ACL Details Window

Certain objects in KeyServer can be configured so that different Administrators have different permissions for those objects.

To change Access Permissions for a Computer Division, User Folder, Purchase Folder, Purchase, Policy Folder, or Policy, select it and right-click to choose Edit ACL. For example, you can "Edit ACL..." for a Computer Division, User Folder, Purchase Folder, or Policy Folder (or even a single Policy) to give rights to a particular Account, a Role, or a Group. The ACL Details Window lets you restrict the "scope" so that specific Computers, Users, Purchases, or Policies can be viewed, inspected, or modified.

The default rights for built-in Roles have been designed to reduce the need to customize ACLs yourself, but if your requirements are complex, there could be cases where you need to edit ACLs. For a more general discussion of how ACLs work and how they can be used, refer to the Administration and Management documentation. For more on defining roles and permissions, refer to Admin Access Window. For information on external authentication sources like Active Directory, see Admin Authentication.

The ACL Details window will always show two lines: Administrator Role and Everyone. The Administrator Role has all Rights, and this cannot be changed since the Administrator Role always has full access to everything. The Everyone settings apply to all Administrators, even when their Account or associated Roles or Groups are not listed in the ACL. Remember that everyone who can log in to KeyConfigure or KeyReporter is referred to as an Administrator, but only the Administrator Role grants full access privileges in the software. Other Administrators may have limited roles. The picture below illustrates the addition of the Assistant Group to the default ACL in order to grant View and Inspect permissions to any Admin in that Group. The rest of the lines displayed in the ACL details, with gray checkmarks, come from inherited ACLs at the Server, Policies (root), and Folder levels.

From the "Admin Access" window, items can be selected and dragged into this window. View, Inspect, or Modify permissions can then be configured for these additional specific Accounts, Groups, or Roles. Permissions are calculated using an “or”: every line that is relevant to the logged-in Administrator is considered, and if any of those lines has a checkmark in a column, then the logged-in Administrator will have that Permission. Note: unless one or more checkmarks are turned off for Everyone, any configuration for other roles that are dragged in will have no effect!
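The "or" rule above, and the reason added lines do nothing while Everyone keeps its checkmarks, can be modelled in a few lines of Python. This is an added example, not KeyServer code or its API: the class and function names, the admins "pat" and "lee", and both sample ACLs are constructed for illustration. The per-line check generalizes the note above: a line has no effect when every one of its checkmarks is already granted through Everyone.

```python
from dataclasses import dataclass

RIGHTS = frozenset({"view", "inspect", "modify"})

@dataclass(frozen=True)
class AclLine:
    principal: str        # "Everyone", or an Account, Role or Group name
    rights: frozenset     # columns that carry a checkmark on this line

@dataclass(frozen=True)
class Admin:
    account: str
    memberships: frozenset = frozenset()   # Roles and Groups of this admin

def is_relevant(line, admin):
    # Everyone applies to every admin; other lines apply by account or membership.
    return (line.principal == "Everyone" or line.principal == admin.account
            or line.principal in admin.memberships)

def effective_rights(acl, admin):
    # "Or" rule: a checkmark on any relevant line grants that permission.
    granted = frozenset()
    for line in acl:
        if is_relevant(line, admin):
            granted |= line.rights
    return granted

def lines_without_effect(acl):
    # Added lines whose checkmarks are all already granted through Everyone.
    everyone = frozenset().union(*(l.rights for l in acl if l.principal == "Everyone"))
    return [l.principal for l in acl
            if l.principal not in ("Everyone", "Administrator Role")
            and l.rights <= everyone]

# Constructed sample ACLs (assumed values, not taken from a real server).
ADMIN_ROLE = AclLine("Administrator Role", RIGHTS)
ASSISTANTS = AclLine("Assistant Group", frozenset({"view", "inspect"}))
OPEN_ACL = [ADMIN_ROLE, AclLine("Everyone", RIGHTS), ASSISTANTS]
SCOPED_ACL = [ADMIN_ROLE, AclLine("Everyone", frozenset()), ASSISTANTS]

if __name__ == "__main__":
    helper = Admin("pat", frozenset({"Assistant Group"}))
    outsider = Admin("lee")
    for name, acl in (("open", OPEN_ACL), ("scoped", SCOPED_ACL)):
        print(name, sorted(effective_rights(acl, helper)),
              sorted(effective_rights(acl, outsider)), lines_without_effect(acl))
```

In the constructed "open" ACL the Assistant Group line is reported as having no effect and an admin outside the group still holds every right; in the "scoped" ACL the same line is what separates the group member from everyone else.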

Caution: while the ability to limit the scope of an admin by configuring ACLs is very powerful, it can also become very confusing. Edit ACL is available from many contexts in the KeyConfigure interface, and depending on where you right-click and what is selected, the permissions you end up setting will apply to one or many records. Interactions with permissions set at another level can become complex. Contact Sassafras tech support for guidance in keeping your configuration as simple as possible while still accomplishing your management goals.

Access Summary window

Since ACLs quickly become complex, there is an Access Summary window that helps you understand how different ACLs interact to ultimately grant access rights to different Admin accounts. You can open this window by right-clicking in any of the main windows that use ACLs and selecting “Summarize Access...”. Once open, it shows a chart of which access rights each admin has on each object. Hovering over the various icons gives additional details about what access has been granted and how.