Restricting user privileges (Advanced) - Security Center 5.11

Security Center Hardening Guide 5.11

Applies to
Security Center 5.11
Last updated
2022-10-12
Content type
Guides > Administrator guides
Language
English (United States)
Product
Security Center
Version
5.11

For security purposes, individual users should be assigned the minimum required privileges. Security Center features many templates with predefined sets of privileges, such as Operator, Investigator, Supervisor, and so on.

What you should know

Users have a set of basic privileges that are granted to them, or inherited from parent user groups. They also have a set of privileges for every partition in which they are an authorized user. Privileges granted or denied at the partition level replace the basic privileges.
Best Practice: Individual users should only have the minimum required privileges. When assigning privileges, Security Center offers templates with predefined sets of privileges that can be applied to users or groups.

To help you better understand what your users can do, Security Center includes a Privilege troubleshooter. Use the troubleshooter to verify access rights and help you fix issues.

Procedure

  1. From the Config Tool home page, open the User management task.
  2. Select the user to configure, and click the Privileges tab.
  3. Use one of the predefined privilege configurations as your starting point.
    At the bottom of the page, click (), and select one of the following:
    Apply template
    Select one of the privilege templates to apply.

    Privilege templates can be combined. This means that when you apply a privilege template, you always add privileges. Existing privileges can never be removed as a result of applying a privilege template. To start with a clean slate, go to the top of the privilege hierarchy (All privileges) and click Undefined.

    Set configuration to read-only
    Set all entity configuration privileges found under the Administrative privileges group to View properties with Modify properties denied.
    Set configuration to read-write
    Set all entity configuration privileges found under the Administrative privileges group to View, Modify, Add, and Delete.
  4. Fine tune the user privileges by changing the individual privilege settings if necessary.
    Keep in mind that if your user has a parent user group, the privilege inheritance rules apply.
    Allow
    Grant the privilege to the user. You cannot select this option if the privilege is denied to the parent user group.
    Deny
    Deny the privilege to the user.
    Undefined
    Inherit this privilege from the parent user group. If there is not parent user group, this privilege is denied.
  5. If necessary, configure the privilege exceptions for each partition the user has access to.
    1. At the bottom of the page, click Exceptions ().
      The Privilege exception dialog box opens.
    2. In the Create an exception for drop-down list, select a partition.
    3. Change the user's basic privileges as required.
    4. Click Create.
      The privilege exceptions are added at the bottom of the privilege list.
  6. Click Apply.
  7. (Optional) Allow the user to move entities from one partition to another to which they have access.

    If you do not want to grant the full Add and Delete privileges to the user but still want to allow them to move entities between partitions, enable the Manage partition memberships option as follows.

    1. Click the Advanced tab.
    2. Enable the Manage partition memberships option.
      If necessary, switch Inherit from parent to Override to change this setting.
    3. Click Apply.
    NOTE: When you grant All privileges to a user, the Manage partition memberships option is also enabled. However, if you disable the Manage partition memberships option, it does not affect the other privileges the user has.