Case Study: Managing Access to Reporting Configuration
Suppose an InTrust administrator creates a task that generates reports on superuser access to Linux hosts. Only users from the Linux01 group can view and modify this reporting task. When a user from the Linux01 group opens InTrust Manager, only the Tasks node and the prepared task with the reporting job are available.
To implement this scenario, be sure to do all of the following:
- Deny access to all second-level nodes in the InTrust Manager treeview, except the Tasks node.
- Give the Linux01 group the Read permission on the Tasks node and the task folder that contains the necessary task.
- Give the Linux01 group the Modify permissions on the task itself.
- Make sure that account under which the reporting job runs has the Read permission on the nodes of the InTrust server and data stores used by the reporting job.
InTrust Configuration
- Configuring Access Rights
- Configuring InTrust Sites
- Configuring Notification Groups and Recipients
- Configuring InTrust Monitoring Console
Configuring Access Rights
During InTrust installation, the following groups are created on the InTrust server:
In addition, access to InTrust configuration is controlled by the following:
- List of organization administrators (see InTrust Organization Administrators)
- Permissions on individual InTrust objects
These settings are closely related to the role-based administration capabilities of InTrust, that is, help to control who has access to which InTrust objects. Role-based administration feature is disabled by default after the installation. For more information about enabling and using this feature, see the Role-Based Administration of InTrust topic.
InTrust Organization Administrators
InTrust organization administrators are members of a special list maintained in the InTrust configuration database. Accounts included in this list can do the following:
- Install InTrust servers
- Override permissions on objects in InTrust Manager (if role-based administration is used in your InTrust organization)
When you install the first InTrust server in the organization, the following accounts automatically become members of this list:
- The account you are using to run the setup
- The account of the InTrust Server service (supplied during the setup)
Before you install subsequent servers, you should add all the accounts you are going to use for setup to this list. For that, in InTrust Manager, open the properties of the root node and use the Add and Remove buttons to edit the list.
|
|
Caution: If you configured non-dbo accounts to access InTrust databases (as described in the Providing Database Access topic), make sure that the corresponding group is included in the list of InTrust organization administrators. |
