KBI 311129 Enhancement: Expanded Security In Argent Global Manager Via Active Directory


Argent Global Manager 3.1A-1412-A and later


Wednesday, 17 Dec 2014


Argent Global Manager has been enhanced with an option to set Security on individual objects or object folders, for Active Directory users/groups

Security can be set either explicitly or implicitly

Explicitly means Security is applied using Global Security Objects (GSO) or specifying accessing rights to explicit users/groups

Security applied implicitly using the special feature of GSO (This feature is explained in the later sections)

A Default Policy of the product can be set from any one of the three options:

  • Denied
  • Read-Only
  • Full Access

For a detailed view on setting security in Argent Global Manager, see:

How To Set Security In Argent Global Manager

Technical Background

Argent Global Manager version 3.1A-1412-A implements the same security mechanism as in Argent AT

However, the concept of applying security on Shared Objects (CMDB-X, Alerts, Monitoring Groups, Automatic Report Distributions, Macros and Calendars) slightly differs as they are commonly allocated for all products in Argent Global Manager

Product security is achieved by setting different levels of access privileges to Active Directory users/groups

The three levels of access rights that can be set are:

  • Denied
No Access, will not be displayed
  • Read-Only
Will be shown but can’t be modified
  • Full Access
Has read and write access

Defining Security

As shown in the adjacent screenshot, a new ‘Administration’ section is added in the tree that allows defining security for shared objects and also for each Argent AT product independently

The Administration section in the tree lists all products and an ‘Argent Shared’ option

The Argent Shared option is used to define the security for shared objects

Each option in the Administration section has a ‘Security’ leaf node and on clicking this node, a Security screen (C7 screen) of the corresponding product is displayed

The product security works independently in each product; that is, the security defined for one product does not relate to the security of another product

The Security screen allows defining multiple security conditions:

a) Adding System Administrator

Active Directory users/groups can be set as System Administrators of the product using the ‘System Administrator’ option

To set security using C7 screen, the user must have ‘System Administrator’ privilege in that product

Users defined as System Administrators in Argent AT products will be System Administrators for corresponding product in Argent Global Manager by default

The System Administrator user gets Full Access on the product regardless of any security set for that user explicitly

b) Defining Default Policy

A Default Policy can be set here, from one among the three options: Denied, Read-Only and Full Access

The security defined here is applied on all Rules, Relators and Reports of that product by default

c) Creating Global Security Objects (GSO)

The Security screen also allows adding Global Security Objects (GSO)

Global Security Objects provide a mapping between Active Directory groups/users against different privileges

Applying security using GSO benefits that it works as a security macro that can be reused anywhere across Argent Global Manager

For example, assume a company needs to set Full Access for the Admin users on an object and a ‘Read-Only’ access for Domain users on the same object

In this case, a GSO can be created by specifying Admin users with Full Access and Domain users with Read-Only access

On assigning this GSO to an object, each users in the GSO get permission to access this object as defined in the GSO (Admin users – Full Access and Domain users – Read-Only access)

Same GSO can be used anywhere across Argent Global Manager

Shared Object Security

Shared Objects comprises of the components that are common to all products of Argent AT like CMDB-X, Alerts, Monitoring Groups, Automatic Report Distributions, Macros and Calendars

Working Concept:

  • Users set as System Administrator of any product get Full Access on shared objects by default
  • System Administrator privilege on Shared Objects can also be specified explicitly for Active Directory users

The policy set here are applied on all shared objects

For example, if the Default Policy for the shared object is Denied, then none of the shared object will be shown for the user, unless configured otherwise

If a security is set on a shared object for a user, that user gets the same privileges on that object when accessing from any product

How To Apply Security On Objects

Security on an object or object folder can be applied explicitly by invoking the ‘Security Settings’ option in the context menu

To set security on an object, customers can use pre-defined GSO policies or define access rights for explicit users or groups

  1. Applying Security Using GSO
  2. Clicking ‘Security Settings’ option displays a new screen Z4B (see screenshot)

    To apply GSO, check the ‘Use Global Security Object’ combo and select the desired GSO

  3. Apply Security To Explicit Users/Groups

    Specific access rights can also be set for explicit users/groups


If any GSO is applied, the security set for explicit users/groups get overridden

How Security Works In Argent Global Manager

The child node inherits the security set on its immediate parent node, until the tree root

If any security is defined explicitly, the inherited security is overridden

Special Feature:

Argent Global Manager has incorporated a special feature of Argent AT where the security settings of a Global Security Object is applied for a folder if the folder name exactly matches the Global Security Object name

Hence the user may just create a GSO with the same name of the folder for which the GSO is required to be applied

Users/Groups and permissions required may be suitably defined for the GSO and the security gets applied to the folder automatically

Applying GSO implicitly using this feature helps the Argent System Administrator in two ways:

  • Save time in assigning the created GSO to the required folder
  • Easily understand the extent of security applied from the GSO name itself

The Authorization Cascade Is:

If security is explicitly defined, use it

If not, check the parent folder

    If folder security is explicitly defined, use it

    If folder security is not explicitly defined, check whether its name matches one of the Global Security Objects (GSO)

    If any is matched, use the GSO security

        If folder security is not defined either explicitly or implicitly, check its immediate parent folder until the tree root

If security is not defined anywhere, use the product’s default policy

Following flow chart explains the Security Algorithm


Upgrade to Argent Global Manager 3.1A-1412-A or later