6 Replies Latest reply on Aug 4, 2011 5:46 AM by DanDinolfo

    Role Based Authentication with Limited Scopes

    Apprentice

So, I'm running 9.0 SP2.  Here is what I want to be able to do.  I would like to give users different access to different scopes.  So for instance, we have someone who needs basically all access to all of our workstations.  This person needs to be able to see inventory of our servers.  This person can not have access to deploy software, RC, patch, etc. our servers.  How do you do this?  I tried giving an AD group a role of "Workstation Administrators" which was scoped out to all of our workstations and gave more or less full access to the desktops.  I logged in and everything worked fine, except servers weren't visible (as expected).  I then added the user to a "Server Inventory" group which I scoped to all servers and then gave it the role of inventory.  So the user was in two groups that had the correct rights/scopes added.  What I found was that the scopes and rights seem to be additive.  I expected that when they overlapped, but since I was scoping the roles, I had hoped they would only add when they both applied to the same computer.

       

      Is there anyway to give the same person different access levels to different scopes?

        • 1. Re: Role Based Authentication with Limited Scopes
          ahe Expert

          Hello,

           

I'm not sure if this problem is still relevant, but scopes only define a view of the clients; no rights are set by them.

           

          The rights are configured with different roles and the roles are additive as you mentioned.

           

          In the user overview (double click on the user name below "User management - Users and groups - LDAP_name - user name") you can see the Effective Rights of the user.

           

          If you allow something in role A and disallow it in role B, role A will win!

           

The local rights on the clients/servers should be managed by local groups or, better, by AD groups and GPOs, and not by LANDesk...

           

          regards

          Axel

          • 2. Re: Role Based Authentication with Limited Scopes
            Apprentice

            It makes sense what's going on.  I just can't imagine that there wouldn't be a good way to give someone full access to one group of computers and limited access to another.  The only way I can figure that might work for something like that is to use a multiple core setup.  I just don't think I want to go from a single core to a multi-core install because of this one reason.

            • 3. Re: Role Based Authentication with Limited Scopes
              ahe Expert

We do it this way:

               

To the local group "Remote Control Operators" (created by the LANDesk agent) we add via GPO the AD user group which should have rights to log on remotely to this client.

Additionally, we add via the GPO the AD user group which should have administrative rights on the client to the local Administrators group.

               

              So the rights are set by AD.

               

              In LANDesk you can only manage the rights of the Management Suite, not the rights on the client!

               

So, we set in LANDesk the view of the clients with the scopes, to prevent users from viewing more clients than they are responsible for.

With the roles you can set the rights to the different tools of LDMS, no more, but no less! So we define in roles what can be done.

For example, some users are only allowed to start remote control, others are allowed to install software, some others can check licensing and others can check patch management.

              So we define different roles, for what they can do in LANDesk, not what they can do on a client!

               

              Regards

              Axel

              • 4. Re: Role Based Authentication with Limited Scopes
                Apprentice

                I understand you can use local policy to control RC.  It's a useful method, but pretty awful for security.  Regardless, you still run into issues.  If I want a user to be able to deploy software to workstations and see inventory of servers, it's not possible.  It doesn't matter that he has rights on only the workstations.  If he can deploy software to a server, he might as well have admin rights on the servers.

                • 5. Re: Role Based Authentication with Limited Scopes
                  ahe Expert

You don't need administrative rights to install software with LANDesk... software installation with LANDesk is done by a local service...

                   

But you are right: if you have in LDMS the right to deploy software (defined by roles), you are able to deploy software on all clients/servers you can see (defined by scopes), independent of the local rights on the client/server!

                   

It could be an interesting idea to combine scopes with rights, perhaps in Version 10... you could open an ER for it...
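As an added illustration (not code from the thread, from the original poster, or from LANDesk itself), the following Python models the two access models being compared: the additive behaviour Axel describes in replies 1 and 5 (effective rights = union of all role rights, visible devices = union of all scopes, with no link between a role and the scope it was granted alongside), against the scope-bound behaviour the original poster expected (a right applies only to devices in the scope tied to the group that granted it). The device names, scope and group names, and the right names are constructed assumptions, not LDMS's actual identifiers; the point is to make the over-grant visible on a concrete inventory.

```python
"""Model of additive vs. scope-bound role/scope evaluation.

Constructed example, not LANDesk code: names of devices, scopes, roles,
groups and rights are assumptions chosen to mirror the thread.
"""

# Constructed inventory: device name -> device type
DEVICES = {
    "WS-001": "workstation",
    "WS-002": "workstation",
    "SRV-DC01": "server",
    "SRV-SQL01": "server",
}

# Scopes as device filters (a "view", as reply 1 puts it)
SCOPES = {
    "All Workstations": {d for d, t in DEVICES.items() if t == "workstation"},
    "All Servers": {d for d, t in DEVICES.items() if t == "server"},
}

# Roles as sets of tool rights (illustrative right names, not LDMS's)
ROLES = {
    "Workstation Administrators": {
        "inventory", "remote_control", "software_distribution", "patch",
    },
    "Inventory": {"inventory"},
}

# Group memberships as (role, scope) pairs, as the poster configured them
GROUPS = {
    "LD-Workstation-Admins": ("Workstation Administrators", "All Workstations"),
    "LD-Server-Inventory": ("Inventory", "All Servers"),
}


def effective_additive(user_groups):
    """Additive model (observed in the thread): union of rights and union
    of scopes, computed independently. A role that lacks a right cannot
    take it away, which is why "allow in role A wins" in reply 1."""
    rights, visible = set(), set()
    for group in user_groups:
        role, scope = GROUPS[group]
        rights |= ROLES[role]
        visible |= SCOPES[scope]
    return rights, visible


def can_additive(user_groups, right, device):
    """Right applies to any visible device, regardless of which group
    brought the device into view."""
    rights, visible = effective_additive(user_groups)
    return right in rights and device in visible


def can_scope_bound(user_groups, right, device):
    """Model the poster expected: a right is usable only on devices in the
    scope bound to the same group membership that granted the right."""
    return any(
        right in ROLES[GROUPS[g][0]] and device in SCOPES[GROUPS[g][1]]
        for g in user_groups
    )


def over_grants(user_groups):
    """(right, device) pairs the additive model grants beyond the
    scope-bound model; sorted for stable output."""
    rights, visible = effective_additive(user_groups)
    return sorted(
        (r, d)
        for r in rights
        for d in visible
        if not can_scope_bound(user_groups, r, d)
    )


if __name__ == "__main__":
    member_of = ["LD-Workstation-Admins", "LD-Server-Inventory"]
    for right, device in over_grants(member_of):
        print(f"additive model also allows {right} on {device}")
```

Running it lists remote control, software distribution and patch on both servers as extra grants: exactly the situation the poster describes, where the server-inventory membership makes the servers visible and the workstation-admin role then applies to them. With only the workstation-admin group the user cannot even see the servers in either model, matching the first result in the original post.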