Managing Roles

Learn how to add role, edit role, delete role, manage security groups and manage rights.

This feature allows you to manage roles and change the privileges of the user under a particular role. You must create a role to assign to the user. Once a new role is added, you need to specify the rights that should be associated with this role. To specify the rights that should be associated with a role, you can double-click the given role from the Roles screen, where all the current roles are displayed, and then use the Add, Edit or Delete Right buttons to specify the rights to be associated with the given role. If any of the existing VHQ users has to be added to the given role or have to be removed from this role, then edit the given role and edit the users associated with this role.


Adding Role

You can add a role.

To add role:

  1. Go to Administration > User Administration > Roles.
  2. Click Add userto add a role. Enter the Role name and Role description.
    Managing Roles1
  3. Click Add. The new role created is listed under Roles screen.

Editing Role

You can also edit a role.

To edit a role:

  1. Go to Administration > User Administration > Roles.
  2. Select a role and click Edit user to edit role.

NOTE:

You can edit the role name and description as well as assigned security groups and rights.

Managing Users3

The Edit Role screen includes:

  1. Users
  2. Rights

Deleting Role

You can delete multiple roles from the role screen.

To delete role(s):

  1. Go to Administration > User Administration > Roles.
  2. Select the multiple roles.
  3. Click Delete role.

    Mapping VHQ user to Active Directory Security Groups

    Mapping of Active Directory, security groups to the VHQ roles is done based on the claim information sent by ADFS (Active Directory Federation Services), when user logs into VHQ GUI.

    VHQ GUI allows for the creation of VHQ roles, where a VHQ role is a collection of VHQ rights/privileges. Based on the types of users using VHQ, such as Administrators, Operators, Helpdesk users, etc., a number of VHQ roles are created where each VHQ role has a different set of VHQ rights.

    Once the required VHQ roles are created, Active Directory security groups that are relevant to the VHQ users list is created. For each security group, the corresponding VHQ role name is specified.

    Once a VHQ user logs in to VHQ GUI, ADFS provides the list of AD (Active Directory) security group names associated with the given VHQ user, as part of the claim information sent by ADFS system. VHQ server updates the VHQ database to indicate the VHQ roles that should be associated with given VHQ user, based on the list of security groups that ADFS provides for the given user as part of the claim information.

    The list of VHQ roles associated with a VHQ user can be seen from the VHQ user profile screen. The following points should be noted about the assignment of VHQ roles to VHQ users:
    1. In the case of ADFS based authorization, it is not possible to use VHQ GUI to edit the list of VHQ roles that are assigned to a VHQ user, since this information will come as part of the claim information from ADFS, when a user logs in to VHQ GUI. The only method to update the assignment of VHQ roles assigned to a user will be through ADFS, when a user logs in to VHQ GUI.

    NOTE:
    The ability to assign VHQ roles or VHQ security groups to VHQ users from the VHQ GUI will be allowed for VHQ mode and AD mode of authorization. It is not allowed for the ADFS mode of authorization.

2. A VHQ user can be associated with multiple VHQ roles, and in this case the user will have the combined VHQ rights from all the VHQ roles that are associated with given VHQ user.
3. If one or more of the security group names as part of the claim information is not configured in VHQ GUI’s Security Groups screen, then VHQ server ignores these security groups, and only use the security groups that are configured in VHQ GUI, in order to determine the VHQ rights that is with the user. In this case, VHQ server will log an entry in the VHQ audit report to indicate the security group names provided by ADFS that is not configured on VHQ GUI’s Security Groups screen.
4. If a VHQ user is not associated with any security group that is defined in VHQ, based on the list of security groups provided by ADFS when user tries to login to VHQ GUI, then VHQ GUI displays invalid user name and password message.


Managing Security Groups

The security groups provide an efficient way to assign access to the users. The User Administration feature enables you to create a security group and, then associate these users under the security group with Roles in VHQ. The user rights are assigned to security groups to determine which user of that group can do within the scope of a role. User rights are automatically assigned to the security group at the time Active Directory is installed to help administrators define a user role in the domain.

EXAMPLE:
A user who is added to the Backup Operators group in Active Directory has the ability to backup and restore files and directories.

When both Authentication and Authorization modes are in Active Directory, only then Security Groups screen will be visible to the user. Only the Database support personnel will be able to add security group. When the Database support personnel add the first security group, only then the user will be able to add more security groups from UI. If a user belongs to multiple security groups, then the user will have the combined roles of all the security groups that the user is associated in VHQ.

Assigning Security Group(s)

You can assign security group(s) in the Edit Role screen under Security Groups section only when the user is added to the Active Directory.

To assign security groups:

  1. Click Add user to assign.
    2. Select the security group.
  2. Click Save.

Removing Security Group(s)

You can remove multiple security groups.

To remove security group(s):

  1. Click Edit.
  2. Under Security Groups section, click Delete role to remove.

Adding Security Group

You can add a security group.

To add a security group(s):

  1. Go to Administration > User Administration > Security Groups.
    2. Click Add user to add security group.
    3. Enter the Security group name and description. Select the Role to assign from the Roles drop-down list.
    4. Click Add.

Editing Security Group

You can edit a security group.

To edit a security group:

  1. Select a security group and click Edit user.
  2. Edit the values in Edit Security Group screen and click Save.

Deleting Security Group

You can delete multiple security group.

To delete a security group:

  1. Select the security group(s).
  2. Click Delete role.

Managing Rights

Administrators can assign specific rights to group accounts or to individual users. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are attached to objects.

User rights define capabilities at the local level. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. This ensures that a user logging on as a member of a group automatically inherits the rights associated with that group. By assigning user rights to groups rather than individual users, you simplify the task of user account administration. When users in a group all require the same user rights, you can assign the set of user rights once to the group, rather than repeatedly assigning the same set of user rights to each individual user account.

User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that the rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights. In general, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the administrator simply removes the user from the group. In this case, the user no longer has the rights assigned to that group.

Adding Rights

You can add rights to the groups.

To add rights to the group:

  1. ClickAdd userto add rights to the group.
  2. Click Save. The rights are added to the list.

Editing Rights

You can edit rights.

To edit rights:

  1. Select the multiple rights from the list.
  2. Click Edit user.
  3. You can edit rights by selecting the check boxes corresponding to column Right Name and click Save.

Deleting Rights

You can also delete multiple rights.

To delete rights:

  1. You can select multiple rights from the list.
  2. Select the check box corresponding to column Right Name.
  3. Click Delete role.