Access Lists (ACLs)
Access lists (ACLs) are a central element for managing authorizations for groups and users. With access lists, you can control which groups and users can access certain functions and system components in various areas of ACMP.
Use of Access Lists
In general, access lists are used in almost all places in the ACMP Console where content and components can be structured using folders. This means that when you create a new folder, you can set up or manage the visibility of a folder for each group and user. This is also possible for each folder that has already been created.
Access Lists for folders
Apart from the folders, you can manage the permissions of groups and users with access lists at other specific points in the ACMP Console:
Query Management
- Reports
- Client Commands
- Job Collections
- Asset Management
- Helpdesk
- Reference data (contracts)
Note:
Depending on the respective point, the configurable permissions differ. Detailed information about the individual access lists can be found in the linked sections.
Groups and users
According to the user management in ACMP, permissions for user groups and individual users can be set for the access lists. If a user is assigned to one of the groups, they also get the permissions of the group. In addition, there is a special group, Privileged users, for which there are some special features to be aware of.
Privileged users
In ACMP, the Privileged users group is a standard group that appears in every access list. Unlike all other groups, this group cannot be edited using the general user management, as it is a dynamically created group that is created individually for each access list. This group contains all users who have the basic right to view the respective solution in which the specific access list is contained.
Adding or removing groups and users
Groups and users can be added or removed in the specific access lists using the respective buttons. The standard group Privileged users and the standard user ADMINISTRATOR are excluded from both actions. Neither can be removed. Further information for standard groups and users can be found in the section User Management.
Note:
Even if the Privileged Users group cannot be removed, the authorizations can be changed. For the standard ADMINISTRATOR user it is not possible to change the authorizations.
Standard groups and users in access lists
Permissions
Depending on which specific access list you select, the manageable permissions may differ. In general, the following permissions exist:
- Visibility = Users with this permission can see the respective system component, but cannot edit, execute or perform any other component-specific actions.
- Edit = Users with this permission can generally see and edit the respective system component and perform other component-specific actions.
Note:
There is a dependency between rights. In order for the “Edit” right to be activated, the “Visible” right must always be activated as well.
Statuses and priorities of permissions
Rights can have one of the following states:
- Not set = an unchecked checkbox is displayed
- Allowed = a checkbox with a green checkmark is displayed
- Forbidden = a red prohibition sign is displayed
The states are prioritized differently. The rights are therefore considered in descending order of priority as follows: Forbidden > Allowed > Not set
Note:
In general, group rights always take precedence over individual user rights. However, due to the different priorities, individual users may have different rights from the group.
Example: If a group is allowed to see a particular component, individual users in the group may still be prohibited from doing so.
Import of system components with access lists
At various points in ACMP where access lists occur, it is possible to export and import certain system components (e.g. for Queries, Reports and Client Commands). During these processes, the access lists are also exported and imported. The import behavior of system components with access lists is not always identical. That's why there are some special features to consider.
Transfer of access lists during import
When importing the following system components, the access lists are adopted along with the settings for groups and users:
- When importing queries in Query Management
- When importing Helpdesk queries
- When importing reports
- When importing Client Command functions
Note:
If a group or user does not exist on the target system, the group or user is not entered in the ACLs and must be added later. The ID of the group or user serves as an identifier.
Resetting access lists during import
When the following system components are imported, the access lists and the settings for groups and users are reset to the default settings:
- When importing client commands