Nova facilitates Role-Based Access Control (RBAC). That means you use it to grant permission for someone to do something, against something. For example, an administrator might grant permission for people to access a certain application. Or, an office manager might grant access for others in the office to use certain resources.
A Nova administrator configures authorization policies to specify who can perform certain actions within a tenant, and the conditions associated with those actions.
There are four pieces to an authorization policy:
·Tenant: Authorization policy is applied to a certain tenant. For example, North America.
·Delegate: The person to whom rights are granted. They can do something with the tenant. For example, VP of Operations.
·Action: The activity the person can perform. For example, update user.
·Conditions of the action: Any conditions related to the delegate performing the action. For example, when the VP of Operations updates a user's information, you can specify whether they can see/update all of the user's attributes or only some of them.
When an authorization policy grants someone rights to perform a certain action, that person logs in to Nova to perform the action.
For example, a manager can perform certain actions (like setting out of office messages and granting access to SharePoint resources) for the users on their team. The manager uses single sign-on (via their AAD credentials) to log in to Nova and perform the actions. Actions performed by the manager are pushed to other applications (for example, Exchange Online). It is important to note that the manager's Nova instance only shows options that are relevant to the activities they can perform in the application.
A video overview of authorization policies can be seen here.
Setting up a new authorization policy
Follow the steps below to create an authorization policy.
1.In the left menu, select Manage Administration > Authorization policies.
3.Enter a name for the policy.
4.Specify settings, if desired:
oDefault user policy: Select this option if the policy applies to all organizational units in a tenant. For example, select this option if you want the helpdesk to be able to update all users in the organization.
oSelf service: Select this option if you want a user to be able to perform a certain specific action on their own user object when they log in. For example, select this option if you want a user to be able to update their own phone number and address.
oIs template: Select this option if you want to create a template policy that you will use across tenants.
6.Using the Delegate to tab, assign the policy to users.
7.Using the Managed objects tab, specify where the delegated rights are assigned.
8.Using the Actions tab, add tasks you are delegating.
9.Using the Properties tab, add any conditions to the policy. For more information, click here.
10.Click Save to create the authorization policy.
Editing or deleting an authorization policy
To edit or delete an existing authorization policy:
1.In the left menu, select Manage Administration > Authorization policies.
3.Locate the policy you want to edit or delete, and select it.
oClick Edit, make desired changes, and click Save to apply all the edits.
oClick Delete and confirm the delete action.
Delegating action(s) to an authorization policy
Follow these steps to delegate an action to an authorization policy:
1.In the left menu, go to Manage Administration > Authorization policies.
3.Select an existing policy, and then click Edit.
4.In the Assignment frame, select the Actions tab, and then click Add.
5.Locate the action(s) you want to add, select it/them, and then click the Add button located in the top right corner of the window.
6.Select the Properties tab and select any conditions. For more information, click here.
7.Click the Save button.
Which policies apply?
After you have set up and assigned policies, here is how you can see which policies apply to a certain virtual organizational unit.
Below, you will find some examples of authorization policies in Nova.
Delegating password resets
In this video we see how to delegate the ability to perform password resets.
Delegating out of office administration
In this video we see how to delegate the ability to manage out of office (automatic replies) messages.
Delegating management of MFA
In this video we see how to delegate the ability to manage multi-factor authentication settings for users.
Delegating custom PowerShell scripts
As a System or Account Administrator, you have the ability to delegate the execution of custom PowerShell scripts to other administrators. Click here for more information on that. Follow the steps below to create an authorization policy that delegates custom PowerShell scripts.
1.Go to Manage administration > Authorization Policies.
3.Enter a name for your policy.
4.On the Assignment section, on the Delegate to tab, click Add, and add the user(s) and/or OU(s) you would like to delegate the policy to.
5.Then select Managed Objects and choose which user(s) and/or OU(s) you would like the delegated administrator to perform the actions on.
6.Then select Actions and select Executes Custom PowerShell Script, and click the arrow button.
7.Under PowerShell Commands, add the PowerShell commands that have been created. Once you have selected them, click Close.
NOTE: Go here to learn more about creating custom PowerShell scripts.
8.Select the properties you would like to apply to your policy, then click Close.
9.Once you are finished creating the policy, click Save.
To ensure the policy does not become lost or corrupted, you might want to export/save the configuration to a safe location.
Exporting an authorization policy or configuration policy
Follow the steps below to export a policy file.
1.From the left menu bar, select Manage Administration > Authorization policies or Configuration policies (depending on the type of policy you want to export).
oExport all policies by selecting Export > Export All.
oExport a specific policy (or policies) by selecting the check box next to any policies you want to export and selecting Export > Export Selected.
3. Click OK.
A .zip file containing the policy configuration is saved to your Downloads folder.
Importing an authorization policy or configuration policy
When you are ready to restore a previously exported policy file, follow the steps below.
1.From the left menu bar, select Manage Administration > Authorization policies or Configuration policies (depending on the type of policy you want to import).
3.Specify how you want duplicate policy names to be handled.
4.Browse for the policy file, select it, and click Open.
The restored/imported policy can now be found in your list of policies.
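A check that can be run on an exported .zip before it is imported again, given here as an added example that is not Quest or Nova code: it records a SHA-256 digest at export time and later confirms that the archive is unchanged and well-formed. The entry name policy.json and all function names are constructed for illustration; the page does not describe what the archive contains.

```python
import hashlib, os, tempfile, zipfile
from pathlib import PurePosixPath

def sha256_file(path):
    """Digest to record next to the export when it is saved to a safe location."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_export(path, expected_sha256):
    """Return a list of problems; an empty list means the archive is safe to import."""
    problems = []
    if sha256_file(path) != expected_sha256.lower():
        problems.append("digest mismatch")
    if not zipfile.is_zipfile(path):
        return problems + ["not a zip archive"]
    with zipfile.ZipFile(path) as z:
        bad = z.testzip()                      # first entry with a CRC error, or None
        if bad is not None:
            problems.append(f"CRC error in {bad}")
        for name in z.namelist():
            p = PurePosixPath(name.replace("\\", "/"))
            if p.is_absolute() or ".." in p.parts:
                problems.append(f"unsafe entry path: {name}")
    return problems

def demo():
    """Build a constructed export, record its digest, then modify it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policies.zip")
        with zipfile.ZipFile(path, "w") as z:
            z.writestr("policy.json", '{"name": "constructed sample"}')
        digest = sha256_file(path)             # stored at export time
        clean = check_export(path, digest)
        with zipfile.ZipFile(path, "a") as z:  # simulate a change made after export
            z.writestr("../outside.json", "{}")
        modified = check_export(path, digest)
    return clean, modified

if __name__ == "__main__":
    print(demo())
```

Store the recorded digest separately from the archive so that a change to one cannot silently be matched in the other.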
You can edit details related to actions added to authorization policies using the Properties tab (shown below).
After adding actions to a policy, you can select whether delegates can see or edit information related to the assigned actions.
For example, after assigning the Update Tenant User action to an authorization policy, you might edit the policy's properties so delegates (i.e. members of the help desk) cannot read and/or edit certain information.
Here is a video showing more about properties.
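The four pieces of an authorization policy described at the top of this page, together with the Properties conditions described above, can be read as a deny-by-default decision. The following is an added conceptual model, not Nova's implementation or schema: the class, function and user names are constructed, and it assumes that grants from several matching policies are combined and that an editable attribute is also readable.

```python
from dataclasses import dataclass, field

UPDATE = "Update Tenant User"  # action name taken from the page

@dataclass
class Policy:  # illustrative model, not Nova's schema
    tenant: str
    delegates: set            # who receives the rights
    actions: set              # what they may do
    managed: set = field(default_factory=set)    # OUs the rights apply to
    readable: set = field(default_factory=set)   # attributes delegates may see
    editable: set = field(default_factory=set)   # attributes delegates may change
    default_user_policy: bool = False  # covers every OU in the tenant
    self_service: bool = False         # covers only the actor's own object

def grants(policies, actor, tenant, action, target, target_ou):
    """Union of (readable, editable) attributes, or None when no policy applies."""
    read, edit, matched = set(), set(), False
    for p in policies:
        if p.tenant != tenant or action not in p.actions or actor not in p.delegates:
            continue
        if p.self_service:
            in_scope = actor == target
        else:
            in_scope = p.default_user_policy or target_ou in p.managed
        if in_scope:
            matched = True
            read |= p.readable | p.editable   # assumption: editable implies readable
            edit |= p.editable
    return (read, edit) if matched else None

def apply_update(policies, actor, tenant, target, target_ou, changes):
    """Split a requested update into accepted changes and rejected attribute names."""
    result = grants(policies, actor, tenant, UPDATE, target, target_ou)
    edit = result[1] if result else set()     # deny by default
    accepted = {k: v for k, v in changes.items() if k in edit}
    return accepted, sorted(set(changes) - edit)

# Constructed sample policies: a help desk scoped to one OU, and a self-service policy.
POLICIES = [
    Policy("North America", {"helpdesk"}, {UPDATE}, managed={"Sales"},
           readable={"displayName", "phone"}, editable={"phone"}),
    Policy("North America", {"alice"}, {UPDATE},
           editable={"phone", "address"}, self_service=True),
]
```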
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.