
Role Based Access Control – Setup Guide (for Active Directory) 

Purpose

This article guides you through setting up role-based access control (RBAC) in Prolaborate using your existing Active Directory (AD) infrastructure. By integrating Prolaborate with Active Directory, you can manage user access to your Enterprise Architect models based on the roles and groups already defined within your organisation. This approach streamlines user management and ensures that users only have the necessary permissions to view, edit, or collaborate on specific parts of your models. 

In this article, we show how to set up role-based access control for the following areas: 

Prerequisites 

Before you begin setting up role-based access control, ensure the following exists: 

  • Add Repository: Your Enterprise Architect model repository has been successfully added to Prolaborate. You can find instructions on how to do this in the Add Repositories documentation.
  • User Group Creation in AD: You should create user groups within your Active Directory that correspond to the different roles in Prolaborate. 
  • User Group Creation in Prolaborate: To map with AD groups, you should create user groups in Prolaborate. In this guide, we need three groups (Read-Only / Read, Write and Collaborate / Read and Collaborate). You can find instructions on how to do this in the User group creation in Prolaborate guide.
  • Configured Active Directory in Prolaborate: You should successfully configure your Active Directory connection within Prolaborate. Refer to the How to Setup Active Directory in Prolaborate guide for detailed steps. 
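
A check worth running on the AD role groups before mapping them, as an added example that is not part of the Prolaborate documentation: it reports accounts that sit in more than one role group, since each group is mapped to a different access type. The group names (`PL-ReadOnly`, `PL-ReadCollaborate`, `PL-ReadWriteCollaborate`) and their members are constructed sample data.

```powershell
# Added example: audit overlap between the AD groups mapped to Prolaborate roles.
# Group names and members below are constructed sample data (assumptions).
$roleGroups = [ordered]@{
    'PL-ReadOnly'             = @('alice', 'bob', 'carol')
    'PL-ReadCollaborate'      = @('dave', 'carol')
    'PL-ReadWriteCollaborate' = @('erin', 'bob')
}

# To audit a live domain instead, fill the table from the ActiveDirectory module
# (-Recursive expands nested groups down to their user members):
# foreach ($g in @($roleGroups.Keys)) {
#     $roleGroups[$g] = @((Get-ADGroupMember -Identity $g -Recursive).SamAccountName)
# }

function Get-RoleOverlap {
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Groups)

    # Invert group -> members into user -> groups.
    $byUser = @{}
    foreach ($group in $Groups.Keys) {
        foreach ($user in ($Groups[$group] | Sort-Object -Unique)) {
            $key = $user.ToLowerInvariant()
            if (-not $byUser.ContainsKey($key)) {
                $byUser[$key] = [System.Collections.Generic.List[string]]::new()
            }
            $byUser[$key].Add($group)
        }
    }

    # Report only the accounts that hold more than one role group.
    foreach ($user in ($byUser.Keys | Sort-Object)) {
        if ($byUser[$user].Count -gt 1) {
            [pscustomobject]@{
                User   = $user
                Groups = $byUser[$user] -join ', '
            }
        }
    }
}

Get-RoleOverlap -Groups $roleGroups | Format-Table -AutoSize
```

Resolve each reported account to a single role group before assigning Access Control Profiles, so that the access a user receives matches the role intended for them.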

Now, let’s look at how to set up access permissions for different user roles defined by your Active Directory groups. Here are three common options you can configure: 

Access Types

  • Read-Only
  • Read, Write and Collaborate
  • Read and Collaborate

Read-Only

This option is for users who should only be able to view the models and related information in Prolaborate. Members of the Active Directory group you designate for “Read” access have spectator-level permissions. 

Show/Hide Model Information using Sections

Definition: Sections in Prolaborate define which parts of your Enterprise Architect model are accessible to users. You select specific views (diagrams) or packages to include in a section. 

To configure Sections for “Read-only” users: 

  1. In Prolaborate, navigate to Menu and select Sections
  2. In the Repository Browser panel, navigate to the specific views (diagrams) or packages you want read-only users to see. 
  3. Drag and drop the desired items to the Sections area.

Set Read-only permission using Access Permissions 

Definition: Access Permissions determine what actions users or groups can perform on the sections of the model you’ve defined. For read-only users, you will grant them the “Read-Only” permission. 

To grant “Read-Only” access to the relevant Active Directory group: 

  1. Go to the Menu and select Access Permission
  2. In the Repository Browser panel, select the specific package, element, or diagram. 
  3. In the Access Permission tab, select the Active Directory user group for “Read-Only” access. 
  4. In the corresponding Type of Access dropdown, choose Read-Only
  5. Optionally select Apply Recursively
  6. Click the Add icon. 

Configure Access Control Profile 

Definition: Access Control Profiles (ACPs) allow you to configure repository access rules. You can use them to set a “Read-Only” access for an AD group. 

To configure an ACP for “Read-Only” users: 

  1. Navigate to Menu and select Access Control Profiles
  2. Click Create Profile
  3. Give the profile a descriptive Name
  4. Under “Repository and User Groups Membership”:
  5. Choose the needed repository and select the “Read-Only” Prolaborate user group 
  6. Click Save.

Active Directory Group Mapping with Prolaborate User Groups 

Definition: AD Mapping ensures that your Active Directory user groups are recognized and usable within Prolaborate. 

To ensure your “Read” AD group is mapped: 

  1. Navigate to the Menu and select User and License Management
  2. Go to the AD Groups tab
  3. Click Add Group and choose the appropriate AD Domain
  4. In the Browser tab, select the relevant Path and choose the required Active Directory groups. 
  5. Assign the appropriate Access Control Profile that is configured for the Read-Only Prolaborate user group. 

Properties & Inline Editor with Read-Only view 

Definition: Modeling Language configuration lets you customize how model elements are displayed and what properties are visible to users. 

To Create and Configure a New Modeling Language Profile: 

  1. Navigate to the Menu and click Add Modeling Languages
  2. Enter a name and upload a compatible MDG XML file
  3. Enable the necessary checkbox options as per your requirements. 
  4. From the User Group dropdown, select your “Read-only” Prolaborate user group
  5. Click Save. 

To Configure an Existing Modeling Language Profile: 

  1. Click on the Name of the existing Modeling Language. 
  2. Click Create Profile
  3. Provide a Name for the profile. 
  4. From the User Group dropdown, select your “Read-only” Prolaborate user group
  5. Click Save. 

Configure Dashboard Permissions 

Definition: Dashboards in Prolaborate display key model information through widgets. 

To assign dashboards for “Read-Only” users: 

  1. Navigate to the Menu and select Dashboards. 
  2. Click Create Dashboard and design a relevant widget as needed. 
  3. Locate the newly created dashboard, click More, and select Set as Default. 
  4. On the Dashboard List page, click “Edit” in the Access Permission column. 
  5. Select the AD-mapped Prolaborate user group that has Read-Only access. 
  6. Click Save

Note:

  • Users with read-only access can collaborate on assigned dashboards and default dashboards

Join Reviews as Read-Only User 

Definition: Users in the “Read-only” AD group can participate in reviews as Reviewers or Contributors, even though their general access to the model is view-only. 

To enable review access for “Read” users: 

  1. Make sure Review Model is enabled in the Prolaborate user group that is mapped to the AD groups (Repository Menu > Users groups).
  2. Someone with Review Moderator permissions needs to create a review (Menu > Reviews > Create Review). 
  3. During review setup, they need to select the specific parts of the model for review. 
  4. In the step to add reviewers, the Moderator can:  
    • Add the entire “Read” Active Directory user group and assign them the role of Reviewer or Contributor
    • Invite specific users from the “Read” AD group and give them the role of Reviewer or Contributor
  5. Once added, users in the “Read-only” group can open the review (Menu > Reviews), see the items, and add their feedback in the Discussion tab. They won’t be able to manage the review or approve items. 

Read, Write and Collaborate 

This option grants users comprehensive access to view, edit, participate in discussions, and initiate or contribute to reviews. 

This option is for users who can view, edit and collaborate on the models and related information in Prolaborate. Members of the Active Directory group you designate for “Read, Write and Collaborate” have access to all permissions and activities. 

Show/Hide Model Information using Sections

Definition: Sections define the parts of the model these users can access. 

To configure Sections: 

  1. Navigate to Menu > Sections
  2. In the Repository Browser, locate the relevant views or packages. 
  3. Drag and drop them to the Sections area. 

Set Read, Write and Collaborate permission using Access Permissions 

Definition: Access Permissions control the actions users can take. For this option, grant “Read, Write and Collaborate” permission. 

To provide “Read, Write and Collaborate” access: 

  1. Navigate to Menu > Access Permission
  2. Select the relevant item in the Repository Browser
  3. Select the appropriate Active Directory user group. 
  4. Choose Read, Write and Collaborate
  5. Apply recursively and click Add

Configure Access Control Profile  

Definition: Access Control Profiles (ACPs) allow you to configure repository access rules. You can use them to set “Read, Write and Collaborate” access for an AD group. 

To configure an ACP: 

  1. Navigate to Menu and select Access Control Profiles
  2. Click Create Profile
  3. Enter a Name for the profile
  4. Under “Repository and User Groups Memberships”:
  5. Choose the needed repositories and choose the “Read, Write and Collaborate” Prolaborate user group. 
  6. Click Save

Active Directory Group Mapping with Prolaborate User Groups 

Definition: AD Mapping ensures that your Active Directory user groups are recognized and usable within Prolaborate. 

To ensure your “Read, Write and Collaborate” AD group is mapped: 

  1. Navigate to Menu and select User and License Management
  2. Go to the AD Groups tab 
  3. Click Add Group and choose the appropriate AD Domain
  4. In the Browser tab, select the relevant path and choose the required Active Directory groups. 
  5. Assign the appropriate Access Control Profile that is configured for the “Read, Write and Collaborate” Prolaborate user group mapped to the AD groups. 

Properties & Inline Editor with Read, Write and Collaborate 

Definition: Configure the display and editability of model properties with discussion access. 

To Create and Configure a New Modeling Language Profile: 

  1. Navigate to the Menu and click Add Modeling Languages
  2. Enter a name and upload a compatible MDG XML file
  3. Enable the necessary checkbox options as per your requirements. 
  4. From the User Group dropdown, select your “Read, Write, and Collaborate” Prolaborate user group
  5. Click Save. 

To Configure an Existing Modeling Language Profile: 

  1. Click on the Name of the existing Modeling Language
  2. Click Create Profile
  3. Provide a Name for the profile. 
  4. From the User Group dropdown, select your “Read, Write, and Collaborate” Prolaborate user group
  5. Click Save. 

Configure Dashboard Permissions  

Definition: Dashboards in Prolaborate display key model information through widgets. 

To configure default dashboards for “Read, Write and Collaborate” users: 

  1. Navigate to the Menu and select Dashboards. 
  2. Click Create Dashboard and design a relevant widget as needed. 
  3. Locate the newly created dashboard, click More, and select Set as Default. 
  4. On the Dashboard List page, click “Edit” in the Access Permission column. 
  5. Select the AD-mapped Prolaborate user group that has Read, Write and Collaborate access. 
  6. Click Save

Join Reviews as Read, Write and Collaborate User 

Definition: Users with this permission level can fully participate in the review process, potentially acting as Reviewers, Contributors, or even Moderators. 

To enable full participation in reviews: 

  1. Ensure the Review Model is enabled in the Prolaborate user group that is mapped to the AD groups. 
  2. Users in the “Read, Write and Collaborate” AD group can access Menu > Reviews to view and participate in reviews where their group is given access or they are individually tagged. 
  3. A user from this group can also act as a Review Moderator. To create a review, they navigate to Menu > Reviews and click Create Review. They can then select the model elements for review, add their AD user group (or individual users within it) as Reviewers or Contributors, and manage the review process. They can also be assigned the role of Reviewer or Contributor by other Moderators. 

Read and Collaborate 

This option allows users to view and edit the models but restricts their ability to participate in discussions or reviews. 

Show/Hide Model Information using Sections

Definition: Sections in Prolaborate define which parts of your Enterprise Architect model are accessible to users. You select specific views (diagrams) or packages to include in a section. 

To configure Sections for “Read and Collaborate” users: 

  1. In Prolaborate, navigate to Menu and select Sections
  2. In the Repository Browser panel, navigate to the specific views (diagrams) or packages you want read and collaborate users to see. 
  3. Drag and drop the desired items to the Sections area. 

Set Read and Collaborate permission using Access Permissions 

Definition: Access Permissions determine what actions users or groups can perform on the sections of the model you’ve defined. For Read and Collaborate users, you will grant them the “Read and Collaborate” permission. 

To grant “Read and Collaborate” access to the relevant Active Directory group: 

  1. Go to the Menu and select Access Permission
  2. In the Repository Browser panel, select the specific package, element, or diagram. 
  3. In the Access Permission tab, select the Active Directory user group for “Read and Collaborate” access. 
  4. In the corresponding Type of Access dropdown, choose Read and Collaborate
  5. Optionally select Apply Recursively
  6. Click the Add icon. 

Configure Access Control Profile  

Definition: Access Control Profiles can automatically assign this access level upon login. 

To configure an ACP: 

  1. Navigate to Menu > Access Control Profiles
  2. Click Create Profile
  3. Enter a Name
  4. Select repositories and the “Read and Collaborate” AD group with a suitable license. 
  5. Click Save

Active Directory Group Mapping with Prolaborate User Groups 

Definition: AD Mapping ensures that your Active Directory user groups are recognized and usable within Prolaborate. 

To ensure your “Read and Collaborate” AD group is mapped: 

  1. Navigate to Menu and select User and License Management
  2. Go to the AD Groups tab 
  3. Click Add Group and choose the appropriate AD Domain. 
  4. In the Browser tab, select the relevant path and choose the required Active Directory groups. 
  5. Assign the appropriate Access Control Profile that is configured for the “Read and Collaborate” Prolaborate user group mapped to the AD groups. 

Properties & Inline Editor with Read and Collaborate 

Definition: Configure the display and editability of model properties. 

To Create and Configure a New Modeling Language Profile: 

  1. Navigate to the Menu and click Add Modeling Languages
  2. Enter a name and upload a compatible MDG XML file
  3. Enable the necessary checkbox options as per your requirements. 
  4. From the User Group dropdown, select your “Read and Collaborate” Prolaborate user group
  5. Click Save. 

To Configure an Existing Modeling Language Profile: 

  1. Click on the Name of the existing Modeling Language
  2. Click Create Profile
  3. Provide a Name for the profile. 
  4. From the User Group dropdown, select your “Read and Collaborate” Prolaborate user group
  5. Click Save. 

Configure Dashboard Permissions

Definition: Dashboards in Prolaborate display key model information through widgets. 

To configure default dashboards for “Read and Collaborate” users: 

  1. Navigate to the Menu and select Dashboards. 
  2. Click Create Dashboard and design a relevant widget as needed. 
  3. Locate the newly created dashboard, click More, and select Set as Default. 
  4. On the Dashboard List page, click “Edit” in the Access Permission column. 
  5. Select the AD-mapped Prolaborate user group that has Read and Collaborate access. 
  6. Click Save

Join Reviews as Read and Collaborate User 

Definition: Users with “Read and Collaborate” permissions can be involved in reviews if their AD user group is given access or if they are tagged, typically as Reviewers or Contributors. 

To enable review access for “Read and Collaborate” users: 

  1. Ensure the Review feature is enabled in the “Read and Collaborate” Prolaborate user group that is mapped to the AD group. 
  2. A Review Moderator needs to create a review under Menu > Reviews
  3. During creation, the Moderator includes the relevant model elements. 
  4. In the “Add Contributors” step, the Moderator can add the “Read and Collaborate” AD user group (or individual users) as Reviewers or Contributors
  5. Users in this group can then access the review under Menu > Reviews to view the items and provide feedback in the Discussion tab. Their ability to manage reviews or act as Approvers might be limited compared to the “Read, Write and Collaborate” group. 

Conclusion 

By following the steps outlined in this guide, you can effectively implement role-based access control in Prolaborate using your existing Active Directory groups. Remember to adjust these configurations to fit your organisation’s specific needs and roles.
