Security Considerations
Before you start creating administrators and groups, sketch your system and the people administrating it, and establish a list of all tasks to be executed and by whom. This lets you define which administrators and groups to create and which capabilities and access rights to assign to them.
Take the following considerations into account when defining each administrator's access rights to the objects:
Capabilities
- Which object types is the administrator or group concerned with?
- Which other objects are implicated through the original object? For example, when you create or modify queries, do you also need to be able to see the queries' object type?
- Which operations is the administrator or group to execute on the object type: only see it, or be able to do something with it, such as creating new objects of this type, modifying or deleting existing ones, assigning them to objects of other types, etc.?
Access Rights
- Which top nodes does the administrator need access to? Is it easier to provide access via a group and then populate it accordingly?
- For which object types is it necessary to create queries to make sure any newly created objects of the type will be accessible by administrators through the dynamic objects?
- To which other object types do you need at least read access? For example, for reports you need at least read access to some queries, devices and device groups; for operational rules and packages you need read access to some device groups and devices.
- No general security is specified for the following main nodes: Administrators, Administrator Groups and Directory Servers. Their security is specified via their members. All these nodes are located under the Global Settings.