9.3.2. Creating Local Administrators
The hierarchical structure of access groups combined with the constraints inheritance enables creating local administrators, by delegating creation and configuration of users and their rights under organization departments.
The local administrators have access to the security subsystem screens; however they only see the users and groups in their access group and below. Local administrators can create subgroups and users and assign roles available in the system, however they will have at least the same constraints as the administrator who created them.
The global administrator in the root access group should create the roles that will be available to the local administrators for assigning to the users. The local administrators should not be able to create and update the roles.
An example access group structure is presented below:
Problem:
-
The users under the
Departments
group should only see the users of their own group and the groups below. -
Each subgroup –
Dept 1
,Dept 2
, etc. should have its own administrator, who can create users and assign them the available roles.
Solution:
-
Add the following constraints for the
Departments
group:-
For the
sec$Group
entity:{E}.id in ( select h.group.id from sec$GroupHierarchy h where h.group.id = :session$userGroupId or h.parent.id = :session$userGroupId )
With this constraint, the users will not be able to see the groups higher than their own.
-
For the
sec$User
entity:{E}.group.id in ( select h.group.id from sec$GroupHierarchy h where h.group.id = :session$userGroupId or h.parent.id = :session$userGroupId )
With this constraint, the users will not be able to see the users in groups higher than their own.
-
For the
sec$Role
entity:({E}.description is null or {E}.description not like '[hide]')
With this constraint, the users will not be able to view the roles that have the
[hide]
string in thedescription
attribute.
-
-
Create a role that denies editing roles and permissions:
-
Select the Default role checkbox:
-
Add the
[hide]
string to the Description field. -
In the Entities tab, deny create, update and delete operations for the
sec$Role
andsec$Permission
entities (to add permissions for thesec$Permission
object, select the System level checkbox).
All created users, including the local administrators, will get the
local_user
role. This role is invisible to the users in theDepartments
group, so even the local administrators are unable to unassign this role from themselves. Local administrators can only operate on the existing roles that have been created for them by the global administrator. Obviously, the roles available to department users should not remove restrictions imposed by thelocal_user
role. -