6.5.7.Managing access to contentACCESS objects
Logged on user – the user logged in to the Central Adminisration, who has the permissions to manage access to contentACCESS objects;
Second user – the explicit user, who gets the rights (involved in the assigned role) to manage certain contentACCESS objects;
Tenant objects – objects like jobs, repositories, schedulers, archive mailboxes etc. of the given tenant;
Tenant repositories – databases, storages, retentions, shortcuts, Exchange connections, aliases of the tenant.
contentACCESS allows to manage access to the contentACCESS objects for second users. These objects are the following:
- schedules and repositories of tenants (database, storage, retention, shortcut, Exchange connection, alias)
- jobs of tenants
- archive mailboxes of a given tenant
- the file archive of a given tenant and
- the tenant itself
In case of schedules, repositories and jobs the “manage access“ means, that the logged on user (with the necessary permissions) assigns for a second user a role containing permissions to
- edit and/or
- delete
the assigned tenant’s
- schedulers and/or
- repositories and/or
- jobs.
In case of tenants “manage access” means, that the logged on user grants rights for a second user to manage the tenant assigned for him, i.e. he gives tenant administrator permissions for this user. The second user’s exact permissions on the given tenant are defined in the assigned role.
In case of archive mailboxes and file archive “manage access” means, that the logged on user grants for the second user access rights to the archive mailboxes and file system archive on the assigned tenant.
The permissions of the role assignment define, what the second user will be allowed to manage. E.g. if my user called ”Job manager” has got “Edit job – All allowed” permission on the TECH-ARROW, but the “Delete job” permission is not allowed in his role assignment, then he will be able to edit the jobs of this tenant, but won’t be able to delete any jobs of the tenant.
The user logged on to the Central Administration, who is able to give access e.g. to TECH-ARROW tenant‘s objects for second users, must have “Manage users and roles” permissions and “Manage tenant” permissions on the TECH-ARROW tenant and also
- Edit repositories – “All allowed” permission to be able to manage access to the repository items on the TECH-ARROW tenant;
- Edit jobs – “All allowed” permission to be able to manage access to the jobs of the TECH-ARROW tenant;
- Edit schedules – “All allowed” permission to be able to manage access to the schedules of the associated tenant
- Manage tenant – permission on the TECH-ARROW tenant to be able to add tenant administrator rights on the TECH-ARROW tenant for a second user
- View mailboxes/View folders/View public folders – “All allowed” permissions on the TECH-ARROW tenant to be able to give access to the archive mailboxes/file archive/public folders for second user(s)on the tenant.
The rule is, that the logged on user must have equivalent or more permissions than the role to be assigned for a second explicit user. E.g. the logged on user is not allowed to assign a role for a second user containing permission “Delete job”, if this permission is not granted for him as well.
Manage access option is available for the logged on user on the respective pages of the Central Administration.
In case of repository items, schedules, jobs and tenants the option is available above the list of items:
Screesnhot A: Manage access to the TECH-ARROW tenant’s file archive jobs
In case of archive mailboxes the option is available in the Address book, in the context menu of the given Exchange mailbox:
Screenshot B: Manage access to edit.balazsy’s archive mailbox
In case of file system archive the option is available in the File archive’s Provisioning settings:
Screenshot C: Manage access to the file system archive folders
First the user needs to select an item (a given job, database, retention, mailbox etc.) from the list.
In each cases, by clicking the “manage access” option, the logged on user is redirected to the Manage access to Object page. Here he can manage access to the contentACCESS object. He clicks +new and the Create role association window opens.
The Role dropdown list lists only the roles that the logged on user is allowed to assign, and which contain specific permissions on that object (in this case the object is the job). Roles containing “All allowed“ permissions (e.g. “Edit job – All allowed“ or “View mailboxes – All allowed”) cannot be granted on the “Manage access to Object page”. The user selects the role with the necessary permissions and assigns it to a new or an existing contentACCESS user.
In this use case we grant access for Jack Bolton to edit the Archive job of TECH-ARROW tenant.
The TAAdmin_job_editor role is already prepared and contains permission to edit specific job(s) of this tenant (“Edit job – Specific allowed”):
On the File Archive’s Jobs page of TECH-ARROW tenant we locate the Archive job, select it and click “manage acces”.
On the “Manage access to Object” page, we select the “TAAdmin_job_editor” role, and assign it to our existing user, to Jack Bolton:
Our Jack Bolton user has now rights to edit the “Archive job” on the TECH-ARROW tenant, but he cannot delete this job from the list.