For security purposes, individual users should be assigned the minimum required
privileges. Security Center features many
templates with predefined sets of privileges, such as Operator, Investigator,
Supervisor, and so on.
What you should know
Users have a set of basic privileges that are granted
to them, or inherited from parent user groups. They also have a set of privileges for every
partition in which they are an authorized user. Privileges granted or denied at the partition
level replace the basic privileges.
Best Practice: Individual users should only have the
minimum required privileges. When assigning privileges, Security Center offers templates with predefined sets of
privileges that can be applied to users or groups.
To help you better understand what your users can do, Security Center includes a Privilege troubleshooter. Use the troubleshooter to verify access rights and help you fix issues.
Procedure
- From the Config Tool home page, open the User management task.
- Select the user to configure, and click the Privileges tab.
- Use one of the predefined privilege configurations as your starting point. At the bottom of the page, click (), and select one of the following:
  - Apply template: Select one of the privilege templates to apply. Privilege templates can be combined. This means that when you apply a privilege template, you always add privileges. Existing privileges can never be removed as a result of applying a privilege template. To start with a clean slate, go to the top of the privilege hierarchy (All privileges) and click Undefined.
  - Set configuration to read-only: Set all entity configuration privileges found under the Administrative privileges group to View properties with Modify properties denied.
  - Set configuration to read-write: Set all entity configuration privileges found under the Administrative privileges group to View, Modify, Add, and Delete.
- Fine-tune the user privileges by changing the individual privilege settings if necessary. Keep in mind that if your user has a parent user group, the privilege inheritance rules apply.
  - Allow: Grant the privilege to the user. You cannot select this option if the privilege is denied to the parent user group.
  - Deny: Deny the privilege to the user.
  - Undefined: Inherit this privilege from the parent user group. If there is no parent user group, this privilege is denied.
- If necessary, configure the privilege exceptions for each partition the user has access to.
  - At the bottom of the page, click Exceptions (). The Privilege exception dialog box opens.
  - In the Create an exception for list, select a partition.
  - Change the user's basic privileges as required.
  - Click Create. The privilege exceptions are added at the bottom of the privilege list.
  - Click Apply.
- (Optional) Allow the user to move entities from one partition to another to which they have access. If you do not want to grant the full Add and Delete privileges to the user but still want to allow them to move entities between partitions, enable the Manage partition memberships option as follows.
  - Click the Advanced tab.
  - Enable the Manage partition memberships option. If necessary, switch Inherit from parent to Override to change this setting.
  - Click Apply.
NOTE: When you grant All privileges to a user, the Manage partition
memberships option is also enabled. However, if you disable the Manage
partition memberships option, it does not affect the other privileges the
user has.
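The inheritance and exception rules above (basic privileges inherited from the parent group, Undefined resolving to Deny at the top of the hierarchy, Allow being unavailable when the parent denies, partition exceptions replacing basic privileges, and templates only ever adding privileges) can be modelled as a small resolver. The following is an added example written for this page, not Genetec code or the Security Center SDK; the class names, the user and group names, the privilege names and the partition names are all constructed. It assumes that "denied to the parent user group" means an explicit Deny set on the parent, and that a parent's privilege is evaluated for the same partition when inherited; the page does not state either point.

```python
# Added model of the privilege-resolution rules described in this procedure.
# Illustration only: not Genetec's SDK or Security Center code. Class, user,
# group, privilege and partition names are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, Optional


class State(Enum):
    """The three settings a privilege can have on the Privileges tab."""
    ALLOW = "Allow"
    DENY = "Deny"
    UNDEFINED = "Undefined"


@dataclass
class Principal:
    """A user or a user group; both follow the same rules."""
    name: str
    parent: Optional["Principal"] = None
    # Basic privileges: privilege name -> state (a missing entry is Undefined).
    basic: dict[str, State] = field(default_factory=dict)
    # Partition exceptions: partition -> privilege name -> Allow or Deny.
    exceptions: dict[str, dict[str, State]] = field(default_factory=dict)

    def can_allow(self, privilege: str) -> bool:
        """Allow cannot be selected if the privilege is denied to the parent group.
        Assumption: "denied" is read as an explicit Deny on the parent."""
        if self.parent is None:
            return True
        return self.parent.basic.get(privilege, State.UNDEFINED) is not State.DENY

    def set_basic(self, privilege: str, state: State) -> None:
        """Set Allow, Deny or Undefined on a basic privilege."""
        if state is State.ALLOW and not self.can_allow(privilege):
            raise ValueError(f"{privilege!r} is denied to {self.parent.name!r}")
        self.basic[privilege] = state

    def apply_template(self, template: Iterable[str]) -> None:
        """Templates are additive: they grant the listed privileges and never
        remove a privilege that is already set."""
        for privilege in template:
            if self.basic.get(privilege, State.UNDEFINED) is not State.ALLOW:
                self.set_basic(privilege, State.ALLOW)

    def clear_all(self) -> None:
        """Clean slate: All privileges set to Undefined."""
        self.basic.clear()

    def add_exception(self, partition: str, privilege: str, state: State) -> None:
        """A partition-level grant or denial that replaces the basic privilege."""
        if state is State.UNDEFINED:
            raise ValueError("an exception is either Allow or Deny")
        self.exceptions.setdefault(partition, {})[privilege] = state

    def effective(self, privilege: str, partition: Optional[str] = None) -> State:
        """Resolve what the principal can actually do, optionally in a partition."""
        # 1. An exception for this partition replaces the basic privilege.
        if partition is not None:
            exception = self.exceptions.get(partition, {}).get(privilege)
            if exception is not None:
                return exception
        # 2. An explicit basic Allow or Deny stands on its own.
        state = self.basic.get(privilege, State.UNDEFINED)
        if state is not State.UNDEFINED:
            return state
        # 3. Undefined inherits from the parent group; with no parent it is denied.
        #    Assumption: the parent is evaluated for the same partition.
        if self.parent is None:
            return State.DENY
        return self.parent.effective(privilege, partition)


def build_example() -> tuple[Principal, Principal]:
    """Constructed sample: an 'Operators' group and a user 'alice' inside it."""
    operators = Principal("Operators")
    operators.apply_template(["View cameras", "View events"])  # template adds
    operators.set_basic("Delete cameras", State.DENY)
    alice = Principal("alice", parent=operators)
    alice.set_basic("Export video", State.ALLOW)
    # Exception: in the constructed 'Lobby' partition, alice may not view cameras.
    alice.add_exception("Lobby", "View cameras", State.DENY)
    return operators, alice


if __name__ == "__main__":
    _, alice = build_example()
    for priv in ["View cameras", "View events", "Export video",
                 "Delete cameras", "Modify cameras"]:
        print(f"{priv:15} default={alice.effective(priv).value:9} "
              f"Lobby={alice.effective(priv, 'Lobby').value}")
```

Running the script prints, for each constructed privilege, the state alice ends up with by default and inside the Lobby partition. The useful point for an audit is step 3 of `effective`: a privilege left Undefined all the way up the hierarchy is a denial, so a user's real access depends on every group above them, not only on their own Privileges tab.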