Access Details Window

Overview

Certain objects in KeyServer can be configured so that different Administrators have different permissions for those objects. For example, it is often useful to "Edit Permissions..." that are assigned to a Computer Division, Purchase Folder, or Policy Folder (or even a single Policy) so that each particular administrative login account may have view-only versus modify permissions. By default, any particular Role has uniform access to all records in the relevant database. The Access Details Window lets you restrict the "scope" of any particular role so that specific records within the Computer, Purchase, or Policy databases can be viewed, inspected, or modified. Unless you explicitly select and modify permissions, any Roles that have basic privileges on the relevant database will simply be allowed access to all records.

To change Access Permissions for a Computer Division, Purchase Folder, Purchase, Policy Folder, or Policy, select it and Right-click to choose Edit Permissions. The Access Details window will always show two lines - Administrator and Everyone. The Administrator entry will always have all three Permissions, and this cannot be changed, since Administrator always has all possible permissions. The Everyone entry is used when an administrator is not logged in as any of the names specifically listed in the Access Details window. The screenshot below illustrates a change to the defaults for Everyone, and a custom restriction for the Assistant role which allows only View and Inspect permissions:

Access Details Window

From the "Roles & Accounts" window, items can be selected and dragged into this window – then View, Inspect, or Modify permissions can be configured for these additional specific Accounts and Roles. Permissions are calculated using an “or” - that is, every line which is relevant to the logged in Administrator is considered, and if any of those lines have a check-mark in a column, then the logged in Administrator will have that Permission. Note: unless one or more check-marks are removed for Everyone, any configuration for other roles that are dragged in will have no effect!

In the example above, Administrator can of course do everything regarding this Policy. Assistant can see everything but cannot make changes. No one else can even see the Policy.

• View means that objects can be seen in a main window. Turning off View for a policy will hide just that policy. Turning off View for a Policy folder will not hide the folder, but will hide all Policies within the folder.
• Inspect means that detail windows can be opened - again this really applies to Computers, Policies, and Purchases, even when this permissions is configured on a Division or Folder.
• Modify means that the configuration and properties for the object can be changed.

Caution: while the ability to limit the scope of a role by configuring permissions - globally, for a folder, and at the individual record level - is very powerful it can also become very confusing. Edit Permissions is available from many contexts in the KeyConfigure interface, and depending on where you right-click and what is selected, the permissions you end up setting will apply to one or many records. Interactions with permissions set at another level can become complex. Contact Sassafras tech support for guidance in keeping your configuration as simple as possible while still accomplishing your management goals.