To report a found bug,
please, select the text with the bug and click Report a Bug or
CTRL+ENTER.
Help
system 10.4 of 09/07/2024,
©
FORESIGHT
The tool supports interface of Foresight Analytics Platform 9 or earlier.
If required, use separation of information security admin (ISA) and application administrator (AA) roles:
Information security administrator controls changing user permissions, distributing privileges, changing policy, and clearing access protocol. He can access only the security manager.
The ISA has access to all sections, but he cannot create and update users in the Users section (if the ISA can Apply User Permissions at DBMS Level checkbox is deselected) and delete users.
Application administrator creates and deletes users, views access protocol.
When roles are separated, the application administrator can access only the following security manager sections: Access Protocol and Users, however, the application administrator is not allowed to disconnect a connected user or change user password.
NOTE. If administrator roles are separated, the mechanism of user personal folders is not available. On activating the administrator role separation mode the message about disabling personal folders mechanism appears.
If roles separation mode is enabled, privileges are distributed in the following way:
The ISA will be granted the following privileges:
Changing user permissions, distributing roles, changing policy.
Changing security label and access control list of any object. Browsing all objects in the navigator.
Clearing access protocol.
Disconnecting users, connecting a domain group.
Viewing access protocol.
The other subjects are excluded from the first four privileges.
The application administrator will be granted the following privileges for:
Reading and opening all objects.
Viewing access protocol.
Creating and deleting users.
Applying user permissions at DBMS level. This privilege is granted to ISA in case the ISA Can Apply User Permissions At DBMS Level checkbox was selected before activation.
The ISA can Apply User Permissions at DBMS Level checkbox determines whether the ISA is allowed to update users and groups of users:
When the checkbox is deselected, users can be updated only by application administrator; when the checkbox is selected, users can be updated by both administrators.
When the checkbox is deselected, groups of users can be updated only by application administrator; when the checkbox is selected, users can be updated only by ISA.
To activate role separation between information security administrator (ISA) and application administrator (AA), click the Activate or Activate Mode button on the General Policy tab of the Policies Editor section.
NOTE. When ISA is activated or deactivated, and if there are unsaved changes in the security policy, the system displays the request to apply these changes.
If the schema contains a user account *_ISA ( where * is SCHEME_NAME), it is used as information security administrator. An appropriate message appears if the account is successfully activated.
If there is not such user in the schema, the User Properties dialog box opens in the desktop application or the Properties side panel in the web application in the security manager to create a user with the *_ISA name (where * - SCHEMANAME), after which activation is started.
Clicking the OK or Save button in the confirmation dialog box applies the changes, and the mode is considered to be activated. Only application administrator will be able to log in to the system using the standard method, it is impossible to log in to the system using information security administrator's account. The information security administrator works in the security manager running as a separate application.
NOTE. Separating roles between ISA and AA is not available on working in the repository based on SQLite DBMS.
To deactivate the mode, start the security manager. Enter information security administrator account and password in the login dialog box. In the security manager dialog box that opens go to the Policies Editor section and click the Deactivate button. A confirmation dialog box opens. An information message appears if the operation is successfully completed. After the message is closed, the security manager window also closes and the mode of separating information security administrator and application administrator roles is disabled.
The activation cannot be executed if some problems occurred during activation process related to user (ISA) creation or to granting permissions for system tables for this user. A message appears informing that an error has occurred on activating information security administrator. Activate the information security administrator once again.
Activation or deactivation can be executed with errors. For example, if some problems occurred on redistributing user permissions, a message appears informing that user permissions on database level are not distributed. To ensure correct performance, update users at the DBMS level.
See also:
General Policy Settings | Exporting Security Policy and Access Permissions