Security

The Security view, opened by selecting the Security navigation button, allows you to set up and manage user and group permissions on the Management Center. Security roles, which specify different levels of access, allow you to allocate server-wide security permissions or assign object security permissions in certain areas of the Management Console. For example, it may be necessary to lock down access to specific deployment groups for geographically dispersed administrators so that they can manage only their own local managed endpoints whilst still being able to view (have read-only access to) other deployment groups.

Server Permissions

Server Permissions allow you to define the level of access for designated users and groups throughout the Management Center and specify rights for editing settings and performing actions.

You can add groups or users by browsing the local computer or domain and allocate a security level from the list of predefined Security Roles or allocate custom roles which you create.

You can add Server Permissions by Active Directory group or user.

Add by Group

Select Server Permissions > Groups > Add Group. The Select Groups dialog displays.

Browse and select from the local computer or domain.

Add by User

Select Server Permissions > Users > Add User. The Select Users dialog displays.

Browse and select from the local computer or domain.

Edit Assigned Roles

To edit the roles assigned to the groups or users, select Server Permissions > Groups or Users > Edit Roles. The Global Security Roles dialog displays.

The Global Security Roles dialog displays the list of default Server Roles and any other server roles that have been created.

Select Allow to assign a role to the group or user.

Object Permissions

Object Permissions are access rights which are allocated to users and groups to view and edit or perform actions for specific areas in the Management Center. Objects include any specific areas of the Management Center, settings or items such as the following:

  • Groups – view and edit.
  • Packages – manage agents and configurations.
  • Reports – view and generate all reports or individual reports.
  • Alert Rules – view and edit all alert rules or individual alert rules.

Object permissions are granted to users or groups for specific objects by allocating Security Roles or assigning ownership.

Ownership

Displays the list of objects and the owner allocated to the object. You can change the current ownership assignments for each object.

The following are controlled objects:

  • Group – view and edit.
  • Package – manage agents and configurations.
  • Report – view and generate all reports or individual reports.
  • Alert Rule – view and edit all alert rules or individual alert rules.

You can toggle the display to group the objects by type, which is the default, or by owner. Select Group by Owner or Group by Type in the Actions pane to alter the display.

Ownership of an object grants full control and overrides any restrictions which might also apply to the user or group.

To change the object owner, highlight an object and select Change Ownership in the Actions pane. The Security Form dialog displays. Select a group or user from the list. Alternatively, to select a group or user that is not listed, click Add to display the Select Users or Groups dialog, then enter or browse to select the group or user that you want to be the object owner.

User Access

Displays the list of objects that have been modified for user access.

You can toggle the display to group the objects by type, which is the default, or by user. Select Group by User or Group by Type in the Actions pane to alter the display.

To change the user access, highlight an object and select Edit Roles in the Actions pane. The Security for [object type name] dialog displays.

The Security for [object type name] dialog displays the following two tabs:

  • Permissions - Add or remove permission for groups or users to access the object. If you assign permissions to a group or user that does not have rights to the object area in the Management Console, a warning message displays.

    Click Yes to allow the user to log in.

    Select the security role to assign to the group or user for the object type.

    Object Security Roles are created in Security > Security Roles > Object.

  • Owner - Change the owner of the object. You can select an owner from the list or Add a new group or user. The owner is granted full control over the object.

Security Examples

Example 1

Simply assigning a user with a role that has only the Deny Group Modifier permission achieves nothing substantive. This is because, by default, the user does not have permission to modify the group so there is no server permission to deny. Also, any object the user is an owner of will still be modifiable by that user. This is because the server and object roles are integrated. The server roles do not override object roles - they apply server-wide rather than on specific objects.

Example 2

The following example illustrates the relationship between Allow and Deny, and group and individual user roles assigned.

An Active Directory group is assigned a role that has Allow Group Modifier. A user within that group is then assigned a role that has the Deny Group Modifier permission. The resulting permissions will allow all group members to modify groups except for the one user who has had the right explicitly denied. Note that, as in the previous example, if the user is an owner of a group they will still be able to modify it.

Revoking Access Rights for a User

Revoking access permissions is a two-step process requiring you to remove access server-wide and at object level.

First, remove any relevant Server permissions from the user. Second, remove relevant Object permissions from the user (permission settings are under the Ownership and User Access nodes).
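
The rules in Security Examples 1 and 2 and the two-step revocation above, modelled as an added example (not product code or a Management Center API). All users, groups and objects are constructed, and the model assumes that access inherited through group membership also counts as residual access.

```python
# Added model of the rules in Security Examples 1 and 2 and of the revocation
# checklist. Names and data are constructed; this is not a Management Center API.
# Precedence between server roles and object roles is deliberately not modelled.
GROUP_MODIFIER = "Group Modifier"

MEMBER_OF = {"alice": {"EU-Admins"}, "bob": {"EU-Admins"}, "carol": set()}
SERVER = {  # identity -> (allowed permissions, denied permissions)
    "EU-Admins": ({GROUP_MODIFIER}, set()),
    "bob": (set(), {GROUP_MODIFIER}),    # Example 2: one member explicitly denied
    "carol": (set(), {GROUP_MODIFIER}),  # Example 1: Deny with nothing to deny
}
OBJECT_ROLES = {("London", "alice"): "Modifier"}  # (object, identity) -> object role
OWNERS = {"Paris": "bob", "Berlin": "carol", "Rome": "alice"}


def identities(user):
    """The user plus every group whose roles apply to them."""
    return {user} | MEMBER_OF.get(user, set())


def can_modify_group(user, group_obj):
    """Decide from ownership and server roles whether user may modify group_obj."""
    ids = identities(user)
    if OWNERS.get(group_obj) in ids:
        return True, "owner"  # ownership overrides any restriction
    roles = [SERVER.get(i, (set(), set())) for i in ids]
    if not any(GROUP_MODIFIER in allowed for allowed, _ in roles):
        return False, "no permission by default"
    if any(GROUP_MODIFIER in denied for _, denied in roles):
        return False, "explicit deny"
    return True, "server allow"


def residual_access(user):
    """List every grant still to be removed when revoking the user's access."""
    ids = identities(user)
    found = [("server", i, sorted(SERVER[i][0]))
             for i in sorted(ids) if SERVER.get(i, (set(),))[0]]
    found += [("user access", i, obj) for (obj, i) in sorted(OBJECT_ROLES) if i in ids]
    found += [("ownership", o, obj) for obj, o in sorted(OWNERS.items()) if o in ids]
    return found


if __name__ == "__main__":
    for user, obj in [("alice", "London"), ("bob", "London"), ("bob", "Paris"),
                      ("carol", "London"), ("carol", "Berlin")]:
        print(user, obj, can_modify_group(user, obj))
    print(residual_access("alice"))
```

An empty list from `residual_access` is the condition to check for after both revocation steps; a remaining `ownership` entry means the user can still modify that object.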

Security Roles

Server Security Roles

Server Security roles are global settings across the whole of the Management Server.

Predefined Server Security Roles

  • Modifier — permission to edit/modify Groups, Packages, Reports, and Alerts. You cannot create new Groups, Packages, Reports, or Alerts.
  • Server Administrator — full permission. You can see all objects and add, edit, delete objects, even if you are not the owner of the objects. This role has Server Administrator permissions enabled (see Role Definition) and is assigned by default to the user installing the Management Center.
  • Viewer — permission only to view an object.

Custom Server Security Roles

Select New Server Role from the Actions pane to define a new role. The Role Definition dialog displays.

The Role Definition dialog lists all server role permissions. Select the permissions you want to assign to the new role. The following permissions are available:

  • Server Administrator - assigned to the Server Administrator role.
  • Failover Server Administrator
  • Failover Server Viewer
  • Deployment Administrator

The following have Administrator, Creator, Modifier and Viewer permissions available:

  • Group
  • Security
  • Package
  • Report
  • Alert Rule

Object Security Roles

Object Security Roles are settings specific to objects.

Predefined Object Security Roles

  • Viewer — permission only to view the object.
  • Modifier — permission to perform edit actions, but not delete actions, on the object.
  • Full Control — permission to perform edit and delete actions on the object.

Server Roles override Object Roles.

Custom Object Security Roles

Select New Object Role from the Actions pane to define a new role. The Role Definition dialog displays.

The Role Definition dialog lists all object role permissions. Select the permissions you want to assign to the new role. The following permissions are available:

  • Full Control
  • Security
  • View
  • Modify
  • Change Ownership
  • Report Export
  • Computer Assignment
  • Alert Rule Assignment
  • Event View
  • Installation Schedule Modify
  • Package Assignment
