Determining access privileges for additional Shopping administrators

During installation, you would have determined the primary Shopping administrator account. Even though this account is not displayed in the Allowed Users/Groups in the Node Security, it is granted access to all the nodes in the Shopping Admin console by default.

If the Shopping administrator account or group is renamed or is deleted and a new one is created in your AD, additional configuration is necessary for the account to function as expected. Contact our Technical Support team for details on how to do this.

If this is the only account required to access the Shopping Admin console, the default settings are sufficient to configuration of Shopping. If you need additional accounts to manage Shopping, use the default Shopping administrator account to create new accounts and enable them access to the Shopping Admin console nodes and the underlying databases.

To manage access privileges for Shopping administrators:

  1. In the Shopping Admin Console, choose Node Security.
    Managing administrative access privileges in the node security
  2. To grant or modify access to a particular node, choose Applications under Node Name and from the context menu, click Change Security...
    Granting or modifying node permissions
  3. In the Node Security Properties dialog, click Add.
    Adding users or groups
  4. In the Select Users of Group dialog, choose the Object Types and Locations for the user or group you want to add.
    Choosing users or groups to add
  5. Click OK. 
    Displaying the recently added group

Additional users added in this way can run the Shopping Admin console and configure Shopping subject to their privileges but they do not necessarily administrative access to the Shopping Web portal. Web administration is only available to Shopping administrators, members of the Shopping Administrators AD group and Branch administrators.

If the Shopping Admin console Web setting Admin-Console-Manages-Groups is set to True, Shopping automatically adds the user to the associated AD group so that they have the necessary database access. If it is False, you will need to do this step manually. The relationship between the Shopping Admin Console Node and the associated database access AD group is described in Shopping nodes and console access groups.

Revoking permissions to a node

To revoke permissions to a node:

  1. In the Shopping Admin Console, choose Node Security. 
  2. Under Node Name, right-click Applications and from the context menu, click Change Security...
  3. In the Node Security Properties dialog, select the user or group from the list.
    Revoking permissions
  4. Click Remove.
If the Shopping Admin console Web setting Admin-Console-Manages-Groups is set to True, Shopping automatically removes the user from the associated AD group in order to prevent unnecessary database access. If it is False, you will need to do this step manually. The relationship between the Shopping Admin Console Node and the associated database access AD group is described in Shopping nodes and console access groups.

Understanding access rights in the Shopping Admin Console 

This section describes the relationship between user account membership of the three Shopping console security access groups specified during installation and the ability to access specific nodes in the Shopping Admin console.

Accessing the Shopping Admin Console

When an Admin Console user starts up the Shopping Admin Console, a check is made in the Shopping database to determine which nodes that user has access to.

Shopping and Configuration Manager database access

Access to each of the nodes in the Shopping Admin Console has an implied set of permissions to access the Shopping and Configuration Managerdatabases. Prior to installing Shopping, three AD groups must be created and supplied to the Shopping installer. These groups govern the level of access to the Shopping and Configuration Manager databases, with the permissions being added by the Shopping installer.

When changes are made to a user's Shopping Admin Console Node access, via Node Security, membership of the associated AD database access groups is set automatically by Shopping.

Shopping nodes and console access groups

The following table shows which groups are updated when changing a user's Shopping Admin Console Node access:

Admin Console nodeFull Shopping database admin access groupLimited Shopping database admin access groupConfiguration Manager database access group
SitesYes-Yes
Approvers-Yes-
User Categories-Yes-
Computer Categories-Yes-
ApplicationsYes-Yes
SettingsYes--
Node SecurityYes--
Event Log-Yes-

Determining Shopping Console access via AD groups

If your organization has adopted  Delegation of Administration and you need to change Shopping to use AD group membership alone to handle security, you will need to run through the following steps:

  1. Define an AD group per Shopping Admin Console node.
  2. Configure Node Access in the Shopping Admin Console so that each AD group has access to its associated node.
  3. Set Admin-Console-Manages-Groups web setting to False.

For example, an Administrator creates eight AD groups with the following names:

  • admShoppingNodeSites
  • admShoppingNodeApprovers
  • admShoppingNodeUserCategories
  • admShoppingNodeComputerCategories
  • admShoppingNodeApplications
  • admShoppingNodeWebSettings
  • admShoppingNodeSecurity
  • admShoppingNodeEventLog

The following picture shows these groups added into AD.

The Administrator then sets these groups to have access to their associated Shopping nodes in the Node Security section of the Shopping Admin Console, as shown in the following picture

The Administrator then sets the Admin-Console-Manages-Groups setting to False, as shown in the following picture.

From this point on membership of the eight AD Shopping Admin Console groups will govern both the visibility of the Admin Console and the associated access to the Shopping and Configuration Manager databases.