Access Control - Groups, Roles and Permissions

The initial administrator user is a global administrator. This user is granted all permissions and can access all data and functionality. New users are also treated as global administrators when they are not assigned to a group.

Global administrators have access to the "My Computer" connection. This connection is created in the initial setup and is required for Agents to access content on the user's local desktop. Access to the "My Computer" connection is limited by creating groups with associated users.

In production installations, it is recommended that users be created in the context of a newly created group. This avoids security issues associated with implicit access to the "My Computer" connection.

Definitions

Groups and group memberships define the data to which users have access. For example, if an NFS connection is created by a user in Group A, a user assigned to Group B will not be able to access that connection. Groups only have access to data created by members of this group and its child groups. A group will not have access to data created by its parent or peer groups.

The term tenant is also used in relation to groups. A tenant is any group created without a parent, otherwise known as a root group. A user is considered a tenant administrator when they are assigned to a root tenant group.

Permissions define the type of data and the level of access. For example, the List Jobs permission allows a user to view a list of jobs that are defined in the group or groups the user belongs to.

Roles define a subset of permissions. For example, a role named 'Job Administrators' might be created that includes the List Jobs, Manage Jobs, and Control Jobs permissions.
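The group, tenant, role and permission rules defined above can be checked in code. The following is an added example, not Syncplicity's own code, that models them on a small constructed directory (tenant A with child group A1, and a peer tenant B). Modelling assumptions not stated on the page: a user with no group is a global administrator holding every permission; data created by a global administrator is visible only to global administrators; a tenant admin created without roles has no explicit permission set in this model.

```python
# Added example (not Syncplicity's code): a model of the group/tenant/role/permission
# rules from the Definitions section, with a constructed sample directory.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Group:
    id: str
    name: str
    parent_id: Optional[str] = None     # None: root group, i.e. a tenant


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset               # set of permission names held by the role


@dataclass
class User:
    login: str
    group_id: Optional[str]             # None: not assigned to a group -> global admin (assumption)
    roles: List[Role] = field(default_factory=list)


@dataclass
class Connection:                       # e.g. an NFS connection; created by exactly one user
    name: str
    created_by: User


class AccessModel:
    def __init__(self, groups: List[Group]) -> None:
        self.groups: Dict[str, Group] = {g.id: g for g in groups}
        for g in groups:
            if g.parent_id is not None and g.parent_id not in self.groups:
                raise ValueError(f"group {g.id} references unknown parent {g.parent_id}")

    def is_global_admin(self, user: User) -> bool:
        return user.group_id is None

    def is_tenant(self, group_id: str) -> bool:
        return self.groups[group_id].parent_id is None

    def is_tenant_admin(self, user: User) -> bool:
        return user.group_id is not None and self.is_tenant(user.group_id)

    def subtree(self, group_id: str) -> Set[str]:
        """The group plus all of its child groups, transitively."""
        out, frontier = {group_id}, [group_id]
        while frontier:
            cur = frontier.pop()
            for g in self.groups.values():
                if g.parent_id == cur and g.id not in out:
                    out.add(g.id)
                    frontier.append(g.id)
        return out

    def can_see(self, viewer: User, conn: Connection) -> bool:
        """Group rule: a viewer sees data created in its own group or its child
        groups, never data created in a parent or peer group."""
        if self.is_global_admin(viewer):
            return True
        owner_group = conn.created_by.group_id
        if owner_group is None:         # created by a global admin (modelling assumption)
            return False
        return owner_group in self.subtree(viewer.group_id)

    def has_permission(self, user: User, permission: str) -> bool:
        if self.is_global_admin(user):  # global admins hold all permissions
            return True
        return any(permission in r.permissions for r in user.roles)

    def can_list_jobs_of(self, viewer: User, conn: Connection) -> bool:
        """Combined check: the right permission AND the data being in scope."""
        return self.has_permission(viewer, "List Jobs") and self.can_see(viewer, conn)


def build_sample():
    """Constructed sample: tenant A with child A1, peer tenant B, and one global admin."""
    model = AccessModel([Group("A", "Tenant A"), Group("A1", "Team A1", parent_id="A"),
                         Group("B", "Tenant B")])
    job_admin = Role("Job Administrators", frozenset({"List Jobs", "Manage Jobs", "Control Jobs"}))
    users = {
        "root": User("root", None),                 # initial global administrator
        "alice": User("alice", "A", [job_admin]),   # tenant admin of A with a role
        "carol": User("carol", "A1", [job_admin]),  # member of child group A1
        "bob": User("bob", "B"),                    # tenant admin of B, no roles
    }
    conns = {
        "nfs_a": Connection("nfs-a", users["alice"]),
        "nfs_a1": Connection("nfs-a1", users["carol"]),
        "nfs_b": Connection("nfs-b", users["bob"]),
        "my_computer": Connection("My Computer", users["root"]),
    }
    return model, users, conns


if __name__ == "__main__":
    model, u, c = build_sample()
    for viewer in u.values():
        visible = [name for name, conn in c.items() if model.can_see(viewer, conn)]
        print(f"{viewer.login:6} sees {visible}")
```

Running the sample shows why the page recommends creating production users inside a new group: only the global administrator sees the "My Computer" connection, alice (tenant admin of A) sees data from A and its child A1 but nothing from tenant B, and carol in A1 cannot see the connection created by her parent group.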

How To

There are three ReST endpoints used to create groups, roles, and users.

  • POST [base-url]/v1/groups
  • POST [base-url]/v1/roles
  • POST [base-url]/v1/users

Create Group

To create a new group, secure an access token using the [base-url]/connect/token endpoint.

Then make a ReST request using the information below as a template.

Method POST
URL [base-url]/v1/groups
Headers Authorization: Bearer [access_token]
Accept: application/json
Content-Type: application/json
Body

{
    "name": "Tenant 1"
}

...or include a parent reference for nested groups...

{
    "name": "Tenant 1",
    "parent": {
        "id": "[parent-group-id]"
    }
}

Create Role

Next, create a new role by making a ReST request using the information below, replacing [role name] with the role name and the permissions array with the list of permission IDs desired.

A list of permission IDs and their descriptions is returned by GET [base-url]/v1/permissions (a bearer token is required for this request too).

Method POST
URL [base-url]/v1/roles
Headers Authorization: Bearer [access_token]
Accept: application/json
Content-Type: application/json
Body

{
    "name": "[role name]",
    "permissions": [
        "bbd25a404cdc4e01baabd0b79394cbd8",
        "d9507ec76bf7414aa8a74a0c88c32a48",
        "3560a25976504967bcd48a7e668a07a8"
    ]
}

Create User

Finally, create a new user by making a ReST request using the information below.

Replace the bracketed placeholders with the desired values, the role ID with the id from the response in the second step, and the group ID with the id from the response in the first step.

Note that roles is an array, so multiple role IDs may be included. Alternatively, the roles attribute can be removed entirely, in which case the user is created as a tenant admin for that group.

Method POST
URL [base-url]/v1/users
Headers Authorization: Bearer [access_token]
Accept: application/json
Content-Type: application/json
Body

{
    "login": "[username]",
    "password": "[password]",
    "name": "[display name]",
    "roles": [{
        "id": "07698d0034064b2b9d3966f4e19da21f"
    }],
    "group": {
        "id": "07698d0034064b2b9d3966f4e19da21f"
    }
}
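The three steps above, chained so that each response's id feeds the next request, as an added example that is not Syncplicity's own code or SDK. It uses only the endpoints and headers named on this page. Assumptions not stated on the page: the [base-url]/connect/token endpoint accepts a standard OAuth2 client_credentials form post and returns JSON with an access_token field, and each create endpoint returns JSON containing the new object's id. The FakeTransport class is a constructed offline stand-in for the server so the workflow can be exercised without a DataHub instance; swap in the real urllib_transport to talk to one.

```python
# Added example (not Syncplicity's code): group -> role -> user bootstrap client.
# ASSUMPTIONS (not on the page): client_credentials grant at /connect/token
# returning {"access_token": ...}; create endpoints return {"id": ...}.
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Sequence

Transport = Callable[[str, bytes, Dict[str, str]], Dict[str, Any]]


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Dict[str, Any]:
    """Real HTTP POST over TLS; returns the decoded JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class AdminClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self._transport = transport
        self._token: Optional[str] = None

    def get_token(self, client_id: str, client_secret: str) -> str:
        # Assumed grant type; adjust to what your token endpoint is configured for.
        form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": client_id,
                                       "client_secret": client_secret}).encode("ascii")
        resp = self._transport(f"{self.base_url}/connect/token", form,
                               {"Content-Type": "application/x-www-form-urlencoded",
                                "Accept": "application/json"})
        self._token = resp["access_token"]
        return self._token

    def _post_json(self, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        if self._token is None:
            raise RuntimeError("call get_token() before using the v1 endpoints")
        headers = {"Authorization": f"Bearer {self._token}",   # keep out of logs
                   "Accept": "application/json",
                   "Content-Type": "application/json"}
        return self._transport(self.base_url + path, json.dumps(payload).encode("utf-8"), headers)

    def create_group(self, name: str, parent_id: Optional[str] = None) -> Dict[str, Any]:
        payload: Dict[str, Any] = {"name": name}
        if parent_id is not None:        # nested group: reference the parent by id
            payload["parent"] = {"id": parent_id}
        return self._post_json("/v1/groups", payload)

    def create_role(self, name: str, permission_ids: Sequence[str]) -> Dict[str, Any]:
        return self._post_json("/v1/roles", {"name": name, "permissions": list(permission_ids)})

    def create_user(self, login: str, password: str, display_name: str,
                    group_id: str, role_ids: Sequence[str] = ()) -> Dict[str, Any]:
        payload: Dict[str, Any] = {"login": login, "password": password,
                                   "name": display_name, "group": {"id": group_id}}
        if role_ids:   # omitting "roles" entirely makes the user a tenant admin of the group
            payload["roles"] = [{"id": rid} for rid in role_ids]
        return self._post_json("/v1/users", payload)


def bootstrap_tenant(client: AdminClient, tenant_name: str, role_name: str,
                     permission_ids: Sequence[str], login: str, password: str,
                     display_name: str) -> Dict[str, str]:
    """Step 1 group, step 2 role, step 3 user in that group holding that role."""
    group = client.create_group(tenant_name)
    role = client.create_role(role_name, permission_ids)
    user = client.create_user(login, password, display_name, group["id"], [role["id"]])
    return {"group_id": group["id"], "role_id": role["id"], "user_id": user["id"]}


class FakeTransport:
    """Constructed offline stand-in for the server: records requests, hands out ids."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, url: str, body: bytes, headers: Dict[str, str]) -> Dict[str, Any]:
        if headers.get("Content-Type") == "application/json":
            decoded: Any = json.loads(body)
        else:
            decoded = dict(urllib.parse.parse_qsl(body.decode("ascii")))
        self.calls.append({"url": url, "body": decoded, "headers": headers})
        if url.endswith("/connect/token"):
            return {"access_token": "constructed-token"}
        return {"id": f"id-{len(self.calls)}"}   # constructed ids, not real DataHub ids


if __name__ == "__main__":
    fake = FakeTransport()
    client = AdminClient("https://datahub.example.invalid", transport=fake)
    client.get_token("client-id-placeholder", "client-secret-placeholder")
    print(bootstrap_tenant(client, "Tenant 1", "Job Administrators",
                           ["permission-id-placeholder-1", "permission-id-placeholder-2"],
                           "jobadmin", "password-placeholder", "Job Admin"))
```

Fetch the real permission IDs from GET [base-url]/v1/permissions and pass them as permission_ids; the bearer token is sent only in the Authorization header and is never written to logs by this client.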