Access Groups

Up until now, all administrators in Landscape shared the same full privileges over all computers in the account. While this works well for small networks and just a few admins, it becomes more problematic as more administrators and computers are added to the account. Suddenly too many people have management privileges over all computers.

With the introduction of Access Groups we hope to alleviate this problem. Now administrators can be attached to such an access group, meaning they will only see (and be able to manage) computers in the same group.

The following picture helps to illustrate this point:

access_group_overview.png

Here we can see that both Alice and Bob are part of an access group called "devel", which also has three machines in it. When either Alice or Bob logs in to Landscape, those three machines are the only ones they will see.

Jane, however, belongs to the special "Full Access" group. She can see and manage all the machines from the account regardless of whether they are part of an access group or not.

The privileges associated with the "Full Access" group always take precedence and override everything else. If an administrator belongs to it and is later also added to some other access group, the full access privileges remain and are not limited in any way.

Managing Access Groups

Access Groups can be managed via the new "Access Group" icon in the left menu from Landscape:

access_groups_menu.png

This will bring up a page which lists the current access groups. Here is where we add new groups, edit existing ones and also remove groups.

Every account has the special "Full Access" group listed here; it is explained further below. All existing administrators are by default part of this group, meaning they continue to have the full access they already had before this feature was implemented.

Adding a new group is as simple as clicking on the "Add" button. Just give the new group a unique title and you are set. For example, let's add the "devel" group:

create_access_group.png

To remove an existing access group, click on its name to get to the overview page and then select the "Remove" link:

access_group_remove.png

  • /!\ Be careful when removing an access group which still has members (administrators or computers). Computers will go back to having no access group, and the administrators might end up having no management rights whatsoever if that was their only group!

When viewing an access group, all administrators currently belonging to the Full Access group are also shown. This is to remind you that because they have full access, they consequently also have access to this group.

For example, the newly created "devel" group already lists "jane" as someone who has access to the computers in this group, but only because she is a member of the Full Access group:

jane_in_devel_group.png

When editing a group, the members of the Full Access group will also be shown just for completeness, but their membership status will be grayed out since they are not really members here:

full_access_also_shown.png

Administrators and Access Groups

All newly created access groups start out empty. We can now add computers and administrators to an access group. In this section, let's deal with administrators.

  • {i} Administrators can be members of more than one access group at the same time

Administrators can be added to access groups in two different ways:

  • via invitations: this is the quickest way for when the administrator is not yet a member of the Landscape account and still needs to be invited
  • by editing the access group: this should be used when the administrator is already a member of the Landscape account

Let's see them both.

New Administrators

When creating an invitation for someone to join your Landscape account, you now have the option of selecting to which access group the new administrator should belong:

invitation_with_access_group.png

Once that person accepts the invitation, he or she will become an administrator of that group, only having access to the machines that are in it.

If you select "no value" then the person will become a member of the Full Access group and thus have access to all computers.

Existing Administrators

If the administrator is already a member of the Landscape account, you can manage to which access group he or she belongs by editing the access group itself.

  • {i} Only members of the Full Access group can manage access groups

For example, let's add "alice" to the "devel" access group. This is at most a two-step process:

  • remove her from the Full Access group
  • add her to the "devel" group

    /!\ If the Full Access group membership is not revoked, the restrictions from the "devel" access group will not apply

Go to Access Groups and click on the Full Access group to bring up its properties page. On this page, click on Edit and uncheck the box next to "alice":

revoke_fa_from_alice.png

  • {i} You can use a similar procedure to add someone to this group: just enable the check box instead.

Now we are ready to add "alice" to the "devel" group. Go to the properties page of that group and click on "Edit", and then add her to the group:

add_alice_to_devel_group.png

Once you click on save, the change is done and "alice" will have access privileges to the machines in the "devel" group.

Similarly, to remove an administrator from an Access Group, just go to the group page and unselect the check box next to the administrator's name.

The "Full Access" Special Group

By default, all new administrators are part of the "Full Access" group. Administrators who already existed when this feature was added were also made part of this group, so there was no unexpected behavior.

This group has the following important property: its members have access to all computers in the account, regardless of other group membership they might have, or what group the computers may be in.

The administrator invitation form will default to no access group, which means the new administrator will get full access privileges. If you don't want that, specify the group as explained earlier.

In other words, if you don't want to use access groups, there is nothing that needs to be done. Just keep using Landscape as usual.

Computers and Access Groups

The next step in delegating the management of certain computers to specific administrators is to actually add the computers to the access groups. This is done in the computer info page.

  • {i} Only an administrator with full access privileges can change the access group membership of a computer

The computer info page has a new section regarding access groups. To make the displayed computer a member of the "devel" group, for example, just select it from the list:

add_machine_to_devel_group.png

If you need to add several machines to an access group, no problem. Just select them all first in the computers page and then go to the info page and select the access group you want them all to be a part of.

  • {i} A computer can only be part of one access group at a time

Access Groups and Alerts

Since access groups restrict the computers to which an administrator has access, this has effects in other areas of Landscape.

For example, an administrator who is not a member of the Full Access group will only get alerts about computers that are in his or her access groups, even though the alert rule is said to apply to "all computers". In this context, that means "all computers to which I have access".

The activities page will also behave a bit differently. It will only show activities that affect the computers in the same access groups as the administrator.
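The rules described on this page (Full Access overrides everything, an administrator may be in several groups, a computer in only one, and "all computers" in an alert rule means "all computers I can access") can be checked against a small model. The following is an added example, not Landscape code or its API; the administrator "carol", the computers and the function names are constructed for illustration.

```python
# Added illustration: a toy model of the access rules on this page.
# Not Landscape code; all names and data below are constructed.
FULL_ACCESS = "Full Access"

# administrator -> set of access groups (an admin may be in several)
ADMIN_GROUPS = {
    "jane": {FULL_ACCESS},
    "alice": {"devel"},
    "bob": {"devel"},
    "carol": {FULL_ACCESS, "devel"},  # Full Access was never revoked
}
# computer -> its single access group, or None for "no access group"
COMPUTER_GROUP = {"dev1": "devel", "dev2": "devel", "dev3": "devel",
                  "web1": None, "db1": "prod"}


def visible_computers(admin, admins=ADMIN_GROUPS, computers=COMPUTER_GROUP):
    """Computers an administrator can see and manage."""
    groups = admins.get(admin, set())
    if FULL_ACCESS in groups:  # Full Access overrides everything else
        return set(computers)
    return {c for c, g in computers.items() if g is not None and g in groups}


def ineffective_restrictions(admins=ADMIN_GROUPS):
    """Admins added to a group whose restriction does not apply
    because they are still members of Full Access."""
    return {a: sorted(g - {FULL_ACCESS}) for a, g in admins.items()
            if FULL_ACCESS in g and len(g) > 1}


def removal_impact(group, admins=ADMIN_GROUPS, computers=COMPUTER_GROUP):
    """Effect of removing `group`: computers that fall back to no group,
    and admins left with no management rights at all."""
    ungrouped = sorted(c for c, g in computers.items() if g == group)
    stranded = sorted(a for a, g in admins.items() if g == {group})
    return {"ungrouped_computers": ungrouped, "stranded_admins": stranded}


def alert_scope(admin, rule_targets="all"):
    """An 'all computers' alert rule means 'all computers I can access'."""
    seen = visible_computers(admin)
    return seen if rule_targets == "all" else seen & set(rule_targets)


if __name__ == "__main__":
    for name in ADMIN_GROUPS:
        print(name, sorted(visible_computers(name)))
    print(ineffective_restrictions())
    print(removal_impact("devel"))
```

Running `ineffective_restrictions()` before relying on a group for delegation, and `removal_impact()` before deleting one, surfaces the two pitfalls the page warns about.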

AccessGroups (last edited 2009-11-12 19:53:29 by ahasenack)