description |
|----|--------------|-------------|
| 1 | Create Work Requests | Ability to create new work requests. |
| 2 | Delete Work Requests | Ability to delete work requests. |
| 3 | Edit Work Request Properties | Ability to edit work request properties (e.g., name, description, owner). |
| 4 | Edit Work Request State | Ability to execute actions that change a work request’s state (e.g., In Design, Mark Complete, Construction Complete). |
| 5 | Use Configuration Tools | Ability to use all the configuration tools for Bentley OpenUtilities Designer. |
| 6 | Approve Work Requests | Ability to approve work requests. |
| 7 | Change Work Request Owner | Ability to reassign a work request to another user. |
| 8 | Submit Work Requests | Ability to submit work requests to external WMS. |
| 9 | View All Work Requests | Ability to see all work requests (Workplace Today and My Work views). |
| 10 | Create Designs | Ability to create designs. |
| 11 | Delete Designs | Ability to delete designs. |
| 13 | Change Design Owner | Ability to reassign a design to another user. |
| 14 | Edit Design Properties | Ability to edit design properties (e.g., name, description, owner). |
| 12 | Edit Work Request Attachments/Associations | Ability to edit work request-design relationships (e.g., Attach, Associate, Detach, Disassociate). |
| 15 | View All Designs | Ability to see all designs (Workplace Today and My Designs views). |
| 17 | Config Public Job Defaults | Ability to configure settings for public job defaults. |
| 18 | Config Public Units | Ability to configure public units (compatible and macro units, materials, and custom costs) and promote private units to public units. |
| 19 | Config Private Units | Ability to create and configure private units. |
| 20 | Edit Security Settings | Ability to configure security settings (user accounts, groups, and capabilities). |
| 21 | Config Public Reports | Ability to configure public report properties (e.g., name, file path, owner) and promote private reports to public reports. |
| 23 | Config Public Templates | Ability to configure public design templates. |
| 24 | Config Public CU Rules | Ability to configure public CU rules. |
| 25 | Config Public Class Codes | Ability to configure public class codes. |

A restricted capability is typically assigned to a user group when the group is created. Capabilities can be subsequently added or removed by using the Group Properties dialog box. For more information, see “Managing User Groups”.

Default Security Configuration

Bentley OpenUtilities Designer is installed with a default configuration for one user with the user name “administrator” so that the system administrator can access Bentley OpenUtilities Designer and create the initial set of users. The administrator can then grant the Edit Security Settings capability to selected users for subsequent configuration changes.

The following table summarizes Bentley OpenUtilities Designer’s default groups. Using the User Manager, the administrator can modify or delete any of these groups to suit configuration needs at the installation site.

Table 1. Default User Groups

| Group Name | Description | Capabilities |
|------------|-------------|--------------|
| Guest | Minimal capabilities. | |
| Designers | Members can perform design and work management tasks. | 1, 2, 3, 4, 8, 10, 11, 12, 14 |
| Supervisors | Members can perform design and work management tasks and can see all designs and work requests. | 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 |
| Administrators | Members can fully administer the system. | 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 20, 21 |
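The user, group and capability model described above can be reviewed offline with a short script. The following is an added example, not Bentley code: the capability IDs and default group assignments are copied from the tables on this page, while the login names, memberships and function names are hypothetical. It computes a user's effective capabilities as the union of their groups, denies logins that are not in the user database, lists capabilities that no default group grants, and reports who holds Edit Security Settings (ID 20).

```python
# Added example: capability IDs and default groups are copied from the tables
# on this page; user names, memberships and function names are hypothetical.
CAPABILITIES = {
    1: "Create Work Requests", 2: "Delete Work Requests",
    3: "Edit Work Request Properties", 4: "Edit Work Request State",
    5: "Use Configuration Tools", 6: "Approve Work Requests",
    7: "Change Work Request Owner", 8: "Submit Work Requests",
    9: "View All Work Requests", 10: "Create Designs", 11: "Delete Designs",
    12: "Edit Work Request Attachments/Associations",
    13: "Change Design Owner", 14: "Edit Design Properties",
    15: "View All Designs", 17: "Config Public Job Defaults",
    18: "Config Public Units", 19: "Config Private Units",
    20: "Edit Security Settings", 21: "Config Public Reports",
    23: "Config Public Templates", 24: "Config Public CU Rules",
    25: "Config Public Class Codes",
}
DEFAULT_GROUPS = {
    "Guest": set(),  # assumption: the blank cell in Table 1 means no capabilities
    "Designers": {1, 2, 3, 4, 8, 10, 11, 12, 14},
    "Supervisors": {1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
    "Administrators": {1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
                       17, 18, 20, 21},
}
# Constructed user database: network login name -> group memberships.
MEMBERSHIPS = {"jsmith": ["Designers"], "mlee": ["Designers", "Supervisors"],
               "akhan": ["Administrators"], "temp1": ["Guest"]}

def effective_capabilities(group_names, groups=DEFAULT_GROUPS):
    """Union of the capabilities of every group the user belongs to."""
    caps = set()
    for name in group_names:
        caps |= groups.get(name, set())  # an unknown group grants nothing
    return caps

def is_authorized(login, cap_id, memberships=MEMBERSHIPS, groups=DEFAULT_GROUPS):
    """Deny logins missing from the user database; otherwise check groups."""
    if login not in memberships:
        return False
    return cap_id in effective_capabilities(memberships[login], groups)

def unassigned_capabilities(groups=DEFAULT_GROUPS):
    """Capability IDs that no group grants, so no user can hold them."""
    granted = set().union(*groups.values())
    return sorted(set(CAPABILITIES) - granted)

def holders(cap_id, memberships=MEMBERSHIPS, groups=DEFAULT_GROUPS):
    """Logins that hold a capability; useful for reviewing ID 20."""
    return sorted(u for u in memberships
                  if is_authorized(u, cap_id, memberships, groups))

if __name__ == "__main__":
    print("No default group grants:", unassigned_capabilities())
    print("Can edit security settings:", holders(20))
```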

Database Security

Bentley OpenUtilities Designer 3.0 uses an Oracle database to store data. Two methods are supported for database security.

  1. Single Database User Account
  2. Remote OS Authentication

With the Single Database User Account scheme, all users are automatically logged into the database under a single database account. Although this mode makes it easy to configure the database (because there is only one database user/account), it has drawbacks. Since all users are treated as a single user, there is no way for the database administrator to determine which users are currently logged into the database and which users have performed which operations. The Single Database User Account mode is useful for simple demonstrations and for debugging database connection problems. This mode can be enabled on a per-client-machine basis with a special utility (..\bin\chedconfig.exe).

Remote OS Authentication is the recommended mode of operation. Similar to the Bentley OpenUtilities Designer security scheme, the database treats the user as authenticated if the user can access the local area network. When Remote OS Authentication is enabled, the database retrieves the user's login ID from the client machine and uses it to access the user's individual account on the database. Therefore, every user must have a user account on the database to take advantage of Remote OS Authentication mode.

The Remote OS Authentication and Single Database User Account modes are not mutually exclusive. For example, if Bentley OpenUtilities Designer is not connecting to the database using Remote OS Authentication and you want to determine whether the problem is caused by the user's OS account, you can run the chedconfig.exe utility to set up the client machine so that Bentley OpenUtilities Designer will connect to some other “known good” account. If this procedure works, then the problem is with the user’s account. If not, there may be some other problem.