I'd like to be able to create ‘limited’ users/groups and merge those permission sets with other limited groups or non-limited. E.g. I have a user who is an application owner. He should be able to start services, initiate unmanage on nodes, update node details, etc. But I also want him to have read-only access to all nodes (read-only is our default for all IT staff).
So I have 7 nodes that are all pretty similar:
- Windows Server
- IIS
- ERP Application (the one he’s responsible for)
- SQL (on a few of them)
I have 2 problems:
- I created a limit to group of groups and such on a new group for his app. But the way it works now, I effectively took away his access to everything else.
- It’s clunky because if I grant him access to just the nodes, the apps don’t tag along. I have to explicitly grant access to the apps. I did have a group for the ‘ERP Applications’ but not a group like ‘ERP IIS Instances’. Other than these permissions, there’s little value in having groups organizing the specific instances of IIS, SQL, and so on.
#2 wouldn’t really be an issue in my particular scenario as this individual likely wouldn’t do anything with IIS. He’s a local admin to these servers anyway, so if he really had to he could log in and execute tasks directly. The problem is the read-only access. He gets alerts for the systems, and now when he clicks the link in the email he is taken to an access denied page. He doesn’t have the permissions to view IIS details. #2 just makes it harder for me to expand the limited group to make up for the shortcomings.
I’d be happy with just this: if you’re in 2 or more groups, merge the permissions/limitations. If the limitations overlap, the one with higher order trumps the lower. It would be even better if there was some method inside the limitations to say ‘group of nodes’ and ‘all apps/components under those nodes’.
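A sketch of the merge semantics requested in this post (union across groups, higher order wins where they overlap, and an optional "apps under these nodes tag along" flag), added here as an illustration and not code from the original post or from any monitoring product; the node names, component names, group names and right names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: node -> components/apps hosted on it.
INVENTORY = {
    "erp-web-01": ["IIS", "ERP Application"],
    "erp-db-01": ["SQL", "ERP Application"],
    "file-01": ["Windows Server"],
}

@dataclass
class Limitation:
    name: str
    order: int                 # higher order wins when two groups overlap
    nodes: Optional[set]       # None = no node restriction (sees every node)
    include_children: bool     # apps/components under those nodes tag along
    rights: set                # e.g. {"read", "start_service", "unmanage"}

def visible_objects(lim: Limitation, inventory: dict) -> set:
    """Objects (nodes and optionally their components) this limitation exposes."""
    nodes = set(inventory) if lim.nodes is None else lim.nodes & set(inventory)
    objs = set(nodes)
    if lim.include_children:
        for node in nodes:
            objs |= {f"{node}/{comp}" for comp in inventory[node]}
    return objs

def merge(limitations: list, inventory: dict) -> dict:
    """Merge several limitations into one effective object -> rights map.

    Visibility is the union of all groups, so a read-only group is never
    lost by adding a more specific one. Where two groups expose the same
    object, the higher-order group's rights replace the lower's; equal
    orders are unioned.
    """
    effective: dict = {}  # object -> (order, rights)
    for lim in limitations:
        for obj in visible_objects(lim, inventory):
            current = effective.get(obj)
            if current is None or lim.order > current[0]:
                effective[obj] = (lim.order, set(lim.rights))
            elif lim.order == current[0]:
                effective[obj] = (lim.order, current[1] | lim.rights)
    return {obj: rights for obj, (_, rights) in effective.items()}
```

With `include_children=False` on the application owner's group, the IIS and SQL objects fall back to whatever the read-only group grants, which is the "apps don't tag along" problem described above.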