Security
The Security view (select the Security navigation button) allows you to set up and manage user and group permissions on the Management Center. Security roles, which specify different levels of access, allow you to allocate server-wide security permissions or assign object security permissions in certain areas of the Management Console. For example, it may be necessary to lock down access to specific deployment groups for geographically dispersed administrators, so that they can only manage their own local managed endpoints while still being able to view (have read-only access to) other deployment groups.
Server Permissions
Server Permissions allow you to define the level of access for designated users and groups throughout the Management Center and specify rights for editing settings and performing actions.
You can add groups or users by browsing the local computer or domain and allocate a security level from the list of predefined Security Roles or allocate custom roles which you create.
You can add Server Permissions by Active Directory group or user.
Add by Group
Select Server Permissions > Groups > Add Group. The Select Groups dialog displays.
Browse and select from the local computer or domain.
Add by User
Select Server Permissions > Users > Add User. The Select Users dialog displays.
Browse and select from the local computer or domain.
Edit Assigned Roles
To edit the roles assigned to the groups or users select Server Permissions > Groups or Users > Edit Roles. The Global Security Roles dialog displays.
The Global Security Roles dialog displays the list of default Server Roles and any other server roles that have been created.
Select Allow to assign a role to the group or user.
Add User/Add Group - Launches the Select Users or Select Groups dialog boxes for adding users or groups to the list.
Edit Roles - Launches the Global Security Roles dialog box in which you can change the Allow/Deny settings in the list of available Security Roles.
Remove - Deletes the highlighted groups and users from the list.
Object Permissions
Object Permissions are access rights which are allocated to users and groups to view and edit or perform actions for specific areas in the Management Center. Objects include any specific areas of the Management Center, settings or items such as the following:
- Groups – view and edit.
- Packages – manage agents and configurations.
- Reports – view and generate all reports or individual reports.
- Alert Rules – view and edit all alert rules or individual alert rules.
Object permissions are granted to users or groups for specific objects by allocating Security Roles or assigning ownership.
Ownership
Displays the list of objects and the owner allocated to the object. You can change the current ownership assignments for each object.
The following are controlled objects:
- Group – view and edit.
- Package – manage agents and configurations.
- Report – view and generate all reports or individual reports.
- Alert Rule – view and edit all alert rules or individual alert rules.
You can toggle the display to group the objects by type, which is the default, or by owner. Select Group by Owner or Group by Type in the Actions pane to alter the display.
Ownership of an object grants full control and overrides any restrictions which might also apply to the user or group.
To change the object owner, highlight an object and select Change Ownership in the Actions pane. The Security Form dialog displays; select a group or user from the list. To select a group or user that is not listed, click Add to display the Select Users or Groups dialog, then enter or browse to select the group or user that you want to be the object owner.
User Access
Displays the list of objects that have been modified for user access.
You can toggle the display to group the objects by type, which is the default, or by user. Select Group by User or Group by Type in the Actions pane to alter the display.
To change the user access, highlight an object and select Edit Roles in the Actions pane. The Security for [object type name] dialog displays.
The Security for [object type name] dialog displays the following two tabs:
- Permissions - Add or remove a group's or user's permission to access the object. If you assign permissions to a group or user that does not have rights to the object area in the Management Console, a warning message displays. Click Yes to allow the user to log in.
Select the security role to assign to the group or user for the object type.
Object Security Roles are created in Security > Security Roles > Object.
- Owner - Change the owner of the object. You can select an owner from the list or Add a new group or user. The owner is granted full control over the object.
Ownership Actions
Group by Owner - Orders the list of objects by owner.
Group by Type - Orders the list of objects by object type.
Change Ownership - Allows you to assign or change ownership of the current object.
User Access Actions
Group by User - Orders the list of objects by user.
Group by Type - Orders the list of objects by object type.
Delete - Deletes the highlighted groups and users from the list.
Edit Roles - Launches the Security for {ObjectName} dialog box in which you can change the Allow/Deny settings in the list of available Security Roles and change the owner of the current object.
Security Examples
Example 1
Simply assigning a user a role that has only the Deny Group Modifier permission achieves nothing substantive. This is because, by default, the user does not have permission to modify the group, so there is no server permission to deny. Also, any object the user owns will still be modifiable by that user. This is because the server and object roles are integrated: the server roles do not override object roles, they apply server-wide rather than to specific objects.
Example 2
The following example illustrates the relationship between Allow and Deny, and group and individual user roles assigned.
An Active Directory group is assigned a role that has Allow Group Modifier. A user within that group is then assigned a role that has the Deny Group Modifier permission. The resulting permissions will allow all group members to modify groups except for the one user who has had the right explicitly denied. Note that, as in the previous example, if the user is an owner of a group they will still be able to modify it.
Revoking Access Rights for a User
Revoking access permissions is a two-step process requiring you to remove access server-wide and at object level.
First, remove any relevant Server permissions from the user. Second, remove relevant Object permissions from the user (permission settings are under the Ownership and User Access nodes).
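The two examples above and the two-step revocation, as an added Python model that is not part of this documentation or of the product; the principal names, object names and the rule that a grant at either level is sufficient are assumptions made for the illustration:

```python
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"


@dataclass
class SecurityStore:
    """Constructed model of the security data described on this page (example only)."""
    server_roles: dict = field(default_factory=dict)   # principal -> {permission: Allow|Deny}
    object_roles: dict = field(default_factory=dict)   # (object, principal) -> {permission: Allow|Deny}
    owners: dict = field(default_factory=dict)         # object -> owning principal
    members: dict = field(default_factory=dict)        # user -> set of AD groups the user belongs to

    def principals(self, user):
        # The user plus every group whose role assignments the user inherits.
        return [user, *sorted(self.members.get(user, ()))]

    @staticmethod
    def decide(assignments):
        # An explicit Deny on the user or any of their groups wins over an
        # inherited Allow; with no assignment at all, the default is no access.
        if DENY in assignments:
            return False
        return ALLOW in assignments

    def can_modify_group(self, user, group_obj):
        if self.owners.get(group_obj) == user:
            return True  # ownership grants full control and overrides other restrictions
        server = [self.server_roles.get(p, {}).get("Group Modifier") for p in self.principals(user)]
        obj = [self.object_roles.get((group_obj, p), {}).get("Modify") for p in self.principals(user)]
        # Assumption: a grant at either level is sufficient. The page does not spell out
        # what happens when the two levels disagree, so that case is not modelled.
        return self.decide(server) or self.decide(obj)

    # Revocation is a two-step process: server-wide first, then per object.
    def revoke_server_permissions(self, user):
        self.server_roles.pop(user, None)

    def revoke_object_permissions(self, user, group_obj):
        self.object_roles.pop((group_obj, user), None)
```

Removing only the server-wide assignment leaves an object-level Modify grant in place, which is why both steps are needed.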
Security Roles
Server Security Roles
Server Security roles are global settings across the whole of the Management Server.
Predefined Server Security Roles
Modifier — permission to edit/modify Groups, Packages, Reports, and Alerts. This role cannot create new Groups, Packages, Reports, or Alerts.
Server Administrator — full permission. You can see all objects and add, edit, and delete objects, even if you are not the owner of the objects. This role is assigned by default to the user who installs the Management Center and has the Server Administrator permission enabled; see Role Definition.
Viewer — permission only to view an object.
Custom Server Security Roles
Select New Server Role from the Actions pane to define a new role. The Role Definition dialog displays.
The Role Definition dialog lists all server role permissions; select the permissions you want to assign to the new role. The following permissions are available:
- Server Administrator - the permission assigned to the predefined Server Administrator role.
- Failover Server Administrator
- Failover Server Viewer
- Deployment Administrator
The following have Administrator, Creator, Modifier and Viewer permissions available:
- Group
- Security
- Package
- Report
- Alert Rule
Example 1
If an administrator wants to delegate the administration of the groups to someone else, they can create a Restricted Group Administrator role with the following permissions:
- Group Administrator
- Package Viewer
- Package Creator
- Report Viewer
- Alert Rule Viewer
- Deployment Administrator
A user that is assigned the Restricted Group Administrator role will be able to do the following:
- Create, modify and delete groups and assign computers to those groups.
- Deploy the Deployment Agent to computers.
- View all the packages and be able to assign them to the groups.
- Add new packages and be able to delete those packages.
- Produce reports.
However, the user will not be able to do the following:
- Delete any existing packages.
- Delete any alerts or events.
- Remove or add any reports.
- Change the security for any objects other than the ones they created, or added.
Example 2
If there are individuals that are responsible for creating and maintaining product configurations but do not require any access to the management console itself, then the administrator can create a Package Editor role with the following permission:
- Package Administrator
A user that is assigned this role will be able to open, edit and save configurations to the Management Server using the product consoles.
Object Security Roles
Object Security Roles are settings specific to objects.
Predefined Object Security Roles
- Viewer — permission only to view the object.
- Modifier — permission to perform edit actions, but not delete actions, on the object.
- Full Control — permission to perform edit and delete actions on the object.
Server Roles override Object Roles.
Custom Object Security Roles
Select New Object Role from the Actions pane to define a new role. The Role Definition dialog displays.
The Role Definition dialog lists all object role permissions; select the permissions you want to assign to the new role. The following permissions are available:
- Full Control
- Security
- View
- Modify
- Change Ownership
- Report Export
- Computer Assignment
- Alert Rule Assignment
- Event View
- Installation Schedule Modify
- Package Assignment
If an administrator wants to delegate the responsibility for assigning packages to a particular group, they can create a Package Manager object role with the following permissions:
- View
- Package Assignment
If a user is then added to the Security for a group and given the Package Manager role, the user will only be able to see that group (assuming they have no other roles assigned to them). They will be able to see all of the settings for the group, but the only thing they can change is the packages assigned to the group.
Server
- New Server Role - Define a new server role.
- Properties - View role details.
Object
- New Object Role - Define a new object role.
- Properties - View role details.
Configuring Security
You can configure security for groups or users that are allowed to log onto the Management console. You can grant Server Administrator permission (full permission), Modifier or Viewer permission.
- Select the Security button in the navigation pane.
- To configure security for a group, expand the Server Permissions node and select the Groups node.
- To configure security for a user, expand the Server Permissions node and select the Users node.
- Select a group or user.
- Select Edit Roles on the Actions menu. The Global Security Roles dialog box displays.
- Select whether to allow or deny Modifier, Server Administrator or Viewer permissions.
- Click OK.
You can configure security for groups that are allowed to log onto the Management console. You can grant permission to only view elements in the console.
- Select the Security button in the navigation pane.
- Expand the Server Permissions node and select the Groups node.
- Select Add Group on the Actions menu. The Select Groups dialog box displays.
- Locate the group that you want to specify view permission for and click OK.
- Select the group in the work area.
- Select Edit Roles on the Actions menu. The Global Security Roles dialog box displays.
- Select the Viewer option in the Allow column.
- Select the Modifier and Server Administrator options in the Deny column.
- Click OK.
You can configure security for users that are allowed to log onto the Management console. You can grant permission to a group or user to have access to only a particular deployment group.
- Select the Security button in the navigation pane.
- Expand the Server Permissions node and select the Users node.
- Click Add User on the Actions menu. The Select Users dialog box displays.
- Locate the user you want to provide access to a certain deployment group and click OK.
- Select the Home button in the navigation pane.
- Navigate to the [Server] > Deployment Groups node.
- Select the deployment group to which you want to provide access.
- Select Security in the Actions panel. The Security for [Deployment Group] dialog box displays.
- Select the Permissions tab and click Add. The Select Users or Groups dialog box displays.
- Locate the user specified in Step 4 and click OK.
- In the Roles area select the Viewer, Modifier and Full Control options in the Allow column.
- Click OK.