How to Manage Roles and Permissions


Introduction

All access within System Frontier is role-based. That’s the foundation of the privileged management concept. Users are assigned Roles which in turn give them Permissions to access the data, properties, and functions of computers and devices through the built-in features and Custom Tools in System Frontier.

Managing Roles and Permissions

The Roles page lists the existing Roles. Some customizable, built-in Roles are provided, and you can add new Roles. You can filter and sort the list and choose how many Roles to display at a time.

The Name and Description of each Role are visible here. You can also disable or enable a Role from this page and see how many members it has.

The Roles page

Each Role has Permissions assigned to it, and each Permission has a Scope, which contains the objects (i.e. computers) to which it applies.

Role Delegation

If a Role has been given the CreateRole permission, the members of that Role can create other Roles and modify or delete the Roles they created. Generally, this is used to delegate permissions to other groups within the organization, within the Scope defined by the parent Role. The parent Role can manage any Roles it creates.

Roles

Throughout System Frontier, Roles are used to empower or restrict users interacting with data and tools. When you create or edit a Role, you’ll need to be cognizant of its purpose and ensure you grant it adequate Permissions for the appropriate members to do the tasks needed on the applicable computers.

Adding a New Role

From the Roles page, click on the New button to add a new Role. Fill in the Name and Description fields. Click Save.

Editing a Role

Clicking on the Name of a Role will open the Role (Edit) page. On this page you can:

  • name the Role
  • click the Members link to add or remove members
  • enter a Description
  • disable or enable the Role
  • add, edit, or delete a Permission
  • click on the Scope link to manage the Scope
  • filter Permissions, sort the results, and set the number to show on the page

Role Edit

To Edit the Role, make your changes, then click the Save button at the bottom of the page.

Save, Delete, or Copy the Role

Deleting a Role

At the bottom of the Role (Edit) page, click the Delete link to delete the Role.

Copying a Role

At the bottom of the Role (Edit) page, click the Copy Role link to duplicate the Role. After duplication, you can modify the specifics within the Role to make it unique.

Role Membership

Since everything in System Frontier is role-based, you’ll need to add users or groups to a Role in order for them to use the product. To see the members of a Role, click on the Members link on the Role (Edit) page.

On the Role Members page, you can:

  • add new members
  • remove members
  • filter accounts, sort accounts, and set the number of accounts to show per page

Role Members

User accounts are disabled or enabled in System Frontier from the Settings > Users page.

Adding a Member to a Role

Clicking on the Add New button will take you to the Add Role Member(s) page. At the top you’ll see Search Active Directory. This is the quickest way to find the account you wish to add.

Choose the Domain and type in the user or group name, then click Search to see the matching accounts. To add a new member to the Role, select the user or group and click the Add button.

Adding a Member to a Role

Adding a Member to a Role – Using Search

Adding existing AD groups as members of a Role can make Role membership management a lot easier. When you add an AD group as a member of a Role, the first time a user from that AD group connects to the System Frontier URL, Role membership is provisioned for the entire AD group and their accounts are added to Users. Likewise, after an AD group has been removed from a Role, the next time a user from that group connects, the entire group is deprovisioned and their accounts in Users are disabled.

Removing a Member from a Role

To remove a member from a Role, click on the Members link on the Role (Edit) page, select the user or group, then click Remove.

Removing a Member from a Role

Role Permissions

Permissions for a Role are initially managed from the Role (Edit) page. These low-level Permissions are the most basic access components that can be delegated to Roles.

Role Permissions

For example, the Permission called ReadApplicationPools controls access to the application pools in IIS. StopService relates to the ability to stop a service on a computer. RunCustomTool concerns permission to run a Custom Tool.

Filters

The Filter column on the Role (Edit) page is specific to the Permission chosen. Using the examples above, for ReadApplicationPools the Filter names the application pools (within System Frontier) to which the Permission applies. For StopService, the Filter names the service. For RunCustomTool, it identifies the Custom Tool that the Role is allowed to run.

You can use the asterisk (*) as a wildcard in a Filter to make it broader than a single exact name. As a Filter for StopService, for instance, you might enter *metrics*, which allows the Role to stop any service whose name contains the word metrics. metrics* matches any service whose name starts with metrics, and metrics*z matches any service whose name starts with metrics and ends with the letter z.

Adding a Permission to a Role

Select the Permission from the dropdown box then click Add. The Permission naming convention follows a verb-noun syntax, making it easier to find the Permission needed.

Adding a Permission to a Role

You can add multiples of the same Permission, if needed. This allows you to use different Filter criteria with the same Permission.

Modifying a Permission in a Role

To edit a Permission, click the Edit link on the right side. You can change the Filter and Expiration Date when you edit. Click Update to save your changes.

Editing a Permission

Setting an Expiration is useful when you want to limit how long a Role holds a Permission. A good case in point is a vendor who only needs access for a short period of time. By declaring an Expiration date here, you eliminate a future logistical headache, as you won’t have to remember to come back and remove the Permission later.

Adding an Expiration date to a Permission

Removing a Permission from a Role

To remove a Permission from a Role, click on the Delete button located to the right of the Permission.

The Effect of Not Having a Permission Associated with a Role

If a particular Permission is not added to a Role, that is an explicit Deny: no access is granted to the Role for that specific Permission.

Custom Tool Permissions

Granting the RunCustomTool permission allows Role members to run the Custom Tools specified by the Filter on the computers identified in the Scope. Even though the Role may appear on the Custom Tool (Edit) page under the Permissions Editor, the members will not be able to run the tool unless the Scope grants access to the computers they need to run it on.

Custom Tools (Edit) page – the Permissions Editor shows who has Permission to run the tool. The actual ability to run the tool on a computer will depend on the Permission’s Scope.

Role Permission Scope

Managing the Scope of a Permission in a Role

The Scope of a Permission refers to the nodes to which it applies. If you want the users in the Role to only be able to stop services on a computer named APPSERVER01, then you would ensure that only APPSERVER01 was in the Scope for that Permission.
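The Filter wildcard, Expiration, Scope and Deny rules described in the Filters, Modifying a Permission, Effect of Not Having a Permission and Scope sections above, combined into one access check. This is an added example, not System Frontier's own code: the data model, the case-insensitive matching, the "valid through the expiration day" rule and the Help Desk sample entries are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

def filter_matches(pattern: str, name: str) -> bool:
    """Match a Filter against an object name. Only '*' is a wildcard, as the page
    documents; the whole name must match, and the comparison is case-insensitive
    because Windows service names are (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

@dataclass(frozen=True)
class Permission:
    name: str                       # verb-noun name, e.g. StopService
    filter: str                     # Filter column, e.g. *metrics*
    scope: frozenset                # computers in the Scope (Containers pre-expanded; assumption)
    expires: Optional[date] = None  # Expiration Date; valid through that day (assumption)

@dataclass(frozen=True)
class Role:
    name: str
    permissions: tuple = ()         # entries may share a name with different Filters
    enabled: bool = True

def is_allowed(role: Role, permission: str, target: str, computer: str, today: date) -> bool:
    """True only if some Permission of that name is unexpired, has `computer` in its
    Scope and has a Filter matching `target`; otherwise Deny, as the page describes."""
    if not role.enabled:
        return False
    for p in role.permissions:
        if p.name != permission:
            continue
        if p.expires is not None and today > p.expires:
            continue    # expired entry (e.g. a vendor's) no longer grants anything
        if computer not in p.scope:
            continue    # listed in the Permissions Editor or not, Scope decides
        if filter_matches(p.filter, target):
            return True
    return False

# Constructed sample Role; the names are illustrative, not from the product.
HELP_DESK = Role("Help Desk", permissions=(
    Permission("StopService", "*metrics*", frozenset({"APPSERVER01"})),
    Permission("StopService", "print*", frozenset({"APPSERVER01", "FILESRV02"})),
    Permission("RunCustomTool", "Restart IIS Site", frozenset({"APPSERVER01"}),
               expires=date(2024, 1, 31)),
))
```

Note that the same StopService Permission appears twice with different Filters, which is the "multiples of the same Permission" case from the Adding a Permission section.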

From the Role (Edit) page, click on the Scope link for a Permission.

Role Permissions

After clicking the Scope link, you will see the Permission Objects page (below), which in this case shows that the Help Desk Role has Permission to read the application pool on all computers.

Permission Objects page – managing a Scope

Adding a Scope

To add a new Scope or change the Scope, click on the Add link (on the Permission Object page). This will take you to the Add Objects to Scope page.

Restricting the Scope by selectively adding Objects

If you’d like to change that so that the Help Desk only has permission to read the application pool on Windows 2012 and Windows 2016 servers, then you’d select those Containers and click Add.

Selecting Objects to Add to a Scope

More than likely, you’ll have Containers already built for applications, divisions, departments, locations, or whatever is required by your organization. You’ll be able to select those Containers for your Scope.

With the Search feature, you can find Containers or even single computers to use in your Scope.

Removing a Scope

To remove a Scope from a Permission, click the Remove link to the left of the Scope on the Permission Objects page.

Permission Objects page – managing a Scope

Be sure to read the User Guide for more information.
