Space banner

   

TEST - please delete me.

Managing administrator access through security profiles

The Security Profile node provides the possibility to define a specific security profile for each administrator and administrator group in the database. This profile specifies the capabilities of the administrator/administrator group with regards to the different CM objects and to which of the individual objects the administrator/administrator group has access and which type of access. The types of access can either be AllowDeny or Inherit for the base access types or RequiredNot RequiredInherit or Deny for access requiring system credentials:


Parameter

Description

Read Access

Read access provides an administrator/administrator group with the respective rights to display the object in the console. Without read access assigned, write or assign access cannot be granted.

Contains one of the following options:

  • Allow to grant read access.
  • Deny to prevent access, in which case the administrator cannot see the object nor any of its children in the console.

Write Access

This access type allows the administrator/administrator group to manipulate the respective object, such as create children, modify or delete it.

Contains one of the following options:

  • Allow to grant write access.
  • Deny to prevent access.

The administrator must have read access granted on the respective object to be able to be assigned write access.

Assign Access

The access type assign provides the possibility to assign the respective object to another object, such as a transfer window to a device. Only those database objects that contain the assign capability are concerned by this right, such as operational rules, packages and transfer windows. It is obsolete for all other database objects.

Contains one of the following options:

  • Allow to grant assign access.
  • Deny to prevent access.

This type of access is only important for objects that also have Assign Access capability. If the object does not have Assign Access, the user will not have Assign Access either, regardless of this setting.

The database objects affected by this parameter are operational rules, packages, and transfer windows.

Direct Access Acknowledgement

Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Direct Access functionality. Possible values are:

  • Required: Acknowledgement is needed to access.
  • Not Required: Acknowledgement is not required.
  • Respect Windows permissions: Access rights to the local files and the Windows Registry are restricted to those of the local account.

Remote Control Acknowledgement

Defines whether an acknowledgment by the end user is required when the end user is trying to access a device remotely via the Remote Control functionality. Possible values are:

  • Required: Acknowledgement is needed to access.
  • Not Required: Acknowledgement is not required with the specification on when they are not required, for an absent user, a closed session, or both.
Remote Control Session

Contains one of the following options:

  • Allow to provide access.
  • Deny to prevent access to a specific device of a group even if administrator has access to all other group members.
  • Inherit to provide access through group membership.
  • Required is the default access and applies only to devices.

Real User Rights

Shows whether the administrator is accessing the local files and Windows Registry of a device with the access rights to a system account or only those of the local account.

  • Yes limits access to a local account.
  • Empty or blank indicates access to the complete system.

This parameter applies only to devices.

When assigning access rights to the database objects you must differentiate between static and dynamic objects:

Parameter

Description

Static Objects

All objects in the database are static objects. Static in this case means that the access is assigned to the object itself, for reasons of viewing, modification or assignment, and this access will always remain as defined until it is modified manually. For more information, see Managing static objects of a security profile.

Dynamic Objects

Access to a dynamic object means access not to the object itself, but to its "result", whereby the result might change, either when modifications made to the object as a static object or through changes in the environment the object applies to. All dynamic objects are at the same time static and dynamic, because they must be accessible "directly" to be editable themselves as well. For more information, see Managing access dynamically.

Be aware that to be able to apply any of these access rights, an administrator/administrator group must also have the respective capabilities assigned, otherwise they will still not be able to view or manipulate the object in any way.

Was this page helpful? Yes No Submitting... Thank you

Comments