Setting up access by using the Security Profile Wizard
The Security Profile Wizard guides you through the creation, definition and scheduling of new administrators or administrator groups.
The wizard is available directly on the main Wizards menu from anywhere in the console, and in the specific functionalities of the Administrators and Administrator Groups.
To create administrators or groups with the maximum possible access rights and capabilities, you should preferably be logged on as an administrator with super admin rights yourself.
At the bottom of the last page of the wizard you will always find an option that moves the focus of the console to the newly created object. Check this box if you want to do so. This option is not explained in the individual windows.
To define the security profile to create
In this first wizard window, Security Group Type, you must define which type of profile you want to create. You can either let the system automatically create and synchronize a new group that has all the necessary capabilities and access rights to execute most of the daily tasks, as shown in the wizard window, or you can create an administrator with the same type of rights. You can also create either an administrator or a group and custom configure its profile.
- Under the first question, What do you want to create?, define which type of object you want to create by selecting the corresponding radio button either for the administrator or the administrator group. If you are creating a group, it is by default marked as being synchronized with a directory server. If you do not want to populate the group in this way clear the From Directory Server box.
Under the question What do you want to create?, define whether you want to let CM automatically create a full administrator or group, or whether you want to configure the object's profile yourself, by selecting the corresponding radio button.
Be aware that any administrator or group that you create with the automatic configuration cannot have more rights than the administrator account with which you are currently logged on. This means that, even though the explanation says that the new administrator can create, edit and delete all objects, he will not be able to create, modify and delete operational rules, for example, if you do not have these capabilities. Neither will you be able to assign these capabilities to him via the manual configuration.
- If you are using the automatic creation for all options click Finish now.
The wizard closes and the new administrator or group is immediately created with the maximum rights possible.
If you are configuring at least part of the options or synchronizing the group with an active directory server click Next to continue with the configuration.
Make sure you have made the correct selections in this window, because once you have clicked the Next button you cannot come back to it. If you want to change your selection you must cancel the wizard and start again.
To define the new administrator properties
In this wizard window, Create Administrator, you can define specific properties of the new administrator.
- Enter the login name with which the new administrator is to log on to the console into the Login box.
(Optional) Enter the following information
| Field | Description |
|---|---|
| First Name | Enter the first name of the new administrator. |
| Last Name | Enter the family name of the new administrator. |
| Office Phone | Enter the office phone number of the new administrator. |
| Home Phone | Enter the home phone number of the new administrator, if available. |
| Mobile Phone | Enter the mobile phone number of the new administrator, if available. |
| | Enter the email address of the new administrator. |
| Company | Enter the company name the new administrator works for. |
| Department | Enter the department name or ID in which the new administrator works. |
| Title | Enter the job title of the new administrator. |
| Employee ID | Enter the employee ID of the new administrator. |
| Location | Enter the office or town or country in which the new administrator is based. |
| Account Enabled | Clear this box if the administrator should only be created but not yet activated. In this case the administrator will be created but he cannot yet log on to the console and the database. In this case the icon of the administrator will appear dimmed in the console. |
| Locked Account | If the administrator account is locked, the Locked Account check box is selected. If the BCM administrator has the permission, they can unlock the account. The account is unlocked after the period defined in the Account Automatically Unlocked system variable after the first successful login. For more information, see Security settings. |
| Modify Personal Information | If the new administrator should be able to modify part of the personal data of his account, such as the optional items above, even though he does not have write access to his account, check the Modify Personal Information box. |
| Notes | Enter some additional explanation into the Notes box. |
- (Optional) If you do not want the focus of the console to move to the newly created administrator, clear the Go to the new administrator after clicking the Finish button box.
- If you are using the automatic creation for this administrator click Finish now.
The wizard closes and the new administrator is immediately created with the maximum rights possible.
- If you are configuring at least part of the options click Next to continue with the configuration.
To define the new administrator group properties
In this wizard window, Create Administrator Group, you can define specific properties of the new administrator group.
Enter the name for the new group into the Name box.
If you are synchronizing the new group with a directory server this text box is dimmed, as the name of the group is automatically updated with the name of the selected OU.
- (Optional) Enter some additional explanation into the Notes box.
- If you are using the automatic creation for this administrator group without synchronization click Finish now.
The wizard closes and the new administrator group is immediately created with the maximum rights possible.
- For synchronization you need to enter the DN entry of the directory server with which to synchronize into the Group Entry DN box. Click Select a Directory Server.
The Select a Directory Server window appears.
The dialog box lists all available directory servers with their organizational units (all available user groups).
- If the directory server you want to synchronize with is not displayed in this list, that is, it has not yet been created in CM, you can directly create it from here as follows:
- Click the Create and connect to a new directory server button.
The Properties dialog box appears on the screen.
- Enter the required information into the respective boxes (see topic Creating a Directory Server for more information).
- Click OK to confirm the new directory server.
The window closes and the new directory server is added to the list of available servers in the Select a Directory Server dialog box.
- Select an entry from the list. You can either select the directory server itself or one of its children. You have the following options:
- (Optional) Select a directory server root and then check the box Synchronize All Administrators to synchronize all administrators of this active directory server.
- Select an OU of a listed server to synchronize all administrators below this OU, including all those of existing sub-OUs.
(Optional) Check the Include Users with Specific Primary Group box to include all users for which the default primary group was modified.
Be aware that this type of synchronization does not recreate the directory structure of the OUs in CM. It imports all administrators in a flat list into the new group (contrary to the other types of groups in CM, administrator groups cannot have subgroups).
- Click OK to confirm.
The Properties window appears.
- Select the authentication type from the Authentication list and the login type from the Login Type list.
- Click OK.
The window closes and the group name above is automatically updated to the name of the selected OU of the server.
- Click Next.
To define the capabilities of a new administrator or administrator group
The Capabilities step provides the list of available capabilities, which are grouped by their functionality type. These capabilities define which of the CM functionalities administrators and administrator groups can access in the console. A granted access is indicated by a green check symbol, refused access by a red symbol, and granted access that is inherited via a group the administrator is a member of by a separate symbol.
Be aware that when an administrator is assigned a capability twice, once directly and once via a group, the group capability "overwrites" the individual one.
To assign the new administrator or group a specific capability mark the respective check box.
Checking the Manage capability automatically also checks the View capability.
For more information about the individual capabilities and what type of access they provide see topic The Capabilities node of Security Profiles.
- (Optional) Click Select All Capabilities to assign the new object all available capabilities.
- Click Next.
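The capability rules above, together with the earlier rule that a new profile cannot have more rights than the account creating it, can be modelled as follows. This is an added example, not BMC code: the capability names, the `(functionality, level)` layout, a single group per administrator, and reading "overwrites" as "the group's setting wins wherever the group sets that capability" are all assumptions.

```python
# Added model of the capability rules described on this page; not BMC code.
# Capability names and the (functionality, level) -> bool layout are assumptions.

def with_implied_view(caps):
    """Checking Manage for a functionality also checks its View capability."""
    out = dict(caps)
    for (area, level), granted in caps.items():
        if level == "Manage" and granted:
            out[(area, "View")] = True
    return out

def cap_to_creator(requested, creator):
    """Apply the ceiling: a new profile cannot exceed the creating account.

    Returns (assigned, rejected): the capabilities actually stored and the
    requested grants the creator does not hold and so cannot hand out.
    Assumption: an implied View is kept when the creator holds that View.
    """
    requested, creator = with_implied_view(requested), with_implied_view(creator)
    assigned, rejected = {}, []
    for cap, granted in requested.items():
        allowed = granted and creator.get(cap, False)
        assigned[cap] = allowed
        if granted and not allowed:
            rejected.append(cap)
    return assigned, sorted(rejected)

def effective(direct, group):
    """Where both set a capability, the group's setting overwrites the direct one."""
    merged = {**direct, **group}
    granted = {cap for cap, ok in merged.items() if ok}
    source = {cap: ("group" if cap in group else "direct") for cap in merged}
    return granted, source

# Constructed sample: the creator may view but not manage operational rules.
CREATOR = {("Inventory", "Manage"): True, ("Operational Rules", "View"): True}
REQUESTED = {("Inventory", "Manage"): True, ("Operational Rules", "Manage"): True}
GROUP = {("Inventory", "Manage"): False}  # group refuses what was granted directly

if __name__ == "__main__":
    assigned, rejected = cap_to_creator(REQUESTED, CREATOR)
    granted, source = effective(assigned, GROUP)
    print("not assignable by this creator:", rejected)
    print("effective capabilities:", sorted(granted))
    print("decided by:", source[("Inventory", "Manage")])
```

When reviewing an administrator's rights, check the group's capabilities first: under this reading a direct grant can be silently overridden by the group.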
To define the access via static or dynamic objects
This window enables defining which of all existing database object types and objects an administrator is to be able to access and in which way. Be aware that to access an individual object the administrator must be assigned at least read access to the respective top node. For example, the administrator must have at least view access to the Reports top node to access a specific report.
By default this tab will always contain one entry, the respective administrator himself. When an administrator is created he will automatically be added here to provide him with the possibility to check his access rights. The default access defined at creation time is Read access allowed, any other access denied.
When adding objects to the security profile, be careful to always include the complete hierarchy to the target object including the object’s top node, otherwise the administrators might still not be able to access the object.
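The hierarchy rule above can be checked mechanically before a profile is handed over. The following audit is an added example, not BMC code: the "/"-separated paths, the object names and the `read`/`write` labels are assumptions, and the sample profile is constructed.

```python
# Added audit sketch for the hierarchy rule above; not BMC code.
# The "/"-separated paths, object names and access labels are assumptions.

def hierarchy(path):
    """Every node above an object, starting with its top node."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def audit_profile(profile):
    """Map each object to the hierarchy nodes that block access to it.

    profile maps an object path to the set of access types allowed on it.
    An object is reachable only if every node above it, top node included,
    is in the profile with at least read access.
    """
    findings = {}
    for obj, access in profile.items():
        if not access:
            continue  # nothing granted on the object itself, nothing to reach
        gaps = [node for node in hierarchy(obj)
                if "read" not in profile.get(node, set())]
        if gaps:
            findings[obj] = gaps
    return findings

def entries_to_add(profile):
    """Read-only entries that would close every gap found by the audit."""
    return sorted({n for gaps in audit_profile(profile).values() for n in gaps})

# Constructed sample profile.
PROFILE = {
    "Reports": {"read"},
    "Reports/Compliance": {"read"},
    "Reports/Compliance/Patch Status": {"read"},    # complete hierarchy
    "Device Groups": {"read"},
    "Device Groups/Servers/DMZ": {"read", "write"},  # middle node missing
    "Operational Rules": set(),                      # top node listed, access denied
    "Operational Rules/Reboot Policy": {"read"},
}

if __name__ == "__main__":
    for obj, gaps in audit_profile(PROFILE).items():
        print(f"{obj}: add read access on {', '.join(gaps)}")
```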
To add a database object, proceed as follows:
- Click Add Object
The Select Static Objects dialog box appears on the screen.
In the drop-down box Object Type select the type of the database object to add.
This list is pre-filtered according to your licenses.
- The box to the left will now display the options in the form of icons, according to which you can select static objects, that is, you can choose between Hierarchy, All and Search. For devices and groups you also have the option Topology. If you selected the option Top Nodes, the field displays the complete list of all top nodes available in the console, so they can be added directly.
The contents of the following Available Objects list box will change to display the list of all objects of this type.
- Select one or more objects from this window, or search for specific objects through the Search tab.
- Click Add to move the selected objects to the Selected Objects box.
The Properties dialog box appears to define the type of access for the selected objects.
Select the respective radio buttons and then click OK.
Check the option Respect Windows permissions when accessing files and the Registry in the Direct Access Acknowledgement panel if the access rights to the local files and the Windows Registry are to be restricted to those of the local account.
This option is only applicable to devices.
The objects will be added to the Selected Objects box in which they will be listed with their name and their type.
If you would like to add objects of another type as well, repeat the preceding steps.
Click OK to add all selected objects to the list of security objects of the security profile.
For information on defining the access via dynamic access, see Managing access dynamically.
To synchronize an administrator group with the directory server
It is possible to only synchronize the group once initially, but you can also schedule regular synchronizations at specific times.
- Select from the first list, When do you want this group to be synchronized with the directory server?, when you want to schedule the synchronization.
Depending on your choice, the window content below this box changes.
- Define the synchronization schedule by selecting the desired values from the boxes below.
Depending on the choices you make, the window content below changes.
The text in blue on top of the window updates with the selections and changes you make and explains the scheduling choices you made in more detailed form.
- Check the Run a first synchronization immediately box if you want to run a first synchronization right now, before the defined schedule is applied.
- Click Finish when your schedule is defined.
The wizard closes, the synchronization information is sent and is then executed according to the defined schedule.
If you are synchronizing immediately you can follow the synchronization process on the Members tab of the new group as it populates.