[Emerald] Emerald 2.5 Operator Group Security

Sheryl D. Stover
Tue, 9 Feb 1999 13:44:46 -0800

I've gotten a few direct requests just in the last 10 minutes or so for
this, so here goes. :)

Please note this is an update to the documentation, which is correct in all
but the aspect of directing you to place users in the Emerald SQL group.

Emerald Security is enforced through the use of views rather than the
operator having direct access to the database itself. This is implemented
by placing the operator in the EmeraldSecure SQL group, which has access to
a series of views rather than the tables themselves. Any operator you
create, for whom you want the Operator Group Access parameters to apply,
must be in the SQL group EmeraldSecure. It has been my experience that
users you created prior to upgrading to Emerald 2.5 must be modified in SQL
rather than through the Security configuration in the Emerald Administrator.
This is done in Enterprise Manager, by going to the Manage menu and
selecting "Logins". You will need to select the operator you wish to modify
and then place them in the EmeraldSecure SQL group. Do this all at once -
preferably when people are not logging in and out of Emerald - as they will
not be able to access anything if they are not in a default Operator Access
group.

Open the Emerald Administrator and click the "Security" button.

You will want an Operator Group created for each level of security you want
to enforce, whether it's to restrict an operator to a particular billing
group or to restrict functions an operator can perform on your entire
customer base. The first step in Operator Group configuration is just to
define the name of the group. It should be something that reminds you of
the type of functionality the group has, such as the name of the Billing
Group it will access, or the function the operator will be performing.

Once you have created these Operator Groups, skip the "Operators" tab and
move to the "Operator Group Access" tab. Highlight the name of the Operator
Group you want to configure and then, in the center column, highlight either
"Global" to give the group access to all Billing Groups, or highlight the
name of the Billing Group the Operator Group will be able to access. The
"Privileges" section then becomes available.

When defining Privileges, certain options are basically "placeholders" right
now and will apply at a later date. These are "Web" and "Classes". The
"All" option is a quick way of granting certain rights levels (for example,
Read, Add, and Modify) for all of the individual options listed below.

The five options following "All" correspond to the configuration buttons in
the Emerald Administrator. If you do not want the operator group to be able
to modify or view the system's global settings, do not select any of these
five options. If you want operators to be able to *see* how things are
configured, you can grant "Read" permission on these five options. Each
time you check a box, such as "RADIUS", and then check any privileges to the
right of the item list, you MUST click the save button before moving on.
This is similar to SQL, where you must first check off a privilege, and then
click "Grant" to make it effective. Always double-check your privileges
when you think you are done with an operator group to make sure you did not
neglect to save on one or more of the individual items.

If you wish to remove privileges for a particular item altogether, you must
not only uncheck the box to the left of the item, but highlight the item and
click the Remove button to the right to revoke all previously-held
privileges for that item.

Some notes on particular privilege items:

- The user must have MBR and Services read permission to view customer
information for their billing group.
- The user must have create invoice permission to be able to set a discount
level, override a setup fee, or assign a flat rate for a service other than
the normal service fee.
- The user must have permission to read reports in order to be able to see
the Calls Online tab.
- Granting a user permission to see the RadLogs, if they have access only to
one billing group, will only show them errors in the Radius logs related to
their own users. They cannot see passwords or login errors related to your
other billing groups.

Please note that even if you grant an operator the ability to delete an MBR
or Service, the command will fail. This is a limitation of SQL, and we are
working on a stored procedure to take its place. For now, if you have an
Operator who has the ability to delete accounts, it should be safe to assume
that Operator is a true administrator and can be in the Emerald SQL group,
with access to the database directly, to facilitate deleting information in
the database.

Once you have configured your Operator Group Access information, you can
begin adding your Operators to the correct groups. The changes will take
effect when they re-log into Emerald. Remember: SQL Group=EmeraldSecure,
Operator Group=the group whose access settings you want applied to them.

Hope this helps some of you out there who are still a little confused about
Operator Groups and security. :)

Sheryl D. Stover - sds@iea-software.com - http://www.iea-software.com
IEA Software Account Management and Customer Service
Phone: (509) 444-2455 ext. 51 - Fax: (509) 624-9903
Billing and Customer Care for ISPs and Communications Companies
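
The view-based enforcement described in the message (operators reach views, never the tables) can be sketched as follows. This is an added example, not code from the original post or from Emerald: the schema, the role RestrictedOperators and the user op_group1 are hypothetical, and it uses current T-SQL syntax rather than the 1999-era tools.

```sql
-- Hypothetical schema for illustration; these are not Emerald's tables or views.
CREATE TABLE dbo.Accounts (
    AccountID      int         NOT NULL PRIMARY KEY,
    BillingGroupID int         NOT NULL,
    CustomerName   varchar(64) NOT NULL
);
CREATE TABLE dbo.OperatorAccess (
    UserName       sysname NOT NULL,  -- database user of the operator
    BillingGroupID int     NULL       -- NULL stands for "Global" access
);
GO

-- The view filters rows by the caller's identity, so the restriction is
-- enforced in the database and not only in the client application.
CREATE VIEW dbo.AccountsSecure
AS
SELECT a.AccountID, a.BillingGroupID, a.CustomerName
FROM dbo.Accounts AS a
WHERE EXISTS (
    SELECT 1
    FROM dbo.OperatorAccess AS oa
    WHERE oa.UserName = USER_NAME()
      AND (oa.BillingGroupID IS NULL OR oa.BillingGroupID = a.BillingGroupID)
);
GO

-- The restricted role is granted the view and nothing on the base tables.
CREATE ROLE RestrictedOperators;
GRANT SELECT ON dbo.AccountsSecure TO RestrictedOperators;
GO

-- Constructed sample data: two billing groups, one operator limited to group 1.
INSERT INTO dbo.Accounts VALUES (1, 1, 'Alpha Net'), (2, 2, 'Beta Online');
CREATE USER op_group1 WITHOUT LOGIN;
ALTER ROLE RestrictedOperators ADD MEMBER op_group1;
INSERT INTO dbo.OperatorAccess VALUES ('op_group1', 1);
GO

-- Check the result as the restricted operator.
EXECUTE AS USER = 'op_group1';
SELECT AccountID, CustomerName FROM dbo.AccountsSecure;  -- through the view
SELECT AccountID, CustomerName FROM dbo.Accounts;        -- direct table access
REVERT;
```

Run as op_group1, the query through the view lists only the billing group 1 account, and the direct query on dbo.Accounts is refused because the role holds no permission on the table. The view can still read both tables because it and they share the owner dbo.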
