Permissions

 

 

 

Managing Permissions

 

Permissions are used to control access to the pasGuard system.

Permissions can be granted at the System level or at the more specific Category, Customer, Product, and Credential levels as detailed below.  Permissions are granted to Windows Principals (either groups or users) as defined in Active Directory Domain Services.

To assign permissions using the permission editor, check the boxes in the Permissions list for the types of permission you wish to grant.  Next, in the Groups list, highlight the name of the group principal or user principal that should receive the permission(s).  Finally, click the assignment button to move the group and permission(s) to the Configured Permissions grid and make them permanent.

To remove group permissions, highlight the row in the Configured Permissions grid and press the delete key on the keyboard.

pasGuard subscribes to an additive model in which permissions can only be granted or revoked - denials cannot be placed. For example: There are three Credentials on a pasGuard system. User A should have full access to the first two Credentials and no access to the third. To achieve this, a group of which User A is a member should be granted Full permission at the Credential level for both the first and second Credentials.  No action is necessary on the third, as no permissions are implicit.

Permissions function in a cumulative manner. For example: User B's group is granted Read permission at the System level and Full permission at the Credential level. User B will have Read access to the pasGuard system and Read and Update access for the specific Credential.

Permission Types

System Level

Read: Group members can use pasGuard to create credentials.  Currently, Read permissions are not required to add credentials.

Security Manager: Group members can assign Permissions at all levels with the exception of Full System Administrator.

Full: Group members can view, edit, and delete information from the entire System. This includes all Credentials.

Credential Level

Read: Group members can view Credentials at the credential level.

Update: Group members can update Credentials at the credential level.

Delete:  Group members can delete Credentials at the credential level.

Security: Group members can assign Category Permissions at the credential level with the exception of Full permissions.

Full: Group members can view, edit, and delete information from Credentials in the credential.

Category Level

Delete:  Group members can delete the Category.

Read Credentials: Group members can view Credentials at the category level.

Add Credentials: Group members can add Credentials at the category level.

Update Credentials: Group members can update Credentials at the category level.

Delete Credentials: Group members can delete Credentials at the category level.

Security: Group members can assign Category Permissions at the category level with the exception of Full permissions.

Full: Group members can view, edit, and delete information from Credentials in the category.

Customer Level

Delete:  Group members can delete the Customer.

Read Credentials: Group members can view Credentials at the customer level.

Add Credentials: Group members can add Credentials at the customer level.

Update Credentials: Group members can update Credentials at the customer level.

Delete Credentials: Group members can delete Credentials at the customer level.

Security: Group members can assign Category Permissions at the customer level with the exception of Full permissions.

Full: Group members can view, edit, and delete information from Credentials in the customer.

Product Level

Delete: Group members can delete the Product.

Read Credentials: Group members can view Credentials at the product level.

Add Credentials: Group members can add Credentials at the product level.

Update Credentials: Group members can update Credentials at the product level.

Delete Credentials: Group members can delete Credentials at the product level.

Security: Group members can assign Category Permissions at the product level with the exception of Full permissions.

Full: Group members can view, edit, and delete information from Credentials in the product.

Through the inheritance chain, a user receives the highest-level permission(s) that exist for any of the groups the user is a member of.  If group A is granted full system permissions, group B is granted read system permissions, and the user is a member of both groups A and B, the user will have full system permissions.  If all permissions are then revoked from group A, the user will still have system read permissions.  Likewise, if group A is assigned read credential permissions for a category and group B is assigned update permissions for a specific credential, the user will have read and update permissions for that specific credential.
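
The additive and cumulative rules above can be modeled for an access review as follows. This is an added Python example, not pasGuard code or a pasGuard export format. The record layout, the group and object names, the tagging of each credential with one category, customer and product, and the expansion of Full into read, update and delete are assumptions made for illustration.

```python
from dataclasses import dataclass

# "Full" is documented as view, edit and delete; this expansion is an assumption.
FULL = frozenset({"read", "update", "delete"})

@dataclass(frozen=True)
class Grant:              # hypothetical record, not a pasGuard export format
    group: str            # Windows group principal
    level: str            # "system", "category", "customer", "product", "credential"
    target: str           # object the grant is attached to ("*" for system)
    right: str            # "read", "update", "delete" or "full"

@dataclass(frozen=True)
class Credential:         # assumption: one category, customer and product each
    name: str
    category: str
    customer: str
    product: str

def effective_rights(user_groups, cred, grants):
    """Union of every grant that reaches `cred` through any of the user's groups.
    There are no deny entries to process: no matching grant means no access."""
    scopes = {("credential", cred.name), ("category", cred.category),
              ("customer", cred.customer), ("product", cred.product)}
    rights = set()
    for g in grants:
        if g.group not in user_groups:
            continue
        if g.level == "system":
            # Only System Full is documented as covering all Credentials.
            if g.right == "full":
                rights |= FULL
        elif (g.level, g.target) in scopes:
            rights |= FULL if g.right == "full" else {g.right}
    return rights

def broad_grants(grants):
    """Review heuristic: Full grants above the Credential level reach many objects."""
    return [g for g in grants if g.right == "full" and g.level != "credential"]

# Constructed sample data mirroring the group A / group B example on this page.
VPN = Credential("vpn-admin", "Network", "ExampleCo", "Firewall")
GRANTS = [
    Grant("GroupA", "category", "Network", "read"),       # Read Credentials on a category
    Grant("GroupB", "credential", "vpn-admin", "update"),  # Update on one credential
]
print(sorted(effective_rights({"GroupA", "GroupB"}, VPN, GRANTS)))
```

Because the model has no denials, the only way to narrow a user's access is to find and revoke every grant that contributes to the union, which is what a per-credential listing like this makes visible.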

 


Copyright © 2024 pasUNITY, Inc.

 
