Users

User management is part of the More section of the ESMC Web Console.

The security model

These are key terms used in the new model:

Term

Explanation

Home Group

Home Group is the group where all objects (devices, tasks, templates, etc.) a user creates are automatically stored. Each user must only have one home group.

Object

Objects are located in Static Groups. Access to objects is by groups, not users (providing access by group makes it easy to accommodate multiple users, for example, if one user is on holiday). Server tasks and notifications are exceptions that require an "executing" user.

Access Group

Access Group functions as a static group which allows users to filter the location of the object based on access rights.

Administrator

A user that has home group All with a full Permission Set over the group is effectively an administrator.

Access Right

The right to access an object or to execute a task is assigned with a Permission Set.

Permission Set

A Permission Set represents the permissions for users that access ESMC Web Console. They define what the user can see or do in ESMC Web Console. A user can be assigned multiple Permission Sets. Permission sets are applied only over objects in defined groups. These Static Groups are set in the Static Groups section when creating or editing a permission set.

Functionality

A functionality is one type of object or action. Typically, functionalities get these values: Read, Write, Use. The combination of functionalities applied to an Access Group is called a Permission Set.

Access Group Filter

The Access Group filter button allows users to select a static group and filter viewed objects according to the group where they are contained.

access_group

Add filter and filter presets

To add filtering criteria, click Add filter and select item(s) from the list. Enter the search string(s) into the filter field(s). Active filters are highlighted in blue.

Filters can be saved to your user profile so that you can use them again in the future. Under Presets the following options are available:

Filter sets - your saved filters, click one to apply it. The applied filter is denoted with a apply_default check mark. Select Include visible columns, sorting and paging to save these parameters to the preset.

add_new_defaultSave filter set - Save your current filter configuration as a new preset. Once the preset is saved, you can not edit the filter configuration in the preset.

edit_defaultManage filter sets - Remove or rename existing presets. Click Save to apply the changes to presets.

Clear filter values - Click to remove only the current values from the selected filters. Saved presets will remain unchanged.

Remove filters - Click to remove the selected filters. Saved presets will remain unchanged.

Remove unused filters - Remove filter fields with no value.

light-bulbEXAMPLE: Branch office admins solution

If a company has two offices, each with local admins, they need to be assigned with more permission sets for different groups.

Let's say there are admins John in San Diego and Larry in Sydney. Both of them need to take care only of their local computers, use Dashboard, Policies, Reports and Dynamic Groups Templates with their machines. The main Administrator has to follow these steps:

1.Create new Static Groups: San Diego office, Sydney office.

2.Create new Permission sets:

a.Permission set called Sydney permission set, with Static Group Sydney office, and with full access permissions (exclude Server Settings).

b.Permission set called San Diego permission set, with Static Group San Diego office, and with full access permissions (exclude Server Settings).

c.Permission set called All Group / Dashboard, with Static Group All, with the following permissions:

Read for Client Tasks

Use for Dynamic Group Templates

Use for Reports and  Dashboard

Use for Policies

Use for Send Email

Use for Send SNMP Trap

Use for Export report to file

Use for Licenses

Write for Notifications

3.Create new user John with home group San Diego office, assigned with the permission sets San Diego permission set and All Group / Dashboard.

4.Create new user Larry with home group Sydney office, assigned with the permission sets Sydney permission set and All Group / Dashboard.

If permissions are set like this, John and Larry can use same tasks and policies, reports and dashboard, use dynamic group templates without restrictions; however each can only use templates for machines contained in their home groups.

Domain Security Groups

To ease usage in Active Directory, users from Domain Security Groups can be allowed to log into ESMC. Such users can exist next to ESMC Native Users; however, the permission sets are set for the Active Directory security group (instead of for individual users, as in the Native User case).

Sharing objects

If an Administrator wants to share objects, such as dynamic group templates, report templates, or policies, the following options are available:

Move those objects into shared groups

Create duplicate objects and move them into static groups which are accessible to other users (see the example below)

light-bulbEXAMPLE: Sharing via duplication

For an object duplication the user needs to have Read permission on the original object and Write permission on his Home Group for this type of action.

Administrator, whose home group is All, wants to share Special Template with user John. The template was originally created by Administrator, therefore it is automatically contained in the group All. Administrator will follow these steps:

1.Navigate to More > Dynamic Group Templates.

2.Select the Special Template and click Duplicate, if needed, set name and description and click Finish.

3.The duplicated template will be contained in the home group of Administrator, group All.

4.Navigate to More > Dynamic Group Templates and select the duplicated template, click move_defaultAccess Group > move_default Move and select the destination static group (where John has permission). Click OK.

 

How to share objects among more users via Shared Group

To better understand how the new security model works, see the scheme below. There is a situation where there are two users created by the administrator. Each user has his own home group with objects he has created. San Diego permission set gives John rights to manipulate Objects in his home group. The situation is similar for Larry. If these users need to share some objects (for example, computers), these objects should be moved to Shared Group (a static Group). Both users should be assigned with Shared permission set which has Shared Group listed in the Static Groups section.

security_model

 

details_hoverNOTE

A fresh ESMC installation has the Administrator (Native User with home group All) as the only account.