The Prognosis SECURITY configuration allows system administrators to control users' access to individual Prognosis subsystems such as Databases, Thresholds, Analysts, Configurations and Commands.
General Rules:
- When a SECURITY Configuration has NOT been created, then access is allowed to all users
- When a SECURITY Configuration has been created and no GRANT or REVOKE rules have been added, then access will NOT be allowed to any users
- When a SECURITY Configuration has been created with a GRANT rule added which has not been revoked anywhere else in the Configuration, then access is allowed
- The order of the rules is not significant as access is checked by first looking at all the GRANT rules and then looking at all the REVOKE rules
- Do NOT change or remove GRANT(*,*,\NT Authority.System) or GRANT (*, #LocalNode, \NT Authority.System)
- Always make a backup of the current working configuration before changing it
Security Requirements and Settings:
Scenario 1:
As Prognosis Administrator, I want to allow full access to administrator users, and only give INFO access to all other users.
Setting:
SUBSYS SECURITY
!Grant full access to all subsystems to Admin Users
GRANT (*, *, <Admin-User>) ! Eg, domain\username, or \domain.username, or local Administrator user
!Local Platform User used by Prognosis service
GRANT (*, #LocalNode, \NT Authority.System)
! Grant INFO access of all subsystems to all other users
GRANT ( *, *, *, *, *, INFO )
Scenario 2:
A more complex configuration that divides users into three groups: Admin users, Power users and Operator users.
- Admin users: full access to all subsystems.
- Power users: INFO access to all subsystems, except that INFO access to the SECURITY and PASSWORDS configurations is revoked. They also have READ access to Databases and EXECUTE access to Commands.
- Operator users: only have the ability to start displays.
Setting:
SUBSYS SECURITY
!Grant full access to all subsystems to Admin Users
GRANT (*, *, <Admin-User>)
!Local Platform User
GRANT (*, #LocalNode, \NT Authority.System)
!Power Users
GRANT (*, *, <Power-User>, *, *, INFO)
GRANT (DATABASE, *, <Power-User>, *, *, READ)
GRANT (COMMAND, *, <Power-User>, *, *, EXECUTE )
REVOKE (CONFIGURATION, *, <Power-User>, CONFTYPE, SECURITY, INFO )
REVOKE (CONFIGURATION, *, <Power-User>, CONFTYPE, PASSWORDS, INFO )
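To check how the General Rules above combine with a rule set like Scenario 2 before deploying it, here is a small added evaluator (example code, not part of Prognosis or this article). It assumes a rule is a tuple (SUBSYS, NODE, USER) or (SUBSYS, NODE, USER, QUALTYPE, QUALIFIER, ACCESS), that the 3-field form covers every access level, and that "*" matches anything; the account names \CORP.admin1 and \CORP.power1 are constructed placeholders for <Admin-User> and <Power-User>.

```python
import re
from typing import List, Optional, Tuple

# Assumed rule shape (an interpretation of the article's examples, not vendor documentation):
# (SUBSYS, NODE, USER) grants or revokes every access level, and
# (SUBSYS, NODE, USER, QUALTYPE, QUALIFIER, ACCESS) names one; "*" matches anything.
RULE_RE = re.compile(r"^\s*(GRANT|REVOKE)\s*\(([^)]*)\)", re.IGNORECASE)

def parse_rules(text: str) -> List[Tuple[str, Tuple[str, ...]]]:
    """Turn SUBSYS SECURITY text into (verb, fields) pairs; '!' starts a comment."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("!", 1)[0])
        if m:
            fields = tuple(f.strip().upper() for f in m.group(2).split(","))
            rules.append((m.group(1).upper(), fields))
    return rules

def _matches(fields: Tuple[str, ...], request: Tuple[str, ...]) -> bool:
    if len(fields) == 3:                      # short form: any qualifier, any access
        fields += ("*", "*", "*")
    return all(f in ("*", want) for f, want in zip(fields, request))

def is_allowed(config: Optional[str], subsys: str, node: str, user: str,
               access: str, qualtype: str = "*", qualifier: str = "*") -> bool:
    """No configuration -> everyone allowed; otherwise a GRANT must match and no REVOKE may."""
    if config is None:
        return True
    rules = parse_rules(config)
    request = tuple(s.upper() for s in (subsys, node, user, qualtype, qualifier, access))
    granted = any(v == "GRANT" and _matches(f, request) for v, f in rules)
    revoked = any(v == "REVOKE" and _matches(f, request) for v, f in rules)
    return granted and not revoked

# Scenario 2 with constructed sample account names in place of <Admin-User>/<Power-User>.
SCENARIO_2 = r"""
SUBSYS SECURITY
!Grant full access to all subsystems to Admin Users
GRANT (*, *, \CORP.admin1)
GRANT (*, #LocalNode, \NT Authority.System)
!Power Users
GRANT (*, *, \CORP.power1, *, *, INFO)
GRANT (DATABASE, *, \CORP.power1, *, *, READ)
GRANT (COMMAND, *, \CORP.power1, *, *, EXECUTE )
REVOKE (CONFIGURATION, *, \CORP.power1, CONFTYPE, SECURITY, INFO )
REVOKE (CONFIGURATION, *, \CORP.power1, CONFTYPE, PASSWORDS, INFO )
"""
```

Because REVOKE is applied after every GRANT, the power user keeps INFO on Thresholds configurations but loses it on the SECURITY configuration, and an account with no GRANT at all (such as an operator in this rule set) is denied everything.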