Introduction to Access Permissions

Download this manual as a PDF file

This section is intended for system administrators who are responsible for controlling user access to Skylar One (formerly SL1) systems. This manual describes the access permissions system used in Skylar One. This system comprises a selection of access hooks that control individual actions and user-defined access keys, that group together access hooks and are granted to users. This manual includes step-by-step instructions on how to create access keys and how to select appropriate access hooks.

Use the following menu options to navigate the Skylar One user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

What is an Access Hook?

An access hook controls access to a specific action that can be performed in the Skylar One user interface. These actions include navigating to a page, viewing information about an element in the system, and editing elements in the system. Each access hooks is designed to be highly granular, providing access to only one action on one specific entity or page. Because of this granularity, there are hundreds of access hooks available in Skylar One.

Access hooks are not granted to users directly; instead, access hooks are grouped together to form an access key, which can be granted to users either directly through their user account or indirectly through a user policy.

What is an Access Key?

Because there are several hundred access hooks provided in Skylar One, granting each individual access hook to a user or user policy would be a time-consuming process.

Therefore, Skylar One requires that access hooks be grouped together in an access key that can be granted to users either directly or through a user policy. By default, the access key "Grant All" is included with Skylar One. Every access hook, except for the access hook that controls the Access Key Manager, is aligned to the "Grant All" access key. Skylar One also includes default access keys for the most common user profiles and common tasks in Skylar One.

Role-Based Access Control Restrictions

Role-based access control (RBAC) is a methodology that enables Skylar One administrators to determine which end users have access to which features within the system. It has three primary components:

  • Organization memberships

  • Access hooks and access keys

  • User accounts and user policies

Access hooks and access keys control the pages users can navigate to and the actions they can perform. However, user access is further controlled by organization membership. Users can view and interact only with elements associated with organizations to which they have membership.

For example, a system might have three organizations: Org A, Org B, and Org C. If user is a member of Org A and Org B and is assigned the appropriate access keys to view the Devices page or Device Manager page, the user will see only devices in Org A and Org B on those pages. The user will not be able to see or interact with elements associated with Org C.

If a user is able to view the Access Hooks and Access Keys pages, the user interface is restricted so no navigation links are given to those pages. See the Navigation Access Hooks section for more information.

If a user is able to modify user accounts, user hierarchy is also enforced in the following ways:

  • Non-administrator users cannot modify administrator accounts.
  • Non-administrator users cannot make themselves or another user an administrator.
  • Users cannot grant or remove access keys that they have not also been granted.

For more information about RBAC, see the section on Role-Based Access Control.

High-Level Access Keys

In Skylar One, the "Grant All" access key assigns most available access hooks to users who have that access key aligned to their user account. It should be reserved for only administrator users and high-level, non-administrator users that require access to all of the functionality within Skylar One.

In Skylar One 12.5.1 and above, the following additional access keys can be used to grant varying levels of administrator access, based on the user's role and the type of Skylar One deployment:

  • Tenant - Administration, which provides most of the functionality of the "Grant All" access key, excluding the features controlled by the "Platform - Administration" access key and the ability to create or edit access keys or their alignment with access hooks.

  • Platform - Administration, which is assigned by default to administrator user accounts and specifically grants the following permissions that are not aligned with the "Tenant - Administration" access key:

    • The ability to access the Backup Management and Database Tool pages

    • The ability to enable and disable administrative processes or edit the collection frequency of those processes

    • The ability to edit email gateway settings