Assigning privileges to users

You must grant privileges to users for them to do anything in Security Center, including logging on, using Security Desk, and so on.

What you should know

Users have a set of basic privileges that are granted to them or inherited from parent user groups. They also have a set of privileges for every partition in which they are an authorized user. Privileges granted or denied at the partition level replace the basic privileges.
BEST PRACTICE: Individual users should only have the minimum required privileges. When assigning privileges, Security Center offers templates, with predefined sets of privileges, that can be applied to users or groups.

To help you better understand what your users can do, Security Center includes a Privilege troubleshooter. The Privilege troubleshooter is a tool that helps you investigate the allocation of user privileges in your Security Center system. Use the troubleshooter to verify access rights and help you fix issues.

To assign privileges to a user:

  1. From the Config Tool home page, open the User management task.
  2. Select the user to configure, and click the Privileges tab.
  3. Use one of the predefined privilege configurations as your starting point.
    At the bottom of the page, click (), and select one of the following:
    • Apply template:
      Select one of the privilege templates to apply.

      Privilege templates can be combined. This means that when you apply a privilege template, you always add privileges. Existing privileges can never be removed as a result of applying a privilege template. To start with a clean slate, go to the top of the privilege hierarchy (All privileges) and click Undefined.

    • Set configuration to read-only:
      Set all entity configuration privileges found under the Administrative privileges group to View properties with Modify properties denied.
    • Set configuration to read-write:
      Set all entity configuration privileges found under the Administrative privileges group to View, Modify, Add, and Delete.
  4. Fine tune the user privileges by changing the individual privilege settings if necessary.
    Keep in mind that if your user has a parent user group, the privilege inheritance rules apply.
    • Allow:
      Grant the privilege to the user. You cannot select this option if the privilege is denied to the parent user group.
    • Deny:
      Deny the privilege to the user.
    • Undefined:
      Inherit this privilege from the parent user group. If there is no parent user group, this privilege is denied.
  5. If necessary, configure the privilege exceptions for each partition the user has access to.
    When a user is given access to a partition, their basic privileges are applied by default to the partition. As a system administrator, you can overwrite the privileges a user has over a specific partition. For example, a user can be allowed to configure alarms in partition A, but not in partition B. This means that a user can have a different set of privileges for each partition they have access to. Only Administrative and Action privileges, plus the privileges over public tasks, can be overwritten at the partition level.
    1. At the bottom of the page, click Exceptions.
      The Privilege exception dialog box opens.
    2. In the Create an exception for drop-down list, select a partition.
    3. Change the user's basic privileges as required.
    4. Click Create.
      The privilege exceptions are added at the bottom of the privilege list.
  6. Click Apply.
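
The rules in this procedure (Allow, Deny, Undefined, inheritance from the parent user group, and partition exceptions replacing basic privileges) can be modeled to review what a user can actually do. The Python below is an added example, not Genetec code or a Security Center API: the Principal class, the function names, and the privilege and partition names are constructed for illustration. It assumes a single chain of parent groups, treats a Deny on any group in that chain as binding, and reads exceptions from the user only.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY, UNDEFINED = "allow", "deny", "undefined"

@dataclass
class Principal:
    """A user or user group (hypothetical model, not a Security Center type)."""
    name: str
    parent: Optional["Principal"] = None            # parent user group, if any
    basic: dict = field(default_factory=dict)       # privilege -> setting
    exceptions: dict = field(default_factory=dict)  # partition -> {privilege: setting}

def basic_allowed(p, privilege):
    """Resolve a basic privilege through the chain of parent user groups."""
    chain = []
    node = p
    while node is not None:
        chain.append(node.basic.get(privilege, UNDEFINED))
        node = node.parent
    if DENY in chain:       # own Deny, or a parent Deny that Allow cannot override
        return False
    return ALLOW in chain   # Undefined all the way up with no parent left: denied

def effective(p, privilege, partition):
    """A partition exception replaces the basic privilege for that partition."""
    override = p.exceptions.get(partition, {}).get(privilege, UNDEFINED)
    if override != UNDEFINED:
        return override == ALLOW
    return basic_allowed(p, privilege)

def exception_grants(p, partitions, privileges):
    """Least-privilege review: pairs allowed only because of an exception."""
    return [(part, priv) for part in partitions for priv in privileges
            if effective(p, priv, part) and not basic_allowed(p, priv)]

# Constructed sample data: one group, one member, one user with no parent group.
operators = Principal("Operators", basic={"Configure alarms": ALLOW})
alice = Principal("alice", parent=operators, exceptions={
    "Partition A": {"Delete cameras": ALLOW},    # granted in partition A only
    "Partition B": {"Configure alarms": DENY},   # inherited Allow removed in B
})
bob = Principal("bob")                           # no parent, everything Undefined

if __name__ == "__main__":
    for part in ("Partition A", "Partition B"):
        print(part, "Configure alarms:", effective(alice, "Configure alarms", part))
    print(exception_grants(alice, ["Partition A", "Partition B"],
                           ["Configure alarms", "Delete cameras"]))
```
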