3.6 Managing Permissions

Permissions control activities that a console user can perform through Secure Configuration Manager. You can assign permissions to run a report, perform an action, or maintain security checks and task suites. You can also assign permissions to run individual task suites or categories of task suites. Permissions also let you allow or deny access to specific Secure Configuration Manager features.

To quickly and easily assign permissions, consider grouping permissions into roles. Roles let you assign a set of permissions that represent a particular job function while enforcing consistent console security. For more information, see Section 3.5, Managing Roles.

NOTE: Each console user requires the Access IT Assets permission to run reports or perform actions on endpoints in your asset map.

You can specify permissions according to the type of tasks you expect a role or console user to perform. For example, if a role performs one or more tasks, specify the All Tasks permission. If the user prints reports, specify the Reports Only permission. Refer to the following table when allowing or denying permissions from the list of actions, activities, and reports.

| To assign these permissions ... | Complete the following steps ... |
|---|---|
| Allow selected permissions on all endpoints | Under All Endpoints, click Allow for All. |
| Allow selected permissions on individual endpoints | Click Assign Individual Permissions, select Endpoints, and then click Allow for each endpoint. |
| Allow selected permissions on individual groups | Click Assign Individual Permissions, select Groups, and then click Allow for each group. |
| Deny selected permissions on all endpoints | Under All Endpoints, click Deny for All. |
| Deny selected permissions on individual endpoints | Click Assign Individual Permissions, select Endpoints, and then click Deny for each endpoint. |
| Deny selected permissions on individual groups | Click Assign Individual Permissions, select Groups, and then click Deny for each group. |

You can verify how Secure Configuration Manager applies the selected permissions by clicking Show Effective Permissions. For more information, see Section 3.6.1, Resolving Permission Conflicts and Inheritance. Be aware that permissions explicitly assigned to a console user can override permissions implicitly granted through roles.

3.6.1 Resolving Permission Conflicts and Inheritance

Console users receive permissions from assigned roles as well as individual permissions you explicitly allow or deny. When a console user attempts to run a policy template or task suite, Secure Configuration Manager checks the roles and permissions assigned to the account. Permissions explicitly assigned to a console user override permissions implicitly granted through roles.

As you assign multiple roles or explicitly grant multiple permissions to a console user, conflicts can occur. You can verify how Secure Configuration Manager applies assigned permissions by reviewing the effective permissions for each user and role. Effective permissions represent the permissions in effect for the console user, as well as any permissions inherited from assigned console roles. For more information about changing permissions, see Section 3.6.2, Modifying Permission Assignments, and the Help.

NOTE:

  • If you assign permissions to a group of endpoints, and then later add a child group, Secure Configuration Manager applies those permissions to the endpoints in the child group.

  • If you assign permissions to one or more activities in a category, and then later assign additional permissions to the entire category, Secure Configuration Manager applies both sets of permissions. If the permissions assigned to the category conflict with the permissions assigned to the activities, Secure Configuration Manager applies the permissions assigned to the category.

The following table shows how Secure Configuration Manager applies permissions in response to particular permission settings. Use this table to help you identify and resolve permission conflicts and inheritance.

| If you assign ... | Secure Configuration Manager applies as ... |
|---|---|
| No permissions | Deny |
| One or more permissions that allow the same activity | Allow |
| One or more permissions that deny the same activity | Deny |
| One permission that allows the activity and another permission that denies the same activity | Deny |
| One or more permissions set on a category of tasks, reports, or actions | Allow or deny each task, report, or action in the category |
| One or more permissions set on a group of endpoints | Allow or deny activities for each endpoint in the group |
| One or more permissions set on a group of endpoints that contains another group | Allow or deny activities for each endpoint in the parent group |
| Conflicting permissions set on two or more groups that contain the same endpoint | Deny |
| Two or more roles that contain conflicting permissions for the same activity | Deny |
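The resolution rules in the note and table above, modeled as an added Python example; this is not Secure Configuration Manager code. The Grant type, the sample group, endpoint and activity names, and the choice to consult explicit user grants before role grants are assumptions made for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Grant:
    effect: str   # ALLOW or DENY
    target: str   # an activity name or a category name
    scope: str    # an endpoint, a group, or "*" for All Endpoints

# Constructed sample asset map and activity catalogue (not product data).
GROUP_PARENT = {"db-servers": "servers"}            # child group -> parent group
ENDPOINT_GROUPS = {"db01": {"db-servers"}, "web01": {"servers", "dmz"}}
CATEGORY_OF = {"Password Report": "Reports", "Restart Agent": "Actions"}

def scopes_for(endpoint):
    """Every scope whose grants reach this endpoint, including parent groups."""
    scopes = {"*", endpoint}
    for group in ENDPOINT_GROUPS.get(endpoint, ()):
        while group:
            scopes.add(group)
            group = GROUP_PARENT.get(group)
    return scopes

def decide(grants, activity, endpoint):
    """Resolve one set of grants; None means no grant applies."""
    scopes = scopes_for(endpoint)
    hits = [g for g in grants if g.scope in scopes]
    by_category = [g.effect for g in hits if g.target == CATEGORY_OF.get(activity)]
    by_activity = [g.effect for g in hits if g.target == activity]
    effects = by_category or by_activity   # category setting wins a conflict
    if not effects:
        return None
    return DENY if DENY in effects else ALLOW   # any deny beats any allow

def effective(user_grants, roles, activity, endpoint):
    """Explicit user grants first, then role grants, otherwise Deny."""
    explicit = decide(user_grants, activity, endpoint)
    if explicit:
        return explicit
    inherited = decide([g for role in roles for g in role], activity, endpoint)
    return inherited or DENY
```

A model like this is useful for predicting the outcome of a planned role change before comparing it with what Show Effective Permissions reports in the console.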

3.6.2 Modifying Permission Assignments

You can add or remove permission assignments from console users and roles. For more information, see Section 3.7.3, Assigning Permissions to a Console User, and Section 3.5.2, Creating, Modifying, and Deleting Roles.