Managing administrator access through security profiles
The Security Profile node lets you define a specific security profile for each administrator and administrator group in the database. The profile specifies the capabilities of the administrator/administrator group with regard to the different CM objects, which of the individual objects the administrator/administrator group can access, and with which type of access. The type of access is Allow, Deny or Inherit for the base access types, and Required, Not Required, Inherit or Deny for access requiring system credentials:
Parameter | Description |
---|---|
Read Access | Read access gives an administrator/administrator group the right to display the object in the console. Without read access assigned, write or assign access cannot be granted. Contains one of the following options: |
Write Access | This access type allows the administrator/administrator group to manipulate the respective object, for example to create children, modify it or delete it. The administrator must have read access granted on the respective object before write access can be assigned. Contains one of the following options: |
Assign Access | The assign access type makes it possible to assign the respective object to another object, such as a transfer window to a device. Only those database objects that have the assign capability are concerned by this right, such as operational rules, packages and transfer windows. It is irrelevant for all other database objects. This type of access is only important for objects that also have Assign Access capability. If the object does not have Assign Access, the user will not have Assign Access either, regardless of this setting. The database objects affected by this parameter are operational rules, packages, and transfer windows. Contains one of the following options: |
Direct Access Acknowledgement | Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Direct Access functionality. Possible values are: |
Remote Control Acknowledgement | Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Remote Control functionality. Possible values are: |
Remote Control Session | Contains one of the following options: |
Real User Rights | Shows whether the administrator is accessing the local files and Windows Registry of a device with the access rights of a system account or only those of the local account. This parameter applies only to devices. |
When assigning access rights to database objects, you must differentiate between static and dynamic objects:
Parameter | Description |
---|---|
Static Objects | All objects in the database are static objects. Static in this case means that the access is assigned to the object itself, for viewing, modification or assignment, and this access always remains as defined until it is modified manually. For more information, see Managing static objects of a security profile. |
Dynamic Objects | Access to a dynamic object means access not to the object itself, but to its "result". The result might change, either when modifications are made to the object as a static object or through changes in the environment the object applies to. All dynamic objects are at the same time static and dynamic, because they must also be accessible "directly" to be editable themselves. For more information, see Managing access dynamically. |
Be aware that for any of these access rights to take effect, an administrator/administrator group must also have the respective capabilities assigned; otherwise they still cannot view or manipulate the object in any way.
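For an access review, the rules above can be combined into one effective-access calculation. The following is an added example, not code from the product: the `Node` model, the per-object-type capability set, and the way Inherit is resolved (nearest ancestor's explicit value, Deny if none) are assumptions, since this page does not define them.

```python
from dataclasses import dataclass
from typing import Optional

# Object types this page names as having the assign capability.
ASSIGNABLE_TYPES = {"operational rule", "package", "transfer window"}

@dataclass
class Node:
    """One object as seen in a single administrator's profile (constructed model)."""
    name: str
    obj_type: str
    read: str = "Inherit"      # Allow | Deny | Inherit
    write: str = "Inherit"
    assign: str = "Inherit"
    parent: Optional["Node"] = None

def resolve(node, access):
    """Assumption: Inherit takes the nearest ancestor's explicit value; none found means Deny."""
    while node is not None:
        value = getattr(node, access)
        if value != "Inherit":
            return value
        node = node.parent
    return "Deny"

def effective_access(node, capabilities):
    """Return the access types the administrator can actually exercise on node.

    capabilities: object types for which the administrator holds the capability
    (assumed granularity; the page only says the capability must be assigned).
    """
    if node.obj_type not in capabilities:
        return set()                       # no capability: access rights have no effect
    if resolve(node, "read") != "Allow":
        return set()                       # write and assign both depend on read
    granted = {"read"}
    if resolve(node, "write") == "Allow":
        granted.add("write")
    if node.obj_type in ASSIGNABLE_TYPES and resolve(node, "assign") == "Allow":
        granted.add("assign")              # ignored for types without assign capability
    return granted

# Constructed sample objects for one administrator.
root = Node("Packages", "package", read="Allow", write="Deny", assign="Allow")
pkg = Node("Office update", "package", write="Allow", parent=root)
device = Node("Lab PC", "device", read="Allow", assign="Allow")
hidden = Node("Finance rule", "operational rule", read="Deny", write="Allow", assign="Allow")
```

Running this over every object in a profile shows entries that look permissive but grant nothing (such as `hidden`), and child objects that override a parent's Deny (such as `pkg`).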