Online Help >

Role Based Security System

Description

 

Remote Desktop Manager role-based security system allows to create a granular protection system that is quite flexible. However, flexibility comes at a price and sometimes making the wrong choices could increase the time involved in managing the system.

 

The following recommendations are based on our experience with the system and the ideas shared by our community. Follow these guidelines, as they will help you to use the role-based security system efficiently.

 

Here are the main key points of the role based security system:

 

Security is inherited: child items and folders are covered by a parent folder’s security.

Permissions can be overridden: a permission set on a sub folder will override the parent item’s permission.

Permissions are granular: Multiple permissions can be set on entries at once.

 

Enhance the security

While the role based security system is a great feature to secure access to entries, many other features can be used to add more security layers. For more information, please consult the following topics:

 

Security provider

Credential repository

Password complexity

Two-factor authentication

One-time password

 

 

Scenarios

 

Because of the great flexibility of our system, it becomes difficult to describe how to achieve the exact security system that matches your needs. For this reason, we have elected to describe the most popular systems that we have seen in use in our current community of users. We hope that one of them will closely match what you require, and obviously you can mix and match the various strategies used in our scenarios to achieve your requirements.

 

Please consult the following:

 

Advanced security

Simplified security

 

 

Role configuration

 

When using the role-based security system, roles are mostly used to control user access for multiple users at once.

 

Common roles can be:

 

Service Desk: a single point of contact to handle incidents, problems and questions from staff and customers. Provide an interface for activities such as change requests, software licences, configuration management, and more.

Help Desk: manage, co-ordinate and resolve support requests.

Consultants: employed externally on a temporary basis, they usually are read-only users and can use only a subset of entries.

 

To be more specific, we will use these team names in our scenarios.

 

Create the role

To create roles, navigate to Administration – Roles, then click Add Role.

 

Create a role

Create a role

 

All settings can be left to default unless the role contains only administrators. In this case, check the Administrator box when configuring the role. Enter a Name for the role, then click Ok.

 

Configure a role

Configure a role

 

To assign users to the role, click , then check the Is Member box of the respective user.

 

Assign a user to the role

Assign a user to the role

 

User configuration

 

User template

It is possible to change the default user template. To do so, navigate to File – Options – Security – User Template. These settings control the default settings of a new user. The best practice is to disable all privileges.

 

Create the user

To create users, navigate to Administration – Users, then click Add User. Enter a Login and Password for the user and select the User type.

 

Create a user

Create a user

 

A user can be assigned to multiple roles at once by checking the Is Member box of the respective roles in the Roles section of the User Management.

 

Assign a user to a role

Assign a user to a role

 

Administrators

Administrators can do everything, regardless of the security. These users are usually the chief officers and senior management.

 

Restricted users

Restricted users have limited access to resources. They usually have the Add and Edit rights only. These users can be mid or first level executives, such as service desk and help desk.

 

Users

Users also have limited access to resources much like Restricted users. However, Users have by default the Add, Edit and Delete rights and can perform these actions on all unsecured entries.

 

Read only users

Read only users can only view and use resources, but cannot edit them. These users are usually external consultants.

 

Select the appropriate user type

When creating users, some key points must be taken into consideration. Ask yourself the following questions while configuring a new user:

 

Should they be able to access any resource without restriction?

Administrators can access any resource without restriction.

Make a user administrator by selecting Administrator as the User type when creating the user.

 

Administrator user

Administrator user

 

Should they be able to add, edit, or delete entries?

Make a restricted user by selecting Restricted user as the User type when creating the user.

Set up manually which rights are granted to the user.

 

Restricted user

Restricted user

 

Should they be able to see sensitive information, or import and export entries?

Configure the Privileges section when creating the user. Users should never be able to see passwords in clear text.

 

User privileges

User privileges

 

Entry configuration

 

Access is granted or denied to users by setting permission on entries. Permissions can be set to users or roles. The best practice is to grant permissions to roles to control access for multiple users at once.

 

To set permissions on an entry, edit any entry, then navigate to the Security – Permissions section.

 

Entry's permissions

Entry's permissions

 

Permissions are usually set on folders, and apply to all child entries. A best practice is to set all the permissions of the root folder to Never. As a result, all permissions of all entries are denied by default.

 

Root permissions

Root permissions

 

Access is denied to users by expressly granting the access to other users. In other words, all users that are not on the list of a permission have the access denied.

For a user to have access to a sub folder, the user must have at least the view permission on all parent folders.

 

Consider the following structure:

 

 

There are three levels of folders: the root, Telemark, and child items of Telemark.

 

Suppose that a user, such as a consultant, must have access to the Montreal folder only. The consultant must be granted the view permission on the Telemark folder as well. However, granting the view access to the Telemark folder gives to the consultant the permissions to view all child items of Telemark. To deny the view permissions for the consultant on specific child items, the view permissions of these items must be expressly set for other users.