Understanding security operations and principles

The following list shows which capability and access types are needed for which basic operation. The capabilities and access rights listed are the minimum requirements to execute these operations, but, of course the administrator can have more extensive permissions than those. For example, when specified Write Access Deny , this means that no write access is necessary to execute this operation, but of course the administrator can be assigned write access to these objects anyway.

Groups are divided in two different types: those with and those without the capability populate. User and device groups have the additional capability populate. The capabilities for administrator groups are the same as for administrators, thus they do not have the capability populate. Administrator groups are treated not as groups but as folders, to learn about their basic operating principles see the explanations concerning folders in the following paragraphs.

Also, be aware, that to be able to assign or modify access rights for other administrators you also must be assigned the capability Manage Security.

The following topics are provided:

Creating or delete an object in a folder

When you want to create an object within a folder or delete one from a folder you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Write access on the object under which the new one is created.
    By default the administrator creating the new object has read/write/assign access on this new object.

Example

To create a new operational rule under a folder called Your Operational Rules or to delete it you need:

Capabilities

Access Rights

View Operational Rules

Read Allow, Write Deny on the Operational Rules top node,

Manage Operational Rules

Read Allow and Write Allow on the folder Your Operational Rules .

Creating or deleting an object in/from a group

To create an object within a group or to delete it from there you need the following capabilities and access rights:

  • View and populate capabilities on the group.
  • Write access on the object itself and its parent.

Example

To delete a device called Your Device from the group called AllYourDevices you need:

Capabilities

Access Rights

View Devices and Device Groups

Read Allow, Write Deny on the Device Groups top node,

Manage Devices

Read Allow and Write Allow on the group AllYourDevices and the device called Your Device .

Populate Device Groups

Modifying an object

To modify the attributes of an object you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Read and write access on the object.

Exporting an object

To export an object from the console you need the following capabilities and access rights:

  • View capability of the object type,
  • Read access on the object to be exported.

Importing an object

When you want to import an object you need the following capabilities and access rights:

  • View and manage capabilities of the object type,
  • Write access on the object under which the new one is imported (created).
    By default the administrator importing the object has read/write/assign access on this new object.

Managing access rights (security) of an object

To be able to modify the security profile of an object you need the following capabilities and access rights:

  • View and manage Security Profile capabilities,
  • View capability on administrators,
  • View capability on the object type,
  • Write access on the object for which the access rights are to be modified.

Example

To modify the access rights administrator France has on a specific device, the Master Server you need the following permissions:

Capabilities

Access Rights

View and Mange Security Profile

Read Allow, Write Deny on the Device Groups top node,

View Administrators

Read Allow and Write Allow on the group AllYourDevices and the device called Master Server .

View Devices

Adding or removing an object to/from a folder

To add an object to or remove an object from a folder you need the following capabilities and access rights:

  • View and manage capabilities on the object type,
  • Read and write access on the parent object to/from which the child object is to be added/removed and Read access on the child

Example

To add a query All Devices to an existing folder, General Queries you need:

Capabilities

Access Rights

View Queries

Read Allow, Write Deny on the Queries top node,

Manage Queries

Read Allow and Write Allow on the folder General Queries and Read Allow on the query All Devices .

Adding or removing an object to/from a group

To add an object to or remove it from a group you need the following capabilities and access rights:

  • View and populate capabilities on the group (parent object type), and view capability on the member (child object type),
  • Read and write access on the group (parent object) to/from which the member (child object) is to be added, and read access on the child.

Example

To add a device Your Device to an existing device group, Your Device Group you need:

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Populate Device Groups

Read Allow and Write Allow on the device group Your Device Group and

View Devices

Read Allow on the device Your Device .

Moving (cutting and pasting) an object

The cut and paste operation on an object is divided into two different actions: the cut action and the paste action, as cut objects, depending on their type, can be pasted under more than one parent object.

  • View and manage or populate (for device and user groups) capabilities on the object type
  • Read and write access on the old and new parent object, read access on the object to be cut and pasted.

Example

In this example we will cut the Your Operational Rule object from its current parent, the Your Operational Rules folder and paste it under a new folder called Test Rules :

Capabilities

Access Rights

View Operational Rules

Read Allow, Write Deny on the Operational Rules top node,

Manage Operational Rules

Read Allow and Write Allow on the objects Your Operational Rules and Test Rules, as well as Read Allow on the object Your Operational Rule.

Duplicating (copying and pasting) an object

Similar to the cut and paste operation the copy and paste also is split in two operations. Only administrators, devices, users and device and user groups can be copied from one location to another (be duplicated), as they can be members of more than one group. You can also duplicate members of folders, but in this case the pasted member must be given a new name.

  • View and manage or populate (for device and user groups) capabilities of the object type,
  • Read and write access on both, the old and new, and read access on the object to be copied,

A duplicating operation on an object requires the exact same permissions regarding capabilities and access rights as the copy and paste operation.

Example

For the following example we want to copy a device, which belongs to a group called HQ Devices to another group called Servers :

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Populate Device Groups

Read Allow and Write Allow on the groups HQ Devices and Servers ,

View Devices

as well as Read Allow on the device.

Synchronize with a directory server

All groups, including the administrator groups can be synchronized with a directory server in Client Management . For this administrator needs the following capabilities and access rights:

  • View, manage and populate capabilities on device/user groups (parent), or view and manage capabilities on administrators (parent),
  • View capability on devices/users,
  • View and manage capability on directory servers (child)
  • Read and Write access on the device/user group (parent), or Read and Assign access on the administrator group (parent)
  • Read access on the administrators/device/users and
  • Read and Write access on the directory server (child), if it populates a device or user group or Read and Assign access, if it populates an administrator group.

Example 1

For the following example we synchronize our new device group called MyNewGroup with an existing directory server, for example called AllLabClients :

Capabilities

Access Rights

View Device Groups

Read Allow, Write Deny on the Device Groups top node,

Manage Device Groups

Read Allow and Write Allow on the group MyNewGroup ,

Populate Device Groups

Read Allow and Write Allow on the directory server AllLabClients ,

View Devices

Read Allow on (some) clients of the directory server.

View Directory Servers

Manage Directory Servers

The Manage capability and Write access to the group are necessary, because the group name changes to the name of the directory server group as soon as it is synchronized with the server. The Manage capability for the devices is not required, because it is the system which will create the new objects that are added to the group. Therefore you will also not be able to see these new group members, if you do not have at least Read access to the children of the synchronized group.

Example 2

For the following example we synchronize an administrator group called MyNewAdmins with an existing directory server, for example called AllLabAdmins :

Capabilities

Access Rights

View Administrators

Read Allow and Write Allow on the administrator group MyNewAdmins ,

Manage Administrators

Read Allow and Write Allow on the directory server AllLabAdmins ,

View Directory Servers

Read Allow on (some) administrators of the directory server.

Manage Directory Servers

The Manage capability and Write access to the group are necessary, because the group name changes to the name of the directory server group as soon as it is synchronized with the server.

Related topics

Was this page helpful? Yes No Submitting... Thank you

Comments