3.2 Managing Control Center Security

You use the Control Center console to manage security for the Control Center repository. This section describes how you use the Control Center console to configure security.

The Control Center administrator controls user access to the Control Center console and the operations that users can perform. The administrator configures Control Center security in conjunction with standard Windows and SQL Server login account management. For more information about Windows and mixed mode authentication, see Using Windows Authentication Security and Using Mixed Mode Security.

NOTE: Members of the Control Center Administrator group have the sysadmin server role on the SQL Server that hosts the Control Center repository. If the same SQL Server hosts the primary QDB, members of the Administrator group also have the sysadmin server role on the QDB.

3.2.1 Configuring Control Center Permissions

To configure security permissions in Control Center, you must add users and user groups, define permission sets, and then assign the user groups and permission sets to management groups. You must be a member of the Control Center Administrator group to modify the members of a user group or modify permission sets, but you do not have to be an administrator to assign user groups and permission sets to management groups.

Most organizations start with a few administrative users and add specialized user groups and permission sets over time. Initially, NetIQ Corporation recommends allowing only expert-level administrators to perform most tasks and limiting access to the Control Center console to a small number of people until you firmly establish user groups and permission sets that suit your organization. After your production environment is stable and you refine threshold settings, job properties, event-handling, and data-handling policies to meet your organization’s needs, you might want to grant more operators and administrators access to the Control Center console.

In general, after you create the user groups and permissions sets appropriate to your organization, there is very little account maintenance required for managing user accounts.

To configure Control Center permissions:

  1. Add Control Center users. For more information, see Adding a Control Center User.

  2. Create or choose an existing user group and add the users to a group. For more information, see Creating, Copying, Modifying, or Removing a User Group.

  3. Create or use an existing permission set. For more information, see Creating, Copying, Modifying, or Removing a Permission Set.

  4. Associate a user group with a permission set and a management group. For more information, see Granting and Removing Access to Management Groups.

3.2.2 Understanding Default User Groups

The Control Center console includes a set of default user groups you can use, modify, copy, or remove to help implement security for the console. The default user groups include the following:

  • Administrator

    You cannot copy or delete the Administrator group. For more information about this group, see Understanding the Administrator Group.

  • Executives and Stakeholders

  • NOC Tier 1

  • NOC Tier 2

  • Trusted Application Admins

  • Trusted Application Owners

For information about modifying, copying, or removing user groups, see Creating, Copying, Modifying, or Removing a User Group.

Understanding the Administrator Group

Control Center includes a predefined Administrator user group. Only members of the Administrator user group can:

  • Manage Control Center security, including adding and removing Control Center users and configuring user groups and permission sets.

  • Configure the QDBs that Control Center manages, including adding and removing a QDB.

  • Configure Control Center preferences under Options on the Main tab.

  • View Control Center commands in the Queue Manager.

  • View AppManager license information under View Licenses on the Global Tasks tab.

Control Center users who belong to the Administrator user group have full access to Control Center, including all management groups. The Administrator user group does not need to be associated with any management groups or permission sets in order to grant its members access and privileges in the Control Center console.

By default, the command queue service account that you entered during installation and the netiq account belong to the Administrator user group.

When you add a user to the Control Center Administrator user group, Control Center automatically adds the user to the Microsoft SQL Server System Administrators (sysadmin) server role. Therefore, you should restrict the members of the Administrator group to users you want to belong to the Microsoft SQL Server System Administrators server role. After you remove a user from the Control Center Administrator group, Control Center automatically removes the user from the Microsoft SQL Server System Administrators server role.

3.2.3 Understanding Types of Permissions for Control Center

You can set four types of permissions in Control Center. Three of these pertain to operational permissions and the fourth pertains to Knowledge Scripts:

  • Operational permissions.

    • Deployment permissions. These permissions allow you to perform tasks specific to remote deployment.

    • General permissions. These permissions allow you to add computers to the Control Center repository.

    • Management group and view permissions. These permissions allow you to perform tasks specific to management groups.

  • Knowledge Script permissions. These permissions determine which Knowledge Scripts can be used according to Knowledge Script category.

You can view a complete list of the permissions in the Control Center console.

To view the complete permission list:

  1. On the Global Tasks tab, click Manage Security.

  2. Click Permission Sets, and then click AppManager Administrator.

  3. Click Modify, and then click the tabs to view the permissions.

3.2.4 Understanding Permission Sets

A permission set is a collection of operational and Knowledge Script permissions that defines a group of activities that can be performed and Knowledge Scripts that can be used in the Control Center console. To apply a permission set, you associate the permission set with a user group and a management group. Users belonging to that particular user group can perform the activities that you define in the permission set for the associated management group. You can associate the same user group with different permission sets for different management groups. For more information about applying permission sets, see Granting and Removing Access to Management Groups.

The Control Center Console has a default set of permission sets. You can use these permission sets, copy or modify them to develop your own permission sets, or delete them if they do not meet your requirements. The default permission sets are:

  • AppManager Administrator

  • Deny Management Group Access

  • Event Operation

  • Management Group Administration

  • Monitoring Administration

  • Monitoring Operation

  • Read Only

You can view details about the specific operational permissions granted in the default permission sets in the Control Center console.

To view details for the default permission sets:

  1. On the Global Tasks tab, click Manage Security.

  2. Click Permission Sets, and then click the permission set you want to view.

  3. Click Modify, and then click the tabs to view the permissions.

Understanding Granted, Not Granted, and Denied

The same user can belong to more than one user group. Should this be the case, the most restrictive set of permissions is applied by combining the permissions with a logical OR. For example, if the same user is a member of two user groups associated with the same management group but with different permission sets, and is granted rights in one permission set but denied the same rights in the other permission set, then the rights are denied. If a permission is undefined (neither granted nor denied) for the same user in two different user groups, then the permission is denied. If a permission is granted for one user group and either undefined or granted in another group for the same user, then the permission is granted.

Understanding Global Permissions

A global permission set is a permission set associated with a specific user group that applies to all management groups managed by the Control Center console. Since global permissions apply to all management groups, they do not depend on association with a specific management group to take effect.

You can use global permissions to set a common or base set of permissions for a user group for your entire environment. You can then refine these permissions by applying specific permission sets for the same user group to individual management groups.

The Control Center console applies any global permissions and any permissions specific to a management group to determine the security context for any objects in a management group. Control Center applies any global permissions and any permissions assigned to the management group in the following order:

  • If an operational or Knowledge Script permission is denied either globally or for a management group, the permission is denied.

  • If an operational or Knowledge Script permission is granted either globally or for a management group, the permission is granted.

  • If an operational or Knowledge Script permission is neither granted nor denied, the permission is denied.

The Control Center console provides a default set of global permissions:

  User Group Name               Permission Set Name
  Executives & Stakeholders     Read Only
  NOC Tier 1                    Event Operation
  NOC Tier 2                    Monitoring Operation
  Trusted Application Admins    Monitoring Administration
  Trusted Application Owners    Management Group Administration

For more information, see Setting Global Permissions.

Understanding Permission Inheritance

Permissions assigned to a management group are inherited by any children of that management group, so any user group assigned to the management group will have the same permissions on any children of the management group. You do not need to assign user groups or permission sets individually on each child management group.

If a user group has a global permission set assigned to it and the permission set includes management group permissions, members of the user group will have those permissions on all management groups and child management groups associated with the user group.

3.2.5 Adding a Control Center User

To add a Control Center user, you must be a member of the default Administrator user group in Control Center. You can import Windows user or group accounts, create new SQL Server logins, or add existing SQL Server logins.

Importing Windows Users and User Groups into Control Center

You can import Windows users and user groups into the Control Center repository from the following domains:

  • Local system domain. You can import all the users and groups that are added in your local system domain.

  • Local domain. You can import users and groups from network domains that are available within your local area network.

  • One-way trust domain. You can import users and groups from another domain with which your domain has a one-way trust relationship.

    To import user groups from the trusted domain, log in as the Administrator user of the trusted domain.

    You can import user groups from trusted domains in the same forest if the groups are either global or universal.

Before you import a user group, ensure that all group members have access to SQL Server.

The import process adds the users to the SQL Server and gives the user or group the required permissions in the Control Center repository. You do not need to manually grant permissions on the SQL Server.

To import users or user groups into Control Center:

  1. On the Global Tasks tab, click Manage Security, and then click the Users or User Groups tab.

  2. Click Import, and then click Import again.

  3. Click Locations, and then select the domain from which you want to import users or user groups.

  4. Click Advanced, and then click Find Now.

  5. Select the users or groups you want to add to Control Center, and then click OK.

    You can select multiple users or groups.

  6. Select the QDBs where you want to register the user or group, and then click OK.

    This permits the users to manage the QDBs.

The Manage Security dialog box displays the user or group names along with their respective domains, and the user type displays Windows User. For example, if you import User1 from domain A and User2 from domain B, the Manage Security dialog box displays the user names as A\User1 and B\User2.

NOTE: Windows users who have already logged in to Control Center with a particular set of permissions can continue to perform all of their assigned activities even if you delete the user account from the domain. Control Center denies access to such users only when they log out and try to log on to the Control Center console again.

Adding or Creating SQL Users in Control Center

You can create new SQL Server logins or add existing SQL Server logins. If you enabled FIPS-compliant security in the Control Center console, you cannot create SQL Server logins using Security Manager.

To create or add a SQL Server login:

  1. On the Global Tasks tab, click Manage Security.

  2. Click Users, and then click Create New.

  3. Provide the following information:

    Field: User Name
    Action: Specify a new or existing SQL login name.

    NOTE:

    • You cannot specify login names with certain special characters, including: \ / * ? : < > | "

    • You can specify a case-sensitive user name in a case-sensitive SQL Server environment.

    Field: Password
    Action: Specify the password of the SQL user account. If the account does not exist, it is created in the Control Center repository and is given public and CC_public permission in the Control Center repository.

    When you use the Control Center console to create a new SQL user account:

    • Ensure the login name for the user account is less than 29 characters and the password is less than 32 characters. If the user name or password is too long, it is truncated and you cannot log in to the Control Center console.

    • If the SQL Server is case-sensitive, do not create the same user name with a different capitalization.

    • If your database has a strong password policy, make sure the password meets your policy.

    • If you add an existing SQL user, specify the same password that the SQL user uses to log in to the SQL Server.

    Field: Register users with the selected repositories
    Action: Select the QDBs you want the user to be able to manage. If you do not register a SQL login with a QDB when you first create the account, you cannot register the account with a QDB later using the Control Center console. You must use SQL Server Management Studio to give the SQL login proper permissions for a QDB.

3.2.6 Creating, Copying, Modifying, or Removing a User Group

You can create a Control Center user group that contains local or domain Windows user accounts or SQL Server logins. You can create a user group and add SQL Server logins to the group and you can import Windows users and groups. A user can belong to more than one user group.

You can create new user groups by copying an existing user group and modifying it. When you copy a user group, all the members of the original user group are added to the duplicate user group. If you copy a Windows user group, Control Center creates a new user group in Control Center but not in the Active Directory. You cannot copy the Administrator user group.

You can modify an existing user group to add or remove users from the group or change the name or description of the group. You can only change user groups you created in the Control Center console. To modify user groups you imported from Windows, use administrative tools for Active Directory.

Removing a user group from the Control Center console prevents group members from logging in to the console. However, the group still has Operator Console access on each QDB if you configured this access. You cannot use the Control Center console to remove a Windows user group from the Active Directory. If you are removing all members of a user group from the Control Center console, NetIQ Corporation recommends deleting all members of the group before you delete the user group.

To create, copy, modify, or remove a user group:

  1. On the Global Tasks tab, click Manage Security, and then click User Groups.

  2. Complete the appropriate action:

    To create a user group:

    1. Click Create New, provide the required information, and then click Add.

    2. Select the users you want to add to the group, and then click OK.

    To copy or modify a user group:

    1. Select the desired user group, and then click Copy or Modify.

    2. Make your changes, and then click OK.

    To remove a user group:

    Select the user group you want to remove, and then click Delete.

3.2.7 Creating, Copying, Modifying, or Removing a Permission Set

You can associate user groups with permission sets when you create a management group and define the security of the management group. You can also directly associate user groups with permission sets as global permissions. For more information, see Setting Global Permissions.

You can create new permission sets based on a copy of an existing permission set.

You can delete unused permission sets. If the permission set is associated with a management group or with a user group as a set of global permissions, you cannot delete the permission set.

To create, copy, modify, or remove a permission set:

  1. On the Global Tasks tab, click Manage Security, and then click Permission Sets.

  2. In the Manage Security dialog box, click Permission Sets, and then click Create New.

  3. Complete the appropriate action:

    To create a permission set:

    Click Create New, provide the required information, and then click OK.

    Double-click a permission to deny it. If you do not want to grant or deny a permission, do not click it.

    To copy or modify a permission set:

    1. Select the desired permission set, and then click Make Copy or Modify.

    2. Make your changes, and then click OK.

    To remove a permission set:

    Select the permission set you want to remove, and then click Delete.

3.2.8 Setting Global Permissions

Global permissions are permission sets that apply to specific user groups for all management groups in the Control Center console. For more information about global permissions, see Understanding Global Permissions.

To create, modify, or remove a global permission set:

  1. On the Global Tasks tab of the ribbon, click Manage Security.

  2. In the Manage Security dialog box, click the Global permissions tab.

  3. (Conditional) If you want to create or modify a global permission set:

    1. Select the user group for which you want to assign a global permission set, and then click Assign.

    2. In the Assign Permissions dialog box, select a permission set from the Permission Set list, and then click OK.

  4. (Conditional) If you want to remove a global permission set, select the user group you want, and then click Remove.

  5. Click Close.

3.2.9 Granting and Removing Access to Management Groups

Control Center users must be given permission to access a management group. You must be a member of the Control Center Administrator group to modify the members of a user group or modify permission sets, but you do not have to be an administrator to assign user groups and permission sets to management groups.

You can configure each management group to give one or more user groups permissions to objects in the management group. The permission set that you associate with each user group determines what the members of the user groups can do with objects in the assigned management group.

AppManager users may be members in more than one user group assigned to a management group. If this is the case, the resulting set of permissions is based on combining all the applicable permission sets with a logical OR to produce the most restrictive permissions. That is, if a permission is denied in any permission set it is denied even if it is granted in another permission set. If a permission is neither granted nor denied in all the permission sets, the permission is denied.

If you assign a user group and a permission set to a management group and that user group also has a global permission set defined, the resultant set of permissions is also determined by combining the permissions with a logical OR to produce the most restrictive permissions. For more information about global permission sets, see Understanding Global Permissions.

You can only assign one permission set at a time to a user group for a management group. You can assign the same user group to a management group more than once with different permission sets. However, if you do this the resultant set of permissions for the members of the user group is the result of a logical OR of all the permissions defined across all associated permission sets to produce the most restrictive set of permissions.

You can organize management groups into a hierarchy, and permissions you assign to the top-level management group in the hierarchy are inherited by the children of that top-level management group. For more information about permission inheritance, see Understanding Permission Inheritance.
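The combination rules above (a deny in any applicable permission set wins, otherwise a grant wins, otherwise the permission is denied), together with global permission sets and parent-to-child inheritance, worked through as an added Python model. This is not NetIQ's code: the user group and permission set names are the defaults named in this section, while the permission names, users, group contents and management groups are constructed for the example.

```python
from enum import Enum


class Perm(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    # A permission absent from a permission set is undefined ("not granted").


class ControlCenterSecurity:
    """Model of the permission rules described in this section (not NetIQ's code)."""

    def __init__(self):
        self.permission_sets = {}  # set name -> {permission name: Perm}
        self.user_groups = {}      # user group -> set of user names
        self.global_perms = {}     # user group -> [permission set names]
        self.mg_parent = {}        # management group -> parent name (None = top level)
        self.mg_assignments = {}   # management group -> [(user group, permission set)]

    def add_management_group(self, name, parent=None):
        self.mg_parent[name] = parent
        self.mg_assignments[name] = []

    def assign(self, mg, user_group, permission_set):
        # The same user group may be assigned more than once with different sets.
        self.mg_assignments[mg].append((user_group, permission_set))

    def lineage(self, mg):
        """The management group followed by its ancestors: assignments on any of
        these apply, because a child inherits its parent's assignments."""
        chain = []
        while mg is not None:
            chain.append(mg)
            mg = self.mg_parent[mg]
        return chain

    def applicable_sets(self, user, mg):
        """Global sets of every user group the user belongs to, plus sets assigned
        to those groups on `mg` or on any ancestor of `mg`."""
        groups = {g for g, members in self.user_groups.items() if user in members}
        sets = [ps for g in groups for ps in self.global_perms.get(g, [])]
        for node in self.lineage(mg):
            sets += [ps for g, ps in self.mg_assignments[node] if g in groups]
        return sets

    def is_allowed(self, user, mg, permission):
        """A deny anywhere wins; otherwise a grant anywhere wins; otherwise denied."""
        states = [self.permission_sets[ps].get(permission)
                  for ps in self.applicable_sets(user, mg)]
        if Perm.DENIED in states:
            return False
        return Perm.GRANTED in states


def build_sample():
    """Constructed sample: default group and permission set names from the page,
    with made-up permission names, members and management groups."""
    cc = ControlCenterSecurity()
    g, d = Perm.GRANTED, Perm.DENIED
    cc.permission_sets = {
        "Read Only": {"View Events": g},
        "Event Operation": {"View Events": g, "Acknowledge Event": g},
        "Monitoring Operation": {"View Events": g, "Acknowledge Event": g, "Start Job": g},
        "Deny Management Group Access": {"View Events": d, "Acknowledge Event": d, "Start Job": d},
    }
    cc.user_groups = {"NOC Tier 1": {"bob"}, "NOC Tier 2": {"alice", "bob"},
                      "Executives & Stakeholders": {"carol"}}
    cc.global_perms = {"NOC Tier 1": ["Event Operation"], "NOC Tier 2": ["Monitoring Operation"],
                       "Executives & Stakeholders": ["Read Only"]}
    cc.add_management_group("Production")
    cc.add_management_group("Production Web", parent="Production")
    cc.add_management_group("Lab")
    # Executives get event operation on Production; the Production Web child inherits it.
    cc.assign("Production", "Executives & Stakeholders", "Event Operation")
    # NOC Tier 1 is locked out of the web tier: this deny overrides bob's Tier 2 grant.
    cc.assign("Production Web", "NOC Tier 1", "Deny Management Group Access")
    return cc
```

With the sample, bob (a member of both NOC tiers) can start jobs in Production and Lab but not in Production Web, and carol's inherited Event Operation grant stops at the Production hierarchy.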

To grant or remove access to a management group:

  1. Right-click the management group in the Enterprise Layout pane and choose Management Group Properties > Security.

  2. (Conditional) If you want to grant access:

    1. Click Add.

    2. In the Assign Permissions dialog box, select a user group from the User Group list.

    3. Select a permission set from the Permission Set list.

      NOTE: You also have the option to modify an existing permission set by clicking Modify or creating a new permission set by clicking Create New.

    4. Click OK.

  3. (Conditional) If you want to remove access, select the user group you want to remove, and then click Remove.

If you want to change the permission set associated with a user group, you must first remove the user group and then add it back with the permission set you want.

3.2.10 Understanding the Interaction Between Control Center Console and Operator Console Security

Permissions in the Control Center console depend on user group, permission set, and management group assignments in the Control Center console as well as role assignments in Security Manager. In some instances, the permissions a Control Center console user has for a specific AppManager repository are limited by the permissions granted to that same user by Security Manager, regardless of the permissions they are granted in the Control Center console. The permissions granted a Control Center console user apply on a repository by repository basis. If a Control Center console is managing more than one AppManager repository, user permissions may need to be set for each repository in Security Manager.

By default, when you add a user in the Control Center console and register the user with one or more AppManager repositories, that user is granted Read Only permissions in Security Manager for each repository. This is true for both Windows users and SQL login accounts. In most cases Read Only permissions in Security Manager are adequate for any task a Control Center user might perform other than those performed by Control Center administrators.

In some instances, you may need to configure permissions in Control Center that require more than Read Only and less than full Administrator permissions in Security Manager. The following list indicates tasks in Control Center that require more than Read Only permissions in Security Manager:

Check in Knowledge Scripts

To check Knowledge Scripts into an AppManager repository, a Control Center console user requires the Check In a Knowledge Script functional right assigned to them in Security Manager either through a custom role or by assigning the user to the Standard User role. This permission only needs to be set on the primary AppManager repository. Knowledge Script synchronization handles the replication of the new Knowledge Script to any secondary repositories.

Create Job

To create jobs on managed resources, a Control Center user requires the Check In a Knowledge Script functional right on any AppManager repository where the user wants to create jobs.

Create a Knowledge Script Group

To create a Knowledge Script Group in Control Center, the user requires the Administrator role in Security Manager on the primary AppManager repository.

Copy a Knowledge Script or Knowledge Script Group

To copy a Knowledge Script or a Knowledge Script Group in Control Center, the user requires the Administrator role in Security Manager on the primary AppManager repository.

Modify a Knowledge Script Group

To modify a Knowledge Script Group, such as removing Knowledge Scripts from a group, the user requires the Administrator role in Security Manager on the primary AppManager repository.

The restriction of permissions in the Control Center console based on an assigned role in the Operator Console does not apply to any user added to the default AppManager Administrator group in the Control Center console. Members of this group are granted the sysadmin role in SQL Server on any AppManager repository managed by the Control Center console. The sysadmin role overrides any limitations set by Operator Console roles on an AppManager repository. For more information about the Administrator group in the Control Center console, see Understanding the Administrator Group.