Object Permissions in the IGEL UMS Web App

Through Access Control, users and user groups can be granted permissions (also called access rights) regarding object directories. The permissions are inherited "downwards", for example, from the root directory to the directories in the structure tree and from a user group to the members of that group.

In this article, you will find information on how to manage the access permissions as a user with access management rights.

For information on how to manage permissions in the UMS Console, see Object-Related Access Rights.

Object Permissions Basics

Object permissions are different from global permissions (for example, the Delete log messages). For global permission management, refer to How to Manage Global Permissions in the IGEL UMS Web App

Objects with Access Control

You can set the object permissions in the UMS Web App for the following object directories:

• devices

• profiles and priority profiles

• Corporate Identity Customization (CIC)

• files

• jobs

Contrary to the UMS Console, you can only set permissions at the directory level and not at the object level for improved overview.

Permission Types

You can set the same permission types as in the UMS Console, listed in Available Rights.

Permission Change Logs

You can find the change logs related to permission changes through the UMS Web App in Logging in the IGEL UMS Web App and Remote Security Logging.

Changing Object Permissions

You need to have the Access Control permission set to allowed to see and change permissions of users and user groups for the selected object directory. As a user without allowed Access Control, you see a greyed-out dialog when you click Access Control:

You can change the permissions of users related to an object by navigating to the object and clicking Access Control to open the Access Control dialog. For example, if you want to allow some users to read a file directory, navigate to the file directory and click Access Control. You will see the object name displayed in the title of the dialog.

For device directories, you can find the Access Control button under Other Actions.

In the Access Control dialog, you can do the following:

1. On the left hand side, you can select the Groups or Users tab to browse the list of user groups or individual users. You can edit the permissions of a user or user group selected from the list. You can also filter for groups or users by their name.
   

2. Using the search bar, you can filter for permissions.
   

3. Using the top row, you can Allow or Deny all of the permissions. Associated permissions are automatically set together. Enabled permissions or denials relating to nodes affect all objects within the node.

The withdrawal of permissions, i.e. Deny, always overrides the granting of permissions, i.e. Allow.

Checking Object Permissions of Users

You can check the permissions of a user in the Access Control dialog of the selected object. The rules for determining rights are also explained here under Reason, e.g. whether the permission was granted directly or whether it is granted via a group or an inheritance within the tree structure through a directory. This is called Effective Rights in the UMS Console.

Example Configurations

Example 1 - Allowing View Only Permission

You have a group of users who should only be able to see all the files in the UMS Web App, but not edit them:

1. Create a user group and assign the selected users to this group as described in How to Create User Groups in the IGEL UMS Web App.

2. Go to Configuration > Files

3. Select the root node and click Access Control.

4. Under Groups, select the created user group.

5. Set the Browse and Read permissions to Allow.

The users of the group will be able to see all files as the permission is inherited by all directories, but they won’t be able to change files or change permissions.

Example 2 - Inheritance of Permissions

You have a group of users who should have full access to all devices except for one device directory:

1. Go to Devices and select the root directory.

2. Click Other Actions > Access Control.

3. Under Groups, select the user group.

4. Set permissions to Allow.

5. Click Save and close.

6. Go to the directory that should be restricted and click Access Control.

7. Under Groups, select the user group.

8. Set permissions to Deny.

9. Click Save.

You will see that the users of the group have the permissions allowed for all folders due to inheritance but denied for the one folder due to direct settings.