SSH Tectia

Managing Admin Groups and Permissions

Admin account groups and permissions are managed on the Manage admin groups and permissions page. To access the page, click Settings → Admin groups. On this page, new admin groups can be created, and existing ones can be edited and removed. Members and permissions of admin groups can be edited.

There are two main types of access-controlled management actions that admins can perform with the SSH Tectia Manager administration interface: global system actions and host-group-specific actions.

Permissions to perform actions are given to admin groups. Each group has permissions to perform the selected global actions and host-group-specific actions to selected hosts. One admin account can be a member of any number of admin groups.

Figure 3.9. Admin groups and permissions

There is one built-in and read-only admin group called Superusers. Members of this group are superusers, and have the permission to do anything. The initial superuser account configured with the initial configuration wizard is added to this group. Members can be added to and removed from the group, but the last member cannot be removed; this ensures that there is always at least one working superuser account.

System Permissions

Global system actions do not directly involve any specific hosts. These actions are selectable per admin group in the System permissions settings:

  • Changing the global settings of the Management Server (superuser group only)

  • Editing admin account permissions (superuser group only)

  • Delete log entries: deleting entries from SSH Tectia Manager logs

  • Edit Connector Configurations: editing SSH Tectia Connector configurations

  • Manual grouping: manually grouping hosts

  • Edit auto assign rules: editing auto-assign rules

  • Manage host views and groups: creating, editing, and deleting host views and host groups

  • License Administration: administering licenses for managed software

  • View Configurations: viewing Management Agent and managed software configurations (without deploying the changes)

  • Administer Configurations: committing or reverting pending changes made by other users to SSH Tectia 5.x configurations

  • Edit Configurations: creating, editing, and deleting Management Agent and managed software configurations (without deploying the changes)

  • View and generate reports: viewing and generating reports

  • Manage Server Hierarchy: managing the Management Server hierarchy (Distribution Servers)

  • Deploy Management Agent: deploying Management Agent remotely via SSH Tectia Manager to Unix hosts

  • View Audit Log: viewing the SSH Tectia Manager audit log

  • View event log: viewing the SSH Tectia Manager event log

  • Manage ICBs: creating and editing Initial Configuration Blocks (ICB)

  • Edit admin accounts, groups and permissions: administering the admin accounts and groups, editing their permissions. This does not give the permission to touch the superuser accounts, nor to elevate the administrators' own permissions to superuser level.

Host-Group Management Rights

Each admin group has a list of host-group-specific rights that the members of the group have. The permissions are represented as a table with one column for each of the views and one column for the access rights. See Figure 3.10. Each row in the table adds to the permissions of the group. An empty table means that the group has no host-group-specific permissions.

Figure 3.10. Editing host-group management rights

On a row, a host group can be selected for each view, or any can be selected to apply the access rights to all host groups. If a host group different from any is selected, the access rights in the Access rights column apply only to hosts that are in the specified host group.

Note that the Assign configurations access right can be set for groups only in the fixed configuration view. However, the Deploy configurations access right can be set for group combinations, for example the Workstation group in the fixed configuration view and the Windows group in the OS view.

SSH Tectia Manager has the following access right sets:

  • Approve host changes: Permission to approve pending host info changes.

  • Assign configurations: Permission to assign Management Agent and managed software configurations to hosts. Effective only if set for a group in the configuration view.

  • Deploy configurations: Permission to deploy Management Agent and managed software configuration changes to hosts.

  • Full rights: Permission to perform any host-group-specific management actions. All access rights are included in this set.

  • Manage certificates: Permission to enroll, renew, and revoke host certificates.

  • Manage software: Permission to upgrade and uninstall the Management Agent software on hosts. Permissions to install, upgrade, and uninstall managed software on hosts.

  • View only: Permission to only view and search host information and logs. Hosts in those groups for which the logged-in administrator does not have view permissions are hidden.

Table 3.1. Access rights

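| Allowed actions (rows) / Rights sets (columns) | Approve host changes | Assign configurations | Deploy configurations | Full rights | Manage certificates | Manage software | View only |
|------------------------------------------------|----------------------|-----------------------|-----------------------|-------------|---------------------|-----------------|-----------|
| Approve host changes                           | x                    |                       |                       | x           |                     |                 |           |
| Assign configurations                          |                      | x                     |                       | x           |                     |                 |           |
| Deploy configurations                          |                      |                       | x                     | x           |                     |                 |           |
| Manage certificates                            |                      |                       |                       | x           | x                   |                 |           |
| Manage software                                |                      |                       |                       | x           |                     | x               |           |
| View host                                      | x                    | x                     | x                     | x           | x                   | x               | x         |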
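The following added example (not SSH Tectia Manager code) models how the rows of a host-group rights table combine into the actions an admin group may perform on a given host, using the rights sets from Table 3.1. The view keys, host names, the one-group-per-view host model, and the reading of the Assign configurations note are assumptions made for illustration.

```python
# Added example: a model of the host-group rights described on this page,
# not SSH Tectia Manager's own code.
ANY = "any"
CONFIG_VIEW = "configuration"  # assumed key for the fixed configuration view

# Table 3.1: rights set -> allowed actions.
ALL_ACTIONS = {"Approve host changes", "Assign configurations", "Deploy configurations",
               "Manage certificates", "Manage software", "View host"}
RIGHTS_SETS = {
    "Approve host changes": {"Approve host changes", "View host"},
    "Assign configurations": {"Assign configurations", "View host"},
    "Deploy configurations": {"Deploy configurations", "View host"},
    "Full rights": ALL_ACTIONS,
    "Manage certificates": {"Manage certificates", "View host"},
    "Manage software": {"Manage software", "View host"},
    "View only": {"View host"},
}

def row_applies(row, host):
    """A row applies when each view's selection is 'any' or the host's group in that view."""
    return all(sel == ANY or host.get(view) == sel for view, sel in row["groups"].items())

def allowed_actions(rows, host):
    """Union of the actions granted by every row that applies to the host."""
    allowed = set()
    for row in rows:
        if not row_applies(row, host):
            continue
        actions = set(RIGHTS_SETS[row["rights"]])
        # Assumed reading of the note: Assign configurations only takes effect
        # when the row names a specific group in the configuration view.
        if row["rights"] == "Assign configurations" and row["groups"].get(CONFIG_VIEW, ANY) == ANY:
            actions.discard("Assign configurations")
        allowed |= actions
    return allowed

# Constructed sample data: one admin group's rows and three hosts.
ROWS = [
    {"groups": {CONFIG_VIEW: "Workstation", "OS": "Windows"}, "rights": "Deploy configurations"},
    {"groups": {CONFIG_VIEW: ANY, "OS": "Linux"}, "rights": "Assign configurations"},
]
HOSTS = {
    "ws-win": {CONFIG_VIEW: "Workstation", "OS": "Windows"},
    "ws-linux": {CONFIG_VIEW: "Workstation", "OS": "Linux"},
    "srv-win": {CONFIG_VIEW: "Server", "OS": "Windows"},
}

if __name__ == "__main__":
    for name, host in HOSTS.items():
        # An empty set means no view right, so the host would be hidden.
        print(name, sorted(allowed_actions(ROWS, host)) or "hidden")
```

Running the same evaluation over an exported list of rows is a quick way to review which hosts a group can deploy to before granting membership.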

Creating a New Admin Group

If you want to assign an admin group rights based on the host groups, you should create the relevant host views and groups before creating the admin group. This is described in Managing Host Views and Groups.

To create a new admin group:

  1. Click Settings → Admin groups on the menu.

  2. On the Manage admin groups and permissions page, click the Create new group button.

    Figure 3.11. Creating a new admin group

  3. On the New admin group page, enter the Name and Description of the group. Also make the following settings:

    • Click Add to add host-group management rights. Select the Access rights level for each host group. Click Show help to see a short description of each access-right level.

    • Select the System permissions for the admin group. Click Show help texts to view a short description of the permitted action. Click Hide help texts to hide it. For a description of the options, refer to System Permissions.

    • To add members to the group, select an administrator from the Others box and click the Add button. To remove members from the group, select an administrator from the Members box and click the Remove button.

      Click OK when finished.

The admin group is now ready to be used.

Editing an Admin Group

To edit an existing admin group, click Edit next to the group on the Manage admin groups and permissions page. The Edit admin group page opens. This page is similar to the New admin group page described above.

Edit the values as necessary and click OK when finished.

Deleting an Admin Group

To delete an existing admin group, click Delete next to the group on the Manage admin groups and permissions page.

You will be asked for confirmation. Click Yes to proceed with the deletion.