Multiple role assignment

Estimated reading: 10 minutes 159 views

Visual Guard offers 9 predefined roles to the user. The users can be assigned one or more roles simultaneously.

Depending on the assignment the system will automatically decide the level of access.

For example Create a user and grant him two special roles namely Restricted Developer and Auditor.

The list of privileges assigned to the user will be as below:

	Restricted Developer	Auditor
Applications		ø
\Applications\CanReadAllApplications		ø
\Applications\CanReadApplication	ø
\Applications\CanUpdateApplication	ø
Audit and Reporting
\AuditAndReporting\CanGenerateDocumentation		ø
\AuditAndReporting\CanReadEventLog	ø	ø
Groups
\Groups\CanReadGroup	ø	ø
\Groups\CanReadAllGroups		ø
Permissions
\Permissions\CanCreatePermission	ø
\Permissions\CanDeletePermission	ø
\Permissions\CanReadPermission	ø	ø
\Permissions\CanUpdatePermission	ø
Permission Sets
\PermissionSets\CanCreatePermissionSet	ø
\PermissionSets\CanDeletePermissionSet	ø
\PermissionSets\CanReadPermissionSet	ø	ø
\PermissionSets\CanUpdatePermissionSet	ø
\PermissionSets\CanGrantRevokePermissionSetsToApplicationRoles	ø
\PermissionSets\CanGrantRevokePermissionSetsToSharedRoles	ø
Roles
\Roles\CanCreateApplicationRole	ø
\Roles\CanUpdateApplicationRole	ø
\Roles\CanGrantRevokeApplicationRolesToGroups	ø
\Roles\CanGrantRevokeApplicationRolesToUsers	ø
\Roles\CanReadApplicationRole	ø	ø
\Roles\CanReadSharedRole	ø	ø
\Roles\CanReadSystemRole		ø
Users
\Users\CanReadAllUsers		ø
\Users\CanReadUser		ø
Domains
\Domains\CanReadDomain		ø

Impact of Restricted Developer and Auditor Role on Applications

This module explains the impact on the applications if the user has been granted the Restricted Developer and Auditor Role.

The User will be assigned following permissions:

Description	Remarks
Can Read All Applications	This permission gives access to read all the applications.
Can Read Application	This permission gives you the right to read applications for which you have the role “Membership Manager”.
Can Update Application	This permission gives you the right to update an application.

Once the user logs in using the assigned mode of authentication, the following screen will be displayed.

Since the user has permissions to Can Read All Applications and Can Read Application, the Can Read All Applications will override.
The user will be able to view list of all the applications (A).
The user can click on the Application name to view the application information as shown below:

The application information will be available in an editable mode, since the user has the Can Update Application privilege.
The user can update information related to all the applications.

Impact of Restricted Developer and Auditor Role on Audit and Reporting

This module explains the impact on the audit and reporting if the user has been granted the Restricted Developer and Auditor Role.

The User will be assigned following permissions:

Description	Remarks
CanGenerateDocumentation	This permission gives you the right to generate documentation.
Can Read Event Log	This permission gives you the right to read an Event Log.

Once the user logs in using the assigned mode of authentication, the following screen will be displayed:
The user will be able to view list of all the applications (A).

Since the user has permissions to Can Generate Documentation he can use Generate Documentation option to generate documentation of each entity in the Visual Guard console.

Can Read Event Log permission allows access to viewing the event log as shown below:

Impact of Restricted Developer and Auditor Role on Groups

This module explains the impact on the groups if the user has been granted the Restricted Developer and Auditor Role.

The User will be assigned following permissions:

Description	Remarks
\Groups\CanReadGroup	This permission gives access to read a group for which you have the role “Membership Manager”.
\Groups\CanReadAllGroups	This permission gives you the right to read all the groups.

Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
The user will be able to view list of all the applications (A).

Since the user has permissions to Can Read All Groups and Can Read Groups, the Can Read All Groups will override.
The user will be able to view list of all the groups.

The user cannot rename, remove or add a new group, the options will be disabled as shown below:

Impact of Restricted Developer and Auditor Role on Permissions

This module explains the impact on the permissions if the user has been granted the Restricted Developer and Auditor Role.

The User will be assigned the following permissions:

Description	Remarks
Can Create Permission	This permission gives you the right to create a permission.
Can Delete Permission	This permission gives you the right to delete a permission.
Can Read Permission	This permission gives you the right to read a permission.
Can Update Permission	This permission gives you the right to update a permission.

Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
The user will be able to view list of all the applications (A).

The user will have the permission Create Permission as a result the New Permission option will be enabled.

Additional permission related privileges that have been assigned to the user comprise of Update and Delete permissions, these privileges allow access to Rename, Remove, and Duplicate options to the user as shown below.

The Can Read Permission allows the user to view the Permission information when the user clicks on the permission name.

Impact of Restricted Developer and Auditor Role on Permission Sets

This module explains the impact on the permission sets if the user has been granted the Restricted Developer and Auditor Role.

The User will be assigned the following permissions:

Description	Remarks
Can Create Permission Set	This permission gives you the right to create a permission Set.
Can Delete Permission Set	This permission gives you the right to delete a permission Set.
Can Grant Revoke Permission Sets To Application Roles	This permission gives you the right to grant or revoke the permission sets of the application roles.
Can Grant Revoke Permission Sets To Shared Roles	This permission gives you the right to grant or revoke the permission sets of the shared roles.
Can Read Permission Set	This permission gives you the right to read permission Set.
Can Update Permission Set	This permission gives you the right to update a permission Set.

Once the user logs in using the assigned mode of authentication, the following screen will be displayed.
The user will be able to view list of all the applications (A).

The user will have the permission Create Permission Sets as a result the New Permission Set option will be enabled.

Additional permission set related privileges that have been assigned to the user comprise of Update and Delete permissions, these privileges allow access to Rename, Remove, and Duplicate options to the user as shown below.

The Can Read Permission Set allows the user to view the Permission Set information when the user clicks on the permission name.

Additionally the user will also have access to Can Grant Revoke Permission Sets To Application Roles this permission will allow the user to modify the permission sets belonging to the application role.
Can Grant Revoke Permission Sets To Application Roles permission allows access to the Edit Permission Set option as shown below:

When the user clicks on the Edit Permission Sets he will be able to grant or revoke the permission sets.

Can Grant Revoke Permission Sets To Shared Roles permission allows the user to grant or revoke the permission sets listed under the shared role
The Edit Permission Set will be available.

When the user clicks on Edit Permission Sets he will be able to grant or revoke the permission sets.

Impact of Restricted Developer and Auditor Role on Roles

This module explains the impact on the roles if the user has been granted the Restricted Developer and Auditor Role.

The User will be assigned following permissions:

Description	Remarks
Can Create Application Role	This permission gives you the right to create an application role.
Can Update Application Role	This permission gives you the right to update an application role.
Can Grant Revoke Application Roles To Groups	This permission gives you the right to grant or revoke application roles to groups.
Can Grant Revoke Application Roles To Users	This permission gives you the right to grant or revoke application roles to users.
Can Read Application Role	This permission gives you the right to read an application role.
Can Read System Role	This permission gives you the right to read a system role.

When the user logs in using the assigned mode of authentication, the following screen will be displayed.
The user will be able to view list of all the applications (A).

The user can create a new role under an application , since the user has the Can Create Application Role privilege.

The new role will be listed under the Application>Roles option. The user can view the role details by clicking on the role name as shown below:

Since the user has the Can Read Application Role and Can Update Application Role privilege the user can view and update the role details.
Since the user has also been granted the Can Grant Revoke Application Roles To Users privilege the user can grant/revoke new roles to user using options “Grant role to users” & “Revoke role from users” available under tab “Granted User”

Please Note: You can also grant/revoke roles of users Users> Username> Roles> Edit Roles option. Click here to know more.

Grant role to users: When you select option “Grant role to users” you are provided with a screen to select users to whom the role is to be assigned.

Once the users are successfully assigned to the Group, below message will appear

Revoke role from users: When you select option you will be asked for confirmation, as shown below:

Once confirmed by clicking on option “Yes” , the role will be successfully revoked and below message will appear:

The user can also grant the new role to the groups, since the user has the Can Grant Revoke Application Roles To Groups privilege.

The new role will be listed under the application, the user can select and grant role.

Since the user has the Can Read System Role privilege the system role information will be displayed in read only mode.
Since the user has the Can Read Shared Role privilege the shared role information will be displayed in read only mode.

Additionally the Can Read Special Role privilege will allow the special role information to be displayed in read only mode.

Impact of Restricted Developer and Auditor Role on Users

This module explains the impact on the users if the user has been the granted Restricted Developer and Auditor Role.

The User will be assigned following permissions:

Description	Remarks
Can Read All Users	This permission gives you the right to read all users
Can Read User	This permission gives you the right to read a user

When the user logs in using the assigned mode of authentication, the following screen will be displayed.
The user will be able to view list of all the applications (A).

Since the user has both the privileges Can Read All Users and Can Read User permission, Can Read All Users permission will override.
Can Read All Users permission will allow the user to view the list of all users.
The user can view the user details by clicking on username.

All details will be displayed in the read only mode.

See Also:

Special Roles
Impact of granting multiple roles
Special Roles & Permission Matrix