Users, Groups And Inheritance; Three Forms Of Access Permissions - American Dynamics Intellex Policy Manager User Manual

Version 1.30
Security Concepts for Policy Manager
system. The OS then uses this information, together with information it has about the user session
making the request, to determine if a user or user group has the permission they are requesting.
Let's assume that JSmith wants to view live video on camera 13. Our three fundamental questions
are:
• Who are you, and are you who you say you are? (JSmith, YES)
• What do you want to access? (Camera 13)
• What do you intend to do with it once you have it? (View live video)
Advanced security in Intellex first loads the security descriptor for live video from the security
environment. Then, using the information from the logon session it created for JSmith during
authentication, it asks the operating system:
Does JSmith have access to live video on camera 13?
The system processes that request as though JSmith were asking for the file in the previous
example, but now the security descriptor is a special one created and maintained by Intellex. As
before, if he has permission, he can view live video on camera 13.

Users, groups and inheritance

Policy Manager employs users and groups from your existing corporate network. It is unnecessary
to maintain a separate list outside your normal network environment. Consequently, the
administration client has no mechanism that allows you to add new users or groups; they are
already there.
For a user or user group to have instrument access, the domain where Policy Manager is installed
must recognize that user or group. If you need additional users or groups, you or your network
administrator must add them to the enterprise.
You can authenticate only users. Groups are collections of users who share common permissions.
For example, if JSmith is a member of the marketing group, and the marketing group has full
permissions for the 'Forcasts.xls' file on a file server, then JSmith has full access to that file even
though JSmith has not been explicitly granted access to it. In other words, a user's access
permissions are actually the sum of all permissions that he or she is explicitly granted, plus
whatever permissions are granted to any and all groups that user is a member of.
This principle also applies to Intellex Advanced Security. Building on the example above, if the
Boston group has access to live video on cameras 1 through 16 on Intellex1, JSmith can also see
those cameras, even if he does not appear in the list of users and groups who have been granted
access to those cameras.
The preceding examples illustrate a central concept in network security: inheritance. In the above
scenario, JSmith inherited the permissions that the Boston group holds. Further, JSmith inherits not
only the permissions granted to the group(s) he is a member of, but also the explicit denials.
Thus, if Boston is explicitly denied access to live video for camera 3, JSmith cannot see camera 3.
Denial takes precedence over permission, so even if JSmith is granted access to live video on
camera 3 (either explicitly or indirectly via inheritance), he still cannot see it.

Three forms of access permissions

There are three basic types of access permissions that an administrator can assign to a user or
user group:
• Implicit access
• Explicit access
• Explicit denial
32
Intellex® Policy Manager
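The following is an added illustration, not code from the manual or from American Dynamics, of the evaluation rule the two preceding sections describe: a user's effective rights are the union of everything granted to the user and to every group the user belongs to, an explicit denial on the user or any of those groups overrides every grant, and a resource with no matching entry at all is "implicit" (no access). The Directory class is a hypothetical stand-in for the corporate domain that Policy Manager reads memberships from, and all users, groups, camera names and entries are constructed sample data that follow the JSmith/Boston scenario in the text.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Effect(Enum):
    ALLOW = "allow"  # an "explicit access" entry
    DENY = "deny"    # an "explicit denial" entry


@dataclass(frozen=True)
class Ace:
    """One access control entry on a resource's security descriptor."""
    principal: str   # a user or group name as the domain knows it
    right: str       # the operation, e.g. "live_video"
    resource: str    # the object, e.g. "Intellex1/camera13"
    effect: Effect


@dataclass
class Directory:
    """Hypothetical stand-in for the domain: maps each user to the groups
    they belong to. The product reads this from the network rather than
    keeping its own user list."""
    memberships: dict[str, set[str]] = field(default_factory=dict)

    def principals_for(self, user: str) -> set[str]:
        # The user's own name plus every group the user is a member of.
        return {user} | self.memberships.get(user, set())


class Access(Enum):
    IMPLICIT = "implicit"   # no entry names the user or any of their groups
    EXPLICIT = "explicit"   # granted, directly or through a group
    DENIED = "denied"       # an explicit denial applies and overrides grants


def evaluate(acl: list[Ace], directory: Directory, user: str,
             right: str, resource: str) -> Access:
    """Effective permission: the union of all grants to the user and the
    user's groups, with any denial taking precedence over any grant."""
    principals = directory.principals_for(user)
    matching = [a for a in acl
                if a.principal in principals
                and a.right == right and a.resource == resource]
    if any(a.effect is Effect.DENY for a in matching):
        return Access.DENIED
    if any(a.effect is Effect.ALLOW for a in matching):
        return Access.EXPLICIT
    return Access.IMPLICIT


def can_view_live(acl: list[Ace], directory: Directory,
                  user: str, resource: str) -> bool:
    """Only an effective explicit grant opens the video; implicit and
    denied both mean 'no'."""
    return evaluate(acl, directory, user, "live_video", resource) is Access.EXPLICIT


def viewable_cameras(acl: list[Ace], directory: Directory,
                     user: str, right: str = "live_video") -> list[str]:
    """Every resource the user ends up with effective access to: the 'sum'
    of the user's own grants and all group grants, minus denials."""
    resources = {a.resource for a in acl if a.right == right}
    return sorted(r for r in resources
                  if evaluate(acl, directory, user, right, r) is Access.EXPLICIT)


# Constructed sample data following the manual's scenario.
SAMPLE_DIRECTORY = Directory(memberships={
    "JSmith": {"Boston", "marketing"},
    "ADoe": {"marketing"},        # not in Boston, so no camera grants apply
})

# Boston may view live video on cameras 1 through 16 of Intellex1 ...
SAMPLE_ACL = [Ace("Boston", "live_video", f"Intellex1/camera{n}", Effect.ALLOW)
              for n in range(1, 17)]
# ... but is explicitly denied camera 3.
SAMPLE_ACL.append(Ace("Boston", "live_video", "Intellex1/camera3", Effect.DENY))
# A direct grant to JSmith on camera 3 does not help: denial wins.
SAMPLE_ACL.append(Ace("JSmith", "live_video", "Intellex1/camera3", Effect.ALLOW))

if __name__ == "__main__":
    for cam in ("Intellex1/camera13", "Intellex1/camera3", "Intellex1/camera17"):
        result = evaluate(SAMPLE_ACL, SAMPLE_DIRECTORY, "JSmith", "live_video", cam)
        print(f"JSmith / {cam}: {result.value}")
    print("JSmith can view:", viewable_cameras(SAMPLE_ACL, SAMPLE_DIRECTORY, "JSmith"))
```

The deny check runs before the allow check, which is what makes the ordering of entries irrelevant and keeps a direct grant to the user from quietly overriding a group-level denial. Camera 17 has no entry for any of JSmith's principals, so it is reported as implicit rather than denied, a distinction worth preserving in audit output because the two states are fixed by different administrative actions.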