Role-based access control (RBAC)
Regulate access to various functionality based on user roles and permissions. This would include granular access to capabilities such as:
- Logon to KBE
- Access to specific production images
- Server/workstation roles
- Samba share access
- Differentiate between access to deploy images, and access to log into connected machines as an admin.
Any update on when this is going to be rolled out? Would be very useful...
David Coe commented
setup an account that has configurable rights to the Samba share folders,
or allow Ldap accounts have configurable access to the Samba Share
It would be nice to give one of my team members access to the samba share without having to give them the Admin Account information.
Yin Etzel commented
We what to give our Techs the right to pull down an image only. So since the above comment by Alex Au Yeung is over 11 months old, have we a version that has the integrated K1-style permissions released yet? If so, which version?
Looks like it didn't make it into the 3.7 update...
Looking forward to this added feature. Hopefully it will show up in 3.7 Would vote more on this if I had them.
It would be nice to be able to restrict the imaging of server hardware. That way, if someone tried to image a server, they would have to have seperate credentials to do so.
Even further, be able to use the K1's smart labels or some other mechanism , maybe even just IP range, to restrict who has what access to imaging certain groups of machines.
Anxiously awaiting this feature...
J. Bautista commented
Paul Kochie commented
The only thing I'd like my "ReadOnly Admin" users to be able to do is capture User States.
Our desktop team uses the PXE features of the k2 to logon to the KBE to image machines. The problem being that they then have access to all of the images stored on the k2. I would be nice to have the ability to define roles on the k2 and assign them certain functionality and access to certain production images.
Karl Ng commented
I would like the ability to create roles in the k2000 and also in the rsa. I would like my techs to be able to vnc into a scripted install and kick off there installs without having to physical be in front of the machine. The techs may have 50 machines to image and it would be benefical for them to remotely manage them. I do not want to give them access to the k2000 because they would have the ability to change the scripted installs or alter, delete or change the operating systems, boot files, etc.
Kenny Tu commented
This would help me a lot.
This would really help make things more granular in our organization. I am hesitant to assign work for parts of the server when other parts will be vulnerable to people who do not need access to server settings and the like.
In our environment, the IT team and the R&D team have to deploy OSes. But they not have to deploy the same environments.
This would be very useful to delegate the managing of part of our computers
Philip Langlois commented
This would be awesome. Could be based on an AD OU or locally named users. To be able to restrict some image deployment to specific user would be great (i.e.: Server image not available to a specific project user).
Currently giving helpdesk staff the password to deploy an image gives them access to deploy every image, and to log into machines remotely with administrator priviledges. It would be nice to at least differentiate between personnel with access to deploy images, and personnel with access to log into connected machines as an admin. This is espeically important with RSAs, where remote offices may have an "advanced user" rather than actual helpdesk personnel. The significant problem with allowing people to deploy images is that it also currently grants those people full access to remotely administrate any workstation or server they can reach.
Phil Crosby commented
Take the current idea of Orgs in the K1000 and use it in the K2000. This way users from different departments in the same LAN can manage their own images and not touch anyone elses.
Why was this functionality not 'built-in'? I cannot think of a single use-case where the 'readonly admin' will be used. Enterprise customers need the ability to segregate who does what--the team that builds the images is not the team that deploys the images in our organization.
I would give this suggestion 3 votes if I had any leftover.
Ability to set unique password for separate boot environments will allow people setting up workstations (typically not high level sysadmins) access to that and nothing more. Currently the password to get into KBEs is one of the main passwords for the K2000 itself.