JetPatch Manager supports a Role-Based Access Control (RBAC) system that enables fine-grained access management for users and groups. The system works with Active Directory (AD) for domain users and groups, Azure Active Directory for cloud-based identities, and local users created within JetPatch itself. This page gives an overview of how access and permissions are managed in JetPatch Manager:
User and Group Types
- Domain Users and Groups (Active Directory): Users and groups managed through AD can access JetPatch Manager using their AD credentials. This integration facilitates seamless access management for organizations leveraging traditional AD infrastructures. For more information on setting up this integration, see Authentication with Active Directory Domains.
- Domain Groups (Azure Active Directory): For organizations utilizing Azure AD, JetPatch Manager accommodates Azure AD groups, enabling cloud-based identities to interact with the system similarly to traditional AD groups. Details on integrating Azure AD can be found in Authentication with Azure Active Directory.
- Local Users: Beyond domain-based management, JetPatch Manager allows the creation of local user accounts. These accounts are defined and managed directly within JetPatch, offering an alternative for environments that may not use AD or Azure AD.
Permission Types
- JetPatch Administrator: Users with this level of access have full control over all aspects of the JetPatch Console, including full permissions for all console tabs, actions, endpoints, and managed agents.
- Regular User: By default, regular users are assigned minimal permissions. They cannot perform most actions, and no endpoints appear to them by default. In the Policy and Tools section, they can view all management tools and services but cannot configure, provision, or operate them. Furthermore, some console tabs may not be visible.
Configurable User Roles and Permissions
JetPatch Manager allows the creation of configurable user roles to assign additional permissions beyond the default settings. These roles can be tailored to fit specific operational needs and responsibilities within the organization. For a step-by-step guide on configuring roles, refer to RBAC: Configuring Roles.
Permissions can be fine-tuned based on:
- Endpoint Scope: Permissions can be limited to specified smart groups, affecting the user's ability to view endpoints, provision management services, and operate those services, all within the confines of their assigned roles and management tool permissions.
- Management Tools: Users may be granted permissions related to specific management tools, enabling them to configure, provision, and operate management services on endpoints as allowed by their roles.
For detailed instructions on configuring user accounts and permissions, including endpoint scope and management tools, see RBAC: Configuring User Accounts and Permissions.
Aggregated Permissions and Domain Group Handling
- Role Aggregation: When a user or group is assigned multiple roles, the permissions of those roles are aggregated, so the user or group holds the combined permissions of all assigned roles.
- Domain Group Selection: In cases where a user belongs to multiple domain groups with differing access levels within JetPatch, the system selects the domain group that grants the most permissive access in JetPatch's context. This selection ensures users have the necessary permissions for their roles without manual intervention for conflict resolution.
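
The following is an added illustration for access reviews, not JetPatch code: it models the two rules above, with roles assigned to one group unioned and a user in several domain groups receiving the single most permissive group. Every role, group and permission name is constructed, and ranking groups by administrator level and then by permission count is an assumption, since this page does not define how permissiveness is compared.

```python
# Constructed model for an access review; every role, group and permission
# name below is hypothetical, not a JetPatch identifier.
ADMIN = "JetPatch Administrator"

# role -> permissions as (smart_group, management_tool, action)
ROLES = {
    "linux-patch-operator": {("linux-prod", "patching", "operate")},
    "linux-patch-provisioner": {("linux-prod", "patching", "provision")},
    "windows-viewer": {("windows-all", "endpoints", "view")},
}
# domain group -> roles (or the administrator level) assigned to it
GROUP_ROLES = {
    "Linux-Ops": ["linux-patch-operator", "linux-patch-provisioner"],
    "Helpdesk": ["windows-viewer"],
    "Platform-Admins": [ADMIN],
}
# user -> domain group memberships
MEMBERSHIPS = {
    "alice": ["Helpdesk", "Linux-Ops"],
    "bob": ["Helpdesk", "Platform-Admins"],
    "carol": ["Helpdesk"],
}

def aggregate(role_names):
    """Role aggregation: union the permissions of every assigned role."""
    is_admin = ADMIN in role_names
    perms = set().union(*(ROLES[r] for r in role_names if r != ADMIN))
    return is_admin, perms

def rank(access):
    # Assumed ordering: administrator outranks everything, then permission count.
    is_admin, perms = access
    return (is_admin, len(perms))

def effective_access(user):
    """Return (selected_group, is_admin, perms) for the most permissive group."""
    per_group = {g: aggregate(GROUP_ROLES[g]) for g in MEMBERSHIPS[user]}
    selected = max(per_group, key=lambda g: rank(per_group[g]))
    return (selected, *per_group[selected])

def review(users):
    """List users whose selected group outranks another of their groups."""
    findings = []
    for user in users:
        per_group = {g: aggregate(GROUP_ROLES[g]) for g in MEMBERSHIPS[user]}
        selected = effective_access(user)[0]
        outranked = [g for g in per_group if rank(per_group[g]) < rank(per_group[selected])]
        if outranked:
            findings.append((user, selected, sorted(outranked)))
    return findings
```

Calling `review(sorted(MEMBERSHIPS))` lists the accounts where one group membership overrides another, which are the ones to examine first when a user's access looks broader than their primary group suggests.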