Certero Role Permissions
In Administration > Roles, you can build customised bundles of Certero application permissions to use as user security roles. The permissions are quite extensive and provide up to three levels of access to datagrids, data types, management objects, etc.
The access levels are:
No Access: The data or management functionality is not visible to the Role.
View: The data or management functionality is visible but can’t be edited or otherwise managed.
Edit: The role has full access to see and manage the data or management function. If Edit permission is not available for an item, it means that the data is only designed to be viewed and there’s no possibility to modify, archive, assign ownership, change user-defined fields; or otherwise manage it.
In the Role properties dialog, the sections down the left typically correspond to the Certero modules. Modules are the units of functionality enablement in Certero customer licence keys. If, for example, a customer is licensed for Microsoft Licensing, they will see the Microsoft Licensing Runtime and UI section.
On the right-hand pane of the currently selected section, you will see headings for permission groups. The permissions in a group will have something in common. Let’s work through the pages, permission groups and permissions to understand their characteristics.
Any permission item referencing a Connector means that the permission will control access to the data-grid for that Connector type. If there is No Access, then the main menu item to access the data-grid will not appear. If there is View access, the menu item will be available, the data-grid will be accessible for reporting, but no changes to the connectors can be made. We can now skip any further mention of Connectors permissions while we explore the permission sections.
The table below explains the permissions for the sections Core Runtime and Inventory Runtime . These two sections are the most heavily populated with permissions and are the most challenging to understand.
Section | Permission Group | Permission | Access Control Targets |
--- | --- | --- | --- |
Core Runtime | Assets | Computers | Client Management > [all datagrids]; Computer Systems > All Systems (no access to the OS-specific datagrids in Computer Systems); Miscellaneous > Duplicate Systems; Miscellaneous > Operating Systems |
Core Runtime | Assets | Active Directory Objects | All datagrids in the Active Directory menu that contain objects and data from AD Connectors. Drive Mappings, Printer Mappings and Profiles are not included, as these come from Windows computer inventory. |
Core Runtime | Assets | Network Discovery Objects | Network Devices > [all datagrids] |
Core Runtime | Assets | Data Groups | Data Groups > [all items] (requires the Active Directory Objects permission, above) |
Core Runtime | Assets | User-defined Assets | User-defined Assets > [all items]. Access to other main menu sections is granted where user-defined asset tables are configured to appear in them, but other items in those main menu sections will not appear unless granted by the relevant permissions. |
Core Runtime | Administration | Networks | Administration > Networks |
Core Runtime | Administration | Logins and Roles | Administration > Logins; Administration > Roles; Administration > User Profiles |
Core Runtime | Administration | DNS Servers | Administration > DNS Servers |
Core Runtime | Administration | Plugin Tools | Administration > Plugin Tools |
Core Runtime | Administration | Zones | Administration > Zones |
Core Runtime | Administration | API Keys | Administration > API Keys |
Core Runtime | Administration | Endpoint Servers | Administration > Endpoint Servers. Edit permission is not available here; it is bestowed by membership of the built-in SysAdmin Role. |
Core Runtime | Administration | User-defined Fields/Assets | Administration > User-defined Assets; Administration > User-defined Fields |
Core Runtime | Administration | Computer Configurations | Computer Systems > Configurations |
Core Runtime | Administration | Reporting Levels | [to be confirmed / deprecated] The ability to assign Reporting Levels to Roles is bestowed by the Logins and Roles permission, above. Access to manage Orgs and OUs requires access to the Global Settings menu via the SysAdmin Role. |
Core Runtime | Administration | Currencies | Administration > Currencies |
Core Runtime | Administration | Rules | Administration > Object Rules |
Core Runtime | Administration | Filters | Governance > Filters |
Core Runtime | Administration | Policies | Governance > Policies |
Core Runtime | Administration | Authentication Providers | Administration > Authentication Providers |
Inventory Runtime | Assets | Computers | Computer Systems > [all except All Systems]; Docker > [all datagrids]; Miscellaneous > Monitors; Software > [all except Autodesk Products] |
Inventory Runtime | Assets | SQL Servers | Miscellaneous > SQL Instances |
Inventory Runtime | Assets | User Profile Information | Active Directory > Drive Mappings; Active Directory > Printer Mappings; Active Directory > Profiles |
Inventory Runtime | Assets | Virtualization | Virtualization > [all datagrids except VMware Licences] |
Inventory Runtime | Assets | Product Keys | Exposes the Product Keys properties group on the Software section of the properties dialog of a Microsoft Windows Computer System. Possibly also applies to other locations in Certero where product keys are displayed. |
Inventory Runtime | Assets | Microsoft Exchange | Microsoft Exchange > [all datagrids] |
Inventory Runtime | Assets | Certificates | Miscellaneous > Certificates |
Inventory Runtime | Administration | [per connector] | [per connector] |
Full (edit) access to a data-grid doesn’t guarantee you will be able to see and do everything on that data-grid without permissions to additional, associated things. For example, access to a computer data-grid without access to AD data will prevent you from opening computer property pages or assigning ownership to users. Although it’s unlikely that Certero administrators would require such unusual splitting of permissions, the facility is there in Certero to achieve it; so be mindful of possible consequences.
The permission sections not listed in the table above are for non-core Certero modules, e.g. Distribution, Patching, AppsMonitor, Passworks, Cloud, and the large range of general and specialist licensing modules. The permissions for these are uncomplicated, not expansive and should be self-explanatory for users who understand those modules.
If there’s an administrative permission or function in the Certero application that’s not visibly managed by custom Roles, then the built-in SysAdmin Role will bestow the access.
A user with no permissions assigned, nor membership of the SysAdmin Role, will only see Reports in the main menu; but reporting access to various data types will not be available unless the relevant permissions are assigned.
If a user has multiple roles assigned, then they will receive the sum of the highest level of permissions for all the roles. For example, if one role gives the user read only permissions to a certain thing, and they are assigned another role that gives edit permissions to the same thing, then the user will have edit permissions for that thing.
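The rules above (three ordered access levels, the highest level across all assigned roles winning, items such as Endpoint Servers that never offer Edit, associated permissions such as Data Groups needing Active Directory Objects, and a user with no permissions seeing only Reports) can be checked mechanically before a role bundle is rolled out. The model below is an added illustration written for this page; it is not Certero's own code, and the role names, the `REQUIRES` and `MENU_OF` tables and the sample roles are constructed assumptions drawn only from the statements on this page.

```python
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple

# Hypothetical model of the role-merging rules described on this page.
# It is an illustration, not Certero's implementation.


class Access(IntEnum):
    """The three access levels, ordered so max() selects the most permissive."""
    NO_ACCESS = 0
    VIEW = 1
    EDIT = 2


# A permission item is identified by (section, permission group, permission).
Item = Tuple[str, str, str]
Role = Dict[Item, Access]

COMPUTERS: Item = ("Core Runtime", "Assets", "Computers")
AD_OBJECTS: Item = ("Core Runtime", "Assets", "Active Directory Objects")
DATA_GROUPS: Item = ("Core Runtime", "Assets", "Data Groups")
ENDPOINT_SERVERS: Item = ("Core Runtime", "Administration", "Endpoint Servers")

# Items the page says offer no Edit level: effective access is capped at View.
VIEW_ONLY_ITEMS = {ENDPOINT_SERVERS}

# Associated permissions stated on the page: Data Groups requires Active Directory
# Objects, and computer property pages / ownership assignment need AD data.
REQUIRES: Dict[Item, List[Item]] = {
    DATA_GROUPS: [AD_OBJECTS],
    COMPUTERS: [AD_OBJECTS],
}

# Main-menu entry that each modelled item unlocks at View or above (assumed mapping).
MENU_OF: Dict[Item, str] = {
    COMPUTERS: "Computer Systems",
    AD_OBJECTS: "Active Directory",
    DATA_GROUPS: "Data Groups",
    ENDPOINT_SERVERS: "Administration",
}

# Constructed sample roles (hypothetical names, not Certero built-ins).
ROLE_AUDITOR: Role = {
    COMPUTERS: Access.VIEW,
    AD_OBJECTS: Access.VIEW,
    ENDPOINT_SERVERS: Access.VIEW,
}
ROLE_ASSET_EDITOR: Role = {
    COMPUTERS: Access.EDIT,
    DATA_GROUPS: Access.EDIT,
    ENDPOINT_SERVERS: Access.EDIT,  # capped to View by VIEW_ONLY_ITEMS
}


def effective_permissions(roles: Iterable[Role]) -> Dict[Item, Access]:
    """Merge roles: each item gets the highest level any assigned role grants."""
    merged: Dict[Item, Access] = {}
    for role in roles:
        for item, level in role.items():
            if item in VIEW_ONLY_ITEMS:
                level = min(level, Access.VIEW)
            merged[item] = max(merged.get(item, Access.NO_ACCESS), level)
    return merged


def access_to(effective: Dict[Item, Access], item: Item) -> Access:
    """Anything no role grants is No Access."""
    return effective.get(item, Access.NO_ACCESS)


def unmet_dependencies(effective: Dict[Item, Access]) -> List[Tuple[Item, Item]]:
    """Granted items whose associated item is still No Access (UI will be partly unusable)."""
    problems: List[Tuple[Item, Item]] = []
    for item, deps in REQUIRES.items():
        if access_to(effective, item) == Access.NO_ACCESS:
            continue
        for dep in deps:
            if access_to(effective, dep) == Access.NO_ACCESS:
                problems.append((item, dep))
    return problems


def visible_main_menu(effective: Dict[Item, Access]) -> List[str]:
    """Reports is always shown; other entries need at least View on a modelled item."""
    menus = {"Reports"}
    for item, menu in MENU_OF.items():
        if access_to(effective, item) >= Access.VIEW:
            menus.add(menu)
    return sorted(menus)


if __name__ == "__main__":
    combined = effective_permissions([ROLE_AUDITOR, ROLE_ASSET_EDITOR])
    print("Computers:", access_to(combined, COMPUTERS).name)
    print("Endpoint Servers:", access_to(combined, ENDPOINT_SERVERS).name)
    print("Unmet (editor only):", unmet_dependencies(effective_permissions([ROLE_ASSET_EDITOR])))
    print("Menu (no roles):", visible_main_menu(effective_permissions([])))
```

Running the script shows the merge behaviour described above: the auditor's View on Computers combined with the editor's Edit yields Edit, Endpoint Servers stays at View regardless of what a custom role asks for, and the asset-editor role on its own flags Data Groups and Computers as missing their Active Directory Objects dependency, the situation the warning about split permissions refers to.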
Users will typically need to sign out of and back into Certero for permission changes to take effect.