Permission Model
The permission model is based on Device Groups, Roles, Software Collections and AD Groups, which together build a Profile.
Permission Roles
Permissions are assigned to profiles in netECM.
A profile is linked to an Active Directory group through the group's SID. The SID is set manually in the settings of the profile. There are five different permission roles that can be used for the profiles, enabling more or less control over the functions of netECM.
Role | Description |
---|---|
Viewer | The viewer permission is for first level support. It allows the viewer to see whether or not there is an error with the device or the job and the viewer can then alert the necessary personnel. |
Software Manager | A software manager has the same permissions as the viewer but can additionally install and uninstall software on clients. |
Staging Manager | The staging manager can manage devices (except deleting them) and view the status of the devices. Furthermore, the staging manager can initialize device stagings and manually confirm staging states. |
Supporter | A supporter is the combination of software and staging manager. The supporter can therefore manage devices (except deletion) and software. |
Administrator | The administrator set allows for full control over the netECM:UserDevice. This includes setting permissions for other profiles, deleting devices and managing device types. |
The following matrix shows an overview of the permissions for each role.
Permission | Viewer | Software Manager | Staging Manager | Supporter | Administrator |
---|---|---|---|---|---|
View Devices | X | X | X | X | X |
View Running Jobs | X | X | X | X | X |
View Archive Jobs | X | X | X | X | |
Manage Devices | | | X | X | X |
Delete Devices | | | | | X |
Confirm Staging State | | | X | X | X |
Manage Software | | X | | X | X |
Manage Device Types | | | | | X |
Device Groups
In order to grant permissions to a set of devices, these devices need to be grouped first. This can be achieved through device groups based on the device name, the device type or a device variable. When creating a new device group a regular expression pattern for at least one attribute has to be set that includes all the desired devices. After the creation of a device group it can be added to the required profiles. The permissions themselves are defined through the profile permissions.
User Groups
In order to grant permissions to a set of users, these users need to be grouped first. This can be achieved through user groups based on the properties which are available in the full text search. When creating a new user group, a regular expression pattern for at least one attribute has to be set that includes all the desired users. After the creation of a user group it can be added to the required profiles. The permissions themselves are defined through the profile permissions.
Software Collection Types
In order to assign software with netECM, the collections that are used to deploy software in SCCM need to be identified. This is done with the Software Collection Types, which search for these collections by name using defined regular expression patterns. The standard types differentiate between user and device targeted, as well as between production and pilot collections. The Software Collection Types are used in the install and uninstall software wizard, where the user can filter according to the defined types. For every type, there are two RegEx patterns, one each for the install and uninstall collections.
The standard patterns for device collections in production look like this:
- Install: (?<Prefix>^DSW[R,A])\s(?<Manufacturer>[a-zA-Z0-9-.]+)\s(?<Product>[a-zA-Z0-9-.]+)$
- Uninstall: (?<Prefix>^DSWR)\s(?<Manufacturer>[a-zA-Z0-9-.]+)\s(?<Product>[a-zA-Z0-9-.]+)\s(?<Uninstall>Uninstall)$
Production install collection:
- DSWR Adobe Reader
- "<Prefix> <Manufacturer> <Product>"
Production uninstall collection:
- DSWR Adobe Reader Uninstall
- "<Prefix> <Manufacturer> <Product> <Uninstall>"
The three keys "Prefix", "Manufacturer" and "Product" have to match in order to link the install and uninstall collection, because these three are set as the correlation keys.
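The linking described above, as an added example that is not netECM code and not part of the original page: it applies the two standard production patterns (with the named groups Prefix, Manufacturer, Product and Uninstall from the collection-name templates above) to a list of collection names and pairs install with uninstall collections on the three correlation keys. The function names and every sample name except "DSWR Adobe Reader" are constructed, and it is an assumption that JavaScript's regex engine treats these patterns the same way netECM does.

```javascript
// Added example (not netECM code): link install and uninstall collections
// through the correlation keys Prefix, Manufacturer and Product.
const INSTALL = /(?<Prefix>^DSW[R,A])\s(?<Manufacturer>[a-zA-Z0-9-.]+)\s(?<Product>[a-zA-Z0-9-.]+)$/;
const UNINSTALL = /(?<Prefix>^DSWR)\s(?<Manufacturer>[a-zA-Z0-9-.]+)\s(?<Product>[a-zA-Z0-9-.]+)\s(?<Uninstall>Uninstall)$/;
const CORRELATION_KEYS = ["Prefix", "Manufacturer", "Product"];

// Build a lookup key from the named groups of a match (hypothetical helper).
function correlationKey(match) {
  return CORRELATION_KEYS.map((k) => match.groups[k]).join("\u0000");
}

// Classify every collection name, then pair install with uninstall collections.
function linkCollections(names) {
  const installs = new Map();
  const uninstalls = new Map();
  const unmatched = [];
  for (const name of names) {
    const u = UNINSTALL.exec(name);
    const i = u ? null : INSTALL.exec(name);
    if (u) uninstalls.set(correlationKey(u), name);
    else if (i) installs.set(correlationKey(i), name);
    else unmatched.push(name); // invisible to this Software Collection Type
  }
  const linked = [];
  const installOnly = [];
  for (const [key, install] of installs) {
    if (uninstalls.has(key)) linked.push({ install, uninstall: uninstalls.get(key) });
    else installOnly.push(install); // no uninstall collection shares all three keys
  }
  return { linked, installOnly, unmatched };
}

// Constructed sample collection names (only "DSWR Adobe Reader" is from the page).
const SAMPLE = [
  "DSWR Adobe Reader",
  "DSWR Adobe Reader Uninstall",
  "DSWA Igor-Pavlov 7-Zip",
  "DSWA Igor-Pavlov 7-Zip Uninstall", // uninstall pattern only accepts DSWR
  "DSWR Mozilla Firefox ESR",         // product containing a space: four tokens
  "DSW, Vendor Tool",                 // [R,A] also accepts a literal comma
];

console.log(JSON.stringify(linkCollections(SAMPLE), null, 2));
```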
Software Collection Groups
Software Collection Groups are used to group software collection types together. The groups can then be assigned to different profiles in order to grant permissions. A profile that has, for example, the production software collection group can therefore only assign production software. Identifying the collection types for the group is done through a regular expression pattern which has to match the software collection type name.