Understanding security operations and principles

The following list shows which capability and access types are needed for which basic operation. The capabilities and access rights listed are the minimum requirements to execute these operations, but, of course, the administrator can have more extensive permissions than those. For example, when Write Access Deny is specified, this means that no write access is necessary to execute this operation, but the administrator can of course be assigned write access to these objects anyway.

Groups are divided into two different types: those with and those without the capability populate. User and device groups have the additional capability populate. The capabilities for administrator groups are the same as for administrators, thus they do not have the capability populate. Administrator groups are treated not as groups but as folders; to learn about their basic operating principles, see the explanations concerning folders in the following paragraphs.

Also be aware that to be able to assign or modify access rights for other administrators you must also be assigned the capability Manage Security.

Creating or deleting an object in a folder

When you want to create an object within a folder or delete one from a folder you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Write access on the object under which the new one is created.
    By default the administrator creating the new object has read/write/assign access on this new object.

Example

To create a new operational rule under a folder called Your Operational Rules or to delete it you need:

Capabilities:

  • View Operational Rules
  • Manage Operational Rules

Access Rights:

  • Read Allow, Write Deny on the Operational Rules top node
  • Read Allow and Write Allow on the folder Your Operational Rules

Creating or deleting an object in/from a group

To create an object within a group or to delete it from there you need the following capabilities and access rights:

  • View and populate capabilities on the group.
  • Write access on the object itself and its parent.

Example

To delete a device called Your Device from the group called AllYourDevices you need:

Capabilities:

  • View Devices and Device Groups
  • Manage Devices
  • Populate Device Groups

Access Rights:

  • Read Allow, Write Deny on the Device Groups top node
  • Read Allow and Write Allow on the group AllYourDevices and the device called Your Device

Modifying an object

To modify the attributes of an object you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Read and write access on the object.

Exporting an object

To export an object from the console you need the following capabilities and access rights:

  • View capability of the object type,
  • Read access on the object to be exported.

Importing an object

When you want to import an object you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Write access on the object under which the new one is imported (created).
    By default the administrator importing the object has read/write/assign access on this new object.

Managing access rights (security) of an object

To be able to modify the security profile of an object you need the following capabilities and access rights:

  • View and manage Security Profile capabilities,
  • View capability on administrators,
  • View capability on the object type,
  • Write access on the object for which the access rights are to be modified.

Example

To modify the access rights that the administrator France has on a specific device, the Master Server, you need the following permissions:

Capabilities:

  • View and Manage Security Profile
  • View Administrators
  • View Devices

Access Rights:

  • Read Allow, Write Deny on the Device Groups top node
  • Read Allow and Write Allow on the group AllYourDevices and the device called Master Server

Adding or removing an object to/from a folder

To add an object to or remove an object from a folder you need the following capabilities and access rights:

  • View and manage capabilities on the object type,
  • Read and write access on the parent object to/from which the child object is to be added/removed, and read access on the child.

Example

To add the query All Devices to an existing folder, General Queries, you need:

Capabilities:

  • View Queries
  • Manage Queries

Access Rights:

  • Read Allow, Write Deny on the Queries top node
  • Read Allow and Write Allow on the folder General Queries, and Read Allow on the query All Devices

Adding or removing an object to/from a group

To add an object to or remove it from a group you need the following capabilities and access rights:

  • View and populate capabilities on the group (parent object type), and view capability on the member (child object type),
  • Read and write access on the group (parent object) to/from which the member (child object) is to be added, and read access on the child.

Example

To add the device Your Device to an existing device group, Your Device Group, you need:

Capabilities:

  • View Device Groups
  • Populate Device Groups
  • View Devices

Access Rights:

  • Read Allow, Write Deny on the Device Groups top node
  • Read Allow and Write Allow on the device group Your Device Group, and Read Allow on the device Your Device
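The operations from "Creating or deleting an object in a folder" through "Adding or removing an object to/from a group" each reduce to a fixed set of capabilities and per-object access rights. The following evaluator encodes those minimum sets and reports which ones an administrator is missing. It is an added, constructed example, not code from Client Management or its documentation: the Obj and Admin data model, the function names, the operation keys and the sample administrator are all assumptions; the capability and access-right names are the ones used on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str   # object type as the page names it, e.g. "Operational Rules", "Device Groups"


@dataclass
class Admin:
    name: str
    capabilities: set   # capability names, e.g. "View Devices", "Populate Device Groups"
    rights: dict        # object name -> set of granted rights, drawn from {"Read", "Write", "Assign"}


def cap(name):
    return ("capability", name)


def right(obj, name):
    return ("access", obj.name, name)


def top_node(kind):
    # Every object type hangs under a top node; the examples on this page always
    # require Read Allow on it (Write Deny is tolerated, so Write is never required).
    return Obj(kind + " top node", kind)


def requirements(op, subject, parent=None):
    """Minimum capabilities and access rights for one operation, following the
    rules on this page. `subject` is the object acted on; `parent` is the folder
    or group it is created in, deleted from, added to or removed from."""
    k = subject.kind
    if op == "create_in_folder":          # also covers deleting from a folder
        return [cap("View " + k), cap("Manage " + k),
                right(top_node(parent.kind), "Read"),
                right(parent, "Read"), right(parent, "Write")]
    if op == "create_in_group":           # also covers deleting from a group
        g = parent.kind
        return [cap("View " + g), cap("Populate " + g),
                cap("View " + k), cap("Manage " + k),
                right(top_node(g), "Read"),
                right(parent, "Read"), right(parent, "Write"),
                right(subject, "Read"), right(subject, "Write")]
    if op == "modify":
        return [cap("View " + k), cap("Manage " + k),
                right(subject, "Read"), right(subject, "Write")]
    if op == "export":
        return [cap("View " + k), right(subject, "Read")]
    if op == "manage_security":
        return [cap("View Security Profile"), cap("Manage Security Profile"),
                cap("View Administrators"), cap("View " + k),
                right(subject, "Write")]
    if op == "add_to_folder":             # also covers removing from a folder
        return [cap("View " + k), cap("Manage " + k),
                right(top_node(parent.kind), "Read"),
                right(parent, "Read"), right(parent, "Write"),
                right(subject, "Read")]
    if op == "add_to_group":              # also covers removing from a group
        g = parent.kind
        return [cap("View " + g), cap("Populate " + g), cap("View " + k),
                right(top_node(g), "Read"),
                right(parent, "Read"), right(parent, "Write"),
                right(subject, "Read")]
    raise ValueError("unknown operation: " + op)


def missing(admin, op, subject, parent=None):
    """Return the requirements the administrator does NOT satisfy; an empty list means allowed."""
    gaps = []
    for req in requirements(op, subject, parent):
        if req[0] == "capability":
            if req[1] not in admin.capabilities:
                gaps.append(req)
        else:
            _, obj_name, name = req
            if name not in admin.rights.get(obj_name, set()):
                gaps.append(req)
    return gaps


# Constructed sample: an administrator holding exactly the permissions from the
# "add a device to a device group" example above, and nothing else.
DEVICE = Obj("Your Device", "Devices")
DEVICE_GROUP = Obj("Your Device Group", "Device Groups")
GROUP_ADMIN = Admin(
    name="group-admin",
    capabilities={"View Device Groups", "Populate Device Groups", "View Devices"},
    rights={
        "Device Groups top node": {"Read"},       # Write Deny is simply an absent "Write"
        "Your Device Group": {"Read", "Write"},
        "Your Device": {"Read"},
    },
)

if __name__ == "__main__":
    print(missing(GROUP_ADMIN, "add_to_group", DEVICE, DEVICE_GROUP))      # []
    print(missing(GROUP_ADMIN, "create_in_group", DEVICE, DEVICE_GROUP))   # Manage Devices, Write on the device
```

Run as a script, the first call shows that the example's permission set is sufficient to add the device to the group, and the second shows exactly what the same administrator still lacks to delete the device from the group: the Manage Devices capability and Write access on the device itself. Keeping the rule table in one place makes it easy to review an administrator's permission set against the least-privilege minimum before granting anything broader.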

Moving (cutting and pasting) an object

The cut and paste operation on an object is divided into two different actions: the cut action and the paste action, as cut objects, depending on their type, can be pasted under more than one parent object.

  • View and manage or populate (for device and user groups) capabilities on the object type
  • Read and write access on the old and new parent object, read access on the object to be cut and pasted.

Example

In this example we will cut the Your Operational Rule object from its current parent, the Your Operational Rules folder, and paste it under a new folder called Test Rules:

Capabilities:

  • View Operational Rules
  • Manage Operational Rules

Access Rights:

  • Read Allow, Write Deny on the Operational Rules top node
  • Read Allow and Write Allow on the objects Your Operational Rules and Test Rules, as well as Read Allow on the object Your Operational Rule

Duplicating (copying and pasting) an object

Like the cut and paste operation, copy and paste is also split into two actions. Only administrators, devices, users, and device and user groups can be copied from one location to another (be duplicated), as they can be members of more than one group. You can also duplicate members of folders, but in this case the pasted member must be given a new name.

  • View and manage or populate (for device and user groups) capabilities of the object type,
  • Read and write access on both the old and the new parent object, and read access on the object to be copied.

The duplicate operation on an object requires exactly the same capabilities and access rights as the copy and paste operation.

Example

For the following example we want to copy a device that belongs to a group called HQ Devices to another group called Servers:

Capabilities:

  • View Device Groups
  • Populate Device Groups
  • View Devices

Access Rights:

  • Read Allow, Write Deny on the Device Groups top node
  • Read Allow and Write Allow on the groups HQ Devices and Servers, as well as Read Allow on the device

Synchronize with a directory server

All groups, including administrator groups, can be synchronized with a directory server in Client Management. For this, the administrator needs the following capabilities and access rights:

  • View, manage and populate capabilities on device/user groups (parent), or view and manage capabilities on administrators (parent),
  • View capability on devices/users,
  • View and manage capabilities on directory servers (child),
  • Read and Write access on the device/user group (parent), or Read and Assign access on the administrator group (parent),
  • Read access on the administrators/devices/users, and
  • Read and Write access on the directory server (child) if it populates a device or user group, or Read and Assign access if it populates an administrator group.

Example 1

For the following example we synchronize our new device group called MyNewGroup with an existing directory server, called for example AllLabClients:

Capabilities:

  • View Device Groups
  • Manage Device Groups
  • Populate Device Groups
  • View Devices
  • View Directory Servers
  • Manage Directory Servers

Access Rights:

  • Read Allow, Write Deny on the Device Groups top node
  • Read Allow and Write Allow on the group MyNewGroup
  • Read Allow and Write Allow on the directory server AllLabClients
  • Read Allow on (some) clients of the directory server

The Manage capability and Write access to the group are necessary because the group name changes to the name of the directory server group as soon as it is synchronized with the server. The Manage capability for the devices is not required, because it is the system that creates the new objects added to the group. For the same reason you will not be able to see these new group members if you do not have at least Read access to the children of the synchronized group.

Example 2

For the following example we synchronize an administrator group called MyNewAdmins with an existing directory server, called for example AllLabAdmins:

Capabilities:

  • View Administrators
  • Manage Administrators
  • View Directory Servers
  • Manage Directory Servers

Access Rights:

  • Read Allow and Write Allow on the administrator group MyNewAdmins
  • Read Allow and Write Allow on the directory server AllLabAdmins
  • Read Allow on (some) administrators of the directory server

The Manage capability and Write access to the group are necessary because the group name changes to the name of the directory server group as soon as it is synchronized with the server.

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.