Configuring permissions

An administrator can grant access to specific resources such as Documents, Sources, Destinations, Devices, and Reports.

Permissions can be granted to users and/or groups directly to the using console or object permissions.

Console permissions

Console Permissions allow access to individual areas of the Output Manager Console. Console permissions grant access to the following

  • The Output Manager Console
  • Individual applications (Sources, Destinations, Administration, and so forth)
  • Individual administrative tasks in the Administration application
  • Menu items on the Tools menu

There is no inheritance in console permissions.

Object permissions

Object permissions provide access to features and components of Output Manager.

  • Destination Permissions allow access to printers or groups of printers.
  • Document Permissions allow access to documents in a given document folder.
  • Library Document Permissions allow access to documents in a given document library folder.
  • Query Permissions allow access to document and document library queries.
  • Report Permissions allow access to reports or report group folders.
  • Source Permissions allow access to sources or groups of sources.

In tree and grid interfaces, an object that supports security configuration will display a Security command on its context menu. This opens the Security Configuration which has features similar Windows security, similar to the Security tab in the Windows folder properties dialog box. This standardized functionality helps increase familiarity of options in the dialog box.

The available permissions are specific to the type of object. For example destinations have a different list of permissions from Reports. The complete list of permissions is always in the same for a given object type. Although a list of users and user groups can be configured, a single user or user group in the list will always be selected. The enabled permissions are always in the context of the selected user or user group. A check box to the left of the permission description indicates its enabled state. Clicking on a permission toggles its enabled state. When a permission is enabled via inheritance, it displays grayed-out and control over that permission is disabled even though adjacent permissions maybe configured (see Inheritance).

Inheritance

Objects inherit permissions from their parent object unless you specify not to do so. Inherited permission are permissive. When an object inherits permissions from a parent, you can only add permissions for specified users and groups. You cannot remove inherited permissions from a user or group.

Administrators use inheritance to productively configure security. By default, when security is configured on an object hierarchy, all of the children (folders and objects) inherit that security configuration. For example, configuring security on the “All Destinations” folder in the Destinations tree will apply that security to every folder and every destination that does not block inheritance from its parent. When security is configured on any descendant object in a tree, all children of that object inherit those settings as well.

The Security Configuration dialog box allows you to control inheritance. An administrator can add permissions for specified objects or users or block inheritance for the object. When an administrator blocks inheritance for an object, the administrator can choose to copy permissions from the parent object into the current object and then configure those as required. Alternatively, the administrator can choose not to copy inherited permissions and configure entirely new permissions to apply to that object and any of its descendants.

Security configuration is audited in Output Manager, so it is possible to report on changes in the security configuration. For example, Audit Reports show who granted a given permission to whom and for what object.

In general it is a good practice to define permissions at the highest level folder or object possible and allow inheritance to provide access to all descendants. This allows you to more easily assign and manage permissions for many different objects. If necessary, you can add members or groups to an object to add additional permissions to those that are inherited. You should only block inheritance for an object when you need to limit access to specific groups or users.