Multiple administrative roles
At Administration > Security, you can manage access to the functionality in the Console. Because any set of changes to the IT environment of your organization can be delivered from the Console, it is important to prevent unauthorized access, in order to prevent that these changes lead to unexpected and undesired results.
You can assign a login account to multiple administrative roles. If so, the permissions of all assigned administrative roles are added up, in which Modify takes precedence over Read, and Read takes precedence over Deny.
Example 1
Suppose 3 administrative roles have been assigned to a login account:
Administrative role 1 |
|
Topology node |
Read |
Library node |
Modify |
Jobs node |
Deny |
Administrative role 2 |
|
Topology node |
Deny |
Library node |
Read |
Jobs node |
Read |
Administrative role 3 |
|
Topology node |
Deny |
Library node |
Modify |
Jobs node |
Modify |
Result |
|
Topology node |
Read |
Library node |
Modify |
Jobs node |
Modify |
Example 2
You may have configured a Module that contains a Task Create Local User, which uses parameters for the logon name, full name and password of the user. If you then create an administrative role with Read access to the Topology nodes and the Library nodes, and Modify access to the Jobs nodes, any user with the administrative role will be able to schedule the Module in a Job and provide values for all parameters, but cannot edit the Module itself.
Example 3
You may have configured a Module that contains a Task Change Service Parameters that restarts a print spooler. If you then create an administrative role with Read access to this Module, and Modify access to the Jobs nodes, any user with the administrative role will only be able to schedule the Module in a Job, but no other Modules.