
Role Based Access Control for Prolaborate – SAML SSO based Setup Guide

Purpose  

This article guides you through setting up Role-Based Access Control (RBAC) in Prolaborate using your configured Single Sign-On (SSO) authentication and existing SAML user groups. By integrating Prolaborate with an Identity Provider (IdP) via SAML, you can manage user access to your Enterprise Architect models based on the roles and groups already defined within your organization's Identity and Access Management (IAM). This approach streamlines user management, leverages your existing SSO infrastructure, and ensures that users only have the permissions they need (least privilege) to view, edit, or collaborate on specific parts of your models. 

In this article, we show how to set up role-based access control for each of the access types listed under Access Types below. 

Prerequisites  

Before you begin setting up role-based access control for SSO users, ensure the following exists: 

  • Add Repository: Your Enterprise Architect model repository has been successfully added to Prolaborate. You can find instructions on how to do this in the Add Repositories documentation. 
  • SAML User Group Creation in IdP: Create user groups within your Identity Provider (e.g., Azure AD, Okta, ADFS) that correspond to the different roles in Prolaborate. These will be passed as SAML attributes/claims. 
  • User Group Creation in Prolaborate: To map to the SAML groups, create matching user groups in Prolaborate. In this guide, we need three groups (Read-Only / Read, Write and Collaborate / Read and Collaborate). You can find instructions on how to do this in the User Group Creation in Prolaborate guide. 
  • Configured Single Sign-On in Prolaborate: Your SAML Single Sign-On connection should be successfully configured within Prolaborate, including the Service Provider and Identity Provider details, and Attribute Mapping (especially for user group claims). Refer to the Integrate Single Sign-On guide for detailed steps. 
  • Access Control Profiles Created: You have created Access Control Profiles (ACPs) in Prolaborate that define the base permissions for different user roles (e.g., one for Read-Only, one for Read, Write and Collaborate, etc.). Refer to the Access Control Profiles guide for detailed steps. 

Now, let’s look at how to set up access permissions for different user roles defined by your SAML user groups. Here are three common options you can configure: 

Access Types 

  • Read-Only
  • Read, Write and Collaborate
  • Read and Collaborate

Read-Only  

This option is for users who should only be able to view the models and related information in Prolaborate. Members of the SAML user group you designate for “Read-Only” access will have spectator-level permissions. 

Show/Hide Model Information using Sections 

Definition: Sections in Prolaborate define which parts of your Enterprise Architect model are accessible to users. You select specific views (diagrams) or packages to include in a section.  

To configure Sections for “Read-only” users: 

  • In Prolaborate, navigate to Menu and select Sections. 
  • Drag and drop the desired items to the Sections area. 
  • In the Repository Browser panel, navigate to the specific views (diagrams) or packages you want read-only users to see. 

Set Read-Only Permission using Access Permissions 

Definition:  

Access Permissions determine what actions users or groups can perform on the sections of the model you’ve defined. For read-only users, you will grant them the “Read-Only” permission. This is typically done by assigning the Prolaborate user group (which is mapped to your SAML group) this permission.  

To grant “Read-Only” access to the relevant Prolaborate user group (mapped to a SAML group): 

  • Go to the Menu and select Access Permission. 
  • In the Repository Browser panel, select the specific package, element, or diagram. 
  • In the Access Permission tab, select the Prolaborate user group created for “Read-Only” access (which will be mapped to your SAML group later). 
  • In the corresponding Type of Access dropdown, choose Read-Only. 
  • Optionally select Apply Recursively. 
  • Click the Add icon. 

Configure Access Control Profile  

Definition:  

Access Control Profiles (ACPs) allow you to configure repository access rules. For SSO users, an ACP will be linked directly to a SAML user group to automatically assign access upon login.  

To configure an ACP for “Read-Only” users: 

  • Navigate to Menu and select Access Control Profiles. 
  • Click Create Profile. 
  • Give the profile a descriptive Name (e.g., “SSO Read-Only Profile”). 
  • Under “Repository and User Groups Membership”:  
      • Choose the needed repository. 
      • Select the “Read-Only” Prolaborate user group you created. 
  • Click Save. 

SAML User Group Mapping with Prolaborate Access Control Profiles 

Definition:  

This crucial step ensures that your SAML user groups from your Identity Provider are recognized and linked to the appropriate Access Control Profiles within Prolaborate, providing the role-based access.  

To map your “Read-Only” SAML group: 

  • Navigate to Menu and select SAML Single Sign On under Portal Settings. 
  • Scroll down to the “Access Control Profile” section. 
  • Toggle the SAML Group based Restriction to Enable. 
  • Choose the required Access Control Profile that is configured for “Read-Only” access (the ACP you created in the previous step). 
  • Add SAML user group(s): Enter the exact name of the SAML user group(s) from your Identity Provider that should receive “Read-Only” access. 
  • Ensure the User group attribute and its claims are entered exactly as configured in your Identity Provider (from the general SSO setup). 
  • Click Save. 

Note:

  • If Just-in-Time (JIT) access provisioning is enabled, user permissions are updated dynamically from the user's SAML group membership every time they log in. 
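The mapping step above depends on the group attribute and the group names matching exactly what the Identity Provider sends in the SAML assertion. The following Python script is an added example, not Prolaborate's own code, that shows what that lookup amounts to: it pulls the group values out of a constructed SAML assertion fragment, then resolves them against a mapping of SAML group name to Access Control Profile name. The attribute name `groups`, the group names, and the ACP names are assumptions; substitute the values from your own IdP and Prolaborate configuration. The example treats the match as case- and whitespace-sensitive, which is the safe assumption behind the guide's instruction to enter the exact group name.

```python
"""Added example (not Prolaborate code): extract group claims from a SAML
assertion and resolve them to Access Control Profile names by exact match."""
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion fragment. The attribute name "groups" and the
# group names are assumptions standing in for what your IdP actually sends.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>EA-Modellers-ReadOnly</saml:AttributeValue>
      <saml:AttributeValue>Finance-Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping of SAML group name -> Prolaborate ACP name, in the
# same shape as the "Add SAML user group(s)" step of the guide.
ACP_MAPPING = {
    "EA-Modellers-ReadOnly": "SSO Read-Only Profile",
    "EA-Modellers-Collab": "SSO Read-Collaborate Profile",
    "EA-Modellers-Full": "SSO Read-Write-Collaborate Profile",
}


def extract_groups(assertion_xml: str, group_attribute: str) -> list:
    """Return the values of the named group attribute, in assertion order.

    Only the attribute whose Name equals group_attribute is read; a mismatch
    between this name and the IdP's attribute mapping yields no groups at all,
    which is the most common reason an SSO user ends up with no profile.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML2_ASSERTION_NS}
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.findall("saml:AttributeValue", ns):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def resolve_profiles(groups, mapping):
    """Exact, case-sensitive lookup of each group in the mapping.

    Returns (matched ACP names, unmatched group names). Unmatched groups are
    returned rather than dropped so an administrator can see why a user did
    not receive the expected profile after a JIT login.
    """
    matched, unmatched = [], []
    for group in groups:
        if group in mapping:
            matched.append(mapping[group])
        else:
            unmatched.append(group)
    return matched, unmatched


def profiles_for_assertion(assertion_xml, group_attribute, mapping):
    """Convenience wrapper: assertion -> (matched ACPs, unmatched groups)."""
    return resolve_profiles(extract_groups(assertion_xml, group_attribute), mapping)


if __name__ == "__main__":
    acps, leftover = profiles_for_assertion(SAMPLE_ASSERTION, "groups", ACP_MAPPING)
    print("Profiles granted:", acps)
    print("Groups with no mapping:", leftover)
```

Running the script grants only “SSO Read-Only Profile” and reports `Finance-Staff` as unmapped; changing the attribute name to `memberOf`, or the group name's case, produces an empty match, which is the failure mode to check first when an SSO user logs in with no permissions.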

Properties & Inline Editor with Read-Only View  

Definition: 

Modeling Language configuration lets you customize how model elements are displayed and what properties are visible to users.  

To Create and Configure a New Modeling Language Profile: 

  • Navigate to the Menu and click Add Modeling Languages. 
  • Enter a name and upload a compatible MDG XML file. 
  • Enable the necessary checkbox options as per your requirements (e.g., disable inline editing). 
  • From the User Group dropdown, select your “Read-only” Prolaborate user group (which is mapped to your SAML group). 
  • Click Save.  

To Configure an Existing Modeling Language Profile: 

  • Click on the Name of the existing Modeling Language. 
  • Click Create Profile. 
  • Provide a Name for the profile. 
  • From the User Group dropdown, select your “Read-only” Prolaborate user group. 
  • Click Save. 

Configure Dashboard Permissions  

Definition:  

Dashboards in Prolaborate display key model information through widgets.  

To assign dashboards for “Read-Only” users: 

  • Navigate to the Menu and select Dashboards. 
  • Click Create Dashboard and design a relevant widget as needed. 
  • Locate the newly created dashboard, click More, and select Set as Default. 
  • On the Dashboard List page, click “Edit” in the Access Permission column. 
  • Select the Prolaborate user group that is mapped to your SAML group and has Read-Only access. 
  • Click Save. 

Note:

  • Users with read-only access can collaborate on assigned dashboards and default dashboards.

Join Reviews as Read-Only User  

Definition:  

Users in the “Read-only” SAML user group can participate in reviews as moderators, even though their general access to the model is view-only. They can still create and take part in reviews, so there is no read-only mode for Reviews.  

Read and Collaborate  

This option allows users to view and edit the models but restricts their ability to participate in discussions or reviews.  

Show/Hide Model Information using Sections  

Definition:  

Sections in Prolaborate define which parts of your Enterprise Architect model are accessible to users. You select specific views (diagrams) or packages to include in a section.

To configure Sections for “Read and Collaborate” users: 

  • In Prolaborate, navigate to Menu and select Sections. 
  • In the Repository Browser panel, navigate to the specific views (diagrams) or packages you want read and collaborate users to see. 
  • Drag and drop the desired items to the Sections area. 

Set Read and Collaborate Permission Using Access Permissions  

Definition:  

Access Permissions determine what actions users or groups can perform on the sections of the model you’ve defined. For Read and Collaborate users, you will grant them the “Read and Collaborate” permission.  

To grant “Read and Collaborate” access to the relevant Prolaborate user group (mapped to a SAML group): 

  • Go to the Menu and select Access Permission. 
  • In the Repository Browser panel, select the specific package, element, or diagram. 
  • In the Access Permission tab, select the Prolaborate user group created for “Read and Collaborate” access. 
  • In the corresponding Type of Access dropdown, choose Read and Collaborate. 
  • Optionally select Apply Recursively. 
  • Click the Add icon. 

Configure Access Control Profile  

Definition:  

Access Control Profiles can automatically assign this access level upon login for SSO users.  

To configure an ACP: 

  • Navigate to Menu > Access Control Profiles. 
  • Click Create Profile. 
  • Enter a Name (e.g., “SSO Read-Collaborate Profile”). 
  • Select the repositories and the “Read and Collaborate” Prolaborate user group. 
  • Click Save. 

SAML User Group Mapping with Prolaborate Access Control Profiles  

Definition: 

This ensures your SAML user groups are recognized and linked to the appropriate Access Control Profiles within Prolaborate. 

To map your “Read and Collaborate” SAML group: 

  • Navigate to Menu and select SAML Single Sign On under Portal Settings. 
  • Scroll down to the “Access Control Profile” section. 
  • Toggle the SAML Group based Restriction to Enable. 
  • Choose the required Access Control Profile that is configured for “Read and Collaborate” access. 
  • Add SAML user group(s): Enter the exact name of the SAML user group(s) from your Identity Provider that should receive this access. 
  • Ensure the User group attribute and its claims are entered exactly as configured in your Identity Provider. 
  • Click Save. 

Properties & Inline Editor with Read and Collaborate  

Definition:  

Configure the display and editability of model properties.  

To Create and Configure a New Modeling Language Profile: 

  • Navigate to the Menu and click Add Modeling Languages. 
  • Enter a name and upload a compatible MDG XML file. 
  • Enable the necessary checkbox options as per your requirements. 
  • From the User Group dropdown, select your “Read and Collaborate” Prolaborate user group. 
  • Click Save.  

To Configure an Existing Modeling Language Profile: 

  • Click on the Name of the existing Modeling Language. 
  • Click Create Profile. 
  • Provide a Name for the profile. 
  • From the User Group dropdown, select your “Read and Collaborate” Prolaborate user group. 
  • Click Save. 

Configure Dashboard Permissions  

Definition:  

Dashboards in Prolaborate display key model information through widgets.  

To configure default dashboards for “Read and Collaborate” users: 

  • Navigate to the Menu and select Dashboards. 
  • Click Create Dashboard and design a relevant widget as needed. 
  • Locate the newly created dashboard, click More, and select Set as Default. 
  • On the Dashboard List page, click “Edit” in the Access Permission column. 
  • Select the Prolaborate user group that is mapped to your SAML group and has Read and Collaborate access. 
  • Click Save. 

Join Reviews as Read and Collaborate User  

Definition:  

Users with “Read and Collaborate” permissions can be involved in reviews if their SAML user group is given access or if they are tagged, typically as Reviewers or Contributors. To enable review access for “Read and Collaborate” users: 

  • Ensure the Review feature is enabled in the Prolaborate user group “Read and Collaborate” that is mapped to your SAML group. 
  • A Review Moderator needs to create a review under Menu > Reviews. 
  • During creation, the Moderator includes the relevant model elements. 
  • In the “Add Contributors” step, the Moderator can add the “Read and Collaborate” SAML user group (or individual SSO users) as Reviewers or Contributors. 
  • Users in this group can then access the review under Menu > Reviews to view the items and provide feedback in the Discussion tab. Their ability to manage reviews or act as Approvers might be limited compared to the “Read, Write and Collaborate” group. 

Read, Write and Collaborate  

This option grants users comprehensive access to view, edit, participate in discussions, and initiate or contribute to reviews. Members of the SAML user group you designate for “Read, Write and Collaborate” will have access to all permissions and activities. 

Show/Hide Model Information using Sections  

Definition:  

Sections in Prolaborate define which parts of your Enterprise Architect model are accessible to users. You select specific views (diagrams) or packages to include in a section.  

To configure Sections: 

  • Navigate to Menu > Sections. 
  • In the Repository Browser, locate the relevant views or packages. 
  • Drag and drop them to the Sections area. 

Set Read, Write and Collaborate Permission using Access Permissions  

Definition:  

Access Permissions control the actions users can take. For this option, grant “Read, Write and Collaborate” permission to the associated Prolaborate user group.  

To provide “Read, Write and Collaborate” access: 

  • Navigate to Menu > Access Permission. 
  • Select the relevant item in the Repository Browser. 
  • Select the appropriate Prolaborate user group (mapped to your SAML group). 
  • In the Type of Access dropdown, choose Read, Write and Collaborate. 
  • Select Apply Recursively and click Add. 

Configure Access Control Profile  

Definition:  

Access Control Profiles (ACPs) allow you to configure repository access rules. You will use them to grant “Read, Write and Collaborate” access to an SSO user group. 

To configure an ACP: 

  • Navigate to Menu and select Access Control Profiles. 
  • Click Create Profile. 
  • Enter a Name for the profile (e.g., “SSO Read-Write-Collaborate Profile”). 
  • Under “Repository and User Groups Memberships”:  
      • Choose the needed repositories. 
      • Choose the “Read, Write and Collaborate” Prolaborate user group. 
  • Click Save. 

SAML User Group Mapping with Prolaborate Access Control Profiles  

Definition:  

This ensures your SAML user groups are recognized and linked to the appropriate Access Control Profiles within Prolaborate. To map your “Read, Write and Collaborate” SAML group: 

  • Navigate to Menu and select SAML Single Sign On under Portal Settings. 
  • Scroll down to the “Access Control Profile” section. 
  • Toggle the SAML Group based Restriction to Enable. 
  • Choose the required Access Control Profile that is configured for “Read, Write and Collaborate” access. 
  • Add SAML user group(s): Enter the exact name of the SAML user group(s) from your Identity Provider that should receive this access. 
  • Ensure the User group attribute and its claims are entered exactly as configured in your Identity Provider. 
  • Click Save. 

Properties & Inline Editor with Read, Write and Collaborate  

Definition:  

Configure the display and editability of model properties with discussion access.  

To Create and Configure a New Modeling Language Profile: 

  • Navigate to the Menu and click Add Modeling Languages. 
  • Enter a name and upload a compatible MDG XML file. 
  • Enable the necessary checkbox options as per your requirements. 
  • From the User Group dropdown, select your “Read, Write and Collaborate” Prolaborate user group. 
  • Click Save.  

To Configure an Existing Modeling Language Profile: 

  • Click on the Name of the existing Modeling Language. 
  • Click Create Profile. 
  • Provide a Name for the profile. 
  • From the User Group dropdown, select your “Read, Write and Collaborate” Prolaborate user group. 
  • Click Save. 

Configure Dashboard Permissions  

Definition:  

Dashboards in Prolaborate display key model information through widgets.  

To configure default dashboards for “Read, Write and Collaborate” users: 

  • Navigate to the Menu and select Dashboards. 
  • Click Create Dashboard and design a relevant widget as needed. 
  • Locate the newly created dashboard, click More, and select Set as Default. 
  • On the Dashboard List page, click “Edit” in the Access Permission column. 
  • Select the Prolaborate user group that is mapped to your SAML group and has Read, Write and Collaborate access. 
  • Click Save. 

Join Reviews as Read, Write and Collaborate User  

Definition:  

Users with this permission level can fully participate in the review process, potentially acting as Reviewers, Contributors, or even Moderators. 

To enable full participation in reviews: 

  • Ensure the Review feature is enabled in the Prolaborate user group that is mapped to your SAML group. 
  • Users in the “Read, Write and Collaborate” SAML group can access Menu > Reviews to view and participate in reviews where their group is given access or they are individually tagged. 
  • A user from this group can also act as a Review Moderator. To create a review, they navigate to Menu > Reviews and click Create Review. They can then select the model elements for review, add their SAML user group (or individual SSO users within it) as Reviewers or Contributors, and manage the review process. They can also be assigned the role of Reviewer or Contributor by other Moderators. 

Conclusion  

By leveraging this guide, you’ll successfully implement robust role-based access control (RBAC) in Prolaborate. This ensures that user access to your Enterprise Architect models is seamlessly managed through your existing Single Sign-On (SAML) groups, perfectly aligning permissions with organizational roles. The outcome is a streamlined, secure, and centrally managed access system that integrates effortlessly with your Identity Provider. 
