3.5 Managing Roles

A role is a set of permissions that controls access to specific Secure Configuration Manager features. You can use roles to allow or deny a console user the ability to perform particular actions or run particular reports. A role allows you to quickly and easily assign permissions related to a specific job function or workflow, such as auditing all UNIX servers. You can use a single role multiple times by assigning the role to different console users. This approach ensures consistent application of permissions, enforcing the same level of security across your organization. Likewise, when you update the role, all assigned console users automatically receive the same change.

3.5.1 Default Roles

Secure Configuration Manager provides several default roles that allow you to quickly and easily set up your system administrators. These default roles include the following administrator and platform-specific roles:

Administrators

Provides administrative rights to any console user assigned this role. Assign this role to console users responsible for Secure Configuration Manager configuration and security activities, such as creating policy templates and setting console passwords. For more information, see Section 3.2.2, Understanding Console Administrators.

NetIQ Auditor

Provides permissions to run all reports across all platforms, agents, and systems. Assign this role to console users responsible for network-wide reporting. This role lets you immediately begin identifying vulnerabilities.

NetIQ Database Legacy Admin

Provides permissions to run all reports and actions on the legacy database platforms. Assign this role to console users who are responsible for database security.

NetIQ Exception Approval Manager

Provides permissions to approve or disapprove security check exceptions created in Secure Configuration Manager. Assign this role to console users who are responsible for approving and disapproving exceptions.

NetIQ Exception Manager

Provides permissions to manage security check exceptions created in Secure Configuration Manager. Assign this role to console users who are responsible for maintaining exceptions.

NetIQ Help Desk

Provides permissions to run all reports and actions related to Help Desk activities. Assign this role to console users who are responsible for Help Desk activities.

NetIQ iSeries Admin

Provides permissions to run all reports and actions on an iSeries platform. Assign this role to console users who are responsible for iSeries security.

NetIQ UNIX Admin

Provides permissions to run all reports and actions on a UNIX platform. Assign this role to console users who are responsible for UNIX security.

NetIQ Windows Admin

Provides permissions to run all reports and actions on a Windows platform. Assign this role to console users who are Domain Admins or are responsible for Windows security.

3.5.2 Creating, Modifying, and Deleting Roles

You can create, modify, and delete custom roles or copy the default NetIQ roles to create new roles. You can also create a new role by copying an existing role. Copying a role provides a quick and easy way to create multiple new roles. For example, you can create a template role that contains particular platform security settings, and then copy this role to ensure consistent settings across multiple roles. You can modify role assignments by adding or removing console users from an existing role. You can also add permissions to a role. Deleting a role removes a set of permissions granted to console users assigned to this role. You can also remove permissions from console users by modifying the role assignments.

When you add a new role in your console security, you must add permissions to the role. By default, most permissions are denied. You can add multiple permissions to a role by allowing or denying access to specific actions, security checks, task suites, and reports in Secure Configuration Manager. For more effective and efficient security settings, ensure that these permissions allow a set of activities that fulfill a particular job function. For more information, see Section 3.6, Managing Permissions.

3.5.3 Assigning Session Limit to Roles

You can limit the maximum number of concurrent web and client console sessions for each user in a role by assigning a Session Limit to the role. You can specify a Session Limit for any role. Users in that role can then launch up to the number of concurrent console and web sessions that the Session Limit allows. The default value of Session Limit is unlimited. If you do not specify the Session Limit for a role, users included in the role can use an unlimited number of concurrent sessions.

When a user who has reached the Session Limit for a specific role launches another session, the user receives a message on the active computer stating that the maximum limit has been reached, and the user must select an option to terminate or keep the oldest session. If the oldest session is not running on the active computer, the oldest session is terminated with a logout message and a new session is launched on the active computer. If the oldest session is running on the same computer, the oldest session is terminated without any logout message and a new session is launched. If the user chooses to keep the oldest session, the user cannot launch a new session.

Session Limit for Users with Multiple Roles

If a user has multiple roles and session limits, the precedence of the session limits is as follows:

  • The Session Limit that has the highest numerical value among the roles is applicable for that user.

    If a user is added to or removed from any role, the Session Limit that has the highest value among the remaining roles is applicable for that user.

  • The highest numeric value of Session Limit takes precedence over the default value. The default value (Unlimited) is not considered in the session limit calculation.
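The following Python model is an added illustration of the Session Limit rules in this section (the precedence rule for users with multiple roles, and what happens when a user at the limit launches another session); it is not Secure Configuration Manager code, and the role-to-limit mapping, host names and session identifiers are constructed sample data.

```python
from dataclasses import dataclass

# Constructed model of the Session Limit rules described in this section.
# None represents the default value "Unlimited".
UNLIMITED = None


def effective_session_limit(role_limits):
    """Effective Session Limit for a user who belongs to several roles.

    The highest numeric value among the user's roles applies; the default
    value (Unlimited) is ignored in the calculation. If no role carries a
    numeric limit, the user stays unlimited.
    """
    numeric = [v for v in role_limits.values() if v is not UNLIMITED]
    return max(numeric) if numeric else UNLIMITED


@dataclass
class Session:
    session_id: int
    computer: str  # host on which the console or web session runs


def launch_session(sessions, limit, active_computer, keep_oldest, next_id):
    """Apply the section's rule when a user launches one more session.

    sessions lists the user's open sessions, oldest first. Returns the
    resulting session list and a short description of what the user sees.
    """
    if limit is UNLIMITED or len(sessions) < limit:
        return sessions + [Session(next_id, active_computer)], "launched"
    # Limit reached: the active computer shows the maximum-limit message and
    # the user must choose whether to terminate or keep the oldest session.
    if keep_oldest:
        return sessions, "limit reached: new session not launched"
    oldest, remaining = sessions[0], sessions[1:]
    # A logout message appears only when the oldest session runs elsewhere;
    # on the active computer it is terminated silently.
    event = ("oldest session terminated with logout message"
             if oldest.computer != active_computer
             else "oldest session terminated silently")
    return remaining + [Session(next_id, active_computer)], event


if __name__ == "__main__":
    # Constructed example: two default roles with limits, one left at Unlimited.
    limits = {"NetIQ Auditor": 2, "NetIQ UNIX Admin": 5, "Administrators": UNLIMITED}
    print("effective limit:", effective_session_limit(limits))
    open_sessions = [Session(1, "hostA"), Session(2, "hostB")]
    print(launch_session(open_sessions, 2, "hostB", False, 3)[1])
```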