Unsupported content

 

This version of the product is in limited support. However, the documentation is available for your convenience. You will not be able to leave comments.

Managing access dynamically

Access to the dynamic objects is assigned indirectly through other objects: a query, a device group, or a folder. The result is that when access is assigned, the dynamic objects to which the administrator has access might not always be the same.

Query

Through its target type and criteria, a query defines to which objects the administrator has access. These objects can change under the following conditions:

  • Modifications are made to the query itself, such as adding new criteria or modifying one, or
  • Changes happen to the environment of the query, which in this case means the target type of the query. For example, a new device that meets the criteria is added to the network.

For example, administrator admin1 is given access to the query French. This query finds all administrators that are located in France, for example, AdminParis, AdminLyon, and AdminNantes. A new administrator, AdminNice, joins the company at a new location and is added to the database. Because AdminNice's location is also in France, this administrator will be automatically added to the list of administrators admin1 has access to.

Device Group or Folder

When providing access via a device group or a folder, the administrator has access to all direct and indirect members of that group or folder. For example, the administrator admin is assigned the Group 1 device group as a dynamic object. This group has the following members: PC1, Group 2, and Group 3. admin now has access to PC1 (direct member) as well as all members of Group 2 and Group 3, that is, PC2 and PC3 (indirect members). admin will also automatically have access to all PCs that are added to either of these groups. If members are removed from one of these groups, admin will automatically lose access to the removed members.

The Dynamic Objects tab displays the following information about the dynamic objects to which the administrator is given access:

Parameter

Description

Members of

Displays the name of the object for which the right is assigned, for example, All Devices, All French Clients or Patch Job Reports.

Object Type

Displays the target type of the object. The possible values for this type are the main objects available in the BCM database, such as Administrators or Devices.

Via Administrator Group

Shows whether the access to the object is directly assigned to the administrator or is inherited through a group membership. The field is empty if the access is directly assigned; otherwise it contains the name of the group or groups from which the access was inherited.

Read Access

Contains one of the following values:

  • Allow to provide access
  • Deny to prevent access
  • Inherit to define access through group membership

Write Access

Contains one of the following options:

  • Allow to grant write access
  • Deny to prevent access

The administrator must have read access granted on the respective object to be able to be assigned write access.

Assign Access

Contains one of the following options:

  • Allow to grant write access
  • Deny to prevent access

The administrator must have read access granted on the respective object to be able to be assigned write access.

Direct Access Acknowledgement

Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Direct Access functionality. Possible values are:

  • Required: Acknowledgement is needed to access.
  • Not Required: Acknowledgement is not required.
  • Respect Windows permissions: Access rights to the local files and the Windows Registry are restricted to those of the local account.

Remote Control Acknowledgement

Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Remote Control functionality. Possible values are:

  • Required: Acknowledgement is needed to access.
  • Not Required: Acknowledgement is not required, with a specification of when it is not required: for an absent user, a closed session, or both.

Remote Control Session

Contains one of the following options:

  • Allow to provide access.
  • Deny to prevent access to a specific device of a group even if administrator has access to all other group members.
  • Inherit to provide access through group membership.
  • Required is the default access and applies only to devices.

Real User Rights

Shows whether the administrator is accessing the local files and Windows Registry of a device with the access rights of a system account or only those of the local account.

  • Yes limits access to a local account.
  • Empty or blank indicates access to the complete system.

This parameter applies only to devices.

To add the results of a query to the security profile

Any query can be added to the security profile of an administrator. In this case it is not the query in itself but the result of the query that defines to which objects the administrator has access.

Note

It is not necessary for the administrator to have read or write access assigned to the query through the query's Security tab.

  1. Click Edit > Add Results of Query.
    The Select Dynamic Objects dialog box appears on the screen. The list box displays the dynamic objects either in the hierarchy of all queries or as a list of all existing queries, depending on the icon you click in the left box.
  2. In the drop-down box Object Type select the type of the database object to add.
    This list is pre-filtered according to your licenses.

  3. You can also search for a specific query via the Search tab.
  4. Click OK to confirm the selections.
    The Properties dialog box appears to define the type of access for the queries.
  5. Select the respective radio buttons.
    The option Inherited is only of interest if you are defining this profile for an individual administrator instead of a group. In this case you can select this radio button if the access rights are to be inherited from the administrator group(s) the administrator belongs to. Check the option Respect Windows permissions when accessing files and the Registry in the Direct Access Acknowledgement panel if the access rights to the local files and the Windows Registry are to be restricted to those of the local account.

  6. Click OK to add the queries to the security profile.

To add the members of a device group to the security profile

Any device group can be added to the dynamic objects of an administrator's security profile. In this case it is, however, not the group in itself that is added but all its direct and indirect members on which the access rights are defined.

Note

It is not necessary for the administrator to have read or write access assigned to the device group through the group's Security tab.

  1. Click Edit > Add Members of Device Group.
    The Select Dynamic Objects dialog box appears on the screen. The list box displays the available groups either in the hierarchy of all groups or as a list of all existing groups, depending on the icon you click in the left box.
  2. Select the desired device group.
    You can also search for a specific group via the Search tab.

  3. Repeat this step until all device groups whose members are to be assigned to the administrator or administrator group are selected.
    Only select those groups for which the same type of access is to be defined.

  4. Click OK to confirm the selections.
    The Properties dialog box appears to define the type of access for the groups.
  5. Select the respective radio buttons and options.
    The option Inherited is only of interest if you are defining this profile for an individual administrator instead of a group. In this case you can select this radio button if the access rights are to be inherited from the administrator group(s) the administrator belongs to. As long as the administrator is not a member of a group, this option is interpreted as Deny. Check the option Respect Windows permissions when accessing files and the Registry in the Direct Access Acknowledgement panel if the access rights to the local files and the Windows Registry are to be restricted to those of the local account.

  6. Click OK to add the device groups to the security profile.
  7. Repeat the preceding steps to add more groups with different access rights until the access is defined for all required group members.
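
The group expansion and Inherit handling described in this procedure, as an added example that is not part of the original page and not BMC Client Management code: it expands a device group to its direct and indirect members, resolves Inherit (read as Deny when the administrator belongs to no group), and diffs two membership snapshots to show which devices an administrator gains or loses without any change to the security profile. The function names, PC4, the snapshots, and the rule that a Deny in any administrator group wins are assumptions.

```python
# Added illustration, not BMC Client Management code. Group names follow the
# page's Group 1 example; PC4, the snapshots and function names are constructed.
ALLOW, DENY, INHERIT = "Allow", "Deny", "Inherit"

def members(groups, root, seen=None):
    """All direct and indirect device members of a device group."""
    seen = set() if seen is None else seen
    if root in seen:            # guard against a group nested inside itself
        return set()
    seen.add(root)
    devices = set()
    for m in groups.get(root, []):
        if m in groups:         # nested group: recurse for indirect members
            devices |= members(groups, m, seen)
        else:                   # plain device: direct member
            devices.add(m)
    return devices

def resolve(setting, admin_group_settings):
    """Resolve a Read Access value for an individual administrator."""
    if setting != INHERIT:
        return setting
    if not admin_group_settings:
        return DENY             # page: Inherit without a group is read as Deny
    # Assumption (not stated on the page): any Deny among the groups wins.
    if DENY in admin_group_settings:
        return DENY
    return ALLOW if ALLOW in admin_group_settings else DENY

def readable(groups, root, setting, admin_group_settings=()):
    """Devices the administrator can read through one dynamic object."""
    if resolve(setting, admin_group_settings) != ALLOW:
        return set()
    return members(groups, root)

def drift(before, after, root, setting, admin_group_settings=()):
    """(gained, lost) devices between two membership snapshots."""
    old = readable(before, root, setting, admin_group_settings)
    new = readable(after, root, setting, admin_group_settings)
    return new - old, old - new

# Constructed snapshots: PC4 joins Group 2, PC3 leaves Group 3.
BEFORE = {"Group 1": ["PC1", "Group 2", "Group 3"],
          "Group 2": ["PC2"], "Group 3": ["PC3"]}
AFTER = {"Group 1": ["PC1", "Group 2", "Group 3"],
         "Group 2": ["PC2", "PC4"], "Group 3": []}

if __name__ == "__main__":
    print(sorted(members(BEFORE, "Group 1")))
    print(drift(BEFORE, AFTER, "Group 1", ALLOW))
    print(readable(AFTER, "Group 1", INHERIT))
```

Running the diff on periodic exports of group membership gives a reviewable record of access changes that never appear as edits to the security profile itself.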

To add the members of a folder to the security profile

Any folder can be added to the dynamic objects of an administrator's security profile. In this case it is, however, not the folder in itself that is added but all its direct and indirect members on which the access rights are defined.

Notes

  • It is not necessary for the administrator to have read or write access assigned to the folder through the folder's Security tab.
  • The term folder that is used in this context refers to all BMC Client Management database objects with the exception of device groups, for which specific access types must be defined.

  1. Click Edit > Add Members of Folder.
    The Select Dynamic Objects dialog box appears on the screen. The list box displays the dynamic objects either in the hierarchy of all folders or as a list of all existing folders, depending on the icon you click in the left box.
  2. In the drop-down box Object Type select the type of the database object to add.
    This list is pre-filtered according to your licenses.

  3. You can also search for a specific folder via the Search tab.
  4. Click OK to confirm the selections.
    The Properties dialog box appears to define the type of access for the folders.
  5. Select the respective radio buttons.
  6. Click OK to add the folders to the security profile.

To modify the access rights of a dynamic object

  1. Select the dynamic object for which the access is to be modified in the table in the right window pane.
  2. Click Edit > Properties.
    The Properties dialog box appears.
  3. Select the radio buttons for the desired type of access.
  4. Click OK to confirm the modifications and to close the window.

To remove a dynamic object

When you remove a dynamic object from this list, the administrator will no longer be able to access any of the database objects to which this object gave access, nor any of their children. To remove a dynamic object from the security profile, proceed as follows:

  1. Select the dynamic object to be removed from the list of security objects in the right window pane.
  2. Select Edit > Remove Query.
    A confirmation window appears.
  3. Click OK to confirm the removal.
