Managing roles and access restrictions
You can use roles to apply sets of restrictions to users according to their group memberships. This structure enables users to interact with the system at their level of authority but restricts them from interactions that fall outside of their authority. Users can belong to more than one group.
Roles are associated with LDAP and Microsoft Active Directory (MSAD) groups. You apply roles to a group, whose users are then subject to the roles. When creating roles, remember that they are "positively additive." That is, if a user is associated with one role that has the authority to perform an interaction but also is associated with another role that prohibits the interaction, the role granting the authority takes precedence over the role prohibiting the authority.
You can also assign optional roles to existing users. When users turn on an optional role, they gain the authority granted by that optional role.
To add a new role
- Click the System tab.
- In the left menu, click Roles.
- After the list of existing roles, click New Role.
- Enter an appropriate name for the role.
- Select the groups to which the role will apply.
- Select the access restrictions that will apply to the role.
- Click Create.
To assign a role to a user
- Open the role that you want to assign to the user:
  - In the System tab, click Roles.
  - Click the role name to open the role for editing.
    The Summary tab opens automatically.
- In the Group area, type the name of the user who should have this role, and then click Update.
- Log on as the specified user.
To add an optional role
- Click the System tab.
- In the left menu, click Roles.
- After the list of existing roles, click New Role.
- Enter the name of the existing role that you want to make optional for the selected users.
- In the Groups field, specify the users to which the optional role will apply.
  Enter each user on a new line, and precede with a minus sign ("-") each user to whom you want to assign the role as optional.
- Click Create.
To enable an optional role
- Log in as the user to whom you assigned the optional role.
- Click the name of the user in the upper right corner of the application interface.
- Click the Optional Roles tab.
- Enable the optional role by changing the Off status to On.
When you finish the activities that require the optional role, turn the optional role off to resume your default role. To do so, under the Optional Roles tab, change the status of the role back to Off.
To modify access restrictions for a role
The access restrictions associated with a role identify which interactions the role cannot perform.
- Click the System tab.
- In the left menu, click Roles.
- Locate the role to modify, and in the associated Actions menu on the right, click Access.
- To specify the restrictions that you want for this role, select or clear check boxes as necessary.
The changes are automatically saved.
After roles are fully defined, you manage roles for individual users within their LDAP or MSAD group memberships.
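The following Python sketch is an added example, not code from the product: it models the "positively additive" rule, the per-role access restrictions, and the "-" optional-user syntax described above, so you can audit which interactions stay blocked for a user. Role, group, user and interaction names are constructed, and keeping regular and optional entries in a single Groups field is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    groups_field: str        # Groups field text, one group or user per line
    restrictions: frozenset  # interactions this role cannot perform

def parse_groups_field(text):
    """Return (regular, optional) entries; a leading "-" marks an optional user."""
    regular, optional = set(), set()
    for line in text.splitlines():
        entry = line.strip()
        if entry.startswith("-"):
            optional.add(entry[1:].strip())
        elif entry:
            regular.add(entry)
    return regular, optional

def active_roles(roles, user, groups, turned_on=()):
    """Roles in force: regular assignments plus optional roles switched On."""
    principals = set(groups) | {user}
    active = []
    for role in roles:
        regular, optional = parse_groups_field(role.groups_field)
        if regular & principals or (user in optional and role.name in turned_on):
            active.append(role)
    return active

def effective_restrictions(roles, user, groups, turned_on=()):
    """Positively additive: blocked only if every active role restricts it."""
    active = active_roles(roles, user, groups, turned_on)
    if not active:
        return None  # the page does not define the no-role case
    return frozenset.intersection(*(r.restrictions for r in active))

# Constructed sample data (names are not from the product).
ROLES = [
    Role("Operator", "ops-group", frozenset({"deploy_job", "edit_server", "delete_server"})),
    Role("Deployer", "release-group\n-alice", frozenset({"delete_server"})),
]

if __name__ == "__main__":
    print(sorted(effective_restrictions(ROLES, "alice", ["ops-group"])))
    print(sorted(effective_restrictions(ROLES, "alice", ["ops-group"], {"Deployer"})))
    print(sorted(effective_restrictions(ROLES, "bob", ["ops-group", "release-group"])))
```

Because a restriction holds only when every role in force carries it, the least restrictive role in any of a user's groups determines what that user can do.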