Skip to main content

1E 8.1 (on-premises)

Management group changes in Tachyon v8

Changes that have been made in Tachyon v8 relating to management groups. These changes mean that some PowerShell cmdlets are only available either for this version or later versions, or in some cases, the cmdlets are only available for earlier versions of Tachyon.

Management groups, roles, and principals

Note

The parent page on RBAC cmdlets discusses the RBAC concepts associated with management groups, roles and principals.

In releases of Tachyon prior to release 8, management groups were associated with roles. In versions from release 8 onwards, management groups are instead associated with a role/principal pair. The same role or principal may therefore be associated multiple times with a management group, provided that its pair member differs. You cannot assign the same role and principal pair more than once to a management group, but you can assign the same role and a different principal to it, or conversely, a different set of roles but the same principal, multiple times, to the same group.

Management group hierarchies

Management groups now support hierarchical relationships. A management group may stand alone, or it may have a parent or child management group associated with it. In turn, these child groups may have children, and so on.

A management group can have at most a single parent. However, a parent management group can have multiple children.

When a management group is associated with a role/principal pair, the rights granted to the pair are those of the management group plus its children, if any.

Note

It is possible to assign a role/principal pair to a management group at any level. This means that you can, potentially, assign a role/principal pair both to a parent and one or more child groups. However, if you do so, the net resulting permissions remain unchanged.

Management group rules

Prior to version 8 of Tachyon, management group rules, as defined in the SLA subsystem, and then imported into Tachyon, did not support operator precedence. This meant that you could not define rules where certain logical terms (AND/OR) bound more tightly.

In version 8, rules now support precedence, so you can define in a rule how the various terms will be bound. When creating rules using the PowerShell Integration Toolkit, the rule expression you supply simply uses brackets to specify operator precedence, exactly as you would when specifying a scope or filter expression in Tachyon.

To find out more about management group rules, please refer to SLA management groups and rule expressions.

Management groups and role delegation

It is now possible to define roles which can be delegated by users who lack global privileges to the 'all devices' virtual management group. This is discussed in the documentation for the add-tachyonrole cmdlet.