Managing user access to data sources in Lifecycle Query Engine

As an administrator, you can directly control read access to the Lifecycle Query Engine (LQE) index by specifying local access policies to the data that LQE indexes.

However, access to the actual lifecycle data, and the tools that provide the data, is subject to the access control defined in each lifecycle tool.

Data from the lifecycle tools (the data sources) is indexed in a single index that is maintained by Lifecycle Query Engine. All read access to the index is granted and controlled by LQE, not by the data sources. When you add a data source, it automatically inherits the permissions that are defined for the LQE index root. You can use the security contexts from the data sources as starting points, or create new user groups with permission to access all or parts of the index. When you specify custom permissions for the index, the project and team members' permissions to access the data sources are not affected.

Lifecycle Query Engine also supports integration with enterprise directory servers, such as LDAP. You can choose users from the directory servers to add to the access control groups.

Remember: Access to the Lifecycle Query Engine index is entirely based on what you, as the administrator, specify on the Permissions page, regardless of the security contexts from the lifecycle tools.

This approach to LQE access control has several benefits:
  • Query and report consumers need to authenticate with Lifecycle Query Engine only once to be able to consume the indexed data.
  • The lifecycle tools that you add as data sources do not need to be online or reachable to run queries or reports.
  • Reports and queries that are run against the LQE index do not consume licenses, although access to the data in the underlying tool (such as by clicking a link) is still subject to license checks.
  • Administrators can override instances where a user does not have a license to a tool, but needs to consume the assets in the form of queries or reports.

Before you begin

Before you can define access policies for the Lifecycle Query Engine index, you must add the data sources. See Configuring Lifecycle Query Engine and generating the index.

Specifying user permissions

You can specify the user groups and users who have permission to view data in the entire LQE index or in specific data groups within the index. When you add a data source, it automatically inherits the permissions that are defined for the LQE index root. Access to the data groups within the index is inherited from the root Lifecycle Query Engine index; however, you can block the inheritance and grant access to specific groups and users by specifying custom permissions.

When you first start Lifecycle Query Engine, no permissions are defined. You must specify which group or user has access to the entire LQE index, each data source, or each access context that is defined in a data source.

Tip: If you are defining access control for the first time and plan to customize the permissions, you might consider setting up user groups and users first, and then specifying the custom permissions.

Screen capture of the Permissions page showing several data groups under the root LQE index.

Procedure

  1. On the Lifecycle Query Engine Administration page, in the navigation pane, under Access Control, click Permissions.
  2. On the Permissions page, under Data Groups, select a data group.
  3. To control access to the data group, choose one of the following options:
    • Inherit permissions from the parent
    • Specify custom permissions:
      • To grant access to a user group, click Add groups and select the associated check boxes.
      • To grant access to a user, click Add users and in the Select Users dialog box, search for the specific user IDs. Select the ID, click Add, and click Close.
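
The inheritance rule described in this section, modelled as an added example; it is not IBM or LQE code and does not call any LQE API. It assumes that custom permissions replace the inherited ones rather than add to them, and every class, function, data group and user name in it is hypothetical or constructed.

```python
# Added illustration of the inheritance rules above; not an LQE API.
# Class, function and data-group names are hypothetical; sample data is constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DataGroup:
    name: str
    parent: Optional["DataGroup"] = None
    custom: bool = False                      # True = "Specify custom permissions"
    groups: set = field(default_factory=set)  # user groups granted access
    users: set = field(default_factory=set)   # individual user IDs granted access

def effective_acl(node):
    """Return (groups, users, source name) from the nearest data group that sets
    its own permissions. Assumption: custom permissions replace inherited ones."""
    while not node.custom and node.parent is not None:
        node = node.parent
    return node.groups, node.users, node.name

def can_read(node, user, memberships):
    """memberships maps a user ID to the set of user groups it belongs to."""
    groups, users, _ = effective_acl(node)
    return user in users or bool(groups & memberships.get(user, set()))

def audit(nodes, memberships):
    """List data groups nobody can read, and custom grants wider than the parent."""
    findings = []
    for n in nodes:
        groups, users, source = effective_acl(n)
        if not groups and not users:
            findings.append((n.name, "no readers", source))
        elif n.custom and n.parent is not None:
            extra = sorted(u for u in memberships
                           if can_read(n, u, memberships)
                           and not can_read(n.parent, u, memberships))
            if extra:
                findings.append((n.name, "wider than parent", extra))
    return findings

def sample():
    """Constructed example: a root index with three data groups."""
    root = DataGroup("LQE index root", groups={"report-readers"})
    req = DataGroup("Requirements", parent=root)                      # inherits
    qm = DataGroup("Quality", parent=root, custom=True, users={"dana"})
    cm = DataGroup("Change", parent=root, custom=True)                # custom, empty
    return [root, req, qm, cm], {"alex": {"report-readers"}, "dana": set()}

if __name__ == "__main__":
    for finding in audit(*sample()):
        print(finding)
```

The "wider than parent" finding marks a data group whose custom permissions let a user read data that the parent's permissions would not, which is the case to review after blocking inheritance.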

Defining and managing user groups

You can manage the user groups that have permission to access the LQE index. You can create new groups and assign users, or modify existing groups.

Screen capture of the LQE User groups page

Procedure

  1. On the Lifecycle Query Engine Administration page, in the navigation pane, under Access Control, click User Groups.
  2. To create a new user group, on the User Groups page, click Add a new group.
    1. Optional: If you want to use an LDAP server to manage the user group, select the LDAP Group check box and provide the required LDAP server and Group DN information.
    2. Enter a unique name for the group and a description if you want, and click OK.
  3. To review, modify, or delete an existing user group, in the Group list, click a group name and take any action.

Adding LDAP connections

You can integrate LDAP servers with Lifecycle Query Engine and create user groups that are based on the LDAP groups from the data sources. When you create an LDAP-based group for LQE, you can select existing users from the integrated LDAP directory; however, you cannot add new users to an LDAP-based group.

Screen capture of the Add an LDAP connection dialog box

Procedure

  1. On the Lifecycle Query Engine Administration page, in the navigation pane, under Access Control, click LDAP Connections.
  2. To create a new LDAP connection, click Add LDAP Connection.
    1. Enter the URL for the LDAP server.
    2. Enter a unique label for the connection. This label is displayed in the list of LDAP connections.
    3. Enter a description of the new LDAP connection.
    4. Choose an authentication method for the new connection. If you choose Simple, provide the required user name and password.
    5. Click Next and provide the required values for each of the connection parameters. For more information, see LDAP configuration parameters.
  3. To review, modify, or remove an existing LDAP connection, click its name in the list and take any action.
    Note: You cannot add members to the LDAP-based group; they must be added on the LDAP server.
