Admin account groups and permissions are managed on the Manage admin groups and permissions page. To access the page, click Settings → Admin groups. On this page, new admin groups can be created, and existing ones can be edited and removed. Members and permissions of admin groups can be edited.
There are two main types of access-controlled management actions that admins can perform with the SSH Tectia Manager administration interface:
Permissions to perform actions are given to admin groups. Each group has permissions to perform the selected global actions and host-group-specific actions to selected hosts. One admin account can be a member of any number of admin groups.
There is one built-in and read-only admin group called Superusers. Members of this group are superusers, and have the permission to do anything. The initial superuser account configured with the initial configuration wizard is added to this group. Members can be added to and removed from the group, but the last member cannot be removed to ensure there is always at least one working superuser account.
Global system actions do not directly involve any specific hosts. These actions are selectable per admin group in the System permissions settings:
Changing the global settings of the Management Server (superuser group only)
Editing admin account permissions (superuser group only)
Delete log entries: deleting entries from SSH Tectia Manager logs
Edit Connector Configurations: editing SSH Tectia Connector configurations
Manual grouping: manually grouping hosts
Edit auto assign rules: editing auto-assign rules
Manage host views and groups: creating, editing, and deleting host views and host groups
License Administration: administering licenses for managed software
View Configurations: viewing Management Agent and managed software configurations (without deploying the changes)
Administer Configurations: commiting or reverting pending changes made by other users to SSH Tectia 5.x configurations
Edit Configurations: creating, editing, and deleting Management Agent and managed software configurations (without deploying the changes)
View and generate reports: viewing and generating reports
Manage Server Hierarchy: managing the Management Server hierarchy (Distribution Servers)
Deploy Management Agent: deploying Management Agent remotely via SSH Tectia Manager to Unix hosts
View Audit Log: viewing the SSH Tectia Manager audit log
View event log: viewing the SSH Tectia Manager event log
Manage ICBs: creating and editing Initial Configuration Blocks (ICB)
Edit admin accounts, groups and permissions: administering the admin accounts and groups, editing their permissions. This does not give the permission to touch the superuser accounts, nor to elevate the administrators' own permissions to superuser level.
Each admin group has a list of host-group-specific rights that the members of the group have. The permissions are represented as a table with one column for each of the views and one column for the access rights. See Figure 3.10. Each row in the table adds to the permissions of the group. An empty table means that the group has no host-group-specific permissions.
On a row, a host group can be selected for each view, or any can be selected to apply the access rights to all host groups. If a host group different from any is selected, the access rights in the Access rights column apply only to hosts that are in the specified host group.
Note that the Assign configurations access right can be set for groups only in the fixed configuration view. However, the Deploy configurations access right can be set for group combinations, for example the Workstation group in the fixed configuration view and the Windows group in the OS view.
SSH Tectia Manager has the following access right sets:
Approve host changes: Permission to approve pending host info changes.
Assign configurations: Permission to assign Management Agent and managed software configurations to hosts. Effective only if set for a group in the configuration view.
Deploy configurations: Permission to deploy Management Agent and managed software configuration changes to hosts.
Full rights: Permission to perform any host-group-specific management actions. All access rights are included in this set.
Manage certificates: Permission to enroll, renew, and revoke host certificates.
Manage software: Permission to upgrade and uninstall the Management Agent software on hosts. Permissions to install, upgrade, and uninstall managed software on hosts.
View only: Permission to only view and search host information and logs. Hosts in those groups for which the logged-in administrator does not have view permissions are hidden.
Table 3.1. Access rights
Rights sets /
|Approve host changes||Assign configurations||Deploy configurations||Full rights||Manage certificates||Manage software||View only|
|Approve host changes||x||x|
If you want to assign an admin group rights based on the host groups, you should create the relevant host views and groups before creating the admin group. This is described in Managing Host Views and Groups.
To create a new admin group:
Click Settings → Admin groups on the menu.
On the Manage admin groups and permissions page, click the Create new group button.
On the New admin group page, enter the Name and Description of the group. Also make the following settings:
Click Add to add host-group management rights. Select the Access rights level for each host group. Click Show help to see a short description of each access-right level.
Select the System permissions for the admin group. Click Show help texts to view a short description of the permitted action. Click Hide help texts to hide it. For a description of the options, refer to System Permissions
To add members to the group, select an administrator from the Others box and click the Add button. To remove members from the group, select an administrator from the Members box and click the Remove button.
Click OK when finished.
The admin group is now ready to be used.
To edit an existing admin group, click Edit next to the group on the Manage admin groups and permissions page. The Edit admin group page opens. This page is similar to the New admin group page described above.
Edit the values as necessary and click OK when finished.