It is really important that the user login id attribute matches the user login attribute used in the configuration at the application server level.
Also, your group search filter is possibly not filtering enough and might be generating too many replies...
Original Message:
Sent: Tue October 31, 2023 06:55 AM
From: JOAO PEDRO ALEXANDRE
Subject: User Management
Hi Mathias,
First of all, thanks very much for your quick response.
After reading it I went to check the user mapping in 'Security role to user/group mapping' in the teamserver application configuration and found out that the group my user belongs to is indeed mapped as rtsAdministrator.
So that part is understood.
My problem now seems to be in the LDAP configuration at Decision Center level. I am able to import the groups, but not the users. I believe the issue is in one of these parameters. I have to check them with the AD Administrator.
| Group search filter ==> | (ObjectCategory=Group) |
| Group name attribute ==> | cn |
| Group member attribute ==> | member |
| User login id attribute ==> | uid |
| user name attribute ==> | samAccountName |
Thanks very much for your help
------------------------------
JOAO PEDRO ALEXANDRE
------------------------------
Original Message:
Sent: Tue October 31, 2023 04:31 AM
From: Mathias Mouly
Subject: User Management
Hello Joao,
If you can access the Decision Center Administration tab, it's because you have the WAS/Liberty rtsAdministrator role. See https://www.ibm.com/docs/en/odm/8.12.0?topic=center-enabling-users-groups about existing Decision Center roles: rtsAdministrator, rtsConfigManager, rtsUser
So, if you want to prevent access to the Administrator tab, you have to remove this role from your user and just provide the rtsUser role.
You should have something in your WebSphere application settings that looks like this:
https://github.com/DecisionsDev/odm-ondocker/blob/master/decisioncenter/config/application-decisioncenter.xml#L10
Here you have to map the J2EE role to existing LDAP groups using the fully qualified name, as explained here:
https://www.ibm.com/docs/en/odm/8.12.0?topic=profile-step-2-configuring-user-access-decision-center
When your roles are correctly set, then you can manage authorization at Decision Center level, which we also call "fine-grained permission".
This video provides interesting explanations: https://www.youtube.com/watch?v=WpCrAQRqVAA
Hope this helps.
------------------------------
Mathias Mouly