Modifying the Access Scope of Portal User Profile

Scenario

If a portal user added to Huawei Cloud Astro Zero is not configured with a specified profile, the preset Portal User Profile is used by default. If Portal User Profile cannot meet the requirements, you can configure the required profiles for the portal user by referring to this section.

You can use either of the following methods to modify portal user permissions:

• Method 1: Modify the preset Portal User Profile profile in the system.

  The Portal User Profile profile is global-level. Modifying this profile affects all applications in the system.

• Method 2: Create a profile.

  Based on the preset Portal User Profile profile, customize a profile and permission set for the portal user. A new profile inherits all permissions from the profile based on which it is created.

Modifying Portal User Profile

1. Log in to the Huawei Cloud Astro Zero console and click Access Homepage. The application development page is displayed.
2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
3. In the navigation pane, choose User Security > Profiles.
4. In the Profiles page, click Portal User Profile. The profile details page is displayed.
5. In the Permissions area, and click to assign new permissions to Portal User Profile.

   For details about the functions of each permission, see Table 1.

   Figure 1 Assigning new permissions to Portal User Profile
   

6. On the App Settings tab page, click to set which applications are visible to portal users.
   Figure 2 Setting whether the application is visible
   

7. On the Custom Object Permissions tab page, click to set custom object permissions.
   Figure 3 Setting custom object permissions
   

8. On the APIs tab page, click and configure permissions for running flows, scripts, and BPMs.

   The setting takes effect only when the permission to execute flow, script execution, and BPM is set in the basic information tab page.

9. On the Service Permissions Credentials tab page, click and configure service permissions.

   When customizing an API URL, you can configure service permission credentials to allow only specific users to access the API URL. For details, see Customize a URL for Calling Scripts and Customizing the URL for a Flow.

Creating Profiles

The new profile csProfile is used as an example. When new portal users are registered, assign them the csProfile profile. The portal users then obtain the permissions in the profile.

1. Create the csProfile profile.
   1. Log in to the Huawei Cloud Astro Zero console and click Access Homepage. The application development page is displayed.
   2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
   3. In the navigation pane, choose User Security > Profiles. Then click New.
   4. In the displayed dialog box, select an existing profile to inherit permissions.
      Figure 4 Creating a profile based on Portal User Profile
      

      Table 1 Parameters for creating a profile

      Parameter	Description
      Existing Profile	Existing profile to be inherited by the new profile. Set this parameter to Portal User Profile.
      Clone Mode	Normal: Newly created profiles can be inherited through cloning, and all permissions can be modified independently. Inherited: Newly created profiles cannot be inherited through cloning. Only basic and service permissions can be modified independently. Other permission items are the same as those of the parent profile and cannot be modified. The default value is Normal.
      User License	The value is automatically associated by the system and does not need to be set.
      Profile Name	Name of the new profile. The value contains a maximum of 64 characters. Set this parameter to csProfile.
      Description	Description of the profile. Value: 1–255 characters.

   5. Click Save.
   6. In the Profiles page, csProfile is displayed.
      Figure 5 Viewing csProfile
      

2. Modify the csProfile profile.
   1. In the navigation pane, choose User Security > Profiles.
   2. In the Profiles page, click csProfile to go to its details page.
   3. On the Basic Information tab page, click next to the parameter to modify.
      • Basic Information: basic information about the profile. The name and description can be modified.
      • Password Policies: the password policy for logging in to the system, including the lockout duration and the maximum number of consecutive login attempts.
      • Session Policies: validity period of the access token and refresh token.
      • Permissions: basic permissions contained in csProfile.
   4. On the App Settings tab page, click next to the APP Settings to set whether the applications are visible on the page.

      When there are two or more applications, at least one application must be visible. After this function is enabled, click the application icon on the application preview page. In the application list that is displayed, you can switch applications.

   5. On the Standard Object Permissions and Custom Object Permissions tab page, set permissions for objects and object fields.
      Figure 6 Setting permissions for objects and object fields
      
   6. On the APIs tab page, set the flow, script, or BPM that can be executed.

      The setting takes effect only when the permission to execute flow, script execution, and BPM is set in the basic information tab page.

   7. On the Connectors tab page, set the OBS buckets and object storage proxies that can be accessed.
   8. On the Events tab page, configure the events that can be accessed.
   9. On the Permission Sets tab page, configure permission sets for the profile.

      For details about how to create a permission set, see Creating a Permission Set.

   10. On the Service Permissions Credentials tab page, configure service permissions.

       When customizing an API URL, you can configure service permission credentials to allow only specific users to access the API URL. For details, see Customize a URL for Calling Scripts and Customizing the URL for a Flow.

   11. On the System Parameters tab page, configure the system parameters that can be read.

Assigning csProfile to a Portal User

1. Log in to the Huawei Cloud Astro Zero console and click Access Homepage. The application development page is displayed.
2. In the upper left corner of the page, click and choose Environments > Environment Configuration.
3. Choose Maintenance from the main menu.
4. In the navigation pane, choose Global Elements > Portal Users.
5. In the portal user list, click the target portal user (for example, test_cs) to go to the portal user details page.

   If there are a large number of portal users, search for the target portal user by entering the username in the search box.

6. Click Edit to assign csProfile to the test_cs portal user.
   Figure 7 Assigning csProfile to test_cs
   

7. Select the check box of Overwrite Profile if necessary.
   Figure 8 Selecting the check box of Overwrite Profile
   

   If this parameter is selected, all permissions of the portal user read the permission settings in the permission set. If this parameter is not selected, the application permission of the portal user is read from Portal User Profile, and other permissions are read from the permission settings in the permission set. The implementation logic of the portal user profile is as follows:

   • If no profile is configured in the permission set of a portal user, Portal User Profile is used by default.
   • If a profile is assigned to the permission set of a portal user, the configuration in the permission set is used. Portal User Profile is no longer used.
   • If multiple profiles are assigned to the permission set of a portal user, select Overwrite Profile, all permissions are combined and all permission sets are used. If you do not select this option, the first profile in the permission set is used.