Folder and Group Permissions for admin users

security CMC
1

I have a group of system administrators who need access to the CMC for obvious reasons, but I would like to lock them out from changing permissions on folders and users/groups. Is there a way I can do this?

Thanks!

kmcginn (BOB member since 2011-03-11)

2

Yes, there is a way to do this. In the CMC:

  1. Create a new user group for these users. I’ll call this Delegated Admins.

  2. Create a new access level (assuming you’re on BO XI 3.x or higher.) I would copy this from the Full Control access level.

  3. Go to Included Rights for the access level and click on “Add/Remove Rights”.

  4. Navigate to Content|Folder and set the rights to for the “Securely modify right…” options (there are several of them…) to “Not Specified”. You could set these to “Denied”, but that can cause other problems.

  5. Assign the new group this level of access at the Root Folder level.

-Dell

hilfy :us: (BOB member since 2007-04-16)

3

That works fine for folder permissions, but that user can still log onto the CMC and manipulate User and Group permissions. I’m trying to exclude these users from monkeying around with my user/group permissions. I should have been a little more clear on my original intent. Sorry…

Any ideas?

kmcginn (BOB member since 2011-03-11)

4

You can do something similar for users and groups.

  1. In the CMC, go to Users and Groups
  2. Click on the Manage menu and select “Top Level Security” then “All Users”.
  3. Add the Delegated Admins group, turn off inheritance and set the access level to “No Access”.
  4. Do steps 2 and 3 for “All User Groups”.

-Dell

hilfy :us: (BOB member since 2007-04-16)

5

Awesome! That worked great!

I did want the system admins to be able to view users and groups, so I just gave them view access level at the root. As an addition, I added a new Access Level to deny them any permission settings and added this access level to the root for the new group. This solved the rest of my problem!

Thanks so much for your help!

kmcginn (BOB member since 2011-03-11)

6

You will need to apply that Custom Access Level to each component. So, for example, go to CMC -> Universes and select the folder the the delegated admin group should have access to. Modify its User Security, add the group, and apply your Custom Access Level.

Note that the delegated admin groups will also need “View” access as the top level of universes, for that object only.

They will also need at least “Edit” and “Modify the rights users have to objects” at the top level of “Users”, if you want the group to be able to add users to the groups it owns.

Joe

joepeters :us: (BOB member since 2002-08-29)