All administrators activity in the Control Center is limited by the set of permissions, which can be defined either for specific account or for a group of administrators.
Administrative permissions system includes the following opportunities of permissions management:
•Granting permissions
Granting permissions performed during creation of administrative account or administrative group. When administrator or administrative account is created, it inherits permissions from the parent group it is added to. Changing permissions is not allowed during creation.
•Inheriting permissions
By default permissions of administrators and administrative groups are inherited from a parent group, but inheritance can be disabled.
▫If inheritance is disabled, administrator uses independence set of personal permissions witch is set directly for the account. At his, permissions of the parent group are not considered.
▫Inheriting account or group permissions does not reassign them with parent permissions but calculates new set of permissions from permissions of all parent groups in the branch of hierarchy. The resulting set of permissions for an object depends on own permissions and parent groups permissions can be found in the Permissions Merge section.
•Changing permissions
Changing permissions is not allowed for administrators accounts or administrative groups during creation. Permissions can be changed only for already created accounts and groups and can be done in the properties section of an account or a group. You can only reduce permissions at editing own settings. You cannot edit permissions for the admin predefined administrator and Administrators and Newbies predefined groups.
The procedure is described in the Editing Permissions section.
Editing Permissions
To edit permissions of an administrator or a group of administrators
1.Select the Administration item in the main menu of the Control Center and in the opened windows, select the Administrators item in the control menu.
2.Select the account you want to edit from the list of administrators. The properties section will be opened for editing.
3.In the Permissions subsection, you can edit the list of actions that are allowed for the selected administrator or administrative group.
4.To manage the permissions inheritance from the parent group for the selected object, use the switch:
Inheritance enabled
Inheritance disabled
5.The general settings are set in the permissions table:
a)In the first column, permission names are given. A column name depends on the specific section that unifies permissions by types.
|
Brief description of administrative permissions and Control Center sections depended on a certain permissions, is given in the Appendices document, B4. Depended Permissions Sections.
|
b)The Permissions column contains the settings for corresponding permissions from the first column.
Managing objects
|
Settings list in the Permissions column
|
How to setup the permission
|
Permission is set for all objects
|
Permission does not implicate dividing on groups by managing objects.
|
One of the following permission types may be given:
•Personal—personal settings are assigned for this object.
•Inherited—settings are inherited from the parent group. |
Set/clear the Grant flag in the corresponding permission line.
|
Permission is set for the list of objects (stations, administrators or groups)
|
•All granted—permission is granted for all managing objects.
•All forbidden—permission is forbidden for all managing objects.
•Granted for some objects. At this, the list of objects to grant the permission must be set. For all other objects, the permission is considered forbidden.
•Forbidden for some objects. At this, the list of objects to forbid the permission must be set. For all other objects, the permission is considered granted. |
If settings are merged, the following permission types are given at the same time:
•Personal—personal settings specified for this object.
•Result—the result of merging of an object personal permission and a parent group permission.
If settings are inherited, only the permission type Inherited is given.
|
Click the objects list (even it is All). Either the anti-virus network tree or administrator groups tree or tariffs tree opens depending on the editing permission. Select necessary objects in the tree. Use ctrl and shift to select several objects. If necessary, set the For all permissions of the section, to apply these settings for all permissions given in the same section as the edited permission.
Click the button:
•Grant to allow the permission for selected objects.
•Forbid to forbid the permission for selected obkects. |
|
For the same permission assigned on the list of objects, cannot be set the lists of forbidden and allowed objects at the same time. These concepts are mutually exclusive.
|
c)The Inheritance column reflects the state of the permission relatively a parent group:
▫Inherited from a group—the inheritance from the specified parent group is enabled, personal permissions are not set.
▫Personal settings—the inheritance from the specified parent group is disabled, personal permissions are set.
▫Merged with the group—the inheritance from the specified parent group is enabled, personal permissions are set. Result permission of an object is calculated by merging of parents group permissions and personal permissions (see the Merging Permissions).
In this case, personal permissions of an object can be removed. To do this, click in the Inheritance column. After personal permissions been removed, the Inheritance from a group will be set.
Merging Permissions
Calculation of result permissions of an object (administrator or administrative group) when inheritance is enabled, depends on paren groups permissions and permissions of an object itself. The table below contains the calculation principal of an object permission result:
Parent group permission
|
Examining child permission
|
Result permission
|
All granted
|
Granted for some objects
|
Granted for objects of a child
|
Granted for some objects
|
Granted for some objects
|
The list of allowed objects are merged
|
Granted for some objects
|
All granted
|
All granted
|
A parent and a child have forbidding permissions and one of them forbids all
|
All forbidden
|
Forbidden for some objects
|
Forbidden for some objects
|
The list of forbidden objects are merged
|
All forbidden
|
All granted
|
All granted
|
Forbidden for some objects
|
All granted
|
Forbidden of objects of a parent
|
Forbidden for some objects
|
Granted for some objects
|
Allowed objects are subtracted from forbidden objects. If the forbidden objects list is not empty, in the result, the left objects are forbidden. Otherwise, in the result, all objects of a child are allowed
|
Granted for some objects
|
All forbidden
|
All forbidden
|
All granted
|
Forbidden for some objects
|
Forbidden of objects of a child
|
Granted for some objects
|
Forbidden for some objects
|
Forbidden objects are subtracted from the allowed objects. If the allowed objects list is empty, in the result, all is forbidden. Otherwise, in the result all left objects are allowed.
|
|