Simplify Suite support@tricerat.com
Configure the Authorization Manager

The Authorization Manager is a tool designed to give specific users access to certain tasks within the Simplify Console. It can also be used to lock users out of the Simplify Console altogether. The tool currently uses the Authorization Manager snap-in for the Microsoft Management Console. In future releases this option will be available from within the Simplify Console.

Use these steps to set up and configure the Authorization Manager:

1. Accessing the Authorization Manager MMC Snap-In

Access the Authorization Manager by opening the Microsoft Management Console (mmc.msc) and selecting or adding the Authorization Manager snap-in, or by running azman.msc.

 

2. Opening the Simplify Suite Authorization Store

Open the Simplify Suite authorization store by selecting Open Authorization Store under the Action menu. The store file is located at C:\Program Files\triCerat\Simplify Suite\Simplify Console\SimplifySuiteAS.xml

Note: If you are using a build of the Simplify Suite that is earlier than 4.6.x, you will need to turn off the read-only file attribute for the SimplifySuiteAS.xml file. This was corrected in SSv4.6.

3. Creating Role Definitions and Assigning Tasks

Now that we have the Simplify Suite authorization store opened, we can create role definitions that can be assigned to specific users. Under the Definitions container, right-click on Role Definitions and select New Role Definitions.

You will want to give the role definition a logical name (e.g. Printer Administrator, Desktop Administrator, Profile Administrator, etc.).

You will now want to assign tasks to the role definition. Select the Add button, then select the Task tab. There will be a predefined task.

You can assign tasks to the role definition by placing a check next to the desired task definition.

 

Note: The RunSimplifyConsole task is required to run the Simplify Console. You will want to assign this task to anyone that should have access to the Simplify Console.

Here is a complete list of the available tasks with their descriptions:

| Task Name | Description |
|---|---|
| RunSimplifyConsole | Required to run SimplifyConsole. |
| FileManageDataSources | Required to access the Manage Data Sources dialog. |
| ToolsOptions | Required to access the Options dialog. |
| ToolsExternalCustomize | Required to access the Customize External Tools dialog. |
| ToolsLicenseManager | Required to access the License Manager dialog. |
| ToolsConfigureLockdown | Required to access the Simplify Lockdown Configuration dialog. |
| ToolsCustomizeLockdownMessages | Required to access the Customize Lockdown Messages dialog. |
| ToolsServicesLockdown | Required to manage the Lockdown Service via the Tools menu. |
| ToolsServicesResources | Required to manage the Resources Service via the Tools menu. |
| ToolsImportLearnModeApps | Required to access the Import Learn Mode Applications dialog. |
| ToolsShowUsersInLearnMode | Required to access the Users in Learn Mode dialog. |
| ToolsShowDeniedApps | Required to access the Denied Applications dialog. |
| ModifyLockdownMode | Required to modify the Lockdown Mode setting in the Assignments pane. |
| ModifyShellSetting | Required to modify the Shell setting in the Assignments pane. |
| AssignApplicationObjects | Required to assign Application objects and groups. |
| AssignLocalPrinterObjects | Required to assign Local Printer objects and groups. |
| AssignNetworkPrinterObjects | Required to assign Network Printer objects and groups. |
| AssignScrewDriversV3Objects | Required to assign ScrewDrivers v3 objects and groups. |
| AssignScrewDriversV4Objects | Required to assign ScrewDrivers v4 objects and groups. |
| AssignScrewDriversV4PrintServerPrinterObjects | Required to assign ScrewDrivers v4 Print Server Printer objects. |
| AssignRegistryObjects | Required to assign Registry objects and groups. |
| AssignTriShellConfigObjects | Required to assign triShell Configuration objects and groups. |
| AssignResourcesObjects | Required to assign Resources objects and groups. |
| AssignDriveMapObjects | Required to assign Drive Map objects and groups. |
| AssignDriveRestrictionObjects | Required to assign Drive Restriction objects and groups. |
| AssignExplorerObjects | Required to assign Explorer objects and groups. |
| AssignFolderRedirectionObjects | Required to assign Folder Redirection objects and groups. |
| ManageApplicationObjects | Required to create, modify, move, delete, and disable Application objects and groups. |
| ManageLocalPrinterObjects | Required to create, modify, move, delete, and disable Local Printer objects and groups. |
| ManageNetworkPrinterObjects | Required to create, modify, move, delete, and disable Network Printer objects and groups. |
| ManageScrewDriversV3Objects | Required to create, modify, move, delete, and disable ScrewDrivers v3 objects and groups. |
| ManageScrewDriversV4Objects | Required to create, modify, move, delete, and disable ScrewDrivers v4 objects and groups. |
| ManageScrewDriversV4PrintServerPrinterObjects | Required to modify, delete, and disable ScrewDrivers v4 Print Server Printer objects. |
| ManageRegistryObjects | Required to create, modify, move, delete, and disable Registry objects and groups. |
| ManageTriShellConfigObjects | Required to create, modify, move, delete, and disable triShell Configuration objects and groups. |
| ManageResourcesObjects | Required to create, modify, move, delete, and disable Resources objects and groups. |
| ManageDriveMapObjects | Required to create, modify, move, delete, and disable Drive Map objects and groups. |
| ManageDriveRestrictionObjects | Required to create, modify, move, delete, and disable Drive Restriction objects and groups. |
| ManageExplorerObjects | Required to create, modify, move, delete, and disable Explorer objects and groups. |
| ManageFolderRedirectionObjects | Required to create, modify, move, delete, and disable Folder Redirection objects and groups. |
| ToolsOptionsSimplifyConsoleSecurity | Required to view and change Simplify Console security options. |
| BlockAssignments | Required to block assignments in the Assignments tree. |
| ManageOwners | Required to create, delete, and rename custom owners and groups. |
| SearchOwners | Required to access the Search Owners dialog. |
| ManageScrewDriversV4PrintServerObjects | Required to modify, delete, and disable ScrewDrivers v4 Print Server objects. |

 

4. Assigning Role Definitions to Specific Users

Now that you have created a role definition, you will want to assign the role to the desired users in order to give them access to the tasks defined within the role.

Right-click on the Role Assignments container and select Assign Roles.

Place a check next to the desired role definitions and select the OK button.

Under Role Assignments, right-click on the role and select Assign Windows Users and Groups.

Enter the users that should be assigned to the role in the text box. Separate multiple user names with a semicolon.

You will want to repeat these steps until you have created the desired roles for your users.
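Once roles are assigned, the store can be audited to confirm which role assignments actually include RunSimplifyConsole and who their members are. The script below is an added example, not triCerat code; it assumes the Authorization Manager COM runtime (ProgID AzRoles.AzAuthorizationStore) is installed on the machine and reads every application found in the store, since the application name is not given on this page.

```powershell
# Added audit example (not triCerat code). Requires PowerShell 3.0+ and the AzMan runtime.
$StorePath = 'C:\Program Files\triCerat\Simplify Suite\Simplify Console\SimplifySuiteAS.xml'
$GateTask  = 'RunSimplifyConsole'    # task the page says is required to run the console

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath")   # 0 = open an existing store; nothing is submitted

# Recursively expand a task or role definition into every task name it contains.
function Expand-AzTask {
    param($App, [string]$Name, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($Name)) { return }    # already visited; also guards against cycles
    $task = $App.OpenTask($Name)
    foreach ($child in @($task.Tasks)) {
        if ($child) { Expand-AzTask -App $App -Name $child -Seen $Seen }
    }
}

$report = foreach ($app in $store.Applications) {
    foreach ($role in $app.Roles) {
        $tasks = New-Object 'System.Collections.Generic.HashSet[string]'
        foreach ($t in @($role.Tasks)) {
            if ($t) { Expand-AzTask -App $app -Name $t -Seen $tasks }
        }
        [pscustomobject]@{
            Application = $app.Name
            Role        = $role.Name
            Members     = (@($role.MembersName) -join '; ')
            CanRun      = $tasks.Contains($GateTask)
            Tasks       = (($tasks | Sort-Object) -join ', ')
        }
    }
}

# Full picture: who holds which tasks.
$report | Sort-Object Application, Role | Format-List

# Roles that have members but no RunSimplifyConsole: those users cannot open the console.
$report | Where-Object { $_.Members -and -not $_.CanRun } |
    ForEach-Object { Write-Warning "Role '$($_.Role)' has members but lacks $GateTask" }

# Roles with no members at all are unused assignments worth cleaning up.
$report | Where-Object { -not $_.Members } |
    ForEach-Object { Write-Warning "Role '$($_.Role)' has no members assigned" }
```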

 

5. Enabling the Authorization Manager for the Simplify Suite

From within the Simplify Console, select the Tools menu and click on Options. Select the Security option located under Simplify Console. Place a check next to Enable use of Authorization Manager. Select the ellipsis button to browse for the store file.

Once the store file is selected, you will want to test it to check for possible issues by selecting the Test button.

The following message will be displayed if you have not added access to the Simplify Console for your current logon:

You will receive a message stating that the test has passed if the test is successful. Select the OK button to apply the changes. The Authorization Manager has now successfully been enabled.

 

6. Securing the Simplify Suite Authorization Store

You may want to modify the security settings for the SimplifySuiteAS.xml file so that only specified users are allowed to modify it. This can be done by opening the properties for the file and making the appropriate modifications on the Security tab. Please note that all users who access the Simplify Console need read access to the file.
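The same change can be scripted instead of made on the Security tab. The following is an added example, not triCerat code; the group names in $Editors and $Readers are assumptions to be replaced with the accounts that manage the store and the accounts that run the Simplify Console.

```powershell
# Added example (not triCerat code). Run from an elevated PowerShell session.
$StorePath = 'C:\Program Files\triCerat\Simplify Suite\Simplify Console\SimplifySuiteAS.xml'
$Editors   = @('BUILTIN\Administrators')   # assumption: who may change roles and tasks
$Readers   = @('BUILTIN\Users')            # assumption: everyone who runs Simplify Console
$System    = 'NT AUTHORITY\SYSTEM'

function New-AllowRule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'Allow')
}

$acl = Get-Acl -Path $StorePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and discard inherited entries
foreach ($rule in @($acl.Access)) {           # discard any explicit entries already present
    [void]$acl.RemoveAccessRule($rule)
}

$acl.AddAccessRule((New-AllowRule $System 'FullControl'))
foreach ($id in $Editors) { $acl.AddAccessRule((New-AllowRule $id 'Modify')) }
foreach ($id in $Readers) { $acl.AddAccessRule((New-AllowRule $id 'Read')) }
Set-Acl -Path $StorePath -AclObject $acl

# Verify: list what was applied and flag any write-capable entry outside the editor list.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$applied   = (Get-Acl -Path $StorePath).Access
$applied | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

$unexpected = $applied | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $writeMask) -and
    (($Editors + $System) -notcontains $_.IdentityReference.Value)
}
if ($unexpected) {
    Write-Warning "Unexpected write access: $($unexpected.IdentityReference -join ', ')"
} else {
    'Only the listed editors and SYSTEM can modify the store.'
}
```

Check the containing folder as well: an account that can create or delete files in the Simplify Console directory could replace the store file regardless of the file's own permissions.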

©2010. All Rights Reserved.