Settings > Roles & Permissions
All access within System Frontier is role-based. That’s the foundation of the privileged management concept. Users are assigned Roles which in turn give them Permissions to access the data, properties, and functions of computers and devices through the built-in features and Custom Tools in System Frontier.
Managing Roles and Permissions
The Roles page lists the existing Roles. Some customizable, built-in Roles are provided, and you can add new Roles. You can filter and sort the list and choose how many Roles to display at a time.
The Name and Description of each Role are visible here. You can also disable or enable a Role from this page and see the number of members it has.
If a Role has been given the CreateRole permission, its members can create other Roles and modify or delete the Roles they created. This is generally used to delegate permissions to other groups within the organization, within the Scope defined by the parent Role. The parent Role can manage any Roles it creates.
Throughout System Frontier, Roles are used to empower or restrict users interacting with data and tools. When you create or edit a Role, you’ll need to be cognizant of its purpose and ensure you grant it adequate Permissions for the appropriate members to do the tasks needed on the applicable computers.
Adding a New Role
From the Roles page, click on the New button to add a new Role. Fill in the Name and Description fields. Click Save.
Editing a Role
Clicking on the Name of a Role will open the Role (Edit) page. On this page you can:
- name the Role
- click the Members link to add or remove members
- enter a Description
- disable or enable the Role
- add, edit, or delete a Permission
- click on the Scope link to manage the Scope
- filter Permissions, sort the results, and set the number to show on the page
To Edit the Role, make your changes, then click the Save button at the bottom of the page.
Deleting a Role
At the bottom of the Role (Edit) page, click the Delete link to delete the Role.
Copying a Role
At the bottom of the Role (Edit) page, click the Copy Role link to duplicate the Role. After duplication, you can modify the specifics within the Role to make it unique.
Since everything in System Frontier is role-based, you’ll need to add users or groups to a Role in order for them to use the product. To see the members of a Role, click on the Members link on the Role (Edit) page.
On the Role Members page, you can:
- add new members
- remove members
- filter accounts, sort accounts, and set the number of accounts to show per page
Adding a Member to a Role
Clicking on the Add New button will take you to the Add Role Member(s) page. At the top you’ll see Search Active Directory. This is the quickest way to find the account you wish to add.
Choose the Domain and type in the user or group name. A click on the Search button will yield the results you seek. To add a new member to the Role, simply select the user or group and click the Add button.
Removing a Member from a Role
To remove a member from a Role, click on the Members link on the Role (Edit) page, select the user or group, then click Remove.
Permissions for a Role are managed from the Role (Edit) page. These low-level Permissions are the most basic access components that can be delegated to Roles.
For example, the ReadApplicationPools Permission controls access to the application pools in IIS. StopService covers the ability to stop a service on a computer. RunCustomTool covers permission to run a Custom Tool.
The Filter column on the Role (Edit) page is specific to the Permission chosen. Using the examples above: for ReadApplicationPools, the Filter names the application pools to which the Permission applies (within System Frontier); for StopService, the Filter names the service; for RunCustomTool, it identifies the Custom Tool the Role is allowed to run.
You can use a wildcard (asterisk) in the Filter to match more broadly rather than naming a single item. As a Filter for StopService, for instance, *metrics* allows the Role to stop any service whose name contains the word metrics; metrics* matches any service whose name starts with metrics; and metrics*z matches any service whose name starts with metrics and ends with the letter z.
Adding a Permission to a Role
Select the Permission from the dropdown box then click Add. The Permission naming convention follows a verb-noun syntax, making it easier to find the Permission needed.
Modifying a Permission in a Role
To edit a Permission, click the Edit link on the right side. You can change the Filter and Expiration Date when you edit. Click Update to save your changes.
Setting an Expiration can be beneficial in those cases where you want to limit the time that a Role has for the Permission to be valid. A good case in point is for a vendor who might only need access for a short period of time. By declaring an Expiration date here, you eliminate a future logistical headache as you won’t have to remember to come back and remove the Permission later.
Removing a Permission from a Role
To remove a Permission from a Role, click on the Delete button located to the right of the Permission.
The Effect of Not Having a Permission Associated with a Role
If a particular Permission has not been added to a Role, that is treated as an explicit Deny: the Role is granted no access for that specific Permission.
Custom Tool Permissions
Granting the RunCustomTool permission allows the Role members to run the Custom Tools named in the Filter on the computers in the Scope. Even if the Role appears on the Custom Tool (Edit) page under the Permissions Editor, its members cannot run the tool unless the Scope grants access to the computers they need to run it on.
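As an added illustration (not System Frontier's own code), the following Python model evaluates a request the way the rules above describe: the Permission must have been added to an enabled Role the user belongs to (otherwise it is an explicit Deny), must not have expired, its Filter wildcard must match the target, and the computer must be in the Scope. The names filter_matches, Permission, Role and is_allowed, the sample Help Desk Role, and case-insensitive Filter matching are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def filter_matches(pattern: str, name: str) -> bool:
    """Whole-string match; '*' in a Filter stands for any run of characters (case-insensitive by assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


@dataclass
class Permission:
    name: str                          # verb-noun, e.g. "StopService"
    filter: str                        # e.g. "*metrics*"
    scope: Optional[frozenset]         # computers in the Scope; None = all computers
    expires: Optional[date] = None     # assumed valid through the expiration date


@dataclass
class Role:
    name: str
    members: set                       # accounts (group expansion is not modelled)
    permissions: list = field(default_factory=list)
    enabled: bool = True


def is_allowed(roles, user, permission, target, computer, today) -> bool:
    """Default deny: grant only if an enabled Role containing the user holds an unexpired
    Permission of that name whose Filter matches the target and whose Scope includes the computer."""
    for role in roles:
        if not role.enabled or user not in role.members:
            continue
        for p in role.permissions:
            if p.name != permission:
                continue                       # never added: explicit Deny
            if p.expires is not None and today > p.expires:
                continue                       # Expiration date has passed
            if not filter_matches(p.filter, target):
                continue                       # Filter does not cover this target
            if p.scope is not None and computer not in p.scope:
                continue                       # computer is outside the Scope
            return True
    return False


# Constructed sample Role (not from any real deployment).
HELP_DESK = Role("Help Desk", members={"CORP\\jdoe"}, permissions=[
    Permission("StopService", "*metrics*", frozenset({"APPSERVER01"})),
    Permission("ReadApplicationPools", "*", None),
    Permission("RunCustomTool", "Restart-AppPool", frozenset({"APPSERVER01"}), expires=date(2024, 1, 31)),
])
```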
Role Permission Scope
Managing the Scope of a Permission in a Role
The Scope of a Permission refers to the nodes to which it applies. If you want the users in the Role to only be able to stop services on a computer named APPSERVER01, then you would ensure that only APPSERVER01 was in the Scope for that Permission.
From the Role (Edit) page, click on the Scope link for a Permission.
After clicking the Scope link, you will see the Permission Objects page, which in this example shows that the Help Desk Role has Permission to read the application pool on all computers.
Adding a Scope
To add a new Scope or change the Scope, click the Add link on the Permission Objects page. This takes you to the Add Objects to Scope page.
If you want the Help Desk to have permission to read the application pool only on Windows 2012 and Windows 2016 servers, select those Containers and click Add.
You will most likely already have Containers built for applications, divisions, departments, locations, or whatever your organization requires. You can select those Containers for your Scope.
Removing a Scope
To remove a Scope from a Permission, click the Remove link to the left of the Scope on the Permission Objects page.
Be sure to read the User Guide for more information.