Permissions in the DOC
Configuration: DOC -> Administration -> Accounts -> Accounts or Roles
You can configure the DriveLock permissions settings only in the DriveLock Operations Center (DOC). These settings in the DOC also apply to the DriveLock Management Console (DMC).
User accounts and permissions can be defined in the Administration menu in the Accounts view.
Accounts
An account contains a user's security-related data and provides access to DriveLock functionality. Each account has roles assigned to it (role assignments), which include various rights (role permissions) to perform actions.
- Accounts in the cloud environment
  Role assignments are evaluated directly for email accounts.
- Active Directory accounts
  Accounts can be created for both individual users and groups in Active Directory. When a user logs in, their Active Directory groups are resolved and the user's role assignments are completed with the role assignments for any group accounts found.
- Microsoft Entra ID accounts
  The groups and memberships of Microsoft Entra ID can be synchronized. In combination with the login via SAML, the user's group memberships are queried from Microsoft Entra ID. This enables role assignments to the Microsoft Entra ID groups in which the user is a member, similar to Active Directory.
Roles and role permissions
- Different permissions are combined in a role. DriveLock checks whether the required permissions are assigned when actions are performed.
- DriveLock provides several built-in roles (e.g. Supervisor, Administrator), but you can also define and use your own roles.
Role assignments
- A role assignment links an account to a role and, optionally, a context that restricts how the role and its permissions are applied to specific objects.
- Available contexts for role assignments:
  - Global: the role applies globally with no restrictions on objects.
  - OU: the role applies only to computers included in the selected Active Directory OU.
  - Group: the role applies only to computers that are members of the specified DriveLock group.
  - Policy collection: the role applies only to policies that are included in a policy collection.
- In the computer context (OU or group), it is only possible to have permissions on computers, even if the role originally includes permissions to other areas.
- In the policy collection context, permissions only apply to policies, but not to other objects.
Examples:
- In the Global context, a user with the Helpdesk role is allowed to see all computers and events, the entire inventory, etc., and also to open policies (but not save them).
- In the Active Directory OU context, a user with the Helpdesk role is allowed to see only computers, events, etc. that are contained in the specified Active Directory OU. However, this user is not allowed to open policies, because a role assignment to an OU applies only to computers, not to policies. You can add an additional role assignment to allow that.
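The evaluation rules described above (group accounts resolved at login, a role assignment's context deciding which objects its permissions reach, and the Helpdesk examples) can be reproduced in a small model. The following Python is an added illustration, not DriveLock's own code: the role names, permission identifiers, object model and account names are assumptions chosen to mirror the text, and the scenario data is constructed.

```python
"""Toy model of DriveLock-style accounts, roles, role assignments and contexts.

Added illustration, not DriveLock's own code. Permission names, the object
model and all account/OU/group names are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Union

# Assumed permission names; DriveLock's real permission identifiers are not on the page.
ROLES = {
    "Helpdesk": {"computer.view", "event.view", "inventory.view", "policy.open"},
    "Administrator": {"computer.view", "event.view", "inventory.view",
                      "policy.open", "policy.save"},
}


@dataclass(frozen=True)
class Computer:
    name: str
    ou: str                       # distinguished name of the AD OU
    groups: FrozenSet[str]        # DriveLock groups the computer belongs to


@dataclass(frozen=True)
class Policy:
    name: str
    collection: str               # policy collection the policy belongs to


@dataclass(frozen=True)
class RoleAssignment:
    account: str                  # user or group account name
    role: str
    context: str = "Global"       # Global | OU | Group | PolicyCollection
    target: Optional[str] = None  # OU DN, DriveLock group or collection name


def _context_covers(ra: RoleAssignment, obj: Union[Computer, Policy]) -> bool:
    """Does the assignment's context apply to obj?

    Computer contexts (OU, Group) only ever reach computers, the policy
    collection context only reaches policies, Global reaches anything.
    """
    if ra.context == "Global":
        return True
    if ra.context == "OU":
        return isinstance(obj, Computer) and obj.ou == ra.target
    if ra.context == "Group":
        return isinstance(obj, Computer) and ra.target in obj.groups
    if ra.context == "PolicyCollection":
        return isinstance(obj, Policy) and obj.collection == ra.target
    raise ValueError(f"unknown context {ra.context!r}")


def is_allowed(user: str, ad_groups: Set[str], permission: str,
               obj: Union[Computer, Policy], assignments: List[RoleAssignment]) -> bool:
    """Resolve the user's group accounts, then allow the action if any matching
    role assignment carries the permission within a context that covers obj."""
    accounts = {user, *ad_groups}  # groups resolved at login, as the text describes
    return any(
        ra.account in accounts
        and permission in ROLES[ra.role]
        and _context_covers(ra, obj)
        for ra in assignments
    )


def demo() -> dict:
    """Constructed scenario reproducing the Helpdesk examples from the text."""
    sales_ou = "OU=Sales,DC=example,DC=com"
    pc_sales = Computer("PC-SALES-01", sales_ou, frozenset({"Laptops"}))
    pc_dev = Computer("PC-DEV-01", "OU=Dev,DC=example,DC=com", frozenset())
    pol = Policy("Baseline", collection="Workstations")

    assignments = [
        RoleAssignment("alice", "Helpdesk"),                           # Global context
        RoleAssignment("bob", "Helpdesk", "OU", sales_ou),             # computer context
        RoleAssignment("HelpdeskStaff", "Helpdesk", "OU", sales_ou),   # AD group account
    ]
    # The "additional role assignment" the text mentions for opening policies.
    extended = assignments + [RoleAssignment("bob", "Helpdesk", "PolicyCollection", "Workstations")]
    return {
        "alice_sees_dev_pc": is_allowed("alice", set(), "computer.view", pc_dev, assignments),
        "alice_opens_policy": is_allowed("alice", set(), "policy.open", pol, assignments),
        "alice_saves_policy": is_allowed("alice", set(), "policy.save", pol, assignments),
        "bob_sees_sales_pc": is_allowed("bob", set(), "computer.view", pc_sales, assignments),
        "bob_sees_dev_pc": is_allowed("bob", set(), "computer.view", pc_dev, assignments),
        "bob_opens_policy": is_allowed("bob", set(), "policy.open", pol, assignments),
        "bob_opens_policy_with_extra": is_allowed("bob", set(), "policy.open", pol, extended),
        "carol_via_group": is_allowed("carol", {"HelpdeskStaff"}, "computer.view", pc_sales, assignments),
        "carol_opens_policy": is_allowed("carol", {"HelpdeskStaff"}, "policy.open", pol, assignments),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two points worth noting from the model: a permission is only ever reachable through a context that covers the object's type, so an OU or group assignment can never grant policy access no matter how rich the role is, and group-account assignments take effect for a user only through the group memberships resolved at login, which is why a change in Active Directory or Entra ID group membership changes what a user can do without any edit to the user's own account.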