Admin account groups and permissions are managed on the Manage admin groups and permissions page. To access the page, click Settings → Admin groups. On this page, new admin groups can be created, and existing ones can be edited and removed. Members and permissions of admin groups can be edited.
There are two main types of access-controlled management actions that admins can perform with the SSH Tectia Manager administration interface:
global system actions (System Permissions)
host-group-specific actions (Host-Group Management Rights)
Permissions to perform actions are given to admin groups. Each group has permissions to perform the selected global actions and host-group-specific actions to selected hosts. One admin account can be a member of any number of admin groups.
There is one built-in and read-only admin group called Superusers. Members of this group are superusers, and have the permission to do anything. The initial superuser account configured with the initial configuration wizard is added to this group. Members can be added to and removed from the group, but the last member cannot be removed. This ensures that there is always at least one working superuser account.
Global system actions do not directly involve any specific hosts. These actions are:
Changing the global settings of the Management Server (superuser group only)
Editing admin account permissions (superuser group only)
Deploy Management Agent: deploying Management Agent remotely via SSH Tectia Manager to Unix hosts
Manage ICBs: creating and editing Initial Configuration Blocks (ICB)
Edit Configurations: creating, editing, and deleting Management Agent and managed software configurations (without deploying the changes)
View Configurations: viewing Management Agent and managed software configurations (without deploying the changes)
Administer Configurations: committing or reverting pending changes made by other users to SSH Tectia 5.x configurations
Edit Connector Configurations: editing SSH Tectia Connector configurations
License Administration: administering licenses for managed software
Manage Server Hierarchy: managing the Management Server hierarchy (Distribution Servers)
Manage host views and groups: creating, editing, and deleting host views and host groups
Edit auto assign rules: editing auto-assign rules
Manual grouping: manually grouping hosts
View and generate reports: viewing and generating reports
View event log: viewing the SSH Tectia Manager event log
View Audit Log: viewing the SSH Tectia Manager audit log
Delete log entries: deleting log entries
Each admin group has a list of host-group-specific rights that the members of the group have. The permissions are represented as a table with one column for each of the views and one column for the access rights. See Figure 3.10. Each row in the table adds to the permissions of the group. An empty table means that the group has no host-group-specific permissions.
On a row, a host group can be selected for each view, or any can be selected to apply the access rights to all host groups. If a host group different from any is selected, the access rights in the Access rights column apply only to hosts that are in the specified host group.
Note that the Assign configurations access right can be set for groups only in the fixed configuration view. However, the Deploy configurations access right can be set for group combinations, for example the Workstation group in the fixed configuration view and the Windows group in the OS view.
SSH Tectia Manager has the following access right sets:
Approve host changes: Permission to approve pending host info changes.
Assign configurations: Permission to assign Management Agent and managed software configurations to hosts. Effective only if set for a group in the configuration view.
Deploy configurations: Permission to deploy Management Agent and managed software configuration changes to hosts.
Full rights: Permission to perform any host-group-specific management actions. All access rights are included in this set.
Manage certificates: Permission to enroll, renew, and revoke host certificates.
Manage software: Permission to upgrade and uninstall the Management Agent software on hosts. Permissions to install, upgrade, and uninstall managed software on hosts.
View only: Permission to only view and search host information and logs. Hosts in those groups for which the logged-in administrator does not have view permissions are hidden.
Table 3.1. Access rights
| Rights sets / Allowed actions | Approve host changes | Assign configurations | Deploy configurations | Full rights | Manage certificates | Manage software | View only |
|---|---|---|---|---|---|---|---|
| Approve host changes | x | | | x | | | |
| Assign configurations | | x | | x | | | |
| Deploy configurations | | | x | x | | | |
| Manage certificates | | | | x | x | | |
| Manage software | | | | x | | x | |
| View host | x | x | x | x | x | x | x |
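The evaluation rules described above (each row adds to the group's permissions, a row applies only to hosts that are in every host group it names, and a rights set expands to the actions in Table 3.1) can be modeled as in the following sketch, which is useful when reviewing whether an account has more access than intended. This is an added illustration, not SSH Tectia Manager code. The admin group names, hosts, view keys, and the assumption that a host may belong to several groups in one view are constructed for the example, and the restriction of Assign configurations to the configuration view is not modeled.

```python
# Illustrative model of host-group management rights (not product code).
ANY = "any"

ACTIONS = {
    "Approve host changes", "Assign configurations", "Deploy configurations",
    "Manage certificates", "Manage software", "View host",
}

# Rights set -> allowed actions, following Table 3.1.
RIGHTS_SETS = {name: {name, "View host"} for name in ACTIONS - {"View host"}}
RIGHTS_SETS["Full rights"] = set(ACTIONS)
RIGHTS_SETS["View only"] = {"View host"}


def row_matches(row_groups, host_groups):
    """A row applies if, in every view, it selects 'any' or a group the host is in."""
    return all(
        sel == ANY or sel in host_groups.get(view, set())
        for view, sel in row_groups.items()
    )


def effective_actions(admin_groups, host_groups):
    """Union of allowed actions over every row of every admin group of the account."""
    allowed = set()
    for rows in admin_groups.values():
        for row_groups, rights_set in rows:
            if row_matches(row_groups, host_groups):
                allowed |= RIGHTS_SETS[rights_set]
    return allowed  # an empty set means the host is hidden from this account


# Constructed sample data: two views, two admin groups, two hosts.
DEPLOYERS = [({"configuration": "Workstation", "os": "Windows"}, "Deploy configurations")]
AUDITORS = [({"configuration": ANY, "os": ANY}, "View only")]
WIN_WS = {"configuration": {"Workstation"}, "os": {"Windows"}}
LINUX_WS = {"configuration": {"Workstation"}, "os": {"Linux"}}

if __name__ == "__main__":
    account = {"deployers": DEPLOYERS, "auditors": AUDITORS}
    for label, host in (("win-ws", WIN_WS), ("linux-ws", LINUX_WS)):
        print(label, sorted(effective_actions(account, host)))
```
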
If you want to assign an admin group rights based on the host groups, you should create the relevant host views and groups before creating the admin group. This is described in Managing Host Views and Groups.
To create a new admin group:
Click Settings → Admin groups on the menu.
On the Manage admin groups and permissions page, click the Create new group button.
On the New admin group page, enter the Name and Description of the group. Also make the following settings:
Click Add to add host-group management rights. Select the Access rights level for each host group. Click Show help to see a short description of each access-right level.
Select the System permissions for the admin group. Click Show help texts to view a short description of the permitted action. Click Hide help texts to hide it.
To add members to the group, select an administrator from the Others box and click the Add button. To remove members from the group, select an administrator from the Members box and click the Remove button.
Click OK when finished.
The admin group is now ready to be used.