jcarter7
2010-05-12T20:58:36Z
Ability to connect to server using current Win/AD account (do NOT enter password) critical for enterprise security management.
Support
2010-05-12T21:18:28Z
This has been asked for before but we have some questions that we could discuss here with you:

1. At what stage would you suggest that integration is added? I am talking about when and how the configuration is done in VisualCron.
2. Do you have any idea what you expect from the configuration interface?
3. How do you suggest that users or groups should be mapped to specific users and permissions in VisualCron?
Henrik
Support
http://www.visualcron.com 
jcarter7
2010-05-12T21:26:46Z
That's a lot to talk about! I would suggest you look at how MS SQL Server handles this, it is a great example of this type of enterprise-level security.
Support
2010-05-12T21:29:16Z
There is one thing how to handle it and how we see it. What I am saying is that we are open for discussions how you would like it to work. In this forum we discuss with our customers to find a consensus on a generic solution that fits all.
Henrik
Support
http://www.visualcron.com 
jcarter7
2010-05-18T02:53:16Z
VC needs a "Role" object, you would assign permissions to roles instead of users. Then, instead of creating users, you would select AD Groups/Users that can access VC, and assign one or more Roles to that "User".

One way to implement in UI would be to convert the VC "User" object to a "Role" object and add a "Members" collection which would be the AD Groups/Users. Would need a special fixed Admin role with all permissions (cannot change permissions on Admin role).
ErikC
2010-05-18T07:49:19Z
jcarter7 wrote:

instead of creating users, would select AD Groups/Users that can access VC, and assign one or more Roles to that "User".


What if VC is used at a standalone pc? Then VC still needs a user to logon to.

I'm thinking why changing the authorization? VC isn't built to give people easy access to. The things you can do with VC are enormous and rights should be managed very carefully.

I like the idea of creating roles with certain rights and assign people to it. Throughout the AD, or within VC itself.


Regards,
Erik

Uses Visualcron since 2006.
adutoit
2010-05-18T09:52:12Z

Please see post http://visualcron.com/forum.aspx?g=posts&t=85  re this topic.

The security can be kept within VC, I have no problem with that and a role based scheme would be a great addition. However until you can assign rights per job (user or role), if you can log in to VC you have the potential to start any job that has been set up. The point is that we use VC for both operational purposes and system admin functions. You cannot allow someone that is monitoring and possibly restarting a nightly production run to have access to system admin jobs.

AD integration as part of the VC login authentication; From an auditing point of view if you hold a password in your software then you are responsible to implement measures like encryption, password aging, password length, rules of password naming, retention of passwords to prevent re-use etc, etc, etc. It is the first question asked in every system audit. Either you bring in the measures and make your software compliant or let AD do it since typically all your security policies aligning to the business is defined there.
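
A sketch of the role model proposed in this thread (roles own permissions, AD users/groups are members, a fixed Admin role, and the per-job rights raised in the post above), as an added example that is not VisualCron code and not part of any post. All class, role, group and job names are hypothetical, and the caller's identity list is assumed to come from the already-authenticated Windows logon.

```python
from dataclasses import dataclass, field

ADMIN_ROLE = "Admin"   # hypothetical name for the fixed all-permissions role
ANY_JOB = "*"          # hypothetical wildcard: grant applies to every job


@dataclass
class Role:
    name: str
    members: set = field(default_factory=set)   # AD users/groups, e.g. "CORP\\NightOps"
    grants: set = field(default_factory=set)    # (permission, job) pairs


class RoleStore:
    def __init__(self):
        self._roles = {ADMIN_ROLE: Role(ADMIN_ROLE)}

    def add_role(self, name):
        if name in self._roles:
            raise ValueError(f"role {name!r} already exists")
        self._roles[name] = Role(name)

    def add_member(self, role, principal):
        # Windows account names compare case-insensitively.
        self._roles[role].members.add(principal.lower())

    def grant(self, role, permission, job=ANY_JOB):
        if role == ADMIN_ROLE:
            raise PermissionError("permissions of the Admin role are fixed")
        self._roles[role].grants.add((permission, job))

    def is_allowed(self, identities, permission, job):
        """identities: the caller's account name plus group names; no password is handled here."""
        ids = {i.lower() for i in identities}
        for role in self._roles.values():
            if not ids & role.members:
                continue
            if role.name == ADMIN_ROLE:
                return True
            if (permission, job) in role.grants or (permission, ANY_JOB) in role.grants:
                return True
        return False  # default deny: no matching role, no access


def build_sample_store():
    # Constructed sample data; every name below is made up for illustration.
    store = RoleStore()
    store.add_member(ADMIN_ROLE, "CORP\\VC-Admins")
    store.add_role("NightOperator")
    store.add_member("NightOperator", "CORP\\NightOps")
    store.grant("NightOperator", "run", job="Nightly production run")
    store.grant("NightOperator", "view")
    return store
```

With the sample store, a member of the operator group can run only the one job granted to that role, while viewing is allowed on every job and accounts with no role membership are denied.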

jcarter7
2010-05-18T14:34:16Z
ErikC wrote:

jcarter7 wrote:

instead of creating users, would select AD Groups/Users that can access VC, and assign one or more Roles to that "User".


What if VC is used at a standalone pc? Then VC still needs a user to logon to.

I'm thinking why changing the authorization? VC isn't built to give people easy access to. The things you can do with VC are enormous and rights should be managed very carefully.

I like the idea of creating roles with certain rights and assign people to it. Throughout the AD, or within VC itself.


Regards,
Erik




Even a standalone PC still has user accounts.
Support
2010-07-23T17:22:36Z
Please continue discussion here and test this version:

http://www.visualcron.co....aspx?g=posts&m=6509 
Henrik
Support
http://www.visualcron.com 
Support
2010-09-02T11:50:38Z
Please continue discussion about Roles and new permissions here:

http://www.visualcron.co....aspx?g=posts&t=1424 
Henrik
Support
http://www.visualcron.com 