Defining the security access for administrators

The Device Topology node is not an object in the database and as such does not have a specific Security tab defining its accessibility and it cannot be included in the Security Profile either. It will thus always be part of the directory tree of every administrator, even if some of them cannot see anything under the top node. To view devices under this node:

• The administrator has at least the View Devices capability. The administrator must have at least read access to the devices. Be aware that he needs read access to the complete hierarchy to these devices, that is, to the master as well as all the relay hierarchy under which the devices are located.

To provide your administrator with read access to all devices in the system in the Device Topology node, the following steps must be executed.

To create query

For the first step, how to create a query. For more information, see Managing queries. The query All Devices was imported with the predefined objects.

To define the security access

The action which remains to be done is to create the appropriate access rights for the administrator to be able to see them in the topology.

1. Connect as the superadministrator admin to the console.
2. Go to the administrator's node, and select its Security Profile node.
   The Capabilities tab will be displayed.
3. Select a row in the table and then click Edit> Properties  .
   The Properties dialog box appears.
4. Check at least the View capability for devices, then click the OK button to confirm.
5. Select the Dynamic Objects tab.
6. Click Edit> Add Results of Query  .
   The Select Dynamic Objects dialog box appears, displaying all queries.
7. Select again the All Devices query from the list.

8. In the Properties dialog box leave the Allow radio button for Read , Write and Assign Access selected.
   Remember here you are not assigning access to the query itself, but to its result, that is, the devices it will collect.

9. Click OK to add the object and close the dialog box.

To verify the assignment and access rights

Now to check if everything works as intended proceed as follows:

1. Log off the console.
2. Re-logon to the console as the new administrator.
   When the console opens on your screen, you should see at least the following top nodes, depending on which capabilities you assigned additionally:
   
   • Search
   • Global Settings
   • Device Topology
3. Now select the Device Topology node.
4. In its Members tab you can see the same list of devices as in the group.
5. If you select the Graph tab, you will see all your devices in the form of the graph.

Having executed all these operations your administrator can see all managed devices in your system. However, this complete view can be limited by removing access to all devices which he is not supposed to see. This can be done via the query through more restrictive criteria.

• View Administrators
• View Security
• Manage Security
• View Object Type
• Manage Object Type

Access Rights

• Read and write access on the object itself.

It is strongly recommended to not provide the general administrators with the possibility to modify their security settings, only the superadministrator should have this option. If administrators can modify their own settings they might gain access to objects, to which they should not.