Manage System Security
Manage System Security allows non-administrators to manage users, roles and groups and facilitates a comprehensive, functionally-tailored way to separate user and group responsibilities.
By default, Administrators have access to all security roles. Assigning other groups to roles does not remove an Administrator's complete system access. Users with Manage System Security roles can access the System User Interface Roles of SystemAdministrationLogon and SystemPane.
Roles are not exclusionary or limiting. If granted, users can get additional functionality through their membership in groups having corresponding role assignments. See System Security Roles.
For example:
- A member of the IT team who is not an administrator might need to manage the system security roles.
- An employee in the Accounting department who reports to the Controller over consolidations may manage groups and not need access to other areas of the system.
You can delegate these security roles to non-Administrators:
- ManageSystemSecurityUsers: Grants permission to manage users.
- ManageSystemSecurityGroups: Grants permission to manage groups, exclusion groups and group membership.
- ManageSystemSecurityRoles: Grants permission to manage system security role assignment.
Access System Security Roles
- From the System tab, go to Administration > Security.
- Select System Security Roles.
Manage System Security Users
This role enables you to:
- Create users
- Modify users
- Delete users
- Disable users
This role enables you to specify these user properties:
- General
- Authentication
- Preferences
- Custom Text
Limitations
Users with the Manage System Security role cannot create, modify, or delete administrators, directly or indirectly. Also, they cannot:
- Add or remove themselves to or from groups or roles.
- Delete themselves.
- Add other users to Manage System Security privileges.
- Add or remove groups they are members of from roles.
To manage group membership or copy users, the ManageSystemSecurityGroups role is required.
Manage System Security Groups
This role lets you manage groups and exclusion groups. You can also:
- Add or remove members to or from groups and exclusion groups.
- Copy groups except groups with Administrator privileges.
Limitations
Users with this role cannot:
- Modify the Administrators group.
- Assign users to a group that establishes Administrator privileges.
- Modify their own membership in other groups.
- Modify the parent group of a group in which the user is a member.
Manage System Security Roles
This role lets you manage system security roles. However, you cannot:
- Modify the ManageSystemSecurityRoles role itself, because that requires Administrator-level privileges.
- Assign the Everyone or Nobody groups that require Administrator level privileges.
- Add a group to a role of which you are a member.
Load and Extract
The Load and Extract functionality of Security requires a user to have permissions for all three of the Manage System Security roles, as well as the System User Interface role of SystemLoadandExtractPage.
The controls limiting a Manage System Security user's capabilities are enforced during the Load and Extract process. Validation occurs by comparing the current state of security in the target environment to the changed state determined by processing the source file. Therefore, validating XML loads for Manage System Security users requires pre-existing security in the target environment against which the changed state can be determined.
For example, although Manage System Security users cannot create Administrators, if the current Administrator Groups existed in the target environment prior to the XML load, then the XML will pass the validation and will be loaded. However, when an empty or new environment exists with no pre-existing users and groups, then an Administrator would need to perform the load.
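The diff-based validation described above can be modelled as follows. This is an added sketch, not the product's own code: it covers group membership only, and the dictionary representation, the function names and the user names are assumptions made for illustration.

```python
# Simplified model (assumption): security state is a dict of group -> members.
# Illustrates the documented diff-based check; not the product's implementation.
ADMIN_GROUP = "Administrators"
REQUIRED_ROLES = {
    "ManageSystemSecurityUsers",
    "ManageSystemSecurityGroups",
    "ManageSystemSecurityRoles",
    "SystemLoadandExtractPage",
}

def membership_changes(current, incoming):
    """Return {group: (added, removed)} for groups the file would change."""
    changes = {}
    for group in sorted(incoming):
        before = set(current.get(group, ()))
        after = set(incoming[group])
        if before != after:
            changes[group] = (after - before, before - after)
    return changes

def validate_load(loader, roles, is_admin, current, incoming):
    """Return a list of violations; an empty list means the load passes."""
    if is_admin:
        return []  # Administrators keep complete system access
    missing = REQUIRED_ROLES - set(roles)
    if missing:
        return ["missing roles: " + ", ".join(sorted(missing))]
    violations = []
    for group, (added, removed) in membership_changes(current, incoming).items():
        if group == ADMIN_GROUP:
            violations.append(f"{group}: cannot create or modify administrators")
        if loader in added | removed:
            violations.append(f"{group}: {loader} cannot change own membership")
    return violations

# Constructed sample data: target environment state and the state in the source file.
TARGET = {"Administrators": ["admin1"], "Accounting": ["alice"]}
SOURCE_FILE = {"Administrators": ["admin1"], "Accounting": ["alice", "bob"]}

if __name__ == "__main__":
    roles = REQUIRED_ROLES
    print(validate_load("sam", roles, False, TARGET, SOURCE_FILE))  # admins unchanged
    print(validate_load("sam", roles, False, {}, SOURCE_FILE))      # empty target
```

The same file passes against a populated target and fails against an empty one, because only the difference from the current state is checked against the delegated user's limits.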
BRApi
You can manage user and group system security using BRApi functions such as CopyUser, DeleteUser and CopyGroup. These are controlled by the assigned Manage System Security role. See System Security Users and Groups for more information.
For example, if a dashboard is created to insert new users and a dashboard button executes a BRApi function to insert a user, the system validates that the user clicking the button is in the Administrators group or has the ManageSystemSecurityUsers role permission.
Combined Roles
When granted access to more than one of these roles, you gain more functionality within the scope of the designed capabilities and restrictions. For example, if you have both the users and groups roles, you can copy a user and you can also add a user to a group. Certain functionality, such as Load and Extract, requires a combination of roles.