6.6. Users and Security
All access to NexLog DX-Series™ clients and features is predicated on having a user account with appropriate permissions to those clients and features. One must log in to play back recordings, archive, or configure channels, for example.
Admin accounts have access to all NexLog DX-Series™ functionality and options. All other users will only be able to access aspects of the system as their permissions dictate. Permissions can be assigned directly to user accounts, or to User Groups, in which case they apply to all users in that user group. (See User Groups and Permissions.)
6.6.1. Users
The Users page allows creation and maintenance of user accounts on the recorder. It displays a table showing each user currently configured on the system.
Fig. 6.46 User Configuration
This table can be sorted by clicking in the header on the column you want to sort by; the width of the columns is also adjustable. The columns shown are:
Username: The name the user will use to log into the system.
Admin: An indication of whether the user is an Administrator.
LDAP: An indication of whether the user is part of Active Directory LDAP server, or local to the recorder. If you have not configured Active Directory all users will display “No.”
Groups: A list of the user groups that this user is assigned to. If the user is a member of many groups only the first few will be displayed.
Below the main users table are several action buttons. All but the “Add User” button first require a user to be selected in the user table and they take effect on the selected User. The buttons are Add User, Edit User, Delete User, Change Password and Permissions. Delete User and Change Password can be applied to multiple users at once if you select more than one from the list with Shift+Click or Ctrl+Click.
The Search by Username… field is useful on systems with a lot of users; it will limit the displayed users to those containing the characters entered. For example, if you put “d” in the field in the figure above, it would show only DSigal and Eventide; if you put “b”, BBellerue & LBertucci.
Fig. 6.47 Add New User Pop Up
6.6.1.1. Add User and Edit User
Add User will open a blank user to configure, starting with the Add New User overlay, which requires the entry of the most important information about a user account: Username, Password and Security Group.
Edit User brings up the same page, without the Add New User overlay, with the information and settings for the selected user. One difference between the ‘Add User’ page and the ‘Edit User’ page is that when adding a user, the ‘Username’ parameter is editable, whereas it cannot be changed when editing an existing user.
No options changed on any of these tabs will take effect until the ‘Save’ button at the bottom of the page is clicked, except for Resource Permissions and Search Filters which update in real time.
Fig. 6.48 Editing a User
The available parameters are described below:
6.6.1.1.1. User Info tab:
Username: The name of the user being edited or added. The username of existing users cannot be changed. If you wish to change the name of a user, the user entry can be duplicated by right-clicking on the user and selecting Duplicate User, which will let you create a new user with the same settings.
Force password change at next login: If checked, the user will be forced to change their password the first time they log into the system. This can be used in conjunction with the Change Password option to allow someone to reset another user’s password if they have forgotten what they set it to.
First Name: The user’s first name
Middle Name: The user’s middle name
Last Name: The user’s last name
Suffix: The user’s full name suffix (e.g., Jr.) if any
Email: The address associated with this user account. The primary purpose of the email parameter is that Users with Administrator access are emailed copies of any recorder alerts that are configured to send email. A valid email address also allows users to communicate on evaluations in Quality Factor.
6.6.1.1.2. Permissions tab:
Security: This control provides a check box for each user group configured for the system. By default, these groups are: Admin, Agents, Archivers, Group Evaluators, Instant Recall, Maintainers, Monitors, Report Editor, Researchers, SuperEvaluators, Systems and User Managers. Checking the box makes the user a member of that group, and the user will inherit all permissions which that group provides. Except for ‘Admin’ (which is a hard-coded internal group name providing Administrator access), all the user groups on the system and what permissions they entail can be edited using the System: User Groups and System: Permissions NexLog DX-Series™ Configuration Manager pages. Check a box to add the user to that group; uncheck it to remove the user from the group.
Table 8—Default Security Group Privileges at the Front Panel
Security Group | Privileges |
Admin | All available privileges, including the ability to create new users, and receive emailed alerts. |
Archiver | Ability to archive calls (INFO screen only). |
Maintenance | Ability to change system settings (SETUP screen only). |
Monitor | Ability to monitor live calls (INFO screen only). |
Researcher | Browse and play back recorded calls (RECALL screen only). |
Table 9—Default Security Group Privileges in NexLog DX-Series™ Clients
Security Group | Privileges |
Admin | All available privileges, including the ability to create new users, and receive emailed alerts. |
Archiver | No access. |
Evaluator | Evaluations Tab. Usually paired with Researcher group. |
SuperEvaluator | Evaluations Tab. Usually paired with Researcher group. |
Maintenance | No access. |
Monitor | Ability to monitor live calls (Channels tab only). |
Researcher | Browse, play and export recorded calls (Browse, Search, Incidents, Live Monitor). |
More information about User Groups can be found below in the User Groups and Permissions sections.
Archive Drive Maintenance Access: This affects which drives a user can access at the front panel.
ROD Channels: This field uses the same formatting as the Channel IDs parameter above and determines what if any channels the user will be allowed to perform “Record On Demand” on. If the user has permission, they will be able to temporarily disable recording on the channels they have this permission on.
Instant Recall Replay Limit: On the Front Panel and the MediaWorks DX™ and MediaAgent clients, users may have access to an ‘Instant Recall’ functionality in which they can view the most recent calls on the recorder. Users can select how far back they wish their view of calls to extend. The Limit configured here places an upper bound on how far back the user can set this when performing instant recall.
Restrict to user tagged recordings on Instant Recall tab: If this checkbox is selected, then when viewing the Instant Recall tab, users will only be able to view and play call records which have a metadata field called USER_ID which contains their username. For this setting to have any value, you must also create the USER_ID column in “Recording: Custom Fields” and provide USER_ID information to the field, either by manually placing User_IDs in individual calls using MediaWorks DX™, by configuring the “Quality Factor: Agent Mapping” section for Call Taker tracking, using “Windows User Tracker”, or by a custom integration. This does not apply to other tabs of MWP.
Enable alarm notifications via email: If this checkbox is selected, the user will receive any email alerts or alarm notifications that are configured to do so in the “Alert Codes” section. This setting is enabled and cannot be disabled if the “Admin” permission is applied to the user. To receive the notifications via email, a valid email address must be configured in the “User Info” tab. The SMTP server settings must also be enabled and defined on the “Alerts: Email” page (Section 4.8.5).
NAB Access: If this system is configured with any NexLog Access Bridges, each NAB will be listed here by IP and Serial Number. By default, users will have access to all configured NABs. You can uncheck these boxes to restrict a user from connecting to any given NAB. By unchecking the box, you are removing permission to access the source recorder and if this user is a member of a group with access, it will not override the block. Similarly, a User Group with a NAB unchecked will block access to that NAB for all users in that group.
Fig. 6.49 NAB Access Denied by Group Membership
For example, above we see the NAB Access section of a User who is in a group that only has access to 192.168.22.184, and as such is blocked from access to 192.168.22.98.
6.6.1.1.3. Account Settings tab:
Can Change Password: If this option is checked, the user can change their own password. If disabled, only Admins can change this user’s password.
Account Enabled: If checked, the account can be used. If unchecked, the account cannot be logged into.
Password Never Expires: If checked, the password expiry date has no effect.
Account Expiry Date: The account expiry date. After this date, user will not be able to log in. They will get an “Account expired” message instead.
Number of days after a password expires until the account is permanently disabled: If password complexity rules include expiring passwords, this is the number of days after a password is unchanged that the account will be permanently disabled. If configured, this will prevent long-dormant accounts from being logged into again.
Session Inactivity Timeout Enabled: By default, users will be logged out from Configuration Manager and MediaWorks DX™ after an hour of inactivity. This toggles whether that is in effect.
Session Inactivity Timeout (mins): Number of minutes of inactivity before the user is automatically logged out. If the Session Inactivity Timeout is not enabled, this value is ignored. The default is 60 minutes.
6.6.1.1.4. Resource Permissions tab:
These settings control what resources a user can search and playback in MediaWorks DX™, MediaAgent, and the Front Panel. This feature integrates with the Resource Groups feature detailed in Section 4.6.4 in this manual. You can add or delete individual resources or resource groups from the user’s resource groups here.
6.6.1.1.5. Search Filters tab:
These settings control resource groups in MediaWorks DX™, MediaAgent Plus, and Enhanced Reporting. This feature integrates with the Resource Groups feature detailed in Section 4.6.4 in this manual. You can add or delete individual resources or resource groups from the user’s resource groups here.
6.6.1.2. Delete User
Delete User will delete the selected users from this recorder and any recorders currently connected via NexLog Access Bridge. Clicking this button will prompt for confirmation before deleting.
6.6.1.3. Change Password
Change Password will change the current password for the selected accounts.
6.6.1.4. Permissions
The Permissions button will load the Permissions page showing the selected user’s permissions. See Permissions in this manual for more details.
Fig. 6.50 User Table Right-Click Context Menu
6.6.1.5. User Table Right-Click Context Menu
There are additional features available on this page accessible by right-clicking on the user table: Duplicate, Synchronize User(s), Use Selected User as New User Configuration, and Apply Default MediaWorks Configuration to Selected Users.
Fig. 6.51 Duplicate User
6.6.1.5.1. Duplicate
This option adds new users based on the selected user, with all the same options, user group memberships, permissions, resources and search filters. The users are added one per line with Username, Password, FirstName, LastName and Email as a comma delimited list. The only required entry is a Username.
The checkbox for “Define Password for all new users.” will let you assign a specific password to each user, who can then change it individually when they log in. If “Force change at first login” is selected, these users will be prompted to change password at first login.
Fig. 6.52 Verify Duplicate User
After clicking Next, the user info will be presented for verification before being duplicated. Click “Back” to make corrections; click “Go” to create these users.
Fig. 6.53 Duplicate User Results, with Error for User That Already Exists
6.6.1.5.2. Synchronize User(s)
Synchronize User(s) will sync the selected user to all NAB sources currently connected. (This option is only present for systems with NexLog Access Bridge.)
6.6.1.5.3. Use Selected User as New User Configuration
If you want to set up a custom MediaWorks DX™ user configuration (tab layout and options), you can set up that configuration with any user and then use this option to make it the default for all new users.
6.6.1.5.4. Apply default MediaWorks Configuration
This will apply the current “New User Configuration” to the selected users.
6.6.1.6. NexLog Access Bridge Sync
If the recorder is licensed and configured as a NexLog Access Bridge host, the NAB Connection Manager tool will appear at the top of the user page. Enter an admin username and password here to connect to all configured NAB sources.
While connected via NAB, all users created, edited and deleted will be created, edited and deleted across all sources as well as the host.
6.6.2. System Security
NexLog DX-Series™ Recorder provides options to allow recorder administrators to fine tune the recorder’s security policies which are configured from the Security: System Security NexLog DX-Series™ page.
6.6.2.1. General
Audit Changes: If this option is enabled, then any configuration changes made via NexLog DX-Series™ Configuration Manager, Front Panel, or the SOAP Service will result in Audit event entries being placed in the audit history table. The audit history can be viewed by visiting the Alerts and Logs: Audit History Setup page.
Audit Verbose: To have an effect, this option requires “Audit Changes” to also be enabled. If enabled, then the difference between the previous state and the new state will be stored along with the audit entries in the audit history table and visible for comparison. This information can be viewed by clicking on the audit event on the audit history page.
Encrypted Terminal (ssh): The ssh terminal is only used by Eventide Service personnel to assist with diagnostics. Off by default. Only change this setting if asked to by an Eventide Service engineer.
Enable Incident Clip Management: This enables the Incident Clip Management feature in MediaWorks DX™. This feature allows users to non-destructively splice or join analog calls that were inappropriately split or merged based on VOX hold settings. It is disabled by default so that administration can decide if this feature meets the needs of your site’s policies. For more information on its use, see the MediaWorks DX™ manual.
Enable Terms Of Service splash screen in MediaWorks Plus clients (edit contents in System->Configuration Files->Terms of Service Display): A custom Terms of Service splash screen can be shown at login time for all users by enabling this. To configure the text for this, navigate to System Settings: Configuration Files and edit the file named Terms of Service.
Session Communication Timeout (min): If the recorder loses contact with a current client session, it will require a new log in at reconnection from that session after this many minutes.
Exempt NexLog Access Bridge Hosts from Database Authentication: This is for a very specific scenario involving NexLog Access Bridge (NAB) and Single Sign-On. If you have a NAB host that is not on the domain and the configured NAB sources have Single Sign-On enabled, they will be unable to connect. (Note that the inverse works fine: SSO Host, non-SSO Source.) In this particular case, the database authentication on the NAB source can be configured here to be bypassed when the request comes from a specific IP address or list of IP addresses. You can enter the IP addresses of the non-SSO Hosts here, comma delimited if there is more than one (e.g., 193.57.164.242, 176.53.92.53).
The Eventide Active Directory software add-on, its configuration and use are detailed in the Eventide Active Directory Configuration Manual (part number 141267).
6.6.2.2. Front Panel
Front Panel Login Required: If disabled, the Recorder’s Front Panel will be usable without first logging in. If enabled, users will need to supply login credentials in order to view or use the Front Panel. Normally this would only be disabled if the recorder is physically secured, for example by being in a locked rack or in a locked room. The Front Panel auto-login user determines which user account is automatically logged in if “Front Panel login required” is disabled. When Front Panel Login Required is disabled, the only way to log in to the front panel as a user other than the auto-login user is to first enable Front Panel Login Required in setup.
Front Panel auto-login user: The user that will be automatically logged on. Many installations with high security requirements change the auto-login user to an unprivileged user that can just monitor channel activity.
Auto logout after timeout: If Front Panel Logins are required, this is the number of seconds of inactivity before the user will be automatically logged out. This cannot be disabled, but can be set arbitrarily high to achieve the same effect.
6.6.2.3. Password Complexity
This section configures restrictions on NexLog DX-Series™ passwords. If the “Enable Password complexity” option is disabled, then the only requirement on user passwords is that passwords contain at least three characters, so trivial passwords such as 123 are allowed. If this option is enabled, further restrictions can be applied. Note that password complexity constraints are enforced at password creation or modification time. Newly configured password constraints will not have any effect on existing user passwords until the users attempt to change their password. When enabled, this option enforces basic “no dictionary words” password complexity constraints. In addition, further configurable constraints can be enabled. The configurable password restrictions are as follows:
Minimum Length: The minimum total number of characters a password must contain
Minimum Digits: The numerical characters 0-9 are considered digits. If this setting is greater than zero, then any password must contain at least that many digit characters to be allowed.
Minimum Lowercase Characters: Any password must contain at least this number of lowercase characters (a-z)
Minimum Uppercase Characters: Any password must contain at least this number of uppercase characters (A-Z)
Minimum Special Characters: Special Characters are the non-numeric, non-alphabetical characters that are available on the keyboard and result in a glyph being entered. For example, !@#$%^&*() are all Special Characters, but the CTRL key is not since it does not result in the insertion of a glyph when pressed. This setting indicates the minimum number of special characters that a password is required to contain.
6.6.2.4. Aging
The Password Aging sub header provides configuration options for the “Aging” or “Time Limiting” of passwords. If this option is enabled via the “Enable Password Aging” checkbox, the system will require that users change their password on a certain configured schedule to continue to access the system. The configurable options are:
Maximum password age: The number of days that may pass since the user last changed their password before they are required to change it again. For example, if this option were set to 7, users would be required to choose a different password each week. If a user’s password ‘expires’ and has not yet been changed, then if the user attempts to log in to NexLog DX-Series™ via the web Configuration Manager or other clients, the only option they will have available to them is “Change Password”. They will not be able to utilize other client functionality until they successfully complete password modification.
Minimum password age: If this option is set to a value greater than zero, it configures a time period after a user changes their password during which they are prevented from changing their password again.
Warn Before Password Expires: Will warn user this many days before a password change is required.
Reject Previous Passwords Including Current: Remember historical passwords and don’t allow them to be re-used. If set to a value greater than zero, this option will prevent a user from reusing a recent password. For example, if set to three, a user required to change their password every three months could not simply rotate between ‘password1’ and ‘password2’. Normally this option would only be used in conjunction with the Minimum Number of Days feature described immediately above. Otherwise, users could simply change their password several times quickly to clear out the configured “recent history” list to get around the security requirements.
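The interaction between the complexity counters, the password history and the minimum password age can be checked with a small model. The following is an added example, not Eventide code: the class and function names are hypothetical, "special characters" are assumed to be ASCII punctuation, the dictionary-word check is not modelled, and the sample passwords are constructed.

```python
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    complexity_enabled: bool = True
    min_length: int = 8
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_special: int = 1
    min_age_days: int = 0   # "Minimum password age"
    history: int = 3        # "Reject Previous Passwords Including Current"


def complexity_errors(pw: str, p: Policy) -> List[str]:
    """Return the unmet requirements; an empty list means the password is accepted."""
    if not p.complexity_enabled:
        # Per the page: with complexity disabled, three characters are enough.
        return [] if len(pw) >= 3 else ["length"]
    have = {
        "length": len(pw),
        "digits": sum(c in string.digits for c in pw),
        "lowercase": sum(c in string.ascii_lowercase for c in pw),
        "uppercase": sum(c in string.ascii_uppercase for c in pw),
        # Assumption: special characters are modelled as ASCII punctuation.
        "special": sum(c in string.punctuation for c in pw),
    }
    need = {"length": p.min_length, "digits": p.min_digits,
            "lowercase": p.min_lower, "uppercase": p.min_upper,
            "special": p.min_special}
    return [name for name in need if have[name] < need[name]]


@dataclass
class Account:
    policy: Policy
    # Model only: a real system compares against stored password hashes.
    remembered: List[str] = field(default_factory=list)  # oldest first, current last
    last_change_day: Optional[int] = None

    def change(self, new_pw: str, day: int) -> Tuple[bool, str]:
        p = self.policy
        if complexity_errors(new_pw, p):
            return False, "complexity"
        if (self.last_change_day is not None
                and day - self.last_change_day < p.min_age_days):
            return False, "minimum age"
        if p.history > 0 and new_pw in self.remembered[-p.history:]:
            return False, "history"
        self.remembered.append(new_pw)
        self.last_change_day = day
        return True, "ok"


def earliest_reuse_day(policy: Policy, original: str,
                       fillers: List[str]) -> Optional[int]:
    """Day on which a user who sets `original` on day 0 can set it again after
    cycling through `fillers` as fast as the policy allows; None if the policy
    rejects the attempt for a reason other than the minimum age."""
    acct = Account(policy)
    ok, reason = acct.change(original, day=0)
    if not ok:
        raise ValueError("original password rejected: " + reason)
    day = 0
    for pw in list(fillers) + [original]:
        while True:
            ok, reason = acct.change(pw, day)
            if ok:
                break
            if reason != "minimum age":
                return None
            day += 1  # wait one more day and try again
    return day


# Constructed sample passwords; each satisfies the default Policy above.
ORIGINAL = "Summer!2024x"
FILLERS = ["Filler#0001a", "Filler#0002a", "Filler#0003a"]

if __name__ == "__main__":
    print(complexity_errors("123", Policy()))
    for min_age in (0, 1, 7):
        p = Policy(history=3, min_age_days=min_age)
        print(min_age, earliest_reuse_day(p, ORIGINAL, FILLERS))
```

With a history of three and no minimum age, the original password is back in use on the same day; a minimum age of seven days pushes that out to day 28.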
6.6.2.5. Lockout
Clicking the “Lockout Settings” sub header provides configuration settings allowing user accounts to be temporarily “locked out” upon presentation of an invalid password. This can be used to prevent unauthorized personnel from gaining access to the recorder by using automatic scripts to attempt many passwords very quickly. To enable this option, check the “Enable Account Lockout” Checkbox and configure the two fields below:
Lock After Failed Attempts: The number of unsuccessful passwords that must be entered in order for a user’s account to enter the locked out state
Lock Duration: The number of seconds a user’s account remains in the lockout state once the threshold above is met.
None of the settings on this NexLog DX-Series™ Configuration Manager page will take effect until the ‘Save’ button is pressed.
6.6.3. Active Directory
This page is for configuring the Active Directory feature and provides four options for Authentication:
Local Recorder Only: No Active Directory features in use. The default. All Authentication done using local User configuration.
Network File Share (SMB): Configure the recorder to test user authentication against an SMB share. If the user’s credentials allow access to the folder, they are authenticated to the recorder. Allows for the use of Domain credentials but no other AD user management features.
LDAP: Use LDAP to assign user groups to recorder users. Add-on License required. Covered in detail in the Active Directory manual.
Active Directory Domain: Join the recorder to an Active Directory Domain to authenticate with domain credentials and enable single sign on. Add-on License required. Covered in detail in the Active Directory manual.
6.6.3.1. Network File Share (SMB)
This option allows for basic Active Directory Authentication to a Windows service. The NexLog DX-Series™ server does not have to join the domain in order to use this credentialing method; however, users and permissions must be managed on the recorder. All users must be created via the NexLog DX-Series™ User configuration interface before logging in.
6.6.3.2. Active Directory Domain
Active Directory Domain allows users to log in to their NexLog DX-Series™ user accounts with their Windows credentials (username and password) via LDAP user management. It allows the system administrators to manage group level user permissions from one place. With the Single Sign-On option, logging into MWP can be as simple as clicking a link.
This is much more comprehensive than the Network File Share setting: for example, with enhanced Active Directory, users that exist on the domain but have not been previously created on the NexLog DX-Series™ can be automatically created on the recorder at first login, including inheriting their proper group memberships and resource permissions, if configured correctly on the domain.
Active Directory requires a NexLog DX-Series™ Add-on License Key. The Eventide Active Directory software add-on and its configuration and use are detailed in the Eventide Active Directory Configuration Manual.
6.6.4. SSL
When client software connects to the recorder and transfers data over the network, this data can be sent in plain text (unencrypted) over the network or can be encrypted using the SSL (Secure Socket Layer) protocol.
The ability to enable SSL functionality in NexLog DX-Series™ recorders for recording SIP Trunks, Cisco BIB, and ED137C requires a free Eventide add-on license. (Eventide reserves the right to limit the availability of this enabler add-on license for export.) SSL for client connections such as MediaWorks DX™ does not require a license.
This Setup page determines where encryption is used. For each entry, the recorder can be configured to accept Unencrypted Connections only, SSL Connections only or to accept both. When clients connect to the recorder they must use an enabled form of communication. Encryption provides for data security at the expense of causing more CPU resources to be utilized on the recorder. The following connection types can each be configured:
Database Connections: This includes Eventide software such as MediaWorks DX™ which communicate with the recorder’s onboard database as well as ODBC Connections to the recorder’s database made by third party applications such as Crystal Reports (TM).
Web Server Connections: Determines how Web browsers are allowed to connect to the recorder. Plaintext is used for http:// and Encrypted for https://
Client Service Connections: Controls the live data sent between the Recorder and MediaWorks DX™/MediaAgent.
Centralized Archive Connections: Controls the connections made between two NexLog DX-Series™ recorders when one acts as an archive destination for another.
No changes made on this page will take effect on the recorder until the recorder is rebooted.
For details on how to configure SSL, see the SSL Certificate Request & Application appendix.
6.6.5. User Groups
The User Groups Setup page allows User Groups to be managed and configured.
User Groups are a way to organize permissions and resources so that they can easily be granted to multiple users.
When a user is added to a group they receive the recorder permissions for the group. If they are removed from the group, they lose those permissions.
For example, you could create a Group called “Dispatchers” and give that group permission only to instant recall calls and view alerts, and then add the user accounts for all your dispatchers to that group.
The main User Groups page displays a table showing all the user groups configured on the system, one per row. Each group entry displays the Group Name, and the Members of the group. If there are many members in the group, only the first few will be displayed here, and you must navigate to the ‘Edit Group’ page for the group to view the full set. Under the User Groups table are a set of action buttons. Except for the ‘Add Group’ button, all actions require you to first select the group you wish to perform the action on from the User Group table by clicking on it in the table.
Fig. 6.54 User Groups
The default User Groups are:
Admin: Administrator group. Has all permissions by default. This group cannot be deleted.
Archivers: Group has permissions related to archiving, but not configuring archiving.
Group Evaluators: Can evaluate all users in an Agent Group, if the Group Evaluator is also configured as Group Leader.
Instant Recall: Can login and use instant recall feature of MediaWorks DX™ only.
Maintainers: Can configure the recorder and archive recordings but not use client software to search or playback recordings.
Monitors: Can use the channels tab of MediaWorks DX™ and the Front Panel to live monitor incoming calls as they happen.
Report Editors: Can edit Enhanced Reports.
Researchers: Can use MediaWorks DX™ to find, play and export recordings and make incidents.
SuperEvaluators: Can evaluate any call. (See more info in the Quality Factor Manual)
Systems: This user only has permissions to login on behalf of Centralized Archiving, NexLog Access Bridge and Screen Agent clients.
‘Add Group’ and ‘Edit Group’ both navigate to the same page where group membership can be viewed and modified. ‘Edit Group’ provides access to the options for an existing group, while ‘Add Group’ creates a new group and provides access to its options. In addition to a Group Name, this page allows you to modify which users are members of the group. To accomplish this task, choose a user from the drop down list of all users. Once chosen, the user will appear below the dropdown list as being a member of this group. You can remove a user by simply clicking the ‘remove’ link next to the user name. You can also control a user’s group memberships via the check boxes on the Security: Users page. No changes will take effect on this page until the ‘Save’ button is clicked.
‘Delete Group’ will prompt for confirmation and then delete the currently selected user group from the system. Users that are members of that group will not be deleted, but they will no longer possess any permissions they were inheriting through their group membership.
The ‘Permissions’ button is a shortcut which navigates to the Security: Permissions: Edit Permissions page showing the permissions for the currently selected User Group. Members of a user group always have these permissions. The rest of the user group options are “defaults”, which means that they are set when a user joins the group, but can be overridden to customize a specific user’s resources, search groups or NAB access.
Fig. 6.55 User Group Edit
Defaults: User Session Inactivity Time Out, User Permission Groups and Search Filter Groups can be set as a default here. Default in this context means that a new user made as a part of this group will get these settings by default, but they can be customized/overridden per user at any time without affecting their group membership. For example, you may want a user to be a researcher, but with fewer resource permissions; you can add them to this group and then customize that user’s Resource Permissions on the User Edit page.
NAB Access: If this system is configured with any NexLog Access Bridges, each NAB will be listed here by IP and Serial Number. By default, user groups will have access to all configured NABs. You can uncheck these boxes to block a user from connecting to any given NAB. This will remove permission to access the source recorder and being a member of another group with access to that recorder will not override the block.
6.6.6. Permissions
The Permissions feature allows administrators to configure which actions users can take on the recorder. Without the appropriate permission, a user cannot playback recordings, export calls, or run reports. With the correct permissions, a user can evaluate their agent group, create incidents, or even create new users with permissions of their own. The actions permitted are further filtered by permissions granted to individual resources and channel names on the recorder, and to the individual pages of Configuration Manager.
At install time, your NexLog DX-Series™ recorder is configured with a default set of User Groups and Permissions. Often, Recorder Administrators will simply assign users to the preexisting groups, and make minor modification to what permissions each group has.
The NexLog DX-Series™ permissions system is flexible and allows for the creation of new user groups and the assignment of customized sets of permission to each group, so the entire security system behavior can be configured based on your site’s needs. Permissions can be assigned directly to a user, or can be assigned to a user group; all users in a user group inherit the group’s currently set permissions.
Each permission is assigned as a noun-verb pair of Security Object and Security Operation. For example, User Groups is a Security Object and Add, Delete, Read, and Update are Security Operations, so a user or user group can be assigned permission to Read User Groups, which would allow them access to see what User Groups exist, but not add, edit, or delete them.
Access to each page of Configuration Manager is also restricted by permissions. This is because some permissions apply to more than one page and it is easier to know what a user or group can do when access to entire pages is explicitly granted rather than implicitly arrived at based on individual Read permissions.
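The two evaluation rules described in this chapter differ: object/operation permissions are additive across direct grants and group memberships, while an unchecked NAB on the user or on any of their groups blocks access regardless of other memberships. The following added example (not Eventide code) models both for access review; the class and function names, the user, and the specific grants given to each group are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (Security Object, Security Operation)


@dataclass
class Group:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    nab_unchecked: Set[str] = field(default_factory=set)  # NAB IPs unchecked on the group


@dataclass
class User:
    name: str
    groups: List[Group] = field(default_factory=list)
    permissions: Set[Permission] = field(default_factory=set)  # granted directly
    nab_unchecked: Set[str] = field(default_factory=set)       # NAB IPs unchecked on the user


def effective_permissions(user: User) -> Dict[Permission, List[str]]:
    """Union of direct and inherited permissions, with the source of each one
    (the view the "Show Permissions Granted And Inherited" filter gives)."""
    sources: Dict[Permission, List[str]] = {}
    for perm in user.permissions:
        sources.setdefault(perm, []).append("direct")
    for group in user.groups:
        for perm in group.permissions:
            sources.setdefault(perm, []).append(group.name)
    return sources


def can(user: User, obj: str, op: str) -> bool:
    return (obj, op) in effective_permissions(user)


def permissions_lost_if_removed(user: User, group_name: str) -> Set[Permission]:
    """Permissions the user holds only through the named group, i.e. what
    disappears if that group is deleted or the user is removed from it."""
    return {perm for perm, src in effective_permissions(user).items()
            if src == [group_name]}


def nab_blockers(user: User, nabs: List[str]) -> Dict[str, List[str]]:
    """For each NAB, list who blocks it; an empty list means access is allowed.
    A block is never overridden by another group that leaves the box checked."""
    result: Dict[str, List[str]] = {}
    for ip in nabs:
        blockers = ["user"] if ip in user.nab_unchecked else []
        blockers += [g.name for g in user.groups if ip in g.nab_unchecked]
        result[ip] = blockers
    return result


# Constructed sample data. The two NAB addresses are the ones used in the
# NAB Access example; the grants assigned to each group are illustrative.
NABS = ["192.168.22.184", "192.168.22.98"]
dispatchers = Group("Dispatchers", {("Alert", "Read")},
                    nab_unchecked={"192.168.22.98"})
user_managers = Group("User Managers", {("User Groups", "Read")})
jdoe = User("jdoe", groups=[dispatchers, user_managers],
            permissions={("Alert", "Read"), ("Alert", "Update")})

if __name__ == "__main__":
    for perm, src in sorted(effective_permissions(jdoe).items()):
        print(perm, "<-", ", ".join(src))
    print(nab_blockers(jdoe, NABS))
    print(permissions_lost_if_removed(jdoe, "User Managers"))
```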
Fig. 6.56 Permissions
The Users and Security: Permissions page shows a searchable and filterable list of users and user groups. Select any entry in this list and click Edit Permissions to see what Configuration Manager Pages and Security Operations are configured. The Permissions edit view can also be searched or filtered.
The filters available are:
Show All: Shows all permission options.
Show Permissions Granted: Shows only permissions selected for this user or group.
Show Permissions Not Granted: Shows only permissions not selected for this user or group.
Show Inherited: Shows only permissions this user has because of group membership. (Users Only)
Show Permissions Granted And Inherited: Shows permissions this user has been assigned directly and those they have because of group membership. (Users only)
Show Changes Only: This last option only shows the changes being made to this user or user group during this editing session.
Fig. 6.57 Permissions with Filter Set to Show Granted Directly And Inherited From Groups
Right-click on any permission to set or unset permission to an entire section, or if you want to see which users and groups have a given permission, select “View All With This Permission”
Fig. 6.58 Permissions Edit Page Context Menu
A fast way to assign the appropriate permissions for a group or user is to select the pages they should have access to and click save. This will bring up the Additional Recommended Permissions Pop Up, listing the permissions relevant for each page.
Fig. 6.59 Additional Permissions Recommended Pop Up Wizard
In the example above, the User was granted permission to load the Active Alerts, Archive Media History and Archives pages. The Additional Permissions Recommended wizard pop up appears to show the Permissions relevant to actions performable on these pages. Without Update, the user cannot acknowledge an Active Alarm. Without Browse Archive, the user cannot put an archive into browse mode. The User already has Alert Read, so that permission is not suggested.