This article explains the five special roles available for the general administration of DRACOON and how they can be delegated to users or groups so that they can perform appropriate administrative tasks. You will also learn how to view all users and groups with a particular role.
Topics of this article
Overview: roles to manage DRACOON
In DRACOON, there are the following five administrative roles for the general administration of the DRACOON environment:
User managers are allowed to create new users and edit and delete existing users.
Group managers are allowed to create, edit, and delete groups and add and remove users from groups.
Room managers are allowed to structure all top-level data rooms in DRACOON, i.e. create new data rooms there, rename and delete existing ones, and set a quota (storage space limit) for these rooms if necessary. However, you are not allowed to add users and groups to these rooms and also do not have access to the contents (files) of these data rooms - this is determined solely by the respective room administrators of the data rooms.
Delegate or revoke roles to a user or group
Who is allowed to delegate or revoke roles?
Only users who hold a specific role can delegate or revoke that role. So, only an existing auditor, for example, can appoint other users as additional auditors or revoke that role from other auditors.
A role owner ("User A") can abdicate a role to another user ("User B") by first assigning the role to this user ("User B") and then the new role owner ("User B") revoking the role from the previous role owner ("User A").
A role owner cannot revoke the role from himself - removal of an existing role from a user must always be done by another user who also holds that role.
DRACOON's granular role concept allows access and authorization requirements to be implemented flexibly and securely, and, for example, privacy policies to be taken into account when accessing the audit log.
- Click Settings in the left sidebar. User management will be displayed.
- If you want to delegate or revoke roles to a group, click Groups in the left sidebar.
- Tick the desired user or group.
You can search for a user or for a group above the list.
- The existing roles of the user or group are displayed at the bottom of the right sidebar under Customize User Roles.
- To delegate a role to the user or group, select the corresponding checkbox. To revoke an existing role from the user or group, clear the corresponding check box.
If the checkbox in front of a role is displayed in light gray and does not respond to a mouse click, you cannot assign or revoke this role to the user or group because you do not hold this role yourself.
- The changes become active immediately.
For each role, there must always be at least one user with that role in DRACOON. For example, if there is only one user with the Auditor role, it cannot be revoked from that user, as otherwise, there would no longer be an auditor in DRACOON. In this case, you must first delegate the role to another user before you can revoke it from the original user.
Determine all holders of a specific role (e.g. all auditors)
Sometimes, it is necessary to determine all users or groups in DRACOON that hold a certain role - for example, to get a list of all auditors. For this purpose, the user and group list can be filtered by role.
Who is allowed to determine all owners of a given role?
Only users who themselves hold one of the five roles are allowed to list all role holders. This is not limited to their own role - for example, if a user has the auditor role, they are allowed to list not only all other auditors but also all configuration managers, user managers, etc.
Discover all users with a specific role
- Click Settings in the left sidebar. The user management will be displayed.
- Select the desired role as a filter above the user list.
- Only those users who hold the selected role will be listed.
Note that only those users who have been explicitly assigned the role will be listed. Users who hold the role via a group membership will not be listed.
Discover all groups with a specific role
- Click Settings in the left sidebar, and then click Groups.
- Select the desired role as a filter above the group list.
- Only those groups that hold the selected role will be listed.
If you want to know which users are included in any of the listed groups, click Members in the right column to list all users in the group.
All listed users hold the selected role through group membership.