Page 1 of 27 “Rational Support Whitepaper”

Implement access restrictions to your EA

Artifacts Using Rational System Architect

Catalog Manager

Mirtunjay Kumar Sharma

August 1, 2011

Page 2 of 27 “Rational Support Whitepaper”

Table of Content

INTRODUCTION .................................................................... 3

WHAT IS A CATALOG MANAGER ........................................... 4

NEED FOR A CATALOG MANAGER .......................................... 5

CONFIGURE A CATALOG ....................................................... 8

PERMISSION MAPPING ...................................................... 10

BUSINESS REQUIREMENT 1: .................................................................................. 10

BUSINESS REQUIREMENT 2: .................................................................................. 10

SOLUTION FOR BUSINESS REQUIREMENT 1: ........................................................ 11

SOLUTION FOR BUSINESS REQUIREMENT 2: ........................................................ 19

COMMON ISSUES AND SOLUTIONS ..................................... 22

CONCLUSION ...................................................................... 26

REFERENCES ....................................................................... 27

Page 3 of 27 “Rational Support Whitepaper”

Introduction

The ever increasing challenges of modern day enterprises demand organization to

design effective Enterprise Architecture (EA) for them to succeed and stay

competitive. For EA to be effective, it requires collaboration from many

professionals, some of them directly designing/modifying the EA and while others

are stakeholders who use the EA to make critical strategic decisions. These

decisions in turn define the direction of the organization.

To deliver effective EA, many users have to collaborate. It then becomes equally

important to have proper "Visibility" to all users to avoid "reinventing of wheel".

However at the same time it opens the doors for accidental modifications from

inexperienced users creating inconsistency in the system. The after-effects are

hard to imagine/foresee and sometimes unexpectedly destructive.

In this critical environment where "Visibility" and "Security" form two faces of the

same coin, how do you manage effective delivery of EA? While there are many

tools which allow creation of EA, IBM Rational System Architect (SA) comes

bundled with answers to many more questions than just EA. While Rational

System Architect gives you the platform and also forms the tool to design the EA,

the Catalog Manager with its "Instance Level" and "Type Level" access Control

capabilities complements, completes and addresses the key requirements of

"Visibility" and "Security". There is more that catalog manager helps you with.

Rational System Architect also offers a thin client known as System Architect XT

(Extended Team) which helps sharing EA through browser. For an encyclopedia

that contains EA artifacts to be made accessible by Rational System Architect XT,

it must be an Enterprise encyclopedia controlled by Rational System Architect

Catalog Manager.

This whitepaper talks about what Rational System Architect Catalog Manager is

and how it can be used to addresses the concerns of "Visibility" and "Security".

The paper also provides problem scenarios and their related solutions to help with

your understanding of these capabilities.

Page 4 of 27 “Rational Support Whitepaper”

What is a Catalog Manager

Catalog Manager in Rational System Architect is a utility which enables systems

administrator to grant permission access to model artifact types and instances in

an encyclopedia, based on user roles. It can be used to provide more granular

level of access controls on the information stored in IBM Rational System

Architect encyclopedias. System Architect Catalog Manager stores users and their

associated permissions in a database known as TelelogicEnterpriseCatalog.

The TelelogicEnterpriseCatalog database is also known as Catalog in Rational

System Architect terminology. You can create a catalog on Microsoft SQL Server

or on Oracle database server. The database server can be configured on the same

machine where Rational System Architect Catalog manager is installed or it may

be on any other machine in the same network.

The foremost requirement to create a catalog on a database server instance is

that you should have a sys admin rights on a database instance. On a single

database instance, you can create only one catalog and you can control user

access on all Rational System Architect databases which exist on that instance.

Rational System Architect databases are known as Encyclopedias in Rational

System Architect terminology.

To control the permissions for a user on Rational System Architect encyclopedias,

those encyclopedias need to be attached in the catalog in Rational System

Architect Catalog Manager.

Rational System Architect Catalog Manager controls the permissions for users on

encyclopedias by forming three way relationships between users, encyclopedias,

and roles. The permissions are first assigned to Roles and the users are assigned

to encyclopedias. Then the users are assigned one or more roles for each

encyclopedia in the catalog.

Page 5 of 27 “Rational Support Whitepaper”

Need for a Catalog Manager The best modeling environment for a team is a shared storage area with

concurrent multi-user access. There are many advantages of using shared

repository in your organization for enterprise design and modeling. Few of the

advantages are shown mentioned below:

All model information in the repository is visible and reusable at all times.

There is no threat of any users „reinventing the wheel‟.

Concurrent access allows potential conflicts to be identified quickly.

Administration is minimized. Users don‟t have to waste time and effort in

producing conflicting partial models, and then have to reconcile them

when merging the projects together.

The current state of the Enterprise Architecture information is readily

available to all users, so that questions can be asked of the enterprise

information.

Progress of the enterprise architecture, or a particular project within it, is

easily monitored since the current state of information in the repository is

visible. Rational System Architect automatically timestamps modifications

to the model, and also records the Audit ID of the user who made the

modification

Page 6 of 27 “Rational Support Whitepaper”

Using disconnected storage areas that are worked on simultaneously, and

subsequently merged, requires additional administration and management in

order to resolve conflicts. The shared storage areas are known as encyclopedias

in Rational System Architect. Rational System Architect provides built in

automatic locking facilities so that users can work on related areas with minimal

conflict.

For example: When a user opens a definition for editing, it is automatically locked

and provided in read-only form to any other user trying to open it while the first

user has it open. When the first user closes that definition, it becomes available

for editing by any other user.

There could be many instances of a diagram, definition or symbol type in Rational

System Architect encyclopedias. However to control permissions at an instance

level, you need to create a catalog in Rational System Architect Catalog Manager.

In Rational Catalog Manager, you can assign a read only access to a user on an

instance of a definition, diagram or symbol however at the same time other user

can enjoy read-write access on the same instance of these artifacts.

Rational System Architect Catalog Manager provides two levels of access control

to encyclopedia objects. The first level, Role-based access control, lets you

control permission to object types. This is a general level of control that makes no

distinction among objects of the same type. If you grant permission to Use Case

diagrams for example, then you grant permission to all Use Case diagrams.

Instance Level Access Control (ILAC) provides a higher, more specific level of

access control, letting you choose different permissions for objects of the same

type. For example, you can grant the Read permission to one Use Case diagrams,

and also grant the Write permission to a different Use Case diagram.

Another purpose of attaching an encyclopedia in Rational System Architect

Catalog Manager is to access Rational System Architect encyclopedias using

Rational System Architect XT.

Page 7 of 27 “Rational Support Whitepaper”

In other words, for an encyclopedia to be made accessible by Rational System

Architect XT, it must be an Enterprise encyclopedia controlled by Rational System

Architect Catalog Manager.

An administrator who is responsible to manage Rational System Architect

deployment in an organization can create user defined roles in Rational System

Architect Catalog Manager. A user defined role may contain specific diagram,

definition, macro and menu permissions to fulfill your business requirement to

access specific areas of your enterprise architecture.

You can also control permissions on a user defined artifacts created in the

encyclopedia using a USRPROPS or by a visual basic macro. An administrator for

Rational System Catalog needs to map the permissions using an option in

Rational System Architect Catalog Manager as shown below:

Once you select the encyclopedia where you have user defined artifacts from the

drop down, those artifacts will be listed under the appropriate category like

Diagram Permissions or Definition Permissions.

Page 8 of 27 “Rational Support Whitepaper”

Configure a Catalog Rational System Architect supports only Microsoft SQL Server and Oracle as a

backend database management system to hold the enterprise architecture

design. A catalog in Rational System Architect Catalog Manager can either be

created on Microsoft SQL Server or on an Oracle database management system.

The method to create a catalog in Rational System Architect Catalog Manager on

Microsoft SQL Server or on an Oracle database Management system is same. You

can follow the step mentioned below to create a catalog in Rational System

Architect Catalog Manager:

Launch Rational System Architect Catalog Manager from Start > All Programs >

IBM Rational > IBM Rational Lifecycle Solutions Tools > IBM Rational System

Architect > SA Catalog Manager

Click on Catalog > Create. The screen shown below will appear. Select the

database management system from the drop down list

Once you select the database management system type, you need to select the

database instance name. For example: If you select SQL Server as your database

management system, put one of available instance name under Server name

option as shown below:

Page 9 of 27 “Rational Support Whitepaper”

Once you put the database instance name, select the appropriate authentication

mode to login to the database instance and click on OK.

Once the catalog created, Catalog Manager will appear as shown below:

The next step is to attach those encyclopedias in Catalog Manager on which the

permissions need to be granted to different users. You also need to decide

whether the default roles available in Rational System Architect Catalog will fulfill

you business requirements or do you have to create few custom roles.

Page 10 of 27 “Rational Support Whitepaper”

Permission Mapping Rational System Architect Catalog Manager Administrator has to make a decision

to choose from role based access control (RBAC) and instance level access control

(ILAC). The decision can easily be made understanding the business requirement

and the kind of permissions that needs to be granted for each user in an

organization.

Let us make use of two business requirements to understand role based access

control and instance level access control in Rational System Architect Catalog

Manager.

Business Requirement 1:

There are five users (U1 and U2 who need to be given access on an encyclopedia

E1. The encyclopedia E1 contains a set of Business Process diagrams, class

diagrams and Entity Relationship diagrams. The requirement is in such a way that

user U1 should have only read access on Business Process diagrams and Entity

relationship diagrams. The user U2 needs to be given full access on the

encyclopedia.

Business Requirement 2:

There is a user U3 who needs to be given access on an encyclopedia E2. The

encyclopedia E2 also contains ER1 and ER2 instances of entity relationship

diagrams. The requirement is in such a way that user U3 should be given read

access on ER1 diagram in the encyclopedia and the user U3 should be given read

write access on ER2.

To address these requirements, you can either make use of existing roles or you

can create new roles. You can learn the usage of existing roles from Rational

System Architect Catalog Manager help.

The Business Requirement 1 can easily be implemented using role based

access control in Rational System Architect however, to implement the Business

Requirement 2; you need to implement instance level access control.

Page 11 of 27 “Rational Support Whitepaper”

Solution for Business Requirement 1:

You need to first attach the encyclopedia E1 in Rational System Architect Catalog

Manager. The following steps help you attach the encyclopedia in Rational System

Architect Catalog and assign the required permissions to fulfill the business

requirement:

1. Launch Rational System Architect Catalog Manager

2. Click on Catalog > Connect.

Select the Server type, Server name and authentication and click OK.

3. Right mouse click on Encyclopedias node in Rational System Architect

Catalog Manager and click Attach

Page 12 of 27 “Rational Support Whitepaper”

4. Select the encyclopedia name from the list of encyclopedias exist on the

database instance. You want to assign the permissions on an encyclopedia

E1, select the same encyclopedia from the drop down list and click OK.

5. Once the encyclopedia is attached, it will appear under Encyclopedias

Node in Rational System Architect Catalog Manager.

6. Now, import the users into Rational Catalog Manager. To import the users,

right mouse click on User & Groups node and click on Import Users

Page 13 of 27 “Rational Support Whitepaper”

7. You can import Active directory users, domain users, computer users and

Microsoft SQL Server Database users into Rational System Architect

Catalog Manager

8. Consider that you have a computer by name mirsharm and you want to

import users from the same computer into Rational System Architect

Catalog Manager. Select the users and click OK.

Page 14 of 27 “Rational Support Whitepaper”

9. Once you import the users in Rational System Architect Catalog, the users

will appear under Users & Groups node.

10. Create a user defined role to fulfill your business requirement to assign

appropriate permissions.

To create a user defined role, right mouse click on Roles node and click on

New.

Give a name to the new role as “Business Requirement 1-Read only”.

Page 15 of 27 “Rational Support Whitepaper”

11. Once the role is created, you need to add different permissions to this

role. To add diagram, definition, symbol and macro permissions to

“Business Requirement 1-Read Only” role, expend the first node

Encyclopedia Permissions.

12. Right mouse click on Definition Permissions and click on Copy. Once the

permissions are copied, expand the “Business Requirement 1-Read Only”

role > Encyclopedia Permissions and right mouse click on Definitions

Permissions and click on Paste.

13. Repeat the step 12 for diagram permissions, macro permissions and

menu permissions.

14. To make Business Process and Entity relationship diagrams read only,

expand “Business Requirement 1-Read Only” role and Encyclopedia

Permissions node. Click on Diagram Permissions. Select Business Process

and Entity Relation and right mouse click on the selection. Give only Read

access to these diagrams.

Page 16 of 27 “Rational Support Whitepaper”

15. Once the read only role is created, let‟s map the permissions for the users

U1 and U2 on the encyclopedia E1. Right mouse click on “Business

Requirement 1-Read Only” role and click on copy.

16. Paste this role on the Role node under Encyclopedia E1

17. Similarly, copy the user U1 under “Users & Groups” and paste it under

“Users & Groups” under encyclopedia E1.

18. Now, drag user U1 and drop it on “Business Requirement1-Read Only”

role under encyclopedia. Once you drop the user name on the role, the

mapping will be completed for user U1 on an encyclopedia E1.

Page 17 of 27 “Rational Support Whitepaper”

19. Similarly, you can map the permissions to the user U2. Since user U2

should be given full access on the encyclopedia, you can use a default role

Administrator. The mapping for both the users will look like as:

Now, the role based access is assigned to the users on an encyclopedia. Let‟s

verify the permissions mapping on the encyclopedia in Rational System

Architect. When user U1 opens the encyclopedia E1, you will observe that U1

can just read business process and entity relation diagrams.

Page 18 of 27 “Rational Support Whitepaper”

You can observe the user U1 does not have permissions to edit the business

process diagram. You can also observe that the user U1 is not allowed to

create a new Business Process diagrams as well.

Similarly, you can observe in the screen shown below that the user U1 can not

edit/create entity relation diagrams too.

Note: Ensure that the user has also been given minimum access rights in

Rational System Architect Encyclopedia Manager (SAEM). You can refer the

following technical document to assign minimum permissions for a user in SAEM:

How to apply the minimum permissions to share Professional

Encyclopedias

If you are using Oracle as a backend repository, you can take help from your

Oracle DBA to assign these access rights to a user on an encyclopedia.

Page 19 of 27 “Rational Support Whitepaper”

Solution for Business Requirement 2:

Let‟s attach another encyclopedia E2 in Rational System Architect Catalog

Manager to understand the implementation of business requirement 2. You can

follow the step mentioned above to attach the encyclopedia in Rational System

Architect Catalog manager.

Since you need to control the permissions on the instance of a diagram, you need

first enable the instance level access control (ILAC) option in Rational System

Architect Catalog Manager.

Once the instance level access control option is enabled in Rational System

Architect Catalog Manager, you need to configure the respective encyclopedia to

use instance level access control options. You can follow the steps mentioned

below to assign the permissions to user U1 on an encyclopedia E2:

1. Right mouse click on the encyclopedia E2 and click on Enable ILAC option.

Page 20 of 27 “Rational Support Whitepaper”

2. Once the ILAC is enabled on an encyclopedia, you can verify the same by

clicking on the Encyclopedias node.

3. As Instance Level Access Control can only be applied on a group, let‟s add

user U3 to a group.

4. Right mouse click on the group and click on Copy

5. Right-mouse click ILAC Group Default for Encyclopedia, and select Paste

6. To assign the instance level access control, open the encyclopedia E2 in

Rational System Architect. Let‟s create two Entity Relation diagrams ER1

and ER 2 and map the permissions to U3 to meet the business

requirement 2.

7. Right mouse click on diagram area for ER1 and ER 2 to assign instance

level access control:

Page 21 of 27 “Rational Support Whitepaper”

ER1 is read only to everyone and given read write permissions on Test

Group. Since U3 is a part of Business Requirement 2 group, he has been

given only read access.

All the user group have been given read and read/write access.

Page 22 of 27 “Rational Support Whitepaper”

Common issues and Solutions

Error message: "The Catalog on SQL Server needs to be

upgraded in Catalog Manager" when opening an Enterprise

Encyclopedia.

Solution:

This error is displayed when the encyclopedia is being opened in a later version of

System Architect than that of the SA Catalog Manager utility. After upgrading

your System Architect installation, you must open the catalog with the SA Catalog

Manager. The SA Catalog Manager will detect if an upgrade is required and

automatically upgrade the catalog. After the catalog has been upgraded in SA

Catalog Manager, you may then open the Enterprise Encyclopedia in System

Architect.

Page 23 of 27 “Rational Support Whitepaper”

Error message: No catalog on SQL server while creating an

encyclopedia.

Solution:

You may get this error message "No catalog on SQL server while creating an

encyclopedia" when creating an encyclopedia having the 'Enterprise Encyclopedia'

option checked. This happens if you try creating 'Enterprise Encyclopedia' without

having a Catalog created on the database server.

Scenario 1: If you just want to create an encyclopedia, uncheck 'Enterprise

Encyclopedia' option in the create encyclopedia window. This will create a

Professional encyclopedia. To create an 'Enterprise Encyclopedia', you would first

have to open the System Architect Catalog Manager and create a Catalog. Please

check System Architect online help for more information on creating

encyclopedia.

Scenario 2: Even if the Catalog is created, this error would still occur in a shared

environment. Consider the following example to understand this scenario:

You have a shared instance of SQL Server/Express and you would like to allow

users to create Enterprise Type encyclopedias. Though the Catalog is created

however other user still would not be able to create an enterprise type of

encyclopedia until you follow the set of steps mentioned below:

A. Add the user login in SAEM (System Architect Encyclopedia Manager) and

assign "DBCreator" Server role to his login id.

B. Add the user's login in Catalog manager and give CRWD (Create, Read, Write

and Destroy) or appropriate right on the System Architect Catalog.

Once this is done, user should be able to create an enterprise encyclopedia in a

shared environment.

Page 24 of 27 “Rational Support Whitepaper”

Error Message: Error Message: "An error occurred while

initializing Error:-2147217900, Source: Microsoft OLE DB

Provider for SQL Server, Description: The user does not have

permission to perform this action"

Solution:

The login ID is not set with appropriate permissions on the SQL Server where the

Catalog resides. Lack of database Data Reader permission is results in failure to

connect to existing catalog. Refer to the following knowledge base article to

resolve this error:

http://www.ibm.com/support/docview.wss?uid=swg21427259

Page 25 of 27 “Rational Support Whitepaper”

Unable to import users in IBM Rational System Architect

Catalog Manager without SYS ADMIN permissions.

Solution:

To be able to import other users into System Architect Catalog Manager you must

have 'SYSADMIN' or 'Security Admin' privileges.

However, if you do not want to give Sys Admin permissions and give Security

Admin, then you will need to perform a few additional tasks as mentioned below:

A. Make sure to give the user GRANT VIEW SERVER STATE to login and GRANT

EXECUTE on sp_lock on the Master encyclopedia.

For example if Test User you are trying to use, then the commands would look

like:

GRANT VIEW SERVER STATE to "Test User"

GRANT EXECUTE on sp_lock to "Test User"

B. Also you have to give "Public access" on all the encyclopedias present on the

instance.

C. Make sure that the User has "CRWD" (Create, Read, Write, Execute) on the

Catalog Manager

Page 26 of 27 “Rational Support Whitepaper”

Conclusion

Enterprise architecture is a conceptual blueprint that defines the structure and

operation of an organization. The intent of enterprise architecture is to determine

how an organization can most effectively achieve its current and future

objectives.

To capture different states of your enterprise architecture efficiently, you can

make use of IBM Rational System Architect which is an industry leading

Enterprise Architecture design and modeling tool.

To design architecture for your organization, it is also important to create specific

views of artifacts for different people in hierarchy. Also, in case of distributed

environment where in more than one architect is working on a single project,

administrator needs to provide restricted work area in the repository for each

architect.

Rational System Architect Catalog Manager provides a complete solution to

administer different artifacts stored in encyclopedias in Rational System Architect.

You can apply role based access control or an instance level access control based

on your business requirements.

This paper explained role based access control and instance level access control

with the help of two scenarios. The Business Requirement 1 is used to describe

the usage of role based access control in Rational System Architect Catalog

Manager. Similarly, the Business Requirement 2 is used to explain how an

instance level access control can be helpful to restrict an access to different

users on different instances of an artifact.

Page 27 of 27 “Rational Support Whitepaper”

References

Rational System Architect Information Center

Rational System Architect Catalog Manager online help

Rational System Architect Support Portal

How to apply the minimum permissions to share Professional

Encyclopedias