ACL Details Window

Certain objects in KeyServer can be configured so that different Administrators have different permissions for those objects.

There are high-level ACLs available in the Config menu: Server ACL, Enterprise ACL, and Maps ACL. In that order, they affect all objects in the server, all Sections and Divisions, and granular access to Maps in the Web UI. In simple structures these top-level items are sufficient. In complex federations, you may need to set specific access rights on granular objects (Folders in the main windows).

To change Access Permissions for a Computer Division, User Folder, Purchase Folder, Purchase, Policy Folder, or Policy, select it and right-click to choose Edit ACL. For example, you can "Edit ACL..." for a Computer Division, User Folder, Purchase Folder, or Policy Folder (or even a single Policy) to give rights to a particular Account, a Role, or a Group. The ACL Details Window lets you restrict the "scope" so that specific Computers, Users, Purchases, or Policies can be viewed, inspected, or modified.

The default rights for built-in Roles have been designed to reduce the need to customize ACLs yourself, but if your requirements are complex, there could be cases where you need to edit ACLs. For a more general discussion of how ACLs work and how they can be used, refer to the Administration and Management documentation. For more on defining roles and permissions, refer to Admin Access Window. For information on external authentication sources like Active Directory, see Admin Authentication.

The ACL Details window will always show two lines: Administrator Role and Everyone. The Administrator Role has all Rights, and this cannot be changed, since the Administrator Role always has full access to everything. The Everyone settings apply to all Administrators, even when their Account or associated Roles or Groups are not listed in the ACL. Remember that everyone who can log in to KeyConfigure or KeyReporter is referred to as an Administrator, but only the Administrator Role grants full access privileges in the software; other Administrators may have limited Roles. The picture below illustrates the addition of the Assistant Group to the default ACL in order to grant View and Inspect permissions to any Admin in that Group. The rest of the lines displayed in the ACL Details, with gray checkmarks, come from inherited ACLs at the Server, Policies (root), and Folder levels.

[Image: ACL Details window]

From the Admin Access window, items can be selected and dragged into this window; then View, Inspect, or Modify permissions can be configured for these additional specific Accounts, Groups, or Roles. Permissions are calculated using an "or": every line which is relevant to the logged-in Administrator is considered, and if any of those lines has a check-mark in a column, then the logged-in Administrator will have that Permission. Note: unless one or more check-marks are turned off for Everyone, any configuration for other roles that are dragged in will have no effect!
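As an added illustration (not Sassafras code), the following Python models the calculation described above: every line that names the Administrator's Account, Roles, Groups, or Everyone is OR'd together, and a helper flags lines that have no effect because Everyone already has the same check-marks. It assumes that inherited (gray) lines combine under the same OR rule as the object's own lines, and the Account, Role, and Folder names in the sample are constructed.

```python
# Added example (not Sassafras code): models the OR rule from the ACL Details
# window to see which rights an Administrator ends up with and where they came from.
from dataclasses import dataclass

PERMISSIONS = ("View", "Inspect", "Modify")

@dataclass(frozen=True)
class AclLine:
    principal: str          # "Everyone", "Account:<name>", "Role:<name>" or "Group:<name>"
    rights: frozenset       # subset of PERMISSIONS checked on this line
    source: str = "object"  # assumption: inherited lines (Server, root, Folder) are OR'd the same way

@dataclass(frozen=True)
class Admin:
    account: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

    def principals(self):
        # Every ACL line naming one of these applies to this Administrator.
        return {"Everyone", f"Account:{self.account}",
                *(f"Role:{r}" for r in self.roles), *(f"Group:{g}" for g in self.groups)}

def effective_rights(admin, lines):
    """Return {permission: [granting lines]}; a permission is held if ANY relevant line checks it."""
    if "Administrator" in admin.roles:  # the Administrator Role always has full access
        return {p: ["Role:Administrator (built-in)"] for p in PERMISSIONS}
    granted, names = {}, admin.principals()
    for line in lines:
        if line.principal in names:
            for p in line.rights:
                granted.setdefault(p, []).append(f"{line.principal} ({line.source})")
    return granted

def ineffective_lines(lines):
    """Lines whose every checked right is already checked for Everyone (the pitfall in the Note)."""
    everyone = frozenset().union(*(l.rights for l in lines if l.principal == "Everyone"))
    return [l for l in lines if l.principal != "Everyone" and l.rights and l.rights <= everyone]

# Constructed sample: the Assistant Group dragged into a Policy Folder's ACL,
# evaluated for a (hypothetical) Help Desk admin who belongs to that Group.
assistant = AclLine("Group:Assistant", frozenset({"View", "Inspect"}))
helper = Admin("jdoe", roles=frozenset({"Help Desk"}), groups=frozenset({"Assistant"}))

def before_and_after():
    everyone_all = AclLine("Everyone", frozenset(PERMISSIONS))     # nothing unchecked for Everyone
    everyone_view = AclLine("Everyone", frozenset({"View"}))       # Everyone restricted to View only
    server_line = AclLine("Role:Help Desk", frozenset({"View"}), "Server ACL")  # inherited (gray)
    return (effective_rights(helper, [everyone_all, assistant]),   # Assistant line changes nothing
            ineffective_lines([everyone_all, assistant]),          # ... and is flagged as such
            effective_rights(helper, [everyone_view, assistant, server_line]))  # now it matters
```

In the first case the dragged-in Assistant line is redundant; only after Everyone loses Inspect and Modify does Group membership decide who may Inspect.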

Caution: while the ability to limit the scope of an admin by configuring ACLs is very powerful, it can also become very confusing. Edit ACL is available from many contexts in the KeyConfigure interface, and depending on where you right-click and what is selected, the permissions you end up setting will apply to one or many records. Interactions with permissions set at another level can become complex. Contact Sassafras tech support for guidance in keeping your configuration as simple as possible while still accomplishing your management goals.

Summarize Access window

Since ACLs quickly become complex, there is a Summarize Access window that helps you understand how different ACLs interact to ultimately grant access rights to different Admin accounts. You can open this window by right-clicking in any of the main windows that use ACLs and selecting Summarize Access.... Once open, it will show a chart of which access rights each account has on each object. Hovering over the various icons will give additional details about what access has been granted and from what source. The icons also indicate the source in various ways, such as the Key icon indicating the Server ACL.