Node Security
Determining access privileges for additional Shopping administrators and understanding access rights in the Shopping Admin Console.
Determining access privileges for additional Shopping administrators
During installation, you would have determined the primary Shopping administrator account. Even though this account is not displayed under Allowed Users/Groups in Node Security, it is granted access to all the nodes in the Shopping Admin console by default.
Note
If the Shopping administrator account or group is renamed or is deleted and a new one is created in your AD, additional configuration is necessary for the account to function as expected.
Contact our Technical Support team for details on how to do this.
If this is the only account required to access the Shopping Admin console, the default settings are sufficient for configuring Shopping. If you need additional accounts to manage Shopping, use the default Shopping administrator account to create new accounts and grant them access to the Shopping Admin console nodes and the underlying databases.
To manage access privileges for Shopping administrators:
In the Shopping Admin Console, choose Node Security.
To grant or modify access to a particular node, choose Applications under Node Name and from the context menu, click Change Security...
In the Node Security Properties dialog, click Add.
In the Select Users or Groups dialog, choose the Object Types and Locations for the user or group you want to add.
Click OK.
Additional users added in this way can run the Shopping Admin console and configure Shopping subject to their privileges, but they do not necessarily have administrative access to the Shopping Web portal. Web administration is only available to Shopping administrators, members of the Shopping Administrators AD group and Branch administrators.
Note
If the Shopping Admin console Web setting Admin-Console-Manages-Groups is set to True, Shopping automatically adds the user to the associated AD group so that they have the necessary database access.
If it is False, you will need to do this step manually. The relationship between the Shopping Admin Console Node and the associated database access AD group is described in Shopping nodes and console access groups.
Revoking permissions to a node
To revoke permissions to a node:
In the Shopping Admin Console, choose Node Security.
Under Node Name, right-click Applications and from the context menu, click Change Security...
In the Node Security Properties dialog, select the user or group from the list.
Click Remove.
Note
If the Shopping Admin console Web setting Admin-Console-Manages-Groups is set to True, Shopping automatically removes the user from the associated AD group in order to prevent unnecessary database access. If it is False, you will need to do this step manually. The relationship between the Shopping Admin Console Node and the associated database access AD group is described in Shopping nodes and console access groups.
Understanding access rights in the Shopping Admin Console
This section describes the relationship between user account membership of the three Shopping console security access groups specified during installation and the ability to access specific nodes in the Shopping Admin console.
Accessing the Shopping Admin Console
When an Admin Console user starts up the Shopping Admin Console, a check is made in the Shopping database to determine which nodes that user has access to.
Shopping and Configuration Manager database access
Access to each of the nodes in the Shopping Admin Console has an implied set of permissions to access the Shopping and Configuration Manager databases. Prior to installing Shopping, three AD groups must be created and supplied to the Shopping installer. These groups govern the level of access to the Shopping and Configuration Manager databases, with the permissions being added by the Shopping installer.
When changes are made to a user's Shopping Admin Console Node access, via Node Security, membership of the associated AD database access groups is set automatically by Shopping.
Shopping nodes and console access groups
The following table shows which groups are updated when changing a user's Shopping Admin Console Node access:
Admin Console node | Full Shopping database admin access group | Limited Shopping database admin access group | Configuration Manager database access group |
---|---|---|---|
Sites | Yes | - | Yes |
Approvers | - | Yes | - |
User Categories | - | Yes | - |
Computer Categories | - | Yes | - |
Applications | Yes | - | Yes |
Settings | Yes | - | - |
Node Security | Yes | - | - |
Event Log | - | Yes | - |
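
When Admin-Console-Manages-Groups is False, membership of the three database access groups has to be kept in line with Node Security by hand. The following script is an added example (not part of the product or its documentation) that applies the table above to report which group memberships are missing or left over; the three group names, the EXAMPLE\ accounts and both input dictionaries are constructed placeholders standing in for your Node Security entries and an export of AD group membership.

```python
# Node -> database access groups, transcribed from the table above.
# The group names are placeholders for the three AD groups given to the installer.
FULL, LIMITED, CM = "FullShoppingDbAdmins", "LimitedShoppingDbAdmins", "ConfigMgrDbAccess"
NODE_GROUPS = {
    "Sites": {FULL, CM},
    "Approvers": {LIMITED},
    "User Categories": {LIMITED},
    "Computer Categories": {LIMITED},
    "Applications": {FULL, CM},
    "Settings": {FULL},
    "Node Security": {FULL},
    "Event Log": {LIMITED},
}

def required_groups(nodes):
    """Union of the database access groups implied by a set of console nodes."""
    unknown = set(nodes) - NODE_GROUPS.keys()
    if unknown:
        raise ValueError(f"unknown node(s): {sorted(unknown)}")
    return set().union(*(NODE_GROUPS[n] for n in nodes))

def reconcile(node_access, group_members, exempt=()):
    """Return {user: {"add": [...], "remove": [...]}} for users whose group
    membership differs from what their Node Security entries imply.
    exempt: accounts to skip, such as the primary Shopping administrator,
    which is not listed in Node Security (assumed to be managed separately)."""
    users = set(node_access).union(*group_members.values()) - set(exempt)
    drift = {}
    for user in sorted(users):
        need = required_groups(node_access.get(user, ()))
        have = {g for g, members in group_members.items() if user in members}
        add, remove = sorted(need - have), sorted(have - need)
        if add or remove:
            drift[user] = {"add": add, "remove": remove}
    return drift

# Constructed sample data: Node Security entries and current AD group members.
NODE_ACCESS = {
    "EXAMPLE\\alice": {"Applications", "Event Log"},
    "EXAMPLE\\bob": {"Approvers"},
    "EXAMPLE\\carol": set(),  # removed from every node in Node Security
}
GROUP_MEMBERS = {
    FULL: {"EXAMPLE\\alice", "EXAMPLE\\carol", "EXAMPLE\\shopadmin"},
    LIMITED: {"EXAMPLE\\bob"},
    CM: {"EXAMPLE\\alice"},
}

if __name__ == "__main__":
    print(reconcile(NODE_ACCESS, GROUP_MEMBERS, exempt={"EXAMPLE\\shopadmin"}))
```

A group is only reported under "remove" when none of the user's remaining nodes still requires it, so revoking Applications from a user who keeps Settings flags the Configuration Manager group but not the full Shopping database group.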
Determining Shopping Console access via AD groups
If your organization has adopted Delegation of Administration and you need to change Shopping to use AD group membership alone to handle security, you will need to run through the following steps:
Define an AD group per Shopping Admin Console node.
Configure Node Access in the Shopping Admin Console so that each AD group has access to its associated node.
Set the Admin-Console-Manages-Groups Web setting to False.
For example, an Administrator creates eight AD groups with the following names:
admShoppingNodeSites
admShoppingNodeApprovers
admShoppingNodeUserCategories
admShoppingNodeComputerCategories
admShoppingNodeApplications
admShoppingNodeWebSettings
admShoppingNodeSecurity
admShoppingNodeEventLog
The following picture shows these groups added into AD.
The Administrator then sets these groups to have access to their associated Shopping nodes in the Node Security section of the Shopping Admin Console, as shown in the following picture.
The Administrator then sets the Admin-Console-Manages-Groups setting to False, as shown in the following picture.
From this point on, membership of the eight AD Shopping Admin Console groups will govern both the visibility of the Admin Console and the associated access to the Shopping and Configuration Manager databases.