
User access control

Ross Ditlove, User (Posts: 3)
Feb 26, 2017 12:04:54 am EST
Support level: Free or trial
Hi All,
I am struggling a bit with regard to user security control when using the RU Sync server and Address Book Sync.
Let's say we have computer A and B and we have Users 1 and 2:
User 1 is Full Access to Comp A and B
User 2 is Full Access to Comp A and B

Both use the same desktop computer to support Comp A and B (day shift and night shift)

We then via the remote server utility/ Address Book Manager, change User 2 to NO ACCESS to Comp B, Save and Sync

What I am experiencing is that when logged into the RU Viewer, User 2 continues to have full access to Comp B even though his rights were removed. I have restarted the viewer, restarted the Host, rebooted Comp A and B. It seems once a RU Viewer login has had access to a Comp, that it can not be "UN-accessed"?  
What am I doing wrong?

Thank you for the help
Ross
Conrad, Support (Posts: 2987)
Feb 26, 2017 2:40:43 pm EST
Hello Ross,

Thank you for your message.

When you set user 2 to no access to computer B you effectively only tell the program not to show the computer B record in user 2 address book. However, they can still access the remote Host (computer B) if they know access credentials for that Host.

In other words, address book access rights and Host access rights are two different independent things. But you can combine them (see option 2 below).

There are two options to resolve that:

1) Change security settings on the Host. For example, create user accounts on each Host and then if you need to prevent a certain user from accessing a Host just disable their account on that specific Host.

2) Use the "authorization server" role of the RU Server. This is described here (see "Authorization role" section) and we'll also soon update our documentation with detailed instructions on how to set up custom server security as we call it.  

With option two properly configured your users will only have to sign in their Viewer to be able to access the Hosts. The advantage of using auth server option is that you can centrally manage Host permissions and change them in one place instead of having to change security permissions on each Host (as is with option 1).

Sorry for the lack of documentation on setting up auth server, it will be available very soon and appear in this chapter. Feel free to ask any questions you might have.

Thanks.
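
The distinction described in the reply above, as an added example that is not part of the original post or of Remote Utilities itself: an access-review check that compares address book visibility with Host-side authorization and reports where the two disagree. The data model, function names and sample data are hypothetical, constructed from the thread's scenario.

```python
# Constructed sample data. The layout is hypothetical and is not
# Remote Utilities' own storage format.

# Address book rights: which Host records each user can SEE in the Viewer.
ADDRESS_BOOK_VISIBLE = {
    "user1": {"CompA", "CompB"},
    "user2": {"CompA"},  # CompB set to "no access", saved and synced
}

# Host-side authorization: accounts each Host accepts (True = enabled).
HOST_ACCOUNTS = {
    "CompA": {"user1": True, "user2": True},
    "CompB": {"user1": True, "user2": True},  # never changed on the Host
}


def effective_access(user, host, host_accounts):
    """Only the Host-side decision determines whether a session is accepted."""
    return host_accounts.get(host, {}).get(user, False)


def find_drift(visible, host_accounts):
    """Return (user, host, kind) tuples where the two layers disagree."""
    users = set(visible) | {u for accts in host_accounts.values() for u in accts}
    findings = []
    for host in sorted(host_accounts):
        for user in sorted(users):
            shown = host in visible.get(user, set())
            allowed = effective_access(user, host, host_accounts)
            if allowed and not shown:
                # Record hidden in the address book, but the Host still lets them in.
                findings.append((user, host, "hidden-but-authorized"))
            elif shown and not allowed:
                findings.append((user, host, "visible-but-denied"))
    return findings


def revoke(user, host, host_accounts):
    """Option 1 from the reply: disable the account on that specific Host."""
    if user in host_accounts.get(host, {}):
        host_accounts[host][user] = False


if __name__ == "__main__":
    for finding in find_drift(ADDRESS_BOOK_VISIBLE, HOST_ACCOUNTS):
        print(finding)
```
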
Ross, User (Posts: 3)
Feb 26, 2017 7:38:48 pm EST
Support level: Free or trial
Conrad,
Thank you for the response. I am in fact using the Authorization server for my testing. I have also found what may be a bug, let me describe further.

1. I can not use your Example 1 above, though our example used two users and two computers, in fact it would be two users (or more) and ten computers or more. To change each host and remove/change one user from each host is a major pain in the butt as you know... :-)

2. I actually have 4 computers (Comp 1...4) I am testing with Comp 4 also running all the Server applications (RUS, Address Book Sync) as well as RU Host. I have observed the following which I think could be bugs?
-When on Comp 1 and User 1 has full rights on only Comp 2, User 1 can not see any address book entries nor Comp 2. So this prevents (for me anyway) any access including View to the address book. Yet, if I add the User 1 to the "Parent" Address book with No Rights, and No rights to any child Comp's (Shows User 1 Inherited yet no check marks for any rights), User 1 can now see the address book and even control Comp1-4. Again, User 1 has No Rights yet now has full control. This seems broken to me?

It appears to me that the (synced) Address book itself should be a Right which can be controlled independently of the Comps or a new Right for each Comp and should be "Display in Address Book" (per user or group) so that what is seen in the AB by each User/Group is controlled. This aside there does appear to be a flaw in the Rights controlling given that access is now granted without any Rights.

You are welcome to private message me and I would gladly give you full rights to my RU setup in order to better see what I am seeing?

Let me know how I can help further.

Regards,
Ross
Edited:Ross - Feb 26, 2017 7:39:38 pm EST
Conrad, Support (Posts: 2987)
Feb 26, 2017 7:59:40 pm EST
Hello Ross,

1. I can not use your Example 1 above, though our example used two users and two computers, in fact it would be two users (or more) and ten computers or more. To change each host and remove/change one user from each host is a major pain in the butt as you know... :-)

Yes, that is why we came up with option 2 (auth server) in version 6.5 :) Albeit it requires that you use a self-hosted server, i.e. this option is not available if you stick with our public server infrastructure.

-When on Comp 1 and User 1 has full rights on only Comp 2, User 1 can not see any address book entries nor Comp 2. So this prevents (for me anyway) any access including View to the address book. Yet, if I add the User 1 to the "Parent" Address book with No Rights, and No rights to any child Comp's (Shows User 1 Inherited yet no check marks for any rights), User 1 can now see the address book and even control Comp1-4. Again, User 1 has No Rights yet now has full control. This seems broken to me?

I'm not sure I can understand the example without actually looking at your settings, so yes - perhaps we could use a remote session. Let me know if you can - just send an email to support@remote-utilities.com or PM through the forum.

Thanks.
Ross, User (Posts: 3)
Feb 26, 2017 10:32:12 pm EST
Support level: Free or trial
Conrad,
Thank you for the assistance and clarification.  

Great product!

Regards,
Ross
Conrad, Support (Posts: 2987)
Feb 26, 2017 10:35:18 pm EST
Thank you Ross! We'll do our best to publish the relevant tutorials and concept explanations as soon as possible to ease the adoption/migration process for new users.

* Website time zone: America/New_York (UTC -4)