Granting and Revoking Administration Permissions

You grant administrator permissions to users and revoke them with the grant and revoke commands in tibemsadmin, or through the Java or .NET administration API. You can grant either global administrator permissions or permissions on specific destinations.

See Global Administrator Permissions for a complete list of global administrator permissions. See Destination-Level Permissions for a description of administrator permissions for destinations.

Global and destination-level permissions are granted and revoked separately using different administrator commands. See Command Listing for the syntax of the grant and revoke commands.

If a user has both global and destination-level administrator permissions, the actions that user can perform are determined by combining all global and destination-level administrator permissions granted to the user. For example, if an administrator is granted the view-destination permission, that administrator can view information about all destinations, even if the view permission is not granted to the administrator for specific destinations.

The admin user or all users in the $admin group can grant or revoke any administrator permission to any user. All other users must be granted the change-admin-acl permission and the view-user and/or the view-group permissions before they can grant or revoke administrator permissions to other users.

If a user has the change-admin-acl permission, that user can only grant or revoke permissions that have been granted to the user. For example, if user BOB is not part of the $admin group and he has only been granted the change-admin-acl and view-user permissions, BOB cannot grant any administrator permissions except the view-user or change-admin-acl permissions to other users.

Users have all administrator permissions that are granted to any group to which they belong. You can create administrator groups, grant administrator permissions to those groups, and then add users to each administrator group. Each user can then perform any administrative action allowed by the permissions granted to the groups to which that user belongs.

Any destination-level permission granted to a user or group for a wildcard destination is inherited for all child destinations that match the parent destination.

If protection permissions are set up, administrators can only grant or revoke permissions to other users that have the same protection permission as the administrator. See Protection Permissions for more information about protection permissions.
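
The delegation rules above (the admin user and $admin, change-admin-acl with view-user and/or view-group, and permissions inherited from groups) can be checked against an ACL export with a small model. This is an added example, not TIBCO code: the sample ACL is constructed, every user and group other than admin, $admin and BOB is hypothetical, and the "and/or" is read as "at least one of". Wildcard destinations and protection permissions are not modelled.

```python
# Constructed sample ACL. Only "admin", "$admin", BOB and the permission
# names come from the page; other users and groups are hypothetical.
USER_GRANTS = {
    "BOB": {"change-admin-acl", "view-user"},
    "CAROL": {"view-destination"},        # holds a permission, cannot delegate
    "DAVE": set(),                        # inherits everything via ops-admins
}
GROUP_GRANTS = {"ops-admins": {"change-admin-acl", "view-group", "view-destination"}}
GROUP_MEMBERS = {"$admin": {"ALICE"}, "ops-admins": {"DAVE"}}


def effective(user):
    """Union of the user's direct grants and the grants of every group they are in."""
    perms = set(USER_GRANTS.get(user, set()))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            perms |= GROUP_GRANTS.get(group, set())
    return perms


def is_full_admin(user):
    """The admin user and members of $admin may grant or revoke anything."""
    return user == "admin" or user in GROUP_MEMBERS.get("$admin", set())


def can_grant(grantor, permission):
    """Delegation rules: change-admin-acl, plus view-user and/or view-group
    (assumed: at least one), and only permissions the grantor already holds."""
    if is_full_admin(grantor):
        return True
    perms = effective(grantor)
    if "change-admin-acl" not in perms:
        return False
    if not perms & {"view-user", "view-group"}:
        return False
    return permission in perms


def delegation_report():
    """Map each non-$admin user who can delegate to the permissions they can hand out."""
    users = set(USER_GRANTS) | {m for ms in GROUP_MEMBERS.values() for m in ms}
    report = {}
    for user in sorted(users):
        if is_full_admin(user):
            continue
        grantable = sorted(p for p in effective(user) if can_grant(user, p))
        if grantable:
            report[user] = grantable
    return report
```

Calling `delegation_report()` on a real export shows which accounts outside $admin can pass administrator permissions on, which is the set worth reviewing when change-admin-acl has been granted to a group.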