iProtect™ - System user - Roles and authorizations
- 1 Introduction
- 2 Purpose
- 3 User group
- 3.1 Roles and purpose
- 3.2 Rights
- 4 Functionality group
- 5 System user creation
- 5.1 Authorizations
- 5.1.1 Synchronization manager (LDAP)
- 5.1.2 External service user
- 5.1.3 Allow pincode reading for this user
- 5.1.4 Multi IPROTECT™ manager
- 5.1.5 Administrator rights
- 5.1.6 Installer rights
- 5.1.7 Alarm manager
- 5.1.8 Allow execute procedure
- 5.1.9 Authorization group manager (HSID Administrator)
- 5.1.10 Reset all notifications
- 5.1.11 Allow reader mode change
Introduction
iProtect™ provides the ability to create system users and to assign specific functionality groups and access rights to a specific type of user (group), so that each user can make use of iProtect™ and its functionalities within the limits of their role.
Purpose
The purpose of having a system user is to have users in iProtect™ with the correct type of access for their role. This makes sure a user is only able to see and do the things within iProtect™ that are applicable to that role. Refer to chapter Roles and purpose for more information about the different types of users and their roles.
User group
From iProtect™ version ≥10.4 onwards, default user groups are installed automatically (if they do not already exist) when installing iProtect™.
So iProtect™ now knows two types of user groups:
- New user group system defaults (one suitable to each type of system user)
- User groups which can be created from scratch.
Each of the new defaults automatically has a new default functionality group (refer to: Functionality group) assigned as well. This saves time when setting up a system user. When you create a user group from scratch, you have to assign a functionality group to the user group yourself.
The new default user groups have no effect on existing user groups. These remain applicable and unchanged, and keep working as before.
Roles and purpose
Within iProtect™ a system user is assigned to a suitable “user group” role. Different types of default user group roles are available (see below diagram). The default roles and authorizations described below are available from iProtect™ version ≥10.4.
If more roles are required, you can either add a new user group from scratch and select a role, or use the copy function on an existing role in the treeview and save it under a different name. Both can only be done by a super user, or by already existing users who have the rights to do so, since their old settings remain unchanged.
Location: Installation | Authorization | User group
Rights
Each user group has its default rights defined, with as a minimum the rights stated in the general description shown in the diagram of the previous chapter.
The default rights are displayed underneath each user group in a section called “Data column authorization”. In this section you can see which rights you received in general for this role (Ex.a.).
When Insert, Delete, Read or Write is marked with a red X-mark or a green checkmark, do not conclude from that mark alone whether you are allowed to perform the action. The comboboxes underneath show, for each of the items, whether you are Allowed (“Yes”), Not allowed (“No”), or whether you Inherited the rights from the database. But when “Inherited” is stated, how do you know whether that resolves to a “Yes” or a “No”?
If you unfold the section Data column authorization in the treeview, you will see a section underneath called “Database”. When you click on this section, the same type of Data column authorization appears on the right side, only this one defines the database rights. An inherited setting takes its value from there.
There are roles where the rights are expanded for specific tables or columns in iProtect™. Each of these tables and/or columns is displayed underneath the Data column authorization as well, and the same strategy as above applies to each table and column: each table and/or column has its own Data column authorization, showing what may or may not be done, or which rights have been inherited.
It is important to know that for certain user groups the rights as explained above only apply once specific Authorization checkboxes have been selected in the system user form. Refer to the later sub-chapter Authorizations underneath the chapter System user creation of this document.
Functionality group
From iProtect™ version ≥10.4 it is required to have a functionality group created and defined, and to assign it to a user group, in order for its users to be able to use the iProtect™ menu items and functionalities suiting their role.
So iProtect™ now knows two types of functionality groups:
- New functionality group system defaults (one suitable to each user group role)
- Functionality groups which can be created from scratch (refer to https://tkhsecurity.atlassian.net/wiki/x/G4A7ZAI).
From iProtect™ version ≥10.4 the creation of and/or adjustments to a functionality group can be done by a super user only, or by already existing users who have the rights to do so, since their old settings remain unchanged, on the following location in iProtect™:
iProtect™ clean install and upgrade version
In addition to the above, when upgrading to an iProtect™ version ≥10.4 or doing a clean install, default functionality groups with default settings are automatically installed and assigned to a default user group. Besides the default groups, iProtect™ also gives the ability to create a new functionality group and define the preferred functionalities from scratch.
Activation/ deactivation menu definitions on user group level
Once a functionality group has been assigned to a user group, you can further define the activation/deactivation of the functionalities for each user group. This is called “Menu definitions”. As the name suggests, it defines the menu items: which items a system user with a certain user group role will see when he/she logs in to iProtect™.
In order to do this, go to location:
Installation | Authorization | User group | Search for the specific user group
Unfold the user group name in the treeview,
Click on Menu definitions in the treeview,
Activate or deactivate complete menu’s or menu items (see below) by checking or unchecking the checkbox.
System user creation
Once the user group(s) are available, a person can be assigned as a system user by giving him/her the suitable user group role and checking the correct checkboxes belonging to that role. The super user or administrator is the person who has the correct access to create a system user. A system user can be created on the following location in iProtect™:
Once the correct access has been granted, the system user is able to make use of iProtect™ and its functionalities.
Authorizations
When creating a system user, a section called “Authorizations” is available on the system user details form. Within this section several types of (extra) rights are shown, which can be set True (checkbox checked), or in some cases must be set True in order to get the correct rights for the chosen role. In the subchapters below you can find the purpose and description of each of these types of rights, and which checkboxes must be set True to get the correct access for the chosen role.
Synchronization manager (LDAP)
| Purpose | Description |
|---|---|
| User to be able to do LDAP operations | The user is allowed to: |
External service user
| Purpose | Description |
|---|---|
| Mostly used by systems that connect to the iProtect™ database (and not by system users), e.g. IPROTECT server sync or FlinQ. | Allowed to: |
Allow pincode reading for this user
| Purpose | Description |
|---|---|
| User to be able to read the pin code. Only in combination with External service user. | The user is allowed to: |
Multi IPROTECT™ manager
| Purpose | Description |
|---|---|
| Provides the option to manage multiple iProtect™ servers | The user is allowed to: |
Administrator rights
To get the correct rights as per the Data column authorization stated in the user group role, the checkbox “Administrator rights” must be set True (checked) in order to be a Super user or Administrator user. When True, the Super user and Administrator user also get the following extra rights:
| Purpose | Description |
|---|---|
| The user to be able to be a super user with extra rights | The user is allowed to: |
Installer rights
To get the correct rights as per the Data column authorization stated in the user group role, the checkbox “Installer rights” must be set True (checked) in order to be a Super user or Installer user. When True, the Super user and Installer user also get the following extra rights:
| Purpose | Description |
|---|---|
| The user to be able to be an installer with extra rights | The user is allowed to: |
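The Rights chapter describes how a Data column authorization resolves per operation (Insert, Delete, Read, Write) to “Yes”, “No” or “Inherited”, with inherited values taken from the “Database” section, and the Administrator rights and Installer rights subchapters state that such role rights only apply once the matching checkbox is set True on the system user. The following Python model, added here as an illustration and not code from iProtect™ or its vendor, works through both rules on a constructed role. All names in it (Setting, DataColumnAuthorization, UserGroupRole, effective_rights) and the sample scopes (“Person”, “Person.pincode”) are this example's own assumptions; it also assumes that an operation the Database section leaves unset is denied.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple

# All names in this block are this example's own; they are not iProtect(TM)
# identifiers or API calls.

OPERATIONS = ("Insert", "Delete", "Read", "Write")


class Setting(Enum):
    YES = "Yes"              # combobox: explicitly allowed
    NO = "No"                # combobox: explicitly denied
    INHERITED = "Inherited"  # combobox: take the value from the Database section


@dataclass
class DataColumnAuthorization:
    """One 'Data column authorization' block: a combobox value per operation.
    Operations not listed are treated as Inherited (assumption)."""
    settings: Dict[str, Setting] = field(default_factory=dict)

    def get(self, op: str) -> Setting:
        return self.settings.get(op, Setting.INHERITED)


@dataclass
class UserGroupRole:
    name: str
    database: DataColumnAuthorization            # the 'Database' section
    scopes: Dict[str, DataColumnAuthorization]   # 'General', a table, or 'Table.column'
    required_authorization: Optional[str] = None # e.g. "Administrator rights"


def effective_rights(role: UserGroupRole, scope: str = "General",
                     authorizations: FrozenSet[str] = frozenset()
                     ) -> Dict[str, Tuple[bool, str]]:
    """Return {operation: (allowed, source)} for one scope of a role.

    source is the scope name when it says Yes/No, 'Database' when the scope
    says Inherited, or 'Authorization' when the role's required checkbox is
    not set on the system user form (then nothing applies)."""
    if role.required_authorization and role.required_authorization not in authorizations:
        return {op: (False, "Authorization") for op in OPERATIONS}
    block = role.scopes.get(scope, DataColumnAuthorization())
    result: Dict[str, Tuple[bool, str]] = {}
    for op in OPERATIONS:
        setting = block.get(op)
        if setting is Setting.INHERITED:
            # Assumption: the Database section ends the chain, so an unset
            # value there resolves to No (deny by default).
            result[op] = (role.database.get(op) is Setting.YES, "Database")
        else:
            result[op] = (setting is Setting.YES, scope)
    return result


def allowed(role: UserGroupRole, scope: str = "General",
            authorizations: FrozenSet[str] = frozenset()) -> Dict[str, bool]:
    """Only the Yes/No outcome, without the source, for quick comparisons."""
    return {op: ok for op, (ok, _) in effective_rights(role, scope, authorizations).items()}


# Constructed sample role; not a real iProtect(TM) configuration.
ADMIN = UserGroupRole(
    name="Administrator",
    required_authorization="Administrator rights",
    database=DataColumnAuthorization({
        "Insert": Setting.NO, "Delete": Setting.YES,
        "Read": Setting.YES, "Write": Setting.YES}),
    scopes={
        # Insert and Write are left Inherited here on purpose.
        "General": DataColumnAuthorization({"Read": Setting.YES, "Delete": Setting.NO}),
        "Person": DataColumnAuthorization({"Write": Setting.NO}),
        "Person.pincode": DataColumnAuthorization({"Read": Setting.NO, "Write": Setting.NO}),
    },
)

if __name__ == "__main__":
    for auths in (frozenset(), frozenset({"Administrator rights"})):
        print(f"checkboxes set: {sorted(auths) or 'none'}")
        for scope in ADMIN.scopes:
            for op, (ok, src) in effective_rights(ADMIN, scope, auths).items():
                print(f"  {scope:15} {op:6} -> {'Yes' if ok else 'No':3} (from {src})")
```

Running the block prints, for every scope and operation, the resolved right and where it came from, which answers the question raised in the Rights chapter: an “Inherited” entry on a table or column is decided by the Database section, not by the General block of the role, and with the Administrator rights checkbox unset none of the role's Data column authorization applies at all.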
Alarm manager
| Purpose | Description |
|---|---|
| The user to be able to handle alarms | The user is allowed to: |
Allow execute procedure
| Purpose | Description |
|---|---|
| The user to be able to start (alarm) procedures | The user is allowed to: |
Authorization group manager (HSID Administrator)
| Purpose | Description |
|---|---|
| The user to be able to do HSID operations (user should be a super user) | The user is allowed to: |
Reset all notifications
| Purpose | Description |
|---|---|
| The user to have the same rights as the root user | The user is allowed to: |
Allow reader mode change
| Purpose | Description |
|---|---|
| The user to be able to overrule the automatic latch status of a reader | The user is allowed to: |