NightWatchman Console Security
In my post regarding what’s new in NightWatchman 5.5 I talked about the new NightWatchman Console. I want to cover the security aspect of the console in this post to show some of the flexibility of the console as well as explain how to set the proper security.
In the NightWatchman Console the last tab on the right is Security. This tab manages the security of the console itself, not of the NightWatchman clients: it controls which users and groups have which rights in the console.
If you click on the Security tab it shows the Users and Groups section by default. This includes the user or group you specified as the Administrator during setup. That user or group has full rights in the console, which is the Systems Administrator role.
If you now click on the Roles tab next to the Users and Groups tab in this section you get a view of the roles and their rights. From this view you have the options to add a new role and set or modify the permissions of a role. As you can see the Systems Administrator role cannot be modified so that you don’t lock yourself out of the console completely.
If we add a new role we can then modify the permissions that users assigned to that role get when they open the NightWatchman Console. What I am going to do is add a role for the IT group that manages the retail department. I want this group to be able to view and modify only the power scheme and shutdown schedules for their particular department, preventing them from making changes to the settings of all other groups.
I do this by first clicking the Add button while still in the Roles tab. This opens a dialog box asking me for the name and a description of the role.
Notice that the required fields show a stop symbol because I have not yet filled out the name field. The same happens in other fields in the console; for instance, if you enter an invalid time in a scheduled shutdown's time field you will get the same symbol and will not be able to save your changes until the field is filled out correctly.
I have filled out the name and description fields and clicked OK to create a role called Retail Admins. It now shows up in the list of Roles in the console.
When I highlight this role I can see that it has no rights assigned, not even the ability to launch the console; this is by design. Keeping in mind my goal for this group, I am going to assign it the following rights:
| Area | Rights assigned |
|---|---|
| Launch Console | Yes |
| Location Groups | View |
| Organization Groups | View |
| Power Schemes | View, Add |
| Power Policies | View, Add |
It is important to understand the difference between View and View All when assigning rights to roles. Since my plan is to allow this role to view only their own group of clients, I selected View and not View All, as View All would let them see every group in the console.
Note that if you navigate away without clicking the Apply button your changes will be discarded.
Here is what my Roles tab now looks like with the Retail Admins group selected.
Next I need to assign this role to a user or group of users. Clicking the Users and Groups tab at the top switches back to the users and groups view, where I can add a new user or group. Click the Add button and the AD users and groups dialog opens, where you enter the name of the user or group. I am going to use a single user in this example, but I could just as easily have added a group. With the new user listed, I see on the right a list of all the roles I can assign to that user; each role shows a stop symbol if it is not assigned and a checkmark if it is. By default a new user or group is not assigned any roles. I am going to assign the new user (Anthony) the Retail Admins role, after which the role shows a checkmark to indicate that it has been assigned. If I click the details link next to the role it tells me exactly what rights that role has, so I don't have to switch back to the Roles tab to confirm the rights are correct before assigning it to a user or group.
Next I need to assign my user to my group of clients. To do this switch back to the NightWatchman Clients view by clicking on the tab in the top left corner of the console.
In this view you can see the NightWatchman clients in their groups, arranged either organizationally or by geographic location. Since we are picking on the Accounting department we are interested in the organizational grouping. If you don't have a group you can create one from this view as well by right clicking on the parent group and selecting Add Group. Always keep in mind that NightWatchman clients are assigned to the lowest tier in the grouping and that there must be five levels starting from the highest level. In my example I am going to use the Auditors group, and here is my hierarchy in the console.
Right click on the Auditors group and select Properties from the context menu. When the properties window is displayed, click on the Security tab. In the list of users and groups you will see that the users and groups holding the Systems Administrator role already have rights on this group, while every other user or group does not yet have any. To give a user or group the ability to view this group, simply click on them and a checkmark appears next to their name.
In this example I have added a group and a new user to demonstrate this and to show that you can use groups as well. Daniel has been assigned the Retail Admins role but does not yet have those rights on this group. Once I click on him he will have the rights we gave the Retail Admins role, scoped to this group of clients. That is all there is to it. Once you click the OK button the user will have the rights to view this group, but this group only. If you click on the Finance group, or any group higher up in the hierarchy, and then open the group's properties page on the Security tab, you will see that no user or group other than those holding the Systems Administrator role has rights to view it. You could assign a user or group rights at that level instead, and the lower tier groups under it would inherit those rights.
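As an added illustration, not part of the original post and not 1E's code, here is a small Python model of the access check the walkthrough describes: Launch Console, View versus View All, and a per-group assignment that inherits down the hierarchy. The hierarchy, user names and the assumption that the Systems Administrator role behaves like View All are constructed for the example.

```python
# Added example, not 1E's code: a small model of the scoped access check the
# post describes: Launch Console, View vs View All, and per-group assignment
# that inherits down the hierarchy. Names, hierarchy and roles are constructed.

# Client group hierarchy, constructed: child -> parent (None at the top).
PARENT = {
    "Company": None,
    "Finance": "Company",
    "Accounting": "Finance",
    "Auditors": "Accounting",
    "Retail": "Company",
}

# Role -> (can launch console, group right: "View", "View All" or None).
ROLES = {
    "Systems Administrator": (True, "View All"),  # assumed: full rights act as View All
    "Retail Admins": (True, "View"),              # the role built in the post
    "Empty Role": (False, None),                  # a newly added role with nothing ticked
}

# User -> roles assigned on the Users and Groups tab (constructed).
USER_ROLES = {
    "sysadmin": {"Systems Administrator"},
    "Daniel": {"Retail Admins"},
    "Anthony": {"Retail Admins"},
    "Newbie": {"Empty Role"},
}

# Group -> users ticked on that group's Security tab (constructed).
GROUP_ACL = {"Auditors": {"Daniel"}}


def ancestors(group):
    """Yield the group itself, then each parent up to the top of the hierarchy."""
    while group is not None:
        yield group
        group = PARENT[group]


def can_view_group(user, group, acl=GROUP_ACL):
    """True if `user` may see `group` in the console under the post's rules."""
    roles = [ROLES[r] for r in USER_ROLES.get(user, ())]
    if not any(launch for launch, _ in roles):
        return False  # no Launch Console right: cannot open the console at all
    rights = {right for _, right in roles}
    if "View All" in rights:
        return True  # View All: every group, no per-group tick needed
    if "View" not in rights:
        return False  # no group-view right in any assigned role
    # View only: needs a tick on this group or an ancestor (rights inherit down).
    return any(user in acl.get(g, ()) for g in ancestors(group))
```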
As always if you have any questions or comments feel free to contact me.
Anthony Clendenen | Solutions Engineer | 1E
Microsoft MVP System Center Configuration Manager
© Anthony Clendenen