The screen is accessible by clicking Manage → Security Roles from the Navigation Bar.

Note

The security roles management screen is always available, regardless of whether the system manages users using the DPOD internal database registry or LDAP.

Security roles are used to provide a means for the administrator to filter the view users have of the system. Administrators can use the roles to filter out devices, domains, services, client IP addresses, payload and more from a user's view, thereby providing each user with insights into only the parts of the system they are allowed to access.

...

There are two types of security roles available with DPOD:

  • Custom Roles - defined by the administrator. These roles may be added, deleted or altered by a DPOD Administrator.
  • Built-in Roles - DPOD's own built-in roles, which can not be added, deleted or altered.

For a detailed explanation about security roles, see Role Based Access Control.

Custom Roles Table

The custom roles widget at the top of the screen lists the custom roles defined in the system in a table. Each row in the table contains the following information for a single role:

Column | Description
Name | The role's name. Clicking on a role's name loads the role's details in the Role View and provides access to system actions for the role.
Description | The description for this role.

...

The Role Details section below provides information about the details required for adding or editing custom roles.

Built-In Roles Table

The built-in roles widget at the top of the screen lists the built-in roles defined in the system in a table. Each row in the table contains the following information for a single role:

Column | Description
Name | The role's name. Clicking on a role's name loads the role's details in the Role View and provides access to system actions for the role.
Description | The description for this role.

...

Field | Purpose
Name | The name of this role. This is a mandatory field.
Description | The description of this role.
Allowed Devices | A comma-separated list of devices this role provides access to. See possible field values below.
Denied Devices | A comma-separated list of devices this role denies access to. See possible field values below.
Allowed Domains | A comma-separated list of domains this role provides access to. See possible field values below.
Denied Domains | A comma-separated list of domains this role denies access to. See possible field values below.
Allowed Services | A comma-separated list of services this role provides access to. See possible field values below.
Denied Services | A comma-separated list of services this role denies access to. See possible field values below.
Allowed Client IPs | A comma-separated list of client IP addresses this role provides access to. See possible field values below.
Denied Client IPs | A comma-separated list of client IP addresses this role denies access to. See possible field values below.
Allow Access to Raw Messages | Whether this role, when assigned to a user, allows them to view Raw Messages.
Allow Access to Payload | Whether this role, when assigned to a user, allows them to view Messages Payload.
Allow Manage Payload Capture | Whether this role, when assigned to a user, allows them to manage payload capture.

Possible Field Values

Each field that allows or denies access to devices, domains, services or client IP addresses accepts values as follows:

  • The field contains a comma-separated list of values to allow or deny.
  • Wildcards are not allowed.
  • When left blank, the field does not affect access.

Effective Access Rights

A user may be assigned several custom roles, directly or via groups. The effective access rights of a user are calculated according to the rules described below:

  • If the user is allowed access to certain items (devices/domains/services/client IP addresses), they are denied all other items of the same type. For example, if a user is allowed access to devices MyDevice1 and MyDevice2, they can only access these devices and are denied all other devices.
  • If the user is denied certain items, they are allowed all other items of the same type. For example, if a user is denied devices MyDevice1 and MyDevice2, they still have access to all other devices.
  • If the user is denied certain items, they will not be able to access them, even if other custom roles they are assigned allow access to the same items. For example, if a user is assigned CustomRole1, which denies access to MyDevice1, and the same user is also assigned CustomRole2, which provides access to MyDevice1, the user will not have access to MyDevice1.
  • If a user is assigned several custom roles, field values are merged. For example, if a user is assigned CustomRole3, which provides access to MyDevice3, and the same user is also assigned CustomRole4, which provides access to MyDevice4, the user will have access to both MyDevice3 and MyDevice4.
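The following is an added example, not DPOD's own code, that models how the allow/deny fields described under Possible Field Values and the merge rules under Effective Access Rights combine into a user's effective rights. It parses each comma-separated field (blank means "no effect", wildcards are rejected), merges the fields of all roles a user holds, and then applies deny-wins and allow-list-restricts logic. The role and device names are the ones used in the examples above; the function and class names are the example's own.

```python
# Added example (not DPOD's own code): models DPOD custom-role allow/deny
# semantics as described in the Security Roles documentation. Role and
# item names below are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field

# The item types an allow/deny field can refer to.
ITEM_TYPES = ("devices", "domains", "services", "client_ips")


def parse_field(value: str) -> set[str]:
    """Parse one comma-separated allow/deny field.

    A blank field does not affect access, so it yields an empty set.
    Wildcards are not allowed, so an entry containing '*' is rejected
    instead of being silently expanded.
    """
    items = {v.strip() for v in value.split(",") if v.strip()}
    if any("*" in item for item in items):
        raise ValueError(f"wildcards are not allowed: {value!r}")
    return items


@dataclass
class CustomRole:
    """A custom role: per item type, the raw text of its allow and deny fields."""
    name: str
    allowed: dict[str, str] = field(default_factory=dict)
    denied: dict[str, str] = field(default_factory=dict)


def effective_rights(roles: list[CustomRole]) -> dict[str, tuple[set[str], set[str]]]:
    """Merge the fields of every role the user holds (rule 4: values are merged).

    Returns {item_type: (allowed, denied)}. An empty allowed set means the
    user is not restricted to an explicit list for that item type.
    """
    rights = {}
    for item_type in ITEM_TYPES:
        allowed, denied = set(), set()
        for role in roles:
            allowed |= parse_field(role.allowed.get(item_type, ""))
            denied |= parse_field(role.denied.get(item_type, ""))
        rights[item_type] = (allowed, denied)
    return rights


def is_accessible(rights, item_type: str, item: str) -> bool:
    """Decide access to one item under the merged rights."""
    allowed, denied = rights[item_type]
    if item in denied:
        return False          # rule 3: a deny in any role wins over an allow elsewhere
    if allowed:
        return item in allowed  # rule 1: an allow list denies everything not on it
    return True               # rule 2 / blank fields: nothing restricts this item


# Roles taken from the worked examples in the text above (constructed data).
ROLE1 = CustomRole("CustomRole1", denied={"devices": "MyDevice1"})
ROLE2 = CustomRole("CustomRole2", allowed={"devices": "MyDevice1"})
ROLE3 = CustomRole("CustomRole3", allowed={"devices": "MyDevice3"})
ROLE4 = CustomRole("CustomRole4", allowed={"devices": "MyDevice4"})
DENY_TWO = CustomRole("DenyTwo", denied={"devices": "MyDevice1, MyDevice2"})


def device_access(roles: list[CustomRole], device: str) -> bool:
    """Convenience wrapper: can a user holding `roles` see `device`?"""
    return is_accessible(effective_rights(roles), "devices", device)


if __name__ == "__main__":
    print("Role1+Role2, MyDevice1:", device_access([ROLE1, ROLE2], "MyDevice1"))  # False
    print("Role3+Role4, MyDevice4:", device_access([ROLE3, ROLE4], "MyDevice4"))  # True
    print("Role3+Role4, MyDevice5:", device_access([ROLE3, ROLE4], "MyDevice5"))  # False
    print("DenyTwo,     MyDevice3:", device_access([DENY_TWO], "MyDevice3"))      # True
```

Note that a user holding both CustomRole1 and CustomRole2 ends up with no device access at all: the merged allow list is {MyDevice1}, which denies every other device, and the deny on MyDevice1 removes that one too. That is a direct consequence of rules 1 and 3 and is worth keeping in mind when reviewing overlapping role assignments.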