KBI 311129 Enhancement: Expanded Security In Argent Global Manager Via Active Directory
Version
Argent Global Manager 3.1A-1412-A and later
Date
Wednesday, 17 Dec 2014
Summary
Argent Global Manager has been enhanced with an option to set Security on individual objects or object folders, for Active Directory users/groups
Security can be set either explicitly or implicitly
Explicitly means Security is applied using Global Security Objects (GSO) or by specifying access rights for explicit users/groups
Implicitly means Security is applied using the special feature of GSO (this feature is explained in a later section)
A Default Policy of the product can be set from any one of the three options:
- Denied
- Read-Only
- Full Access
For a detailed view on setting security in Argent Global Manager, see:
How To Set Security In Argent Global Manager
Technical Background
Argent Global Manager version 3.1A-1412-A implements the same security mechanism as in Argent AT
However, the concept of applying security on Shared Objects (CMDB-X, Alerts, Monitoring Groups, Automatic Report Distributions, Macros and Calendars) slightly differs as they are commonly allocated for all products in Argent Global Manager
Product security is achieved by setting different levels of access privileges to Active Directory users/groups
The three levels of access rights that can be set are:
- Denied
- Read-Only
- Full Access
Defining Security
As shown in the adjacent screenshot, a new ‘Administration’ section is added in the tree that allows defining security for shared objects and also for each Argent AT product independently
The Administration section in the tree lists all products and an ‘Argent Shared’ option
The Argent Shared option is used to define the security for shared objects
Each option in the Administration section has a ‘Security’ leaf node and on clicking this node, a Security screen (C7 screen) of the corresponding product is displayed
The product security works independently in each product; that is, the security defined for one product does not relate to the security of another product
The Security screen allows defining multiple security conditions:
a) Adding System Administrator
Active Directory users/groups can be set as System Administrators of the product using the ‘System Administrator’ option
To set security using the C7 screen, the user must have ‘System Administrator’ privilege in that product
Users defined as System Administrators in Argent AT products will be System Administrators for the corresponding product in Argent Global Manager by default
The System Administrator user gets Full Access on the product regardless of any security set for that user explicitly
b) Defining Default Policy
A Default Policy can be set here, from one of the three options: Denied, Read-Only and Full Access
The security defined here is applied on all Rules, Relators and Reports of that product by default
c) Creating Global Security Objects (GSO)
The Security screen also allows adding Global Security Objects (GSO)
Global Security Objects provide a mapping between Active Directory groups/users against different privileges
The benefit of applying security using a GSO is that it works as a security macro that can be reused anywhere across Argent Global Manager
For example, assume a company needs to set Full Access for the Admin users on an object and a ‘Read-Only’ access for Domain users on the same object
In this case, a GSO can be created by specifying Admin users with Full Access and Domain users with Read-Only access
On assigning this GSO to an object, each user in the GSO gets permission to access this object as defined in the GSO (Admin users – Full Access and Domain users – Read-Only access)
The same GSO can be used anywhere across Argent Global Manager
Shared Object Security
Shared Objects comprise the components that are common to all products of Argent AT, such as CMDB-X, Alerts, Monitoring Groups, Automatic Report Distributions, Macros and Calendars
Working Concept:
- Users set as System Administrator of any product get Full Access on shared objects by default
- System Administrator privilege on Shared Objects can also be specified explicitly for Active Directory users
The policy set here is applied to all shared objects
For example, if the Default Policy for the shared objects is Denied, then none of the shared objects will be shown to the user, unless configured otherwise
If security is set on a shared object for a user, that user gets the same privileges on that object when accessing it from any product
How To Apply Security On Objects
Security on an object or object folder can be applied explicitly by invoking the ‘Security Settings’ option in the context menu
To set security on an object, customers can use pre-defined GSO policies or define access rights for explicit users or groups
- Applying Security Using GSO
- Apply Security To Explicit Users/Groups
Specific access rights can also be set for explicit users/groups
Clicking the ‘Security Settings’ option displays a new screen, Z4B (see screenshot)
To apply a GSO, check the ‘Use Global Security Object’ combo and select the desired GSO
Note:
If any GSO is applied, the security set for explicit users/groups is overridden
How Security Works In Argent Global Manager
A child node inherits the security set on its immediate parent node, and so on up to the tree root
If any security is defined explicitly, the inherited security is overridden
Special Feature:
Argent Global Manager has incorporated a special feature of Argent AT where the security settings of a Global Security Object are applied to a folder if the folder name exactly matches the Global Security Object name
Hence the user may just create a GSO with the same name as the folder to which the GSO is to be applied
Users/Groups and permissions required may be suitably defined for the GSO and the security gets applied to the folder automatically
Applying GSO implicitly using this feature helps the Argent System Administrator in two ways:
- Save time in assigning the created GSO to the required folder
- Easily understand the extent of security applied from the GSO name itself
The Authorization Cascade Is:
If security is explicitly defined, use it
If not, check the parent folder
If folder security is explicitly defined, use it
If folder security is not explicitly defined, check whether its name matches one of the Global Security Objects (GSO)
If any is matched, use the GSO security
If folder security is not defined either explicitly or implicitly, check its immediate parent folder until the tree root
If security is not defined anywhere, use the product’s default policy
The following flow chart explains the Security Algorithm
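The authorization cascade above, sketched as an added Python example (not Argent code, and not part of the original article). The Node class, the function names and the sample tree are hypothetical; how a user who is absent from the applicable security is treated, and how multiple group matches combine, are assumptions marked in the comments.

```python
from dataclasses import dataclass, field
from typing import Optional

RANK = {"Denied": 0, "Read-Only": 1, "Full Access": 2}

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    is_folder: bool = False
    acl: dict = field(default_factory=dict)  # explicit users/groups -> access level
    gso: Optional[str] = None                # GSO picked via 'Use Global Security Object'

def explicit_acl(node, gsos):
    """Security set explicitly on a node; an applied GSO overrides explicit users/groups."""
    if node.gso is not None:
        return gsos[node.gso]
    return node.acl or None

def effective_acl(node, gsos):
    """Follow the cascade from the node to the tree root; return (source, acl)."""
    cur = node
    while cur is not None:
        acl = explicit_acl(cur, gsos)
        if acl is not None:
            return "explicit:" + cur.name, acl
        if cur.is_folder and cur.name in gsos:  # implicit: folder name equals GSO name
            return "gso-name:" + cur.name, gsos[cur.name]
        cur = cur.parent
    return "default-policy", None

def access(principals, node, gsos, default_policy, sysadmins=()):
    if set(principals) & set(sysadmins):
        return "Full Access"  # System Administrator wins over any explicit setting
    _, acl = effective_acl(node, gsos)
    if acl is None:
        return default_policy
    # Assumptions (not stated on the page): a principal missing from the applicable
    # security is Denied, and the highest level among matching groups applies.
    return max((acl[p] for p in principals if p in acl), key=RANK.get, default="Denied")

# Constructed sample tree and GSO, modelled on the Admin/Domain users example
GSOS = {"SQL Team": {"Admins": "Full Access", "Domain Users": "Read-Only"}}
root = Node("Rules", is_folder=True)
sql = Node("SQL Team", root, is_folder=True)
cpu = Node("CPU Rule", sql)
disk = Node("Disk Rule", root, acl={"Domain Users": "Full Access"}, gso="SQL Team")
ping = Node("Ping Rule", root)
```

Returning the source alongside the security makes it easy to audit which folders pick up a GSO purely by name, which matters because renaming a folder or creating a GSO with a matching name changes access without any assignment step.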
Resolution
Upgrade to Argent Global Manager 3.1A-1412-A or later