- 4 minutes to read

What is a Role?

Get started now: How to Add or Manage Role user guide

A Nodinite Administrator creates User-defined Roles in Nodinite. These Roles are used to enforce different security policies for end-users working with Nodinite. All user actions with potentially sensitive operations are Log Audited.

graph TD subgraph "fal:fa-user-crown Administrators (built-in)" ro1(fal:fa-hdd Log Views) ro2(fal:fa-desktop Monitor Views) ro3(fal:fa-sitemap Repository) ro0(fal:fa-cogs Administration) end subgraph "fal:fa-user-tie Economy" ro4(fal:fa-hdd Log Views) ro6(fal:fa-sitemap Repository) end subgraph "fal:fa-user Service Owner" ro7(fal:fa-sitemap Repository) end

Example of different roles with different access rights

  • Members of the Administrators role is a Nodinite Administrator.

    The built-in role named Administrators cannot be renamed or deleted. Review the Access Management user guide for additional details.

  • You must be a member of the Administrators role to manage Roles
  • End-users with appropriate rights can create and manage any number of Roles.
  • Windows Active Directory Users can be a member of the Role
  • Windows Active Directory Groups can be a member of the Role
  • The Administrator assigns the Role a permission set for the following Nodinite entities:

    For the above, even the Nodinite Administrator must have the proper permission sets assigned to interact with the entities(!)

As defined by your access policy; You can allow members of for example the Economy role to have access only to selected Log Views. For each of these Log Views, different permission sets may be applied.

Role Based Example
Example of the Economy role with the configuration options for Log Views

About permission sets

The permission sets are used to enforce a security policy for end-users working with Nodinite, and these are applied on the user-defined Nodinite Roles-level.
For each Role; A Nodinite Administrator assigns the different permission sets on the following Nodinite entities:

A permission set can either be applied on the Global level or set uniquely on the entity directly. The values for a permission are the following:

  • Inherited - default (which means not allowed)

    NOTE: Not allowed is NOT the same thing as a Deny(!) as it merely means; Honour the inheritance chain.

  • Allow - Access is granted.
  • Deny - Feature is blocked from usage. Use this setting only for special cases.

NOTE: Regardless of other permission sets, a Deny always win. Since the entities are assigned to the Roles, you should rarely have to use the Deny setting. Instead of denying access, consider removing the entity from the Role instead.

graph TD subgraph "fal:fa-lock Permission set" ro1(fal:fa-door-open Global setting) ro2(fal:fa-cog Permission) ro1 --> |Inherit, Allow or Deny| ro2 end

Access right

For end-users to interact with the Repository Model, Monitor Views and/or the Log Views; The Access permission must be set to Allow.
The highest level of a permission set is the Access right. The available values for this setting are:

  • Allow - Members of the Role can access the entity
  • Deny - Members of the Role can NOT access the entity
graph TD subgraph "fal:fa-users-class Role" ro1(fal:fa-door-open Access) ro2(fal:fa-hdd Log Views) ro3(fal:fa-desktop Monitor Views) ro4(fal:fa-sitemap Repository) ro1 --> |Allow or Deny| ro2 ro1 --> |Allow or Deny| ro3 ro1 --> |Allow or Deny| ro4 ro2 -.- ro21[fal:fa-lock Permission Set] ro3 -.- ro22[fal:fa-lock Permission Set] ro4 -.- ro23[fal:fa-lock Permission Set] end

Examples

Windows User AD Group Role Log Views Monitor Views Repository
Agni
Waseem
- Economy Find Order by Order Id Get alerts, troubleshoot if the daily exchange-rate failed to appear before 08:15 Read rights on monitored resources
- SE_IT_Operations IT-Operations Can use and manage all Log Views Get alerts from all detected problems and can perform Remote Actions to swiftly resolve problems Maintains the Knowledge base Articles and modifies the custom meta data fields
Joe - Production Denied A single Monitor View with the right to restart the printer service on Windows Server "SEDC01" Can read the knowledge base article with the restart instructions
Andreas SE_DevTeam
NO_DevTeam
Developers Denied Denied Writes the Knowledge base Articles and contributes with the documentation for new systems integration solutions

Version history

The role-based security features are incremental with the following Nodinite versions:
* 5.1 - Log Views
* 5.2 - Monitor Views
* 5.3 - Repository Model


Next Step

Add or manage Role
Add or manage Log View
Add or manage Monitor View
Repository Model

Users
Log Views
Monitor Views
Access Management