ACL Details Window

Certain objects in KeyServer can be configured so that different Administrators have different permissions for those objects.

There are high-level ACLs available in the Config menu for Server ACL, Enterprise ACL, Maps ACL, and Extras ACL. These apply, in order, to all objects in the server, to all Sections and Divisions, and to granular access to Map Sets and Extras in the Web UI. In simple structures these top-level items are sufficient. In complex federations, you may need to set specific access rights on granular objects (Folders in the main windows).

ACL Details window

To change Access Permissions for a Division or Folder, select it and right-click to choose Edit ACL. For example, you can "Edit ACL..." for a Computer Division or Purchase Folder (or even a single Policy) to give rights to a particular Account, a Role, or a Group. The ACL Details Window lets you restrict the "scope" so that specific Computers, Users, Purchases, or Policies can be viewed, inspected, or modified.

To change Access permissions for ALL Divisions or Folders of a certain object type, right-click on the actual word Division or Folder in that window and choose Edit ACL. This sets the root ACL for all objects of that type. You can see that these root ACLs are inherited by default from the Server ACL. Likewise, any Folder etc. under the root window ACL inherits by default in most cases (Divisions are special by default). You can uncheck Inherit to remove Access at any level, or add a Role, Group, or Account to add access at any level.

The default rights for built-in Roles have been designed to reduce the need to customize ACLs yourself, but if your requirements are complex, there could be cases where you need to edit ACLs. For a more general discussion of how ACLs work and how they can be used, refer to the Administration and Management documentation. For more on defining roles and permissions, refer to Admin Access Window. For information on external authentication sources like Active Directory, see Admin Authentication.

The ACL Details window will always show two lines: Administrator Role and Everyone. The Administrator Role has all Rights, and this cannot be changed since the Administrator Role always has full access to everything. The Everyone settings apply to all authenticated users, even when their Account or associated Roles or Groups are not listed in the ACL.

Items can be selected and dragged into any ACL window from the Admin Access window. Once added, View, Inspect, or Modify permissions can be configured for these additional specific Accounts, Groups, or Roles. Permissions are calculated using an “or”: that is, every line relevant to the logged-in account is considered, and if any of those lines has a check-mark in a column, the logged-in account has that Permission. Note: unless one or more check-marks are turned off for Everyone, any configuration for other roles that are dragged in will have no effect, because Everyone already grants those rights to every authenticated account!
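The two rules above (rights are combined with "or" across every line that applies to the logged-in account, and the Everyone line applies to all authenticated accounts) together with Inherit pulling in the parent ACL's lines are easy to get wrong when reasoning about a real configuration. The following model is an added illustration written for this page; it is not Sassafras code, and the names `Acl`, `Principal`, `effective_rights` and `ineffective_lines`, the representation of an ACL as a subject-to-rights map, and the treatment of Inherit as "append the parent chain's lines" are assumptions made to demonstrate the behaviour the documentation describes.

```python
"""Model of how ACL lines combine into effective rights.

Added illustration, not KeyServer/KeyConfigure code. Assumed model:
  - an ACL is a map of subject (Account name, Role, Group, or "Everyone")
    to the set of rights checked on that line,
  - Inherit=True means the parent ACL's lines are also considered,
  - the built-in Administrator Role always has every right.
"""
from dataclasses import dataclass, field
from typing import Optional

RIGHTS = ("View", "Inspect", "Modify")


@dataclass(frozen=True)
class Principal:
    """A logged-in account with its Roles and Groups."""
    name: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

    def identities(self) -> frozenset:
        # Every line subject that is "relevant" to this account:
        # its own name, its Roles, its Groups, and always Everyone.
        return frozenset({self.name, "Everyone"} | self.roles | self.groups)


@dataclass
class Acl:
    name: str
    entries: dict = field(default_factory=dict)   # subject -> set of rights
    inherit: bool = True                          # the Inherit checkbox
    parent: Optional["Acl"] = None                # e.g. root ACL or Server ACL

    def lines(self):
        """Own lines first, then the parent chain if Inherit is on."""
        yield from self.entries.items()
        if self.inherit and self.parent is not None:
            yield from self.parent.lines()


def effective_rights(acl: Acl, who: Principal) -> set:
    """OR together every line relevant to the account."""
    if "Administrator" in who.roles:
        return set(RIGHTS)            # Administrator Role cannot be restricted
    granted = set()
    for subject, rights in acl.lines():
        if subject in who.identities():
            granted |= set(rights)
    return granted


def ineffective_lines(acl: Acl) -> list:
    """Subjects whose lines add nothing because Everyone already grants
    every right they grant (the Note in the documentation)."""
    everyone = set()
    for subject, rights in acl.lines():
        if subject == "Everyone":
            everyone |= set(rights)
    return sorted(
        subject for subject, rights in acl.lines()
        if subject != "Everyone" and set(rights) <= everyone
    )


if __name__ == "__main__":
    # Constructed sample hierarchy: Server ACL -> Computers root -> a Division.
    server = Acl("Server ACL", {"Everyone": {"View"}})
    computers_root = Acl("Computers root", parent=server)
    lab = Acl("Lab Division", {"Helpdesk": {"View", "Inspect"}}, parent=computers_root)
    finance = Acl("Finance Folder", {"FinanceAdmins": set(RIGHTS)},
                  inherit=False, parent=computers_root)

    alice = Principal("alice", roles=frozenset({"Helpdesk"}))
    bob = Principal("bob")
    for acl in (lab, finance):
        for who in (alice, bob):
            print(f"{who.name:6} on {acl.name:15}: {sorted(effective_rights(acl, who))}")
    # A Helpdesk line granting only View is pointless when Everyone has View.
    print("ineffective in Lab Division:", ineffective_lines(
        Acl("Lab Division", {"Helpdesk": {"View"}}, parent=computers_root)))
```

Unchecking Inherit on the Finance Folder removes the View that Everyone receives from the Server ACL, so an account that is not in FinanceAdmins ends up with nothing there; conversely, a dragged-in line that grants only rights Everyone already has changes nothing, which is exactly what the Summarize Access window is meant to make visible.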

Caution: while the ability to limit the scope of an account, role, or group by configuring ACLs is very powerful, it can also become very confusing. Edit ACL is available from many contexts in the KeyConfigure interface, and depending on where you right-click and what is selected, the permissions you end up setting will apply to one or many records. Interactions with permissions set at another level can become complex. Contact Sassafras Support for guidance in keeping your configuration as simple as possible while still accomplishing your management goals.

Summarize Access window

Since ACLs quickly become complex, there is a Summarize Access window that helps you understand how different ACLs interact to ultimately grant access rights to different Admin accounts. You can open this window by right-clicking in any of the main windows that use ACLs and selecting Summarize Access.... Once open, it shows a chart of which access rights each account has on each object. Hovering over the various icons gives additional details about what access has been granted and from what source. The icons themselves also indicate the source in various ways; for example, the Key icon indicates the Server ACL.