
more flexible roles

Karen (Senior Member)
Posted: 12 Apr 2012 at 1:30pm
I'd like to have some more flexibility in the roles I can assign to users.

I would like tag permissions to work similar to policy permissions where I can give someone the permission to create or edit tags - but I want to be able to deselect the ability for them to modify/delete tags I created. Right now - if I give a user the ability to delete tags - they can then go and delete a tag I created - so it's all or nothing. I like the way policies work where I can prevent them from deleting some tags - but they can create their own.

It would be nice if it were hierarchical as well - so I create a parent tag called "Clients" and the user can create/edit any nested tags under it but not be able to edit/delete the tag "Clients" for example.

I'd like to be able to give/not give out the ability to manage service jobs. Right now, no one has Manage Service Jobs yet everyone can create/execute/delete any service job. I'd like to be able to give someone the ability to view only/edit service jobs by role.

Product Management (Admin Group)
Posted: 13 Apr 2012 at 3:02pm
Thank you for the suggestion on more granular role permissions.  We will investigate adding this ability for a future update.

The manage service jobs issue was addressed in 5.7 (and will therefore also work correctly in all subsequent versions).

Identity Finder Team (Admin Group)
Posted: 19 Sep 2013 at 3:40pm
Hello -

We have been discussing Role permissions architecture and would like to get your feedback on a proposal.

1.    From “General Permissions” under “Tags Editing” we would remove “Rename” and “Remove” and add “Create Root Tags”

2.    In the “Tags Permissions” pane (the rightmost on the Roles page, where there are columns for Name, View and Export) we would add 2 additional columns “Edit” and “Create Nested Tags”.  These checkboxes would only be available next to tags, not next to endpoints (as they don’t apply to endpoints).

3.    Edit would mean: remove, rename, edit definition, change type, change permissions for that tag

4.    We could potentially also add the ability to set the Edit and Create Nested Tags permissions by adding a Permissions feature to the Tag->Edit Tag dialog box

5.    The Tag->Update Now could be executed by anyone allowed to see the tag

Thoughts?


Karen (Senior Member)
Posted: 25 Sep 2013 at 11:52am
1. So without the "create root tags", it just means if given the tag permissions to "create nested tags" they can only create tags under the tags provided?  Yes, then that is nice.
 
Point though: I want to be able to give my non-enterprise admins the ability to create nested tags under a root tag - but not be able to remove/rename/change permission on the root tag. So in this case, I'm assuming it will work this way:
 
Tag:
AS-Tags Tags Permissions:
AS Policies (simple)     Edit - NO         Create Nested - Yes
   
They cannot edit/modify/remove the  "AS Policies" root, simple tag - but can create tags under it.
 
I'd still need under "Tags Editing" the ability to allow the creation of certain tag types, so hopefully that stays.  If I were to allow any nested tags - then the non-enterprise admins could just create a filter tag and they would have access to create an ip tag and could just put our entire class B in and get access to endpoints that are not in their domain. So I'd want to allow simple tags, not ip tags, filter tags (maybe) and ldap tags (maybe - see below):
 
Filter: I don't see how I can give the ability to create filter tags to a non-enterprise admin as I need to manually add "and tags contain "AS Workstations(ldap tag)" so that filter tags for a particular institution ONLY filter for the institution's endpoints. (Basically if I want to create a filter tag for institutions, I need to create 13 of them, all with an added "and tags contain XX workstations (ldap)".)
 
So, if they had the ability to create filter tags, and did something like "workstations polling today", they would need to enter "polled today AND tags contain <their ldap tag that gives permission to see their workstations>". If not, they'd see all endpoints in the entire forest polling today. Is there a way to give permission to create nested filter tags AND require "and tags contain <tags they have access to>" so they can't create filter tags and see endpoints they don't have access to? If not, I will not be able to use filter tags for non-enterprise admins.
 
LDAP tags - I'd want them ONLY to be able to create LDAP tags as long as it didn't give them the ability to create an ldap tag from the whole forest.  We host 13 institutions on our console, so we have 13 roles - each role has some simple "root" tags and then an LDAP tag from their branch of the forest down, so they can manipulate their endpoints.  If they can create an LDAP tag ONLY from their branch down, then that's perfect. If it's as it is today, where if I give them the "Create LDAP tag" permission, they can just create an LDAP tag from the whole forest, then that won't work and I can't provide non-enterprise admins the ability to create LDAP tags.
 
5. Great!
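
The checks discussed in the posts above, as an added sketch that is not part of the thread and is not Identity Finder code: per-tag Edit and Create Nested Tags, a tag-type allow-list, a scope clause forced onto filter tags, and an LDAP base limited to the role's branch. All class, function and field names, the sample DNs and the rule that creators may edit their own tags are assumptions.

```python
# Hypothetical model of the proposed tag permissions (added example; every
# name here is an assumption, not the product's API).
from dataclasses import dataclass, field

@dataclass
class Tag:
    name: str
    kind: str                       # "simple", "ip", "filter" or "ldap"
    parent: "Tag | None" = None
    definition: str = ""            # filter expression or LDAP base DN

@dataclass
class Role:
    edit: set = field(default_factory=set)           # tags with "Edit"
    create_nested: set = field(default_factory=set)  # tags with "Create Nested Tags"
    allowed_kinds: set = field(default_factory=set)  # tag types from "Tags Editing"
    scope_tag: str = ""             # LDAP tag bounding the role's endpoints
    ldap_branch: str = ""           # base DN of the role's branch of the forest

def can_edit(role, tag):
    # Edit is per tag: Create Nested on a root does not grant Edit on that root.
    return tag.name in role.edit

def dn_within(dn, branch):
    # Naive comma split (no escaped commas); an empty branch matches nothing.
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in branch.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def create_nested_tag(role, parent, name, kind, definition=""):
    if parent.name not in role.create_nested:
        raise PermissionError("no Create Nested Tags on " + parent.name)
    if kind not in role.allowed_kinds:
        raise PermissionError("tag type not allowed: " + kind)
    if kind == "ldap" and not dn_within(definition, role.ldap_branch):
        raise PermissionError("LDAP base is outside the role's branch")
    if kind == "filter":
        # Append the scope clause server-side so the filter cannot match
        # endpoints belonging to another institution.
        definition = f'({definition}) AND tags contain "{role.scope_tag}"'
    tag = Tag(name, kind, parent, definition)
    role.edit.add(name)             # assumption: creators may edit their own tags
    return tag
```
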
 
 