Security profiles

The Security Profile node lets you define a specific security profile for each administrator and administrator group in the database. This profile specifies the capabilities of the administrator/administrator group with regard to the different CM objects, which of the individual objects the administrator/administrator group can access, and with which type of access.

Parameter

Description

Read Access

Read access provides an administrator/administrator group with the respective rights to display the object in the console. Without read access assigned, write or assign access cannot be granted.

Write Access

This access type allows the administrator/administrator group to manipulate the respective object, for example to create children, or to modify or delete it.

Assign Access

The Assign access type makes it possible to assign the respective object to another object, such as a transfer window to a device. This right concerns only those database objects that have the assign capability, such as operational rules, packages and transfer windows. It is obsolete for all other database objects.

Direct Access Acknowledgement

This access type makes it possible to request system credentials when a device is accessed remotely via the Direct Access functionality. The default access is Required. This type of access applies only to devices.

Remote Control Acknowledgement

This access type makes it possible to request system credentials when a device is accessed remotely via the Remote Control functionality. The default access is Required. This type of access applies only to devices.

These types of access can be either Allow, Deny or Inherit for the base access types, or Required, Not Required, Inherit or Deny for access requiring system credentials:

Parameter

Description

Allow

This value allows the specified access type. Be aware, however, that if access to an object is allowed for one group and denied for another group that the administrator is also a member of, the access will be denied, because Deny is stronger than Allow.

Deny

This value denies the type of access. It is the strongest value and will prevail in cases of conflict.

Required

This value defines that any user trying to access the device remotely must provide system credentials.

Not Required

This value defines that the device can be remotely accessed without credentials. In this case, the following two specific situations must be defined additionally. If both options are activated, no system credentials are ever required.

  • If User Absent: If this check box is not selected, credentials must be provided if the user is absent.
  • If Session is Closed: If this check box is not selected, credentials must be provided if the session is closed.

Inherit

This value is neutral and can be overridden by any other definition. If this setting is specified for an administrator for a specific object access, and the same access is allowed for the group the administrator is a member of, the administrator inherits the permission to access. The same applies to denying access.

Respect Windows permissions when accessing files and the Registry

This check box applies only to Direct Access Acknowledgement of devices. It defines whether the access rights to the local files and the Windows Registry are to be restricted to those of the local account.

When assigning access rights to the database objects you must differentiate between static and dynamic objects:

Parameter

Description

Static Objects

All objects in the database are static objects. Static in this case means that the access is assigned to the object itself, for reasons of viewing, modification or assignment, and this access will always remain as defined until it is modified manually.

Dynamic Objects

Access to a dynamic object means access not to the object itself, but to its "result", whereby the result might change, either when modifications are made to the object as a static object or through changes in the environment the object applies to. All dynamic objects are at the same time static and dynamic, because they must also be accessible "directly" to be editable themselves.

Be aware that to be able to apply any of these access rights, an administrator/administrator group must also have the respective capabilities assigned, otherwise they will still not be able to view or manipulate the object in any way.
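The following added example (not part of the product or its documentation) models how the base access values described above combine for an administrator who belongs to several groups, which is useful when auditing effective permissions. The function and variable names are hypothetical, the capability check is simplified to one flag, and an access type that remains Inherit everywhere is assumed to be not granted.

```python
from enum import Enum

class Access(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    INHERIT = "Inherit"

def resolve(values):
    """Combine the settings for one access type from the administrator and all groups."""
    values = list(values)
    if Access.DENY in values:      # Deny is the strongest value and prevails
        return Access.DENY
    if Access.ALLOW in values:     # Inherit is neutral, so any Allow overrides it
        return Access.ALLOW
    return Access.INHERIT          # nothing explicit was defined anywhere

def effective_access(own, groups, has_capability=True):
    """own: {access type: Access}; groups: list of such dicts.
    Returns {access type: bool} for read, write and assign on one object."""
    result = {}
    for kind in ("read", "write", "assign"):
        settings = [own.get(kind, Access.INHERIT)]
        settings += [g.get(kind, Access.INHERIT) for g in groups]
        # Assumption: an access type that stays Inherit everywhere is not granted.
        result[kind] = resolve(settings) is Access.ALLOW
    # Without read access, write or assign access cannot be granted.
    if not result["read"]:
        result["write"] = result["assign"] = False
    # Without the respective capability, no access right takes effect.
    if not has_capability:
        result = {kind: False for kind in result}
    return result

# Constructed sample profiles for one object (not taken from a real database).
admin = {"read": Access.INHERIT, "write": Access.ALLOW, "assign": Access.INHERIT}
helpdesk = {"read": Access.ALLOW, "write": Access.ALLOW, "assign": Access.ALLOW}
auditors = {"read": Access.ALLOW, "write": Access.DENY}

if __name__ == "__main__":
    # Write is denied by the auditors group even though the administrator's own
    # profile and the helpdesk group both allow it.
    print(effective_access(admin, [helpdesk, auditors]))
```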
