Best Practices for Deployment Solution Role-Based Security

Article ID: 180324

Products

Deployment Solution

Problem
This article explains how role-based security can be used to restrict access to resources. Role-based security combines an authentication step, which establishes the user's identity and group membership, with an authorization step, which decides whether that user holds the role membership needed to access a particular resource.

Cause
In earlier releases the administrator could define login accounts and assign specific tasks (imaging, remote control, and so on) to those accounts, in effect creating roles. One person could be an imaging operator (without rights to remote control) while another could be a Helpdesk operator with remote control rights (but no imaging). The problem was that these roles did not limit which computers the tasks could be performed on: a role granted a task everywhere or nowhere.

Security roles are now combined with scope control. This gives the administrator the ability to:

  • Restrict access to functions/tasks (Role).
  • Restrict access to computers or subsets of computers (Scope).
  • Use Active Directory (AD) authentication for the new accounts. If a worker is logged on to AD and there is a matching account in DS, the DS console restricts that user's activities to that account's role and scope.

Resolution

Role-Based security

Deployment Solution provides a security system based on associating job and computer objects with user and group permissions. This allows IT personnel to be assigned to different security groups to manage operations on specific computer groups or job folders. Each security group can then perform only a defined scope of deployment operations on each computer group or job folder. In addition, each user can be assigned rights to access general console features.

Note: Security rights and permissions set in one console will be enforced in all Deployment consoles.

Best Practices for Deployment Solution Security

Deployment Solution is based on defining groups of users and groups of computers and jobs, and then associating one with another. It is recommended that you first create user groups based on either administration duties or access to levels of deployment operations. For example, you will most likely set up a group with full Administrator rights. This group will have access to run all operations on all computers using all types of jobs.

No permissions need to be set on each computer group or job folder for the Administrator group, because it has full rights to all features and resources. You will, however, usually also want a Technician group with only basic access, and with permissions that limit which deployment operations its members can run. For example, you can prohibit members of that group from re-imaging the Server computer group or from scheduling Distribute Disk Image jobs. Each operation can be explicitly Allowed or Denied for the group on each computer group in the Computers pane and on each job folder in the Jobs pane.

After creating the Technician group, limit its rights to set General Options, then set permissions for the group on each computer group and job folder. Select the computer group, right-click and select Security. Then select the group name in the left pane, and click Allow or Deny for each operation in the list of deployment operations. For example, select the Deny check box for Restore, Schedule Create Disk Image, and Schedule Distribute Disk Image on the Server computer group.

Additional groups can be created with different rights and permissions depending on the needs and responsibilities in the IT team. If users are assigned to multiple groups, the Evaluate Permission and Evaluate Rights features will sort and display effective permissions and rights.
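The following is an added illustration, written for this article rather than taken from Deployment Solution itself, of how role (console rights) and scope (per-computer-group Allow/Deny on operations) combine into an effective decision, and why an "Evaluate Permission" view matters once a user sits in more than one group. The group, user and computer-group names are constructed sample data, and the precedence rules are assumptions of this model, not documented product behaviour: an explicit Deny on any of the user's groups wins over an Allow from another group, full-admin membership counts as an implicit Allow, and a computer group with no entry at all is treated as Deny (default-deny).

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "Allow"
    DENY = "Deny"


# Deployment operations that the console lets you Allow or Deny per computer
# group (the three named in the article).
OPERATIONS = (
    "Restore",
    "Schedule Create Disk Image",
    "Schedule Distribute Disk Image",
)


@dataclass
class SecurityGroup:
    name: str
    full_admin: bool = False
    # Scope: (computer group, operation) -> explicit Allow/Deny checkbox.
    permissions: dict = field(default_factory=dict)
    # Role: general console rights granted to the group.
    rights: set = field(default_factory=set)


@dataclass
class User:
    name: str
    groups: list


def evaluate_permission(user, computer_group, operation):
    """Effective permission of `user` for `operation` on `computer_group`.

    Assumed precedence (this model's rule, not documented product behaviour):
      1. an explicit Deny in any of the user's groups wins;
      2. otherwise an explicit Allow, or membership in a full-admin group, allows;
      3. otherwise (no entry anywhere) the result is Deny, i.e. default-deny.
    """
    decisions = {g.permissions.get((computer_group, operation)) for g in user.groups}
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.ALLOW in decisions or any(g.full_admin for g in user.groups):
        return Decision.ALLOW
    return Decision.DENY


def evaluate_rights(user, right):
    """Effective console right: full admins hold every right; other groups hold
    only the rights explicitly granted to them (rights are additive here)."""
    return any(g.full_admin or right in g.rights for g in user.groups)


def effective_permissions(user, computer_group):
    """What an 'Evaluate Permission' view would show for one computer group."""
    return {op: evaluate_permission(user, computer_group, op) for op in OPERATIONS}


# Constructed sample data mirroring the article's Administrator/Technician split.
ADMINISTRATORS = SecurityGroup("Administrators", full_admin=True)

TECHNICIANS = SecurityGroup(
    "Technicians",
    permissions={
        # Technicians may run every operation against workstations ...
        **{("Workstations", op): Decision.ALLOW for op in OPERATIONS},
        # ... but are explicitly denied all three on the Server computer group.
        **{("Servers", op): Decision.DENY for op in OPERATIONS},
        # No entry at all for the "Lab" computer group: falls through to default-deny.
    },
    rights=set(),  # in particular, no right to set General Options
)

ALICE = User("alice", [ADMINISTRATORS])
BOB = User("bob", [TECHNICIANS])
CAROL = User("carol", [ADMINISTRATORS, TECHNICIANS])  # multi-group member


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for group in ("Workstations", "Servers", "Lab"):
            view = {op: d.value for op, d in effective_permissions(user, group).items()}
            print(f"{user.name:6} {group:13} {view}")
        print(f"{user.name:6} Set General Options: {evaluate_rights(user, 'Set General Options')}")
```

Carol is the case the Evaluate Permission feature exists for: she is an Administrator, yet under the deny-wins assumption her Technician membership blocks Restore on the Server group, so check the effective result rather than reasoning from any single group.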

Defining the Options

Options Console
  • Allows you to set Console options: basic console behaviour for refresh actions and warning messages.
  • Scan resource files for changes every ____ seconds. Specify how frequently (in seconds) the Deployment Server Console updates its view of package files in the Resources view.
  • Warn user when no tasks are assigned to the 'default' condition. When a job is assigned to computers and its Default condition has no tasks, a message box appears: a computer in the group that meets none of the primary conditions would otherwise have no tasks to run.
  • Refresh displayed data every ____ seconds. Refresh the display of data read from the Deployment Database at a defined interval rather than every time the Deployment Server Console receives a command from the server, which can generate excessive traffic in large enterprises.

Options Global

  • Allows you to set Global options.
  • Delete history entries older than _____ days. Specify the number of days an entry is kept in the history before it is deleted. If the number of days is set to 0, no entries are kept in the history. If this option is not selected, history entries are kept indefinitely.

Deployment Server 6.5

  1. Tools > Options > Global tab.
  2. Select Delete history entries older than <30> days and Remove inactive computers after <30> days.