15.3 Managing Access Controls for Remote Applications

Because not all remote applications can be completely trusted, it is often a good idea to limit the privileges of the remote application. This section describes how you can accomplish this.

If you are running a trusted remote application, such as an application that you are maintaining on the same server as Novell Vibe, then you do not need to set access controls on it.

When an application is restricted to a specific role, the application can use Web services to perform only those tasks that are allowed for that role. For example, the Participant role can create new entries, modify entries that the user created, add comments to entries, and so on. Participants cannot perform system administration tasks and cannot modify other users’ entries.

Because workspace and folder owners can change the access control for places they own, you should tell your users which applications are registered in the system and which access-control settings you recommend for them.

To limit the remote application to privileges assigned to a specific role:

  1. Log in to the Vibe site as the Vibe administrator.

  2. Access the top workspace in the hierarchy by clicking the workspace tree icon, then clicking Home Workspace (this is the default name for the top workspace).

  3. Click Workspace > Access Control.

  4. On the Configure Access Control page, click Add an Application.

  5. In the Add an Application field, use the type-to-find to specify and select the application that you want to add.

  6. In the access control table, select the check box that is located in the row of the remote application that you just added, and the column of the role that you want to assign to the application.

  7. Click Save Changes > Close.

The application that you added is now restricted to the operations allowed for the role that you selected. For example, if you assigned the Participant role to the remote application, it is very likely that most workspaces and folders inherit this setting, because workspaces and folders inherit access controls. Assuming that all places inherited this setting, the most powerful role the remote application can assume within the installation is that of a Participant.
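The inheritance assumption above can be checked rather than taken on trust. The following is an added example, not Novell Vibe code and not a Vibe API: it models a constructed workspace tree and lists the places where an owner's own access-control setting gives the application more than the intended role. The application name "reporting-app", the "Place Admin" role and the right names are assumptions made for the illustration.

```python
# Constructed model of access-control inheritance; it does not call Novell Vibe.
# Participant rights follow the text above; "Place Admin" is a hypothetical role.
ROLE_RIGHTS = {
    "Participant": {"create_entry", "modify_own_entry", "add_comment"},
    "Place Admin": {"create_entry", "modify_own_entry", "add_comment",
                    "modify_any_entry", "change_access_control"},
}

class Place:
    """A workspace or folder. acl=None means the place inherits from its parent."""
    def __init__(self, name, parent=None, acl=None):
        self.name, self.parent, self.acl = name, parent, acl
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

    def effective_acl(self):
        # Walk up to the nearest place that defines its own access control.
        node = self
        while node.acl is None and node.parent is not None:
            node = node.parent
        return node.acl or {}

def audit(root, app, ceiling_role):
    """Return (path, extra_rights) for each place where app exceeds ceiling_role."""
    ceiling = ROLE_RIGHTS[ceiling_role]
    findings, stack = [], [root]
    while stack:
        place = stack.pop()
        roles = place.effective_acl().get(app, set())
        rights = set().union(*(ROLE_RIGHTS[r] for r in roles))
        extra = rights - ceiling
        if extra:
            findings.append((place.path(), sorted(extra)))
        stack.extend(place.children)
    return sorted(findings)

def build_sample():
    # Constructed tree: the owner of "Finance" changed the setting for the place.
    home = Place("Home Workspace", acl={"reporting-app": {"Participant"}})
    team = Place("Team A", home)
    Place("Docs", team)
    finance = Place("Finance", home, acl={"reporting-app": {"Place Admin"}})
    Place("Budgets", finance)
    return home

if __name__ == "__main__":
    for path, extra in audit(build_sample(), "reporting-app", "Participant"):
        print(path, extra)
```

In the sample tree, "Finance" and its child "Budgets" are reported, because "Budgets" inherits the owner's changed setting rather than the one made at Home Workspace.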

You can assign access-control roles to groups of applications instead of assigning roles to one application at a time if you have enabled multiple applications for your site and have grouped them together in an application group, as described in Section 15.2, Creating an Application Group.