Admin Console - Access Control

MOVEit Central uses Windows authentication to control access to its configuration. Specifically, all remote users who authenticate to MOVEit Central will only be allowed access if:

MOVEit Central installs two new groups by default: MOVEit Admin and MOVEit Log. MOVEit Admin is the administrators group - users belonging to this group have full power over MOVEit Central. MOVEit Log is a "read-only" group - users belonging to this group may only monitor MOVEit Central. (It is not necessary for users to belong to both the MOVEit Admin and MOVEit Log groups; MOVEit Admin includes all the rights allowed MOVEit Log.)

Domain Authentication

It is possible to sign onto MOVEit Central through MOVEit Central Admin using a domain account, as long as the machine on which MOVEit Central is installed is part of the domain, the user the MOVEit Central service is running under is a domain account, and the users or groups you would like to control MOVEit Central have been added to the appropriate Windows user groups.

The proper syntax to use when signing on to MOVEit Central with a domain account is "[DOMAIN]\[username]", even if you regularly use syntax such as "[username]@[DOMAIN]".

"MOVEit-User" Groups

MOVEit Central also supports setting up additional groups with customized permissions. These groups are collectively known as "MOVEit-User" groups and are configured from the Settings menu in MOVEit Central Admin. (A user must be a member of the MOVEit Admin group to make changes to these settings.)

Users who sign into MOVEit Central Admin with a username that belongs to the "MOVEit Admin" Windows group can edit or start any task. To control access to tasks in specific task groups, operators can create restrictive administrative users based on site-specific Windows groups. These groups have names beginning with "MOVEit Users-". By default, a restricted user has no permissions.

Note: MOVEit Central Enterprise supports customized permissions by selecting Permissions on the Settings menu. Though this functionality is not available in the Corporate version, users of the Corporate version can manually create a MOVEit-User group, or add a user to the MOVEit Admin and MOVEit Log groups, by using Windows Computer Management.

Managing Permissions (Enterprise only)

Selecting the "Permissions" option in the Settings menu will open the Permissions dialog. Here, the groups associated with MOVEit Central permissions will be listed in the Windows Groups tab, and the members of those groups in the Members tab.

On the Windows Groups tab, new "MOVEit Users" groups can be added, and existing ones deleted using the Add and Delete buttons. Groups can be edited by double-clicking the group or selecting the group and clicking the Edit button.

On the Members tab, new Windows users can be created, and administrators can change the password of, unlock, and delete existing users that were created by MOVEit Central. Administrators are not allowed to edit or delete Windows users that were not created by MOVEit Central. Administrators can, however, change the group memberships of all Windows users and groups listed using the Groups button.

Adding Windows Groups

Clicking the Add button on the Windows Groups tab will open the Add User Group dialog. Here the user is prompted to enter a name for the new group, as well as select whether the group will be added to the local system, or to the domain that the Central server is a member of. The name must begin with the string "MOVEit Users-" in order to be recognized as a MOVEit Central user group. Entering a name that does not begin with this string, or a name that is already in use, will cause an error message to be displayed.

Editing Windows Groups

In addition to allowing a user to authenticate to MOVEit Central, membership in a MOVEit Central permissions group also determines which tasks, hosts, scripts, and other elements a user is allowed to view, use, and edit. Membership in the MOVEit Admin group allows full access to all tasks and other elements, and membership in the MOVEit Log group allows read-only access to all tasks and other elements. For a user in a MOVEit Users group, access is determined by which task groups are associated with the MOVEit Users group and which permissions are assigned to those task groups. The list of task groups associated with a MOVEit Users group, as well as the list of members of that Windows group, can be viewed and edited by double-clicking a group in the Windows Groups tab, or selecting it and clicking the Edit button. This will open the Permissions dialog for the group.

In this dialog, current members of the Windows group are listed, and members can be added, created, maintained, removed, or deleted. Only those users created through MOVEit Central will be fully editable. Task group associations are also listed and maintained here. Each task group associated with the Windows group is listed, along with counts of the various elements in the task group, and what permissions are assigned for each element type. Administrators may add existing task group associations, create new task groups, edit existing task groups, edit the permissions of a task group association, and remove task group associations. Creating and editing task groups here is the same as creating and editing task groups through the Edit Task Groups dialog. See the Task Groups page for more information.

Task group associations have permissions assigned for each of the types of elements that can belong to a task group. These permissions can be changed by double-clicking a task group, or selecting a task group and clicking the Edit Permissions button. This will open the Edit Permissions dialog for the task group.

For tasks, there are four different permissions:

For all other elements, there are only two different permissions:

Managing Members

MOVEit Central permissions group memberships can be managed from the Members tab of the main Permissions dialog, or from the membership list on an individual Windows group permissions dialog. In both locations, existing users can be added as members and new users can be created as members. Existing members can have their password reset, be unlocked if they are marked as "locked out", be removed from the group, or even be deleted. Only those users who were originally created through MOVEit Central will be fully editable. Otherwise, the Reset, Unlock, and Delete options will not be available. Users originally created through MOVEit Central are recognizable by the string "*Added/Maintained by MOVEit Central*" in the user's description.
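
An audit of these groups from PowerShell, as an added example that is not part of the MOVEit documentation: it lists the members of the local MOVEit Admin, MOVEit Log and "MOVEit Users-" groups and marks local accounts whose description carries the "Added/Maintained by MOVEit Central" text. It assumes the groups are local to the MOVEit Central server and uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets; groups created on the domain are not examined.

```powershell
# Added example: audit local Windows groups that grant MOVEit Central access.
# Assumption: run on the MOVEit Central server; only local groups are examined.
# The marker is matched without the surrounding asterisks shown on this page.
$marker = 'Added/Maintained by MOVEit Central'

$groups = Get-LocalGroup | Where-Object {
    $_.Name -in @('MOVEit Admin', 'MOVEit Log') -or $_.Name -like 'MOVEit Users-*'
}

$report = foreach ($g in $groups) {
    # Access level each group grants, as described on this page.
    $access = switch -Wildcard ($g.Name) {
        'MOVEit Admin'   { 'Full control' }
        'MOVEit Log'     { 'Read-only' }
        'MOVEit Users-*' { 'Per task group permissions' }
    }
    try {
        $members = @(Get-LocalGroupMember -Group $g -ErrorAction Stop)
    } catch {
        # Enumeration can fail, for example when a member SID no longer resolves.
        Write-Warning "Could not list members of '$($g.Name)': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        # Only local user accounts have a description this script can read.
        $managed = $null
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
            $managed = [bool]($u -and ([string]$u.Description).Contains($marker))
        }
        [pscustomobject]@{
            Group           = $g.Name
            Access          = $access
            Member          = $m.Name
            Type            = $m.ObjectClass
            Source          = $m.PrincipalSource
            CreatedByMOVEit = $managed
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize
```

Rows with `CreatedByMOVEit` set to False or empty are the accounts and domain principals that the Reset, Unlock, and Delete options do not cover, so they have to be reviewed with the Windows user management tools.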

Adding/Creating Members

New members are added or created via different options on the Add New Group Member dialog. Clicking either the Add or Create buttons leads to this dialog - the appropriate selection or creation option will be selected initially depending on which button was clicked.

Clicking the Add button, or selecting the "Select existing user account" option on the Add New Group Member dialog, allows a user to select an existing user from either the local system, or from the domain which the MOVEit Central server is a member of. The "Select existing group" option works similarly, but allows the user to select a Windows group. However, only domain groups can be selected from here - local Windows groups cannot be added as members of a MOVEit Central permissions group.

NOTE: For performance reasons, both the user and group selection lists are limited to displaying up to 2,000 entries. If you need to manage more users or groups than this, please use the Windows user management tools.

If the Add New Group Member dialog was opened from the main Permissions dialog, the "Group to add to" option to select which existing MOVEit Central permissions group the user should be added to will be displayed. Otherwise, if the dialog was opened from an individual Windows group permissions dialog, the selected user or group will be added to that group.

Clicking the Create button, or selecting the "Create new user account" option on the Add New Group Member dialog, allows a user to create a new user account by entering the appropriate user information into the provided fields. The user may be created on either the local system, or on the domain the MOVEit Central server is a member of. As with selecting an existing user, the "Group to add to" will be displayed if necessary.

Editing Members

Users originally created through MOVEit Central can have their full name and description changed by selecting the user and clicking the Edit button.

Resetting/Unlocking Members

Users originally created through MOVEit Central can have their password reset, or be unlocked if necessary, by selecting the user and clicking either the Reset or Unlock buttons. If a user needs to be unlocked, clicking the Reset button to change the user's password will also provide an option to unlock the account.

Editing User Group Memberships

On the Members tab of the main Permissions dialog, an additional button is available which allows administrators to edit the group memberships of a selected member. Double-clicking a member, or selecting a member and clicking the "Groups" button, opens the Member Groups dialog. In this dialog, all MOVEit Central permissions groups the user or group is a member of are listed, and the user or group can be added to additional groups with the Add button, or removed from existing groups with the Remove button.
