
Simplified Security

Description

 

This feature is only available when using an Advanced Data Source.

 

While the following scenario is relevant for small to medium enterprises, it is not recommended for a larger business. For a scenario more suited for large enterprises, please consult the Advanced Security scenario.

 

 

Our fictional company, Windjammer, has four roles: HelpDesk, ServiceDesk, Administrations, and Consultants. There are two client companies: Downhill Pro and Telemark.

 

The following tree structure represents entries which users have access to once all permissions are set:

 

 

User Configuration

Here is an example for user configuration. To create users, navigate to Administration - Users.

The following rights are enabled in the Permissions section of the User Management.

 

User Management - Permissions Section


Administrators: administrators have a lot more access than regular users. When creating these users, check the Administrator box to give them access to everything. The administrator can access all entries, regardless of the permissions.

 

User Management - Administrator


Regular users: these users have fewer rights than administrators. Here we give them the most basic rights (Add, Edit, and Delete) while specifying that they can’t add anything into the root folder. Later, we will deny these rights by specifying which users can actually perform these actions.

 

User Management - Regular Users


Consultants: consultants can only view a subset of entries. They cannot add or edit anything.

 

User Management - Consultants


Roles Configuration

Now that the users are created, we will add the roles to which we will later grant permissions. The roles must be created so that users can be assigned to them. There is no need to grant any privileges to these roles.

 

ServiceDesk

HelpDesk

Consultants

 

User and Security Management - Roles


Entries Configuration

Now, everything is ready to grant or deny access to the roles.

 

The ServiceDesk will have the permission to view and open all entries but will be able to edit only the entries in the customer groups/folders.

The HelpDesk will have the permission to view and open entries in the customer groups/folders only and will not be able to edit them.

The Consultants will have the permission to view and open entries in the Montreal folder only, but will not be able to edit the folder or its child items.

 

We will begin with the root level groups/folders: Downhill Pro, Telemark and Windjammer.

 

The permission to view the Windjammer folder will be set for the ServiceDesk only since we want them to be able to use its child entries. We don’t want the ServiceDesk to add or edit anything. We will set the Add, Edit and Delete permissions to Never. Only the administrator will be able to add or edit entries in the Windjammer folder.

 

Windjammer - Permissions


View: Custom; ServiceDesk.

Add: Never; Only the administrator can add entries.

Edit: Never; Only the administrator can edit entries.

Delete: Never; Only the administrator can delete entries.

 

 

For Downhill Pro, we will grant permissions to the ServiceDesk and the HelpDesk.

 

Downhill Pro - Permissions


View: Custom; HelpDesk, ServiceDesk.

Add: Custom; ServiceDesk.

Edit: Custom; ServiceDesk.

Delete: Never; Only the administrator can delete entries.

 

 

We already have a good example of the flexibility of Remote Desktop Manager’s Security. A ServiceDesk user can view and use all the entries in the Downhill Pro folder, even the credential entries, but will never be able to see any password, since ServiceDesk users do not have the right to reveal passwords.

 

Next, for the Telemark folder, we will grant permissions to the ServiceDesk, the HelpDesk and the Consultants. This is where things get complex. If we want the Consultants to be able to view only the Montreal folder, which is a child item of Telemark, we must grant the Consultants the permission to view the entire Telemark content. Then we will grant permissions on child items only to the roles that should have access to these items. This last step will deny the View permission for the Consultants on the child items.

 

Telemark - Permissions


View: Custom; Consultants, HelpDesk, ServiceDesk.

Add: Custom; ServiceDesk.

Edit: Custom; ServiceDesk.

Delete: Never; Only the administrator can delete entries.

 

 

Since we want the users to be able to use the credential entries, we will grant the ServiceDesk and the HelpDesk the permission to view the Credentials folder. This way, the ServiceDesk and HelpDesk will be able to use the entries in the folder without revealing the passwords. By specifying that only the HelpDesk and ServiceDesk have the View permission, we deny View access to any role or user that is not in the list for that permission.

 

The Add, Edit and Delete permissions can be left at Default since they inherit the settings from the Telemark parent folder. The ServiceDesk is the only role that has been granted the Add and Edit permissions in the parent folder, and the Delete permission inherits the Never setting.

 

Telemark\Credentials - Permissions


View: Custom; HelpDesk, ServiceDesk.

Add: Default; ServiceDesk inherited from Telemark folder.

Edit: Default; ServiceDesk inherited from Telemark folder.

Delete: Default; Never inherited from Telemark folder.

 

 

We want the ServiceDesk, but not the HelpDesk, to be able to use the Domain Admin credential entry as well. For this we must grant the View permission to the ServiceDesk. The ServiceDesk will still be able to edit the credential entry but will never see the password. The Delete permission is set to Never.

 

 

 

The last step for the Telemark child items is to set the View permission to the ServiceDesk and the HelpDesk on the Boston folder and leave every other permission of this folder at Default. This prevents the Consultants from viewing the Boston folder. Now, the Consultants will be able to view and open entries only in the Montreal folder.

 

Telemark\Boston - Permissions


Every time a new folder is added, the View permission must be set for ServiceDesk and HelpDesk to hide the new folder and its content from the Consultants.

 

 

No need to set any permissions on the Montreal folder, since they are inherited from the parent folders.

 

Telemark\Montreal - Permissions


In Conclusion

The permissions are now correctly set. Note that every entry added at root level will have no security by default. This means such entries would be available to anyone, even the consultants. This can be confirmed by looking at the screenshot below, in which the entry Daily routine is available to everyone. Here is what each user should see in the tree view:

 

Side by Side Tree View
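
The permission layout built in this scenario, as an added Python model that is not Remote Desktop Manager's own code or API. It assumes Default means "inherit from the parent folder" and that an unset permission at root level is open to everyone; the Telemark\Credentials location of the Domain Admin entry and the audit helper unexpected_view are also assumptions.

```python
# Model of this page's folder permissions; not Remote Desktop Manager code.
# Assumptions: "Default" inherits from the parent folder, an unset permission
# at root level is open to everyone, and user-level rights are not modelled.
EVERYONE = "everyone"
NEVER = frozenset()  # "Never": no role qualifies, only administrators pass

# path -> {permission: roles}; a missing permission key means "Default".
ACL = {
    "Windjammer": {"view": {"ServiceDesk"},
                   "add": NEVER, "edit": NEVER, "delete": NEVER},
    "Downhill Pro": {"view": {"HelpDesk", "ServiceDesk"},
                     "add": {"ServiceDesk"}, "edit": {"ServiceDesk"}, "delete": NEVER},
    "Telemark": {"view": {"Consultants", "HelpDesk", "ServiceDesk"},
                 "add": {"ServiceDesk"}, "edit": {"ServiceDesk"}, "delete": NEVER},
    "Telemark\\Credentials": {"view": {"HelpDesk", "ServiceDesk"}},
    # The entry's parent folder is assumed; its View and Delete are explicit.
    "Telemark\\Credentials\\Domain Admin": {"view": {"ServiceDesk"}, "delete": NEVER},
    "Telemark\\Boston": {"view": {"HelpDesk", "ServiceDesk"}},
    "Telemark\\Montreal": {},   # everything left at Default
    "Daily routine": {},        # root-level entry with no security set
}

def effective(path, perm, acl=ACL):
    """Walk up from path until a folder or entry sets perm explicitly."""
    while path:
        setting = acl.get(path, {}).get(perm)
        if setting is not None:
            return setting
        path = path.rpartition("\\")[0]  # parent path, "" once above the root
    return EVERYONE

def allowed(role, path, perm, acl=ACL, administrator=False):
    """True if a user holding only this role passes the permission check."""
    if administrator:  # administrators access all entries regardless
        return True
    roles = effective(path, perm, acl)
    return roles == EVERYONE or role in roles

def visible_to(role, acl=ACL):
    return sorted(p for p in acl if allowed(role, p, "view", acl))

def unexpected_view(role, expected, acl=ACL):
    """Audit helper: paths the role can view that are not on the expected list."""
    return sorted(set(visible_to(role, acl)) - set(expected))

if __name__ == "__main__":
    for role in ("ServiceDesk", "HelpDesk", "Consultants"):
        print(role, visible_to(role))
```

Running unexpected_view for Consultants after adding a folder under Telemark reports that folder until its View permission is set for ServiceDesk and HelpDesk, and it always reports root-level entries that have no security set.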


You can go further with granting permissions by using the Security and Attachments tabs of the permissions section when editing entries. As always, great care must be taken when granting permissions.

 

If you need more details on each permission, please consult our Common Settings – Permissions topic.