Multiple permissions
To work on devices, a user must have permissions for one or more actions and one or more device groups.
Errors occur if a user has:
- Action permissions, but no device group permission
  - For example, the user has the set of action permissions that include view, create, modify, and delete. However, the user has no device group permission to receive an action.
- Device group permissions, but no action permission
  - For example, the user has device group permissions that include LTO and 3592. However, the user has no action permission to take against a device group.
- A new role for a new device group, but no action permissions
  - For example, the user has a new role myLTO that was created for a new device group named myLTO. However, the user has no other action permissions.
Permissions might be:
- Directly assigned.
For example, your role as a user might have view and modify permissions for a specific device group.
- Obtained by group membership.
Permissions are specific to a device group. You might be a member of two user groups. For example, membership in one user group might grant view and modify permissions for use with an LTO device group. A second user group might grant view, create, and modify permissions for use with a 3592 device group. You can view and modify a device in either device group. However, you can complete a create action only for devices in the 3592 device group.
Data such as keys and certificates are associated with a device group. Such data is visible only in graphical user interface pages for the device group to which the data is associated. A user with permissions to several device groups can change the association of data from one device group to another for which the user holds appropriate permissions.
Some properties or attributes in the IBM® Security Guardium® Key Lifecycle Manager database are associated with device groups. For example, the symmetricKeySet attribute in the IBM Security Guardium Key Lifecycle Manager database is associated with the predefined LTO device group. To change the attribute, your role must have a permission to the modify action and a permission to the LTO device group.
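The following Python model is an added example, not IBM code and not the product's actual authorization logic. It encodes the rule this page states: an effective permission exists only where one assignment (a direct role or a user group membership) supplies both an action and a device group, and permissions from several user groups are combined per device group rather than merged into one pool. The `Grant`, `User`, `effective_permissions`, `is_allowed` and `diagnose` names and the `operator`/`broken` sample users are constructed for illustration; the two user groups mirror the LTO and 3592 example above, and the `broken` user reproduces the misconfigurations listed under "Errors occur if a user has".

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# An effective permission is a pair: (action, device group).
Permission = Tuple[str, str]


@dataclass(frozen=True)
class Grant:
    """One role-style assignment: action permissions paired with device group
    permissions. Hypothetical structure for this example only."""
    name: str
    actions: FrozenSet[str] = frozenset()
    device_groups: FrozenSet[str] = frozenset()

    def effective(self) -> Set[Permission]:
        # Cartesian product: an action is usable only against a device group
        # named by the same grant. If either half is empty, nothing results.
        return {(a, g) for a in self.actions for g in self.device_groups}

    def problem(self) -> str:
        """Return a description of the misconfiguration patterns the page lists,
        or an empty string if the grant is usable."""
        if self.actions and not self.device_groups:
            return f"{self.name}: action permissions but no device group permission"
        if self.device_groups and not self.actions:
            return f"{self.name}: device group permissions but no action permission"
        return ""


@dataclass
class User:
    """A user with directly assigned grants and grants obtained via user groups."""
    name: str
    direct: List[Grant] = field(default_factory=list)
    # user group name -> grants that membership confers
    groups: Dict[str, List[Grant]] = field(default_factory=dict)

    def all_grants(self) -> List[Grant]:
        grants = list(self.direct)
        for conferred in self.groups.values():
            grants.extend(conferred)
        return grants


def effective_permissions(user: User) -> Set[Permission]:
    """Union of (action, device group) pairs across all of the user's grants.
    Actions from one group never leak onto device groups of another group."""
    perms: Set[Permission] = set()
    for grant in user.all_grants():
        perms |= grant.effective()
    return perms


def is_allowed(user: User, action: str, device_group: str) -> bool:
    """The check: both an action permission and a device group permission
    must come from the same assignment."""
    return (action, device_group) in effective_permissions(user)


def diagnose(user: User) -> List[str]:
    """List grants that can never authorize anything (the error cases above)."""
    return [msg for msg in (g.problem() for g in user.all_grants()) if msg]


# Constructed sample data mirroring the page's LTO / 3592 example.
OPERATOR = User(
    "operator",
    groups={
        "lto-operators": [
            Grant("lto-operators", frozenset({"view", "modify"}), frozenset({"LTO"}))
        ],
        "3592-operators": [
            Grant("3592-operators", frozenset({"view", "create", "modify"}), frozenset({"3592"}))
        ],
    },
)

# Constructed user holding only half of each requirement.
BROKEN = User(
    "broken",
    direct=[
        Grant("actions-only", actions=frozenset({"view", "create", "modify", "delete"})),
        Grant("myLTO", device_groups=frozenset({"myLTO"})),
    ],
)

if __name__ == "__main__":
    for action, group in [("create", "3592"), ("create", "LTO"), ("modify", "LTO")]:
        print(f"{OPERATOR.name}: {action} on {group} -> {is_allowed(OPERATOR, action, group)}")
    print(f"{BROKEN.name} effective permissions: {effective_permissions(BROKEN)}")
    for msg in diagnose(BROKEN):
        print("misconfiguration:", msg)
```

The `("modify", "LTO")` check is the same requirement stated for changing the symmetricKeySet attribute: a modify action permission together with an LTO device group permission. Running `diagnose` over users is a cheap way to spot roles that carry only actions or only device groups before anyone hits the resulting errors.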