Controlling Access and Permissions

ZENworks® 6.6.2 Linux Management includes a more complex permissions and security mechanism than previous versions. The new mechanism is based on three levels of access: Grant, Modify, and View:

Permission Description

Grant

Grant permission allows you to grant access to an object. By default, you get the Grant permission for any object you create. Grant permission includes the Modify and View permissions.

Modify

Modify permission allows you to edit a given object. For example, if you have Modify access to a channel, you can add packages to it. Modify permission includes View permission.

View

View permission is read-only access to a given object. For example, an administrator could be given Grant permission for channel A, but only View permission for channel B. She then knows what software is available in channel B and won't bother to ship it in channel A, and she doesn't need Modify or Grant access to channel B for that.

The first administrator created is an organization administrator. This account is created by the initialization process that runs during installation.

This administrator can grant organization administrator status to other administrator accounts, and receives all permissions for all objects in the organization, regardless of the permissions settings.

For multiple-organization deployments, a superadministrator account can be created, which is equivalent to organization administrator status in all organizations.

Permissions can be granted for different portions of the organization, which are represented by the following objects: administrator accounts, channels, groups, machines, packages, and activations.

Some operations require access to multiple objects. In these circumstances, an administrator must have appropriate permissions for both objects. For example, if Anne wants to have John administer channel A, she must have Grant permission for the channel, and Modify permission on John's account.
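The rules above (each level includes the ones below it, creators get Grant, organization administrators bypass the settings, and delegation needs permissions on two objects) can be modelled in a few lines. This is an added illustration, not ZENworks code: the class, method, and object names are hypothetical, and it covers a single organization only.

```python
from enum import IntEnum

class Level(IntEnum):
    # Ordered so a higher level includes the lower ones (Grant > Modify > View).
    VIEW = 1
    MODIFY = 2
    GRANT = 3

class Acl:
    """Toy model of the permission rules described above (hypothetical API)."""
    def __init__(self):
        self.perms = {}          # (admin, object) -> Level
        self.org_admins = set()  # accounts with organization administrator status

    def create(self, admin, obj):
        # The creator of an object gets Grant on it by default.
        self.perms[(admin, obj)] = Level.GRANT

    def has(self, admin, obj, needed):
        # Organization administrators hold all permissions on all objects,
        # regardless of the stored settings.
        if admin in self.org_admins:
            return True
        return self.perms.get((admin, obj), 0) >= needed

    def delegate(self, granter, grantee, obj, level):
        # Multi-object operation: the granter needs Grant on the object
        # AND Modify on the grantee's administrator account.
        missing = []
        if not self.has(granter, obj, Level.GRANT):
            missing.append(f"Grant on {obj}")
        if not self.has(granter, f"account:{grantee}", Level.MODIFY):
            missing.append(f"Modify on account:{grantee}")
        if missing:
            raise PermissionError(f"{granter} lacks " + " and ".join(missing))
        self.perms[(grantee, obj)] = level

def demo():
    acl = Acl()
    acl.org_admins.add("root_admin")     # all names here are constructed
    acl.create("anne", "channel:A")      # Anne gets Grant by default
    try:
        acl.delegate("anne", "john", "channel:A", Level.MODIFY)
        first = "allowed"
    except PermissionError as e:
        first = str(e)                   # Anne has no Modify on John's account yet
    acl.delegate("root_admin", "anne", "account:john", Level.MODIFY)
    acl.delegate("anne", "john", "channel:A", Level.MODIFY)
    return first, acl.has("john", "channel:A", Level.VIEW), acl.has("john", "channel:A", Level.GRANT)
```

When reviewing who can delegate access, both halves of the check matter: Grant on the object alone is not enough without Modify on the target account.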


E-Mail Notifications

E-mail notifications inform you of transactions performed by a machine or by a machine group. You can be notified of all transactions, or of failed transactions only.

The return address for notifications is set by modifying the server_contact parameter in rcserver.conf.