DualShield employs the Role Based Access Control (RBAC) model for access control to the Management Console.
- A user belongs to or has one or many roles
- A role has a set of access permissions
- A permission is right to execution or access
An administrative role is a collection of permissions that can be assigned to an administrator. A role determines what level of control the administrator has over which objects, such as users, tokens, reporting etc.
You can add as many custom administrative roles as your organization needs. You can also assign multiple roles to a single administrator. When an administrator has more than one role, the privileges granted by those roles are combined, allowing the administrator to perform any action granted by the assigned roles.
For example, suppose an administrator is assigned one role that grants permission to view and edit users, and another role that grants permissions to view and edit user groups. Each time the administrator logs on, he or she can view and edit both users and user groups.
A role has 3 properties:
- A descriptive name
- A set of managing domains
- A collection of permissions based on the function of the role
A permission has 3 components:
- A set of scopes
- A set of objects
- A set of actions
The managing domains of an administrative role determine the domains in which the role lives and is managed (by other administrative users with the right to manage roles).
The scope of an administrative role determines in what scope administrator may manage objects.
Actions assigned to the administrative role determine what actions an administrator assigned the role can take on objects such as users, user groups, security domain, units, and various policies. The following common privileges are available for all objects:
- All grants an administrator permission to perform any administrative action on the object.
- Create grants an administrator permission to create/add an object.
- Delete grants an administrator permission to delete an object.
- Edit grants an administrator permission to view and edit an object, but not the ability to create or delete.
- View grants an administrator permission to view an object, but not the ability to add, edit, or delete.
Each object may also have its own special privileges.
You can only assign and add administrative roles with the same or fewer objects than the administrative role assigned to you.
You can only assign and add administrative roles with the same or fewer privileges than the administrative role assigned to you.
How to Create a Help Desk Role in DualShield
Help desk operator is an administrator, typically with restricted access to the management console. For instance, below is a list of permissions that are typically assigned to help desk operators:
- Issue Emergency Code
- Reset Passwords
- Lock/Unlock. Enable/Disable user accounts
- Create and View reports
To create a role, select "Administration | Roles" in the main menu, click "Create" button on the toolbar:
The "Domain" field is the so-called Managing Domain. If a role has managing domains, then the role can only be managed by administrative users in the managing domains who have the right to manage roles. If a role does not have managing domains, then the role can be managed by all administrative users who have the right to manage roles.
Once a role is created, you can add and edit its permissions. Click the context menu icon of the role, select "Permits":
To create a new permit for the role, click "Create" on the toolbar:
You then need to set the scope, object and actions parameters for this role.
Scope = Area of applicability; eg. only users in a specific domain or OU
Object = The operational feature
Actions = What you can do; eg. Create, Delete, View, All
Click on the magnifying lens corresponding with the parameter you wish to set.
Select the domain, or OU
Select an object you wish this role to have control over
An then the type of action you need this role to have over the object:
Note: You get different action choices for different object.
Repeat the same process to create all other permits for the role:
Finally, do not forget to assign the role to a user or user group.
In DualShield go to "Directory | Groups"
And check the box next to the corresponding role.