Protection Permissions

Protection permissions allow you to group users into administrative domains so that administrators can only perform actions within their own domain. An administrator can perform administrative operations on a user only if that user holds the same protection permission as the administrator.

There are four protection permissions (protect1, protect2, protect3, and protect4) that allow you to create four groups of administrators. Protection permissions do not apply to the admin user or users in the $admin group — these users can perform any action on any user regardless of protection permissions.

To use protection permissions, grant one of the protection permissions to a set of users, either individually or through a defined group. Then grant the same protection permission to the administrator who is allowed to perform actions on those users.

For example, there are four departments in a company: sales, finance, manufacturing, and system administrators. Each of these departments has a defined group and a set of users assigned to the group. Within the system administrators, there is one manager and three other administrators, each responsible for administering one of the other departments. The manager of the system administrators can perform any administrator action. Each of the other system administrators can only perform actions on members of the group for which they are responsible.

The user name of the manager is mgr; the user names of the other system administrators are admin1, admin2, and admin3. The following commands illustrate the grants necessary for creating the example administration structure.

add member $admin mgr
grant admin sales protect1
grant admin admin1 protect1,all
grant admin manufacturing protect2
grant admin admin2 protect2,all
grant admin finance protect3
grant admin admin3 protect3,all

Note: You can grant a protection permission in addition to the all permission. This signifies that the user has all administrator privileges over anyone who holds the same protection permission. However, if you revoke the all permission from a user, every permission, including any protection permission, is removed from that user's access control list entry. To restore the administrator to a domain afterwards, you must grant the protection permission again along with all; granting all alone does not return the administrator to the domain.

An administrator can view users that hold a different protection permission, but can only perform actions on users that hold the same protection permission.

For example, admin1 can perform any action on any user in the sales group, and can view any user in the manufacturing or finance groups. However, admin1 cannot grant permissions to, change passwords of, delete, or perform any other administrative action on users in the manufacturing or finance groups. The mgr user can perform any action on any user, regardless of their protection permission, because mgr is a member of the $admin group.
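The following is an added illustration of the authorization rule described on this page, written as a small in-memory model; it is not the product's own implementation or command syntax. The class and function names (Acl, grant, revoke, add_member, can_view, can_administer) and the department members (sue, manny, fay) are hypothetical. The model assumes that the all permission is the only permission that confers administrative rights, that a non-$admin administrator must share at least one protection permission with the target user, and that a user who holds no protection permission at all is denied to such administrators, a case the page does not define.

```python
"""Toy model of protection permissions (added example, not the product's code)."""
from dataclasses import dataclass, field

PROTECTIONS = {"protect1", "protect2", "protect3", "protect4"}
ADMIN_GROUP = "$admin"


@dataclass
class Acl:
    groups: dict = field(default_factory=dict)  # group name -> set of member users
    grants: dict = field(default_factory=dict)  # user or group name -> granted perms

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def grant(self, principal, perms):
        # perms is a comma-separated list, mirroring "protect1,all" on the page
        self.grants.setdefault(principal, set()).update(
            p.strip() for p in perms.split(","))

    def revoke(self, principal, perm):
        entry = self.grants.setdefault(principal, set())
        if perm == "all":
            # Per the note above: revoking all also removes every protection
            # permission from the entry, so the administrator leaves its domain.
            entry.clear()
        else:
            entry.discard(perm)

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}

    def effective_perms(self, user):
        # Permissions granted to the user directly plus those granted to
        # any group the user belongs to.
        perms = set(self.grants.get(user, set()))
        for g in self.groups_of(user):
            perms |= self.grants.get(g, set())
        return perms

    def protections_of(self, user):
        return self.effective_perms(user) & PROTECTIONS

    def is_super_admin(self, user):
        # The admin user and members of $admin bypass protection checks.
        return user == "admin" or user in self.groups.get(ADMIN_GROUP, set())

    def can_view(self, actor, target):
        # Viewing is not restricted by protection permissions: any
        # administrator can see users in other domains (target is unused).
        return self.is_super_admin(actor) or "all" in self.effective_perms(actor)

    def can_administer(self, actor, target):
        if self.is_super_admin(actor):
            return True
        actor_perms = self.effective_perms(actor)
        if "all" not in actor_perms:  # assumption: all is the admin permission
            return False
        # Assumption: the actor must share at least one protection permission
        # with the target; an actor or target with none is denied.
        return bool((actor_perms & PROTECTIONS) & self.protections_of(target))


def build_example():
    """Reproduces the grants from the page with constructed sample members."""
    acl = Acl()
    members = {"sales": {"sue"}, "manufacturing": {"manny"}, "finance": {"fay"}}
    for group, users in members.items():  # constructed sample membership
        for u in users:
            acl.add_member(group, u)
    acl.add_member("$admin", "mgr")
    acl.grant("sales", "protect1")
    acl.grant("admin1", "protect1,all")
    acl.grant("manufacturing", "protect2")
    acl.grant("admin2", "protect2,all")
    acl.grant("finance", "protect3")
    acl.grant("admin3", "protect3,all")
    return acl


if __name__ == "__main__":
    acl = build_example()
    print("admin1 -> sue  administer:", acl.can_administer("admin1", "sue"))
    print("admin1 -> fay  administer:", acl.can_administer("admin1", "fay"))
    print("admin1 -> fay  view:      ", acl.can_view("admin1", "fay"))
    print("mgr    -> fay  administer:", acl.can_administer("mgr", "fay"))
    acl.revoke("admin1", "all")
    print("after revoke all, admin1 perms:", acl.effective_perms("admin1"))
```

Running the module walks through the page's scenario: admin1 can administer the sales member but only view the finance member, mgr can administer anyone, and after revoke all the admin1 entry is empty, so granting all again without protect1 would not restore admin1's authority over sales.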