Permission Sets

Overview

A permission set is a group of permissions, divided in sections, that grants a set of rights and access to a user. The following default permission sets are included with ePO, for immediate assignment or for use as a template for customization:

• Executive Reviewer: Provides view permissions to dashboards, events, contacts, and can view information that relates to the entire System Tree

• Global Reviewer: Provides view access globally across functionality, products, and the System Tree, except for extensions, multi-server roll-up data, registered servers, and software

• Group Admin: Provides view and change permissions across ePO features. Users, who are assigned this permission set, each need at least one more permission set that grants access to needed products and groups of the System Tree.

• Group Reviewer: Provides view permissions across ePO features. Users, who are assigned this permission set, each need at least one more permission set that grants access to needed products and groups of the System Tree.

The administrator can assign permission sets while creating a user account, when editing an existing user account, and when creating a new permission set. Administrators have permissions to all products and features and can create, edit, or delete permission sets. Users who are not administrators can do only those things permitted by their assigned permission sets.

Default Permission Sets

Each permission set grants a set of rights and access to any user to which the permission set is assigned. Remember, administrators always have the rights and access do everything in ePO. As a best practice, use these default permission sets as templates to create new ones that meet your needs.

* Note: Users need to be assigned to at least one set, granting them permissions to desired products and groups.

Configuration Guidelines

• Some permissions are exclusive to administrator.

• Multiple permission sets aggregate combined rights and privileges.

• Use default permission sets as templates.

• You can map to Active Directory users using Active Directory groups.

• Consider groups to support different access control levels.

• New extensions may add new sections that require configuration for access.

• Consider which products require users to have data access for queries.

• For quick migration, export defined permission sets and import them to other ePO servers.

Duplicating, Adding, or Deleting Permission Sets

To duplicate, add, or delete a permission set, complete these steps:

1. Select Menu > User Management > Permission Sets to open the Permission Sets page.

2. Take one of these actions:

   • Duplicate: Select (highlight) the source and then select Actions > Duplicate.

   • Delete: Select (highlight) the source and then select Actions > Delete.

   • New: Click New Permission Set button.

3. If duplicating or adding, type a meaningful name in the Name box, then click OK (if duplicate) or Save (if new).

Authentication Types

Each authentication type has different configuration requirements.

• ePO Authentication: ePO authentication uses the ePO account’s credentials. This is the default authentication method. You must enter and confirm a password.

• Windows Authentication: If you use Windows authentication, enter the user’s Windows NT domain credentials. You can specify whether users authenticate:

  • Against the domain that your ePO server is joined to and any other domains that have a trust relationship (default)

  • Against a list of one or more domain controllers for domains that do not have a trust relationship

  • Using a Windows Internet Name Service (WINS) server to look up the appropriate domain controller Note: If you have domain controllers or a WINS server, you must configure the Windows authentication server setting.

• Certificate-based Authentication: For certificate-based authentication, upload certificate file. This automatically adds the personal certificate subject Distinguished Name (DN). The ePO server must be configured to allow certificate-based authentication.

Permissions Exclusive to Administrator

The following are permissions exclusive to the administrator:

• Create, edit, or delete source and fallback repositories

• Change server settings

• Add and delete user accounts

• Add, delete and assign permission sets Import events into ePO databases and limit events stored there

Administrators have all permissions to all products and features.

Editing Permission Sets

After duplicating or adding a new permission set, you can edit selected sections, as required.

In the left pane, make sure the duplicated or new permission set is selected (highlighted).

Click the Edit link for a specific section. Example: System Tree access

Modify the permissions, as required, then click Save.

Verify your changes display on the Permission Sets page.

Exporting All or Importing

You can also export and import permission sets.

• To export all permission sets into an XML file, click Export All.

• To import permission sets from an XML file exported from this or another ePO server, click Import.