Document toolboxDocument toolbox

(12.06.110-en) User Authorization Rules

Problem

In the IGEL UMS, you want to assign permissions or roles to administrators according to various responsibilities.

Reason

In the IGEL UMS, you can create user or administrator accounts, and you can assign rules to them, but it is not possible to assign roles.

You would like to group administrators according to their tasks in order to achieve a clearly structured management of user rights.

Within your company you already maintain employee accounts using an Active Directory or LDAP.

Solution

As best practice, we suggest connecting the UMS with the user accounts of the Active Directory. You maintain the user and group accounts in the Active Directory only. In the UMS, you assign rights to the imported groups.



Transferring Active Directory groups to the UMS and assigning permissions and roles to them:

→ Click UMS Administration > Global Configuration > Active Directory / LDAP to integrate your Active Directory.

You may import Administrative Users / UMS administrators from an Active Directory as well as from an LDAP.

 

→ In the UMS console click System > Administrator accounts > Import, to import groups from the tree of your Active Directory.

 

The successful import of a group cannot be undone. You have to manually delete the wrongly created UMS group in the "Administrator account" management. The name of the imported Active Directory group is taken from the account.

 

→ Assigning roles to groups in the IGEL UMS on the basis of authorization rules:

  • Click System > Administrator accounts > Groups > Edit to directly assign general group rights.

  • Assign object-related access rights via object permissions, choosing Access Control in the context menu of any object.



This way, you can assign certain roles to administrators of the UMS according to their group memberships.

Please note:

  • Permissions are inherited from a parent directory to a child directory or to a subordinated object.

  • It is possible to change indirect rights, i.e. rights which are given by group assignment. However, directly assigned rights take precedence over indirectly assigned rights.

  • An administrator can be a member of different groups and receives the corresponding rights. If they are contradictory, the deprivation of a right takes precedence over the permission. If a prohibition for an action or an object of a group is issued, it will override any number of rights from other groups.

  • Click Effective Rights to get more details about the rules collection, for example if a permission was given directly or if it was assigned by a group or by an inheritance within a tree structure.