Online Help > Role Based Security System > Scenarios

Advanced Security

Description

 

This feature is only available when using an Advanced Data Source.

 

The following scenario is designed for large enterprises. For a scenario more suited for small enterprises, please consult our Simplified Security scenario.

 

While this example fits for large enterprises, please keep in mind that any privilege should be granted only as necessary. Be extremely careful when granting permissions to a user or a role.

 

Our fictional company, Windjammer, has three roles: HelpDesk, ServiceDesk, and Consultants. There are two client companies: Downhill Pro and Telemark.

 

The following tree view structure represents entries which users have access to once all permissions are set:

 

 

User Configuration

Here is an example of user configuration. To create users, navigate to Administration - Users.

 

Ribbon - Administration - Users

Ribbon - Administration - Users

 

In this scenario, all the options in the Privileges section of the User Management are set to None.

 

 

Here we select the user type to give them the most basic rights (Add, Edit, and Delete).

 

ServiceDesk users are Restricted Users. They have the Add and Edit rights. However, they cannot add entries into the root folder.

 

User Management - ServiceDesk - Restricted User

User Management - ServiceDesk - Restricted User

 

 

HelpDesk users are Restricted Users as well. They only have the Add right. However, they cannot add entries into the root folder.

 

User Management - HelpDesk - Restricted User

User Management - HelpDesk - Restricted User

 

 

Consultants are Read Only Users and can only view a subset of entries. They cannot add or edit anything.

 

User Management - Consultants - Read Only User

User Management - Consultants - Read Only User

 

 

Role Configuration

Now that the users are created, we will add the roles which we will later grant the permissions to. We need to create the roles and assign the respective user to each role. There is no need to grant any privilege to these roles since they are mainly empty shells used to group multiple users. This allows for controlling multiple users at once instead of granting permissions to each users, one at a time.

 

ServiceDesk

HelpDesk

Consultants

 

To add a role, click the Add Role button, enter a name for the role, and click Ok.

To assign users to a role, select a role and click the Assign roles button. Use the Is Member check boxes to add users to the role.

 

User and Security Management - Roles

User and Security Management - Roles

 

 

Entry Configuration

Now, everything is ready to grant or deny access to the roles.

 

All root folder permissions are set to Never. By inheritance, this denies the child items default access to everyone.

The ServiceDesk has the permission to view and open all entries but is able to edit only the entries in the client's groups/folders.

The HelpDesk has the permission to view and open entries in the client's groups/folders only and is not able to edit them.

The Consultants have the permission to view and open entries in the Montreal folder only but is not able to edit it or its child items.

 

 

Root

As mentioned above, ALL root folder permissions are set to Never. This denies the default access to other users.

 

Root - Permissions

Root - Permissions

 

 

Windjammer Downhill Pro, and Telemark, the root level groups/folders

The permission to view the Windjammer folder is set for the ServiceDesk only since we want them to be able to use the child entries. We don’t want the ServiceDesk to add, edit or delete anything. We leave the Add, Edit and Delete permissions to Default so only the administrators can perform these action on the Windjammer folder and its child items.

 

Windjammer - Permissions

Windjammer - Permissions

 

View: Custom; ServiceDesk.

Add: Default; Never inherited from Root. Only the administrator can add entries.

Edit: Default; Never inherited from Root. Only the administrator can edit entries.

Delete: Default; Never inherited from Root. Only the administrator can delete entries.

 

 

For Downhill Pro, we grant permissions to the ServiceDesk and the HelpDesk.

 

Downhill Pro - Permissions

Downhill Pro - Permissions

 

View: Custom; HelpDesk, ServiceDesk.

Add: Custom; ServiceDesk.

Edit: Custom; ServiceDesk.

Delete: Default; Never inherited from Root. Only the administrator can delete entries.

 

We already have a good example of the flexibility of Remote Desktop Manager Security. ServiceDesk and HelpDesk users can view and use all the entries in the Downhill Pro folder, even the credential entries, but they will never see any passwords since the ServiceDesk and HelpDesk users do not have the privilege to reveal passwords.

 

 

Next, for the Telemark folder, we grant permissions to the ServiceDesk, the HelpDesk and the Consultants. This is where things get complex. If we want the Consultants to be able to view only the Montreal folder, which is a child item of Telemark, we must grant Consultants the permission to view the parent folder, thereby the entire Telemark content. Then we will grant permissions on child items only to the role that should have access to these items. This last step will deny the view permission for the Consultants on the child items.

 

Telemark - Permissions

Telemark - Permissions

 

View: Custom; Consultants, HelpDesk, ServiceDesk.

Add: Custom; ServiceDesk.

Edit: Custom; ServiceDesk.

Delete: Default; Never inherited from Root. Only the administrator can delete entries.

 

 

Telemark Child Items

Since we want the users to be able to use the credential entries, we grant the ServiceDesk and the HelpDesk the permission to view the Credentials folder. Therefore, the ServiceDesk and HelpDesk are able to use the entries in the folder without revealing the passwords. By specifying that only the HelpDesk and ServiceDesk have the View permission, we deny the view access to any role or user that is not on the list of the permission.

 

The Add and Edit permissions are set to Never and the Delete permission can be left to Default since it inherits the Never settings from the Root. Only the administrators can perform these actions in groups/folders containing credentials.

 

Telemark/Credentials - Permissions

Telemark/Credentials - Permissions

 

View: Custom; HelpDesk, ServiceDesk.

Add: Never; Only administrators can add credential entries.

Edit: Never; Only administrators can edit entries.

Delete: Default; Never inherited from Root. Only administrators can delete entries.

 

 

We want the ServiceDesk to be able to use the Domain ladmin credential entry, but not the HelpDesk. For this, we must grant the View permission to the ServiceDesk. The ServiceDesk is still be able to use the credential entry but will never see the password.

 

Telemark\Credentials\Admin - Permissions

Telemark\Credentials\Admin - Permissions

 

View: Custom; ServiceDesk.

Add: Default; Never inherited from Root. Only administrators can add credential entries.

Edit: Default; Never inherited from Root. Only administrators can edit credential entries.

Delete: Default; Never inherited from Telemark\Credentials. Only administrators can delete credential entries.

 

 

The last step for the Telemark child items is to set the View permission to the ServiceDesk and the HelpDesk on the Boston folder and leave every other permissions of this folder to Default. This denies the Consultants to view the Boston folder. Now, the Consultants are able to view and open entries only in the Montreal folder.

 

Telemark\Boston - Permissions

Telemark\Boston - Permissions

 

View: Custom; HelpDesk, ServiceDesk.

Add: Default; ServiceDesk inherited from Telemark.

Edit: Default; ServiceDesk inherited from Telemark.

Delete: Default; Never inherited from Root.

 

Every time a new folder is added as a child of the Telemark folder, the View permission must be set for ServiceDesk and/or HelpDesk to hide the new folder and its content from the Consultants.

 

 

There is no need to set any permissions on the Montreal folder, since they all inherit values from parent folders.

 

Telemark\Montreal - Permissions

Telemark\Montreal - Permissions

 

 

In Conclusion

The permissions are now correctly set. Note that every entry added at root level have no security by default. This means they would be available for anyone, even the consultants. This can be confirmed by looking at the screenshot below, in which the entry Daily routine is available for everyone. Here is what each user should see in the tree view:

 

Side by Side Tree View

Side by Side Tree View

 

You can go further with granting permissions by using the Security and Attachments tabs of the Permissions section when editing entries. As always, a great care must be taken when granting permissions.

 

If you need more details on each permission, please consult our Common Settings – Permissions topic.