Administrators Permissions

All administrators activity in the Control Center is limited by the set of permissions, which can be defined either for specific account or for a group of administrators.

Administrative permissions system includes the following opportunities of permissions management:

Granting permissions

Granting permissions performed during creation of administrative account or administrative group. When administrator or administrative account is created, it inherits permissions from the parent group it is added to. Changing permissions is not allowed during creation.

Inheriting permissions

By default permissions of administrators and administrative groups are inherited from a parent group, but inheritance can be disabled.

If inheritance is disabled, administrator uses independence set of personal permissions witch is set directly for the account. At his, permissions of the parent group are not considered.

Inheriting account or group permissions does not reassign them with parent permissions but calculates new set of permissions from permissions of all parent groups in the branch of hierarchy. The resulting set of permissions for an object depends on own permissions and parent groups permissions can be found in the Permissions Merge section.

Changing permissions

Changing permissions is not allowed for administrators accounts or administrative groups during creation. Permissions can be changed only for already created accounts and groups and can be done in the properties section of an account or a group. You can only reduce permissions at editing own settings. You cannot edit permissions for the admin predefined administrator and Administrators and Newbies predefined groups.

The procedure is described in the Editing Permissions section.

Editing Permissions

To edit permissions of an administrator or a group of administrators

1.Select the Administration item in the main menu of the Control Center and in the opened windows, select the Administrators item in the control menu.

2.Select the account you want to edit from the list of administrators. The properties section will be opened for editing.

3.In the Permissions subsection, you can edit the list of actions that are allowed for the selected administrator or administrative group.

4.To manage the permissions inheritance from the parent group for the selected object, use the switch:

icon-notification-enabled Inheritance enabled

icon-notification-desabled Inheritance disabled

5.The general settings are set in the permissions table:

a)In the first column, permission names are given. A column name depends on the specific section that unifies permissions by types.

info

Brief description of administrative permissions and Control Center sections depended on a certain permissions, is given in the Appendices document, B4. Depended Permissions Sections.

b)The Permissions column contains the settings for corresponding permissions from the first column.

Managing objects

Settings list in the Permissions column

How to setup the permission

Permission is set for all objects

Permission does not implicate dividing on groups by managing objects.

One of the following permission types may be given:

Personal—personal settings are assigned for this object.

Inherited—settings are inherited from the parent group.

Set/clear the Grant flag in the corresponding permission line.

Permission is set for the list of objects (stations, administrators or groups)

All granted—permission is granted for all managing objects.

All forbidden—permission is forbidden for all managing objects.

Granted for some objects. At this, the list of objects to grant the permission must be set. For all other objects, the permission is considered forbidden.

Forbidden for some objects. At this, the list of objects to forbid the permission must be set. For all other objects, the permission is considered granted.

If settings are merged, the following permission types are given at the same time:

Personal—personal settings specified for this object.

Result—the result of merging of an object personal permission and a parent group permission.

If settings are inherited, only the permission type Inherited is given.

Click the objects list (even it is All). Either the anti-virus network tree or administrator groups tree or tariffs tree opens depending on the editing permission. Select necessary objects in the tree. Use ctrl and shift to select several objects. If necessary, set the For all permissions of the section, to apply these settings for all permissions given in the same section as the edited permission.

Click the button:

Grant to allow the permission for selected objects.

Forbid to forbid the permission for selected obkects.

info

For the same permission assigned on the list of objects, cannot be set the lists of forbidden and allowed objects at the same time. These concepts are mutually exclusive.

c)The Inheritance column reflects the state of the permission relatively a parent group:

Inherited from a group—the inheritance from the specified parent group is enabled, personal permissions are not set.

Personal settings—the inheritance from the specified parent group is disabled, personal permissions are set.

Merged with the group—the inheritance from the specified parent group is enabled, personal permissions are set. Result permission of an object is calculated by merging of parents group permissions and personal permissions (see the Merging Permissions).
In this case, personal permissions of an object can be removed. To do this, click icon-general-remove-settings in the Inheritance column. After personal permissions been removed, the Inheritance from a group will be set.

Merging Permissions

Calculation of result permissions of an object (administrator or administrative group) when inheritance is enabled, depends on paren groups permissions and permissions of an object itself. The table below contains the calculation principal of an object permission result:

Parent group permission

Examining child permission

Result permission

All granted

Granted for some objects

Granted for objects of a child

Granted for some objects

Granted for some objects

The list of allowed objects are merged

Granted for some objects

All granted

All granted

A parent and a child have forbidding permissions and one of them forbids all

All forbidden

Forbidden for some objects

Forbidden for some objects

The list of forbidden objects are merged

All forbidden

All granted

All granted

Forbidden for some objects

All granted

Forbidden of objects of a parent

Forbidden for some objects

Granted for some objects

Allowed objects are subtracted from forbidden objects. If the forbidden objects list is not empty, in the result, the left objects are forbidden. Otherwise, in the result, all objects of a child are allowed

Granted for some objects

All forbidden

All forbidden

All granted

Forbidden for some objects

Forbidden of objects of a child

Granted for some objects

Forbidden for some objects

Forbidden objects are subtracted from the allowed objects. If the allowed objects list is empty, in the result, all is forbidden. Otherwise, in the result all left objects are allowed.