Granting and Revoking Administration Permissions
You grant and revoke administrator permissions to users using the grant and revoke commands in tibemsadmin, or by means of the Java or .NET administration API. You can either grant global administrator permissions or permissions on specific destinations.
See Global Administrator Permissions for a complete list of global administrator permissions. See Destination-Level Permissions for a description of administrator permissions for destinations.
Global and destination-level permissions are granted and revoked separately using different administrator commands. See Command Listing for the syntax of the grant and revoke commands.
If a user has both global and destination-level administrator permissions, the actions that user can perform are determined by combining all global and destination-level administrator permissions granted to the user. For example, if an administrator is granted the view-destination permission, that administrator can view information about all destinations, even if the view permission is not granted to the administrator for specific destinations.
The admin user or all users in the $admin group can grant or revoke any administrator permission to any user. All other users must be granted the change-admin-acl permission and the view-user and/or the view-group permissions before they can grant or revoke administrator permissions to other users.
If a user has the change-admin-acl permission, that user can only grant or revoke permissions that have been granted to the user. For example, if user BOB is not part of the $admin group and he has only been granted the change-admin-acl and view-user permissions, BOB cannot grant any administrator permissions except the view-user or change-admin-acl permissions to other users.
Users have all administrator permissions that are granted to any group to which they belong. You can create administrator groups, grant administrator permissions to those groups, and then add users to each administrator group. Each user can then perform any administrative action that is allowed by the permissions granted to the groups to which that user belongs.
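The delegation and group rules above, modelled as an added Python example for auditing who can hand out which permissions (it is not TIBCO EMS code and does not use the EMS administration API). The class and function names are hypothetical, every sample user other than BOB is constructed, and "view-user and/or view-group" is read as requiring at least one of the two.

```python
# Added model of the delegation rules described above; not TIBCO EMS code.
SUPER_USER, SUPER_GROUP = "admin", "$admin"  # names taken from the page
# Only the permissions named on this page, not the product's full list.
KNOWN = {"change-admin-acl", "view-user", "view-group", "view-destination"}

class AdminAcl:
    def __init__(self):
        self.groups = {}  # user name -> set of group names
        self.grants = {}  # ("user" | "group", name) -> set of permissions

    def join(self, user, group):
        self.groups.setdefault(user, set()).add(group)

    def grant(self, kind, name, *perms):
        self.grants.setdefault((kind, name), set()).update(perms)

    def effective(self, user):
        """Direct grants plus everything granted to the user's groups."""
        perms = set(self.grants.get(("user", user), ()))
        for group in self.groups.get(user, ()):
            perms |= self.grants.get(("group", group), set())
        return perms

    def delegable(self, user):
        """Permissions this user may grant to, or revoke from, other users."""
        if user == SUPER_USER or SUPER_GROUP in self.groups.get(user, ()):
            return set(KNOWN)
        held = self.effective(user)
        # Assumption: "view-user and/or view-group" means at least one of them.
        if "change-admin-acl" not in held or not held & {"view-user", "view-group"}:
            return set()
        return held

def build_sample():
    # Constructed sample: BOB as in the text, the other users are invented.
    acl = AdminAcl()
    acl.grant("user", "BOB", "change-admin-acl", "view-user")
    acl.grant("user", "CAROL", "view-destination")  # lacks change-admin-acl
    acl.grant("group", "ops", "change-admin-acl", "view-group", "view-destination")
    acl.join("DAVE", "ops")        # DAVE holds nothing directly
    acl.join("ERIN", SUPER_GROUP)  # member of $admin
    return acl

if __name__ == "__main__":
    acl = build_sample()
    for user in ("BOB", "CAROL", "DAVE", "ERIN", "admin"):
        print(f"{user:6} may delegate: {sorted(acl.delegable(user))}")
```

In this model DAVE has no direct grants yet can delegate three permissions, because change-admin-acl reaches him through the ops group; a review of who can change administrator ACLs has to include group grants and group membership.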
Any destination-level permission granted to a user or group for a wildcard destination is inherited for all child destinations that match the parent destination.
If protection permissions are set up, administrators can only grant or revoke permissions to other users that have the same protection permission as the administrator. See Protection Permissions for more information about protection permissions.