Michael-RescueIT  
#1 Posted : Tuesday, July 15, 2014 9:06:21 PM(UTC)
It would be very helpful if we could have a little more selection ability under the security section.

Use case:

My company has many levels of staff in an EVER growing list of clients that we support. Not all staff should have access to, say, high-profile clients, servers, etc.
We have created a Managers level and a Staff level profile in security. Staff should have access to clients A through X but not have access to Corporate servers or client servers. Managers gain access to customer servers and only operations (administrators) should have full access.


Problem:

It's a lot of administrative overhead to remember to go back in and provide access to those who need it when we onboard a new client, and it would be easier if we could just restrict access to groups already created and allow users access to any new groups automatically.

Proposed solution:

The ability to give users permissions to access sessions a, b, c but not d by saying "All access sessions except group X" or by having some way to say users are NOT allowed access to Access Group X.

Thoughts?
Michael Stants - Senior Systems Administrator

jdp  
#2 Posted : Saturday, July 19, 2014 12:44:56 PM(UTC)
Hi,
A few of us have logged similar requests.

Basically, if you could say that the group xxxx had DENY permissions on an access group, then even if they were in another group which got access, the deny permission would still take precedence.

Jeff  
#3 Posted : Monday, July 21, 2014 7:03:06 PM(UTC)
So our stance has always been primarily to not mix access and deny permissions because that can get very confusing and create security conflicts that are tough to troubleshoot pretty quickly. By not providing access to anything unless explicitly defined you run a lower chance of giving someone access to something they shouldn't have.

That said, we certainly acknowledge that it can be time-consuming to add multiple View Session Group permissions if you have dozens or hundreds of folders. There was at one point a way to manually edit our role file to add a deny permission there, something we asked our development team to look into recently.

But it does sound like, Michael, you would like to select the available permissions as you create the session filter; is that correct? Or is your request more like the others, where they wanted to add a view all session groups at Administration/Security under the role and then add one additional 'deny' for a couple of session groups?
ScreenConnect Team
Michael-RescueIT  
#4 Posted : Monday, July 21, 2014 7:51:11 PM(UTC)
It would certainly be easier if there were a way to select multiple access groups in an allow rule instead of having to add each group one at a time. I still would realistically like to see the ability to say "Allow from all access sessions except: Group A, Group B, Group C". This would kill a lot of overhead for most setups that constantly grow like ours does.
Michael Stants - Senior Systems Administrator
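
Added example, not part of the thread and not ConnectWise or ScreenConnect code: a small Python model of the two approaches debated above, an explicit allow list versus "all session groups except X" with deny taking precedence across roles. The `Role` fields, function names and group names are hypothetical and the data is constructed; it shows what each model exposes when a new session group is onboarded and how an allow in one role can collide with a deny in another.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    allow: set = field(default_factory=set)   # explicitly allowed session groups
    allow_all: bool = False                   # "all session groups ..."
    deny: set = field(default_factory=set)    # "... except these"

def can_view(roles, group):
    """Deny-overrides evaluation across every role a user holds."""
    if any(group in r.deny for r in roles):
        return False          # a deny in any role wins, as proposed in post #2
    return any(r.allow_all or group in r.allow for r in roles)

def visible(roles, all_groups):
    return sorted(g for g in all_groups if can_view(roles, g))

# Constructed sample data (hypothetical group and role names)
GROUPS = {"Client A", "Client B", "Client Servers", "Corporate Servers"}
STAFF_ALLOWLIST = Role("Staff", allow={"Client A", "Client B"})
STAFF_EXCEPT = Role("Staff", allow_all=True,
                    deny={"Client Servers", "Corporate Servers"})
MANAGERS = Role("Managers", allow={"Client Servers"})

def onboarding_diff(new_group):
    """Does each Staff model expose a session group created after the roles?"""
    after = GROUPS | {new_group}
    return {
        "allowlist": new_group in visible([STAFF_ALLOWLIST], after),
        "all_except": new_group in visible([STAFF_EXCEPT], after),
    }

def audit_conflicts(roles):
    """Groups allowed by one role and denied by another for the same user."""
    allowed = set().union(*(r.allow for r in roles))
    denied = set().union(*(r.deny for r in roles))
    return sorted(allowed & denied)

if __name__ == "__main__":
    print(onboarding_diff("Client C"))                  # routine new client
    print(onboarding_diff("Client C Domain Controllers"))  # sensitive new group
    print(audit_conflicts([STAFF_EXCEPT, MANAGERS]))
```

Under the "all except" model the sensitive new group is visible to Staff until someone adds it to the deny list, and a user holding both Staff and Managers loses "Client Servers" because the deny wins.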