3.1 Understanding User Security

Since both the AppManager repository and Control Center repository are SQL Server databases, AppManager security relies on SQL Server security. Every user who needs access to the Operator Console or Control Center console must have a valid SQL Server login name and password for the SQL Server where the AppManager repository or the Control Center repository database is running. The creation and authentication of the SQL Server login accounts at connection time depends on the SQL Server security mode you use.

Control Center console users also need access to the QDBs that connect to the Control Center repository. Regardless of the authentication method, Control Center users cannot access a QDB if they are not added as a user in the QDB.

By default, Control Center console users are granted Read Only permissions for every QDB you register them with in the Control Center console. However, depending on the tasks a user needs to perform in the Control Center console, you may need to modify the permissions the user has on the primary QDB. You need to make these modifications using Security Manager. For more information about defining security for the Control Center console, see Managing Control Center Security.

3.1.1 Using Windows Authentication Security

If you use Windows-only authentication, use Windows administrative tools to create and manage user and group accounts, and then use the Control Center console to map those groups and users to SQL Server logins. A SQL Server login can be mapped to either a Windows group or a Windows user.

For more information, see Adding a Control Center User.

3.1.2 Using Mixed Mode Security

If you are using mixed mode security, you can create and maintain SQL Server login accounts independently of any Windows accounts or groups. With this mode, you can manage login accounts through SQL Server and authorize which accounts should have access to the AppManager Operator Console or Control Center console. You can also create new SQL Server logins with access to an AppManager repository or Control Center repository using the AppManager Security Manager or the Control Center console.

NOTE: You must be a SQL Server administrator to create SQL Server logins using Security Manager or the Control Center console.

If you are using mixed mode security, inform users whether they should use Windows authentication or SQL Server authentication to log on to an AppManager or Control Center repository, depending on how you configured the account.

3.1.3 Managing Users with Windows Groups

In addition to understanding SQL Server security modes, you should also consider using Windows groups to manage user accounts most effectively. You can create groups using standard Windows administrative tools, then map an entire group to a single SQL Server login. When you have created the SQL Server login for the group, all privileges assigned to that login through SQL Server and AppManager apply to all of the member user accounts within that Windows group.

Once you grant the SQL Server login account permission to access the AppManager repository, you can use Security Manager or the Control Center console to add the group account as a new AppManager user.

Although it is common for a user to belong to more than one Windows group, you should avoid this when using Windows groups for AppManager users. If a user belongs to more than one Windows group that is mapped to a SQL Server login account and added to AppManager, maintaining security can become difficult. For example, if the user SPeters belongs to two Windows groups, ExchAdmins and JrAdmins, that have been given different privileges or assigned different AppManager roles, the user may have unexpected or conflicting rights or restrictions.

The best way to ensure consistency and manageability is to create new Windows groups specifically for each Security Manager role or Control Center user group you plan to define. Using Security Manager, you can specify the individual functional rights for viewing information and performing tasks you want available for each role. For example, if there are two AppManager roles available, Read-Only User and SrAdmin, you can create two corresponding Windows groups called AppManager ReadOnly and AppManager Senior Admins and assign the corresponding role to each group of users. Using the Control Center console, you can define user groups and then add the Windows groups to the Control Center user groups. You then assign user groups and permission sets to management groups to define security for the Control Center console. For more information about managing security using the Control Center console, see Managing Control Center Security and Adding a Control Center User.
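The following T-SQL script is an added example, not part of the AppManager documentation, that walks through the two security modes described in 3.1.2 and the group-to-login mapping described in 3.1.3 with standard SQL Server statements only. It assumes a domain named CORP, the two Windows groups from the example above, a repository database named QDB (the AppManager default), and a placeholder password; the AppManager role assignment itself (Read-Only User, SrAdmin) is still done in Security Manager or the Control Center console and is not shown here.

```sql
-- Added example (not from the AppManager documentation): map Windows groups
-- and a SQL Server login to repository database users and verify the result.
-- Assumptions: domain CORP, repository database QDB, group names taken from
-- the guide's example, placeholder password. AppManager roles are assigned
-- in Security Manager / Control Center, not by this script.

-- 1. Check which security mode the instance is running.
--    1 = Windows-only authentication, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsOnlyAuth;

-- 2. Windows authentication: one login per Windows group. Every member of
--    the group inherits whatever the login is granted.
USE master;
CREATE LOGIN [CORP\AppManager ReadOnly]      FROM WINDOWS;
CREATE LOGIN [CORP\AppManager Senior Admins] FROM WINDOWS;

-- 3. Mixed mode only: a SQL Server login that exists independently of any
--    Windows account. The password below is a placeholder; CHECK_POLICY and
--    CHECK_EXPIRATION apply the Windows password policy to the SQL login.
CREATE LOGIN am_operator WITH PASSWORD = '<strong password here>',
    CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. A login alone is not enough: each login must also be added as a user
--    in the repository database, or the account cannot reach that QDB
--    regardless of how it authenticated.
USE QDB;
CREATE USER [CORP\AppManager ReadOnly]      FOR LOGIN [CORP\AppManager ReadOnly];
CREATE USER [CORP\AppManager Senior Admins] FOR LOGIN [CORP\AppManager Senior Admins];
CREATE USER am_operator                      FOR LOGIN am_operator;

-- 5. Verify the mapping at both levels. A group login shows
--    type_desc = WINDOWS_GROUP; a SQL login shows SQL_LOGIN.
SELECT name, type_desc, is_disabled
FROM   sys.server_principals
WHERE  name IN ('CORP\AppManager ReadOnly',
                'CORP\AppManager Senior Admins',
                'am_operator');

SELECT dp.name AS db_user, sp.name AS login_name, dp.type_desc
FROM   sys.database_principals AS dp
JOIN   sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE  dp.name IN ('CORP\AppManager ReadOnly',
                   'CORP\AppManager Senior Admins',
                   'am_operator');

-- 6. Check for the overlap the guide warns about: an account that belongs
--    to more than one mapped Windows group. xp_logininfo with 'members'
--    lists each group's members (requires sysadmin and reachable AD);
--    any account appearing in both lists has potentially conflicting rights.
EXEC xp_logininfo @acctname = 'CORP\AppManager ReadOnly',      @option = 'members';
EXEC xp_logininfo @acctname = 'CORP\AppManager Senior Admins', @option = 'members';
```

Steps 2 and 3 are alternatives that depend on the security mode reported in step 1; on a Windows-only instance, step 3 fails because SQL Server logins cannot be used to connect. Step 6 is the practical check for the multiple-membership problem: compare the two member lists and move any account that appears in both into a single group before assigning roles.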

NOTE: In creating Windows user accounts and groups to access AppManager, you need to consider that specific privileges may be required to perform certain tasks. For example, any Windows user account or group that is used to log on to the Operator Console must be granted Write permission for the NetIQ\AppManager\bin\cache folder.