

Security Areas

Security areas are an optional feature suited to large implementations with thousands of objects managed by different users.

A security area can be a geographical, organizational, or topological division. Defining security areas is helpful if you want to restrict users' access to only the objects linked to their security area by enforcing object-level security. A security area can be linked to one or more profiles and one or more objects. A user can access an object if at least one security area linked to the object is also linked to at least one security profile of the user.

The following conditions must also be fulfilled before the area permission of the user is evaluated:

If the first condition is not fulfilled, object access is denied for the user regardless of the second and third conditions. If the second or third condition is not fulfilled, the user is not restricted based on the area permissions and is allowed to access all the objects.

Note: All objects are accessible to users who are members of security profiles that are disabled for security area support. We recommend that the administrator ensures that all security profiles are enabled for security area support.

Example: Security Area

The following example explains the security areas concept and how the area permissions affect a user's permissions:

User U1 is a member of the security profiles P1 and P2.

User U2 is a member of the Administrators profile.

User U3 is a member of the security profile P3.

The security profiles P1, P2, and P3 are enabled for security area support. The Administrators profile is disabled for security area support, so no restrictions apply to the administrator and to objects created by the administrator.

Profile P1 is linked to security area A1.

Profile P2 is linked to security area A2.

Profile P3 is linked to security area A3.

Objects created by U1 are initially linked to security areas A1 and A2. This means these objects are visible to U1 and U2 but not to U3.

Objects created by U2 are initially linked to all security areas. This means these objects are visible to all users.

Objects created by user U3 are initially linked to security area A3. This means these objects are visible to users U2 and U3 but not to user U1.
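The area check from this example, modelled as an added sketch (it is not the product's code or API). It covers only the area-intersection rule and the Note about profiles disabled for security area support, not the preconditions referred to above; all function, variable and object names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    area_support: bool              # enabled for security area support?
    areas: frozenset = frozenset()  # security areas linked to this profile

# Constructed data mirroring the example on this page.
PROFILES = {
    "P1": Profile(True, frozenset({"A1"})),
    "P2": Profile(True, frozenset({"A2"})),
    "P3": Profile(True, frozenset({"A3"})),
    "Administrators": Profile(False),
}
MEMBERSHIP = {"U1": ["P1", "P2"], "U2": ["Administrators"], "U3": ["P3"]}
OBJECTS = {                         # hypothetical object names -> linked areas
    "created_by_U1": {"A1", "A2"},
    "created_by_U2": {"A1", "A2", "A3"},
    "created_by_U3": {"A3"},
}

def can_access(profile_names, object_areas):
    """Area permission check for a user holding the given profiles."""
    profiles = [PROFILES[name] for name in profile_names]
    # Per the Note: members of a profile that is disabled for security
    # area support can access all objects.
    if any(not p.area_support for p in profiles):
        return True
    # Otherwise at least one area must be shared by object and profiles.
    user_areas = frozenset().union(*(p.areas for p in profiles))
    return bool(user_areas & set(object_areas))

def visibility():
    """Map each sample object to the users who can see it."""
    return {obj: sorted(u for u, ps in MEMBERSHIP.items() if can_access(ps, areas))
            for obj, areas in OBJECTS.items()}

def unrestricted_users():
    """Audit helper: users who bypass area checks, and through which profiles."""
    found = {}
    for user, names in MEMBERSHIP.items():
        disabled = [n for n in names if not PROFILES[n].area_support]
        if disabled:
            found[user] = disabled
    return found

if __name__ == "__main__":
    print(visibility())
    print(unrestricted_users())
```

Running `unrestricted_users()` over an export of real profile memberships is one way to act on the recommendation in the Note, since a single area-disabled profile removes area restrictions for every member.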

Notes:

More information:

Security Areas Dialog

Security Profile Linkages Dialog