When a user logs on using the LifeCycle Manager Client, the user ID and password are sent over an encrypted SSL connection to the LifeCycle Manager Server. The server authenticates the user against an LDAP server and checks if the user is a member of the LifeCycle Manager user group. If no such group has been defined, all users that can be found in LDAP using the defined user search filter are allowed to log on. The Client only displays the tasks that the user is allowed to perform. Therefore, for a viewer user, only a few or no tasks at all will be displayed when the user is positioned on a node in the tree.
There are three levels of users in an LifeCycle Manager environment:
LifeCycle Manager Administrators
Members of this group are allowed to execute all tasks throughout the server environment.
Product Installation Administrators
Members of this group are allowed to administer and perform tasks on a specific product installation, as well as on all product installations that are children to it.
An administrator group can be defined for each product installation.
To be able to set the administrator group for a product installation, you need to be administrator for the parent of that product installation (or be a LifeCycle Manager administrator). This exception also applies to the Adding a Path and Removing a Path tasks.
All users that can log on to LifeCycle Manager can view information about managed servers and installed applications. The users, however, are not allowed to perform any task, unless the task is explicitly defined as a "viewer task".
On an M3 Business Engine (BE) installation, the administrator group BEAdmins is defined. On the PROD environment under the M3 BE installation, the administrator group ProdAdmins is defined.
Alice is a member of the BEAdmins group. Therefore, she is allowed to administer both the BE installation and all environments under it. She can also create new BE environments and set administrator groups for them.
Bob is a member of the ProdAdmins group. He is allowed to administer the PROD environment, but not the BE installation, nor any other environments under it. Bob is not allowed to change the administrator group for the PROD environment.