Permissions on Trusts

At Administration > Security, you can manage access to the functionality in the Console. Because any set of changes to the IT environment of your organization can be delivered from the Console, it is important to prevent unauthorized access, so that these changes do not lead to unexpected and undesired results.

Before Console users can start working with Trusts, you need to specify which Console users are allowed to do this, and on which items they are allowed to configure Trusts. Because "ownership" of customer-specific Agents, Modules and Resources often lies with customer representatives in multi-tenant sites, you may want to delegate control over Trusts to these representatives first, before you enable Trusts in your environment. This prevents situations in which unauthorized personnel can configure Trusts. You can delegate control over Trusts by assigning permissions to Trusts to specific administrative roles.

The permissions on Trusts in an administrative role define the level at which a Console user is allowed to manage Trusts. This allows for a granular delegation of control over Trusts and allows you to set up administrative roles for owners of specific Teams, Agents, Modules and Resources, with specific permissions on these items. For example, you can configure an administrative role for the owner of a specific Team that only allows him to configure Trusts for this Team. Other administrative roles may only see whether a Trust has been configured for the Team.

Permissions on Trusts can be assigned in the various Trusts columns on the Permissions tab of an administrative role, available at Administration > Security. Please note that the Trusts columns are only available when the global setting Trusts Security has been set to "Enabled" or to "Disabled, configure only" and the Console user has logged in with the administrative role Full Access. This setting is available at Setup > Global Settings.

Configuration

  • You can configure Trusts on Team folders, Teams, Agents, Resource folders, Resources, Module folders and Modules.

    Deny: If this permission has been assigned, it is not possible to configure Trusts for the item. This is the default setting. This setting applies to new administrative roles and when upgrading your version to Ivanti Automation Manager 2014 or higher.

    Read: If this permission has been assigned, a Console user can only view which Trusts are configured for the item. It is not possible to modify these Trusts.

    Modify: If this permission has been assigned, a Console user has all permissions to configure Trusts for the item.

    Inherit: If no particular permissions have been assigned (blank check box), the item inherits the permissions from its parent item, if applicable. If no parent item exists, the default setting applies: Deny.

  • Team folders and Resource folders show the name of the parent folder and the items they contain. This makes it easier to assign permissions to Trusts on these items. For consistency, Project folders and Run Book folders also show the name of the parent folder and the items they contain. It is not possible to configure Trusts on these items.
  • Console users can only configure Trusts for items in the Console to which their administrative role grants access, that is, items to which they have either Read or Modify access. When configuring an administrative role, you can use the Access column on the Permissions tab to assign access permissions to items:
    • If an administrative role denies access to a specific Resource, the Resource will not be shown when a Console user logs on with this administrative role: it will thus not be possible for him to configure Trusts on this Resource.
    • If an administrative role grants Read access to a specific Resource, it will not be possible for a Console user who logs on with this administrative role to modify any settings of the Resource EXCEPT configure Trusts.
    • If an administrative role grants Modify access to a specific Resource, a Console user who logs on with this administrative role can modify all settings of the Resource, including Trusts.
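
The following sketch models how the rules above combine when you review a role before enabling Trusts. It is an added example, not Ivanti code or an Ivanti API. The item names and role contents are constructed, the Access value is taken as given per item, and it assumes the Trusts column decides the level whenever Access is Read or Modify.

```python
from enum import Enum

class Perm(Enum):
    DENY = "Deny"
    READ = "Read"
    MODIFY = "Modify"

# Constructed sample data: item -> parent item (None = no parent item).
PARENT = {
    "Resources": None,
    "Resources/CustomerA": "Resources",
    "Resources/CustomerA/vpn-config": "Resources/CustomerA",
    "Resources/CustomerA/proxy-settings": "Resources/CustomerA",
    "Resources/CustomerB": "Resources",
    "Resources/CustomerB/license-file": "Resources/CustomerB",
}
# Trusts column of one role; an item missing here is a blank check box (Inherit).
ROLE_TRUSTS = {
    "Resources/CustomerA": Perm.MODIFY,
    "Resources/CustomerA/vpn-config": Perm.READ,
}
# Access column of the same role, given per item (assumption: already resolved).
ROLE_ACCESS = {
    "Resources": Perm.READ,
    "Resources/CustomerA": Perm.READ,
    "Resources/CustomerA/vpn-config": Perm.MODIFY,
    "Resources/CustomerA/proxy-settings": Perm.READ,
    "Resources/CustomerB": Perm.READ,
    "Resources/CustomerB/license-file": Perm.DENY,
}

def trusts_permission(item, trusts, parent):
    """Nearest explicit Trusts permission walking up the tree; Deny if none."""
    while item is not None:
        if item in trusts:
            return trusts[item]
        item = parent[item]
    return Perm.DENY

def effective_trusts(item, trusts, access, parent):
    """Access Deny hides the item; Read or Modify access defers to Trusts."""
    if access[item] is Perm.DENY:
        return Perm.DENY
    return trusts_permission(item, trusts, parent)

def audit(trusts, access, parent):
    """Effective Trusts permission for every item, for role review."""
    return {i: effective_trusts(i, trusts, access, parent) for i in parent}

if __name__ == "__main__":
    for item, perm in audit(ROLE_TRUSTS, ROLE_ACCESS, PARENT).items():
        print(f"{perm.value:<7} {item}")
```

In this model, a blank check box below a folder with Modify still yields Modify on Trusts even where Access is only Read, so folder-level Trusts assignments deserve the same review as item-level ones.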