Security Concepts for Policy Manager

 

 Intellex® Policy Manager

system. The OS then uses this information, together with information it has about the user session 
making the request, to determine if a user or user group has the permission they are requesting. 

Let’s assume that JSmith wants to view live video on camera 13. Our three fundamental questions 
are:

• Who are you, and are you who you say you are? (JSmith, YES)

• What do you want to access? (Camera 13)

• What do you intend to do with it once you have it? (View live video)

Advanced security in Intellex first loads the security descriptor for live video from the security 
environment. Then, using the information from the logon session it created for JSmith during 
authentication, it asks the operating system:

Does JSmith have access to live video on camera 13?

The system processes that request as though JSmith were asking for the file in the previous 
example, but now, the security descriptor is a special one created and maintained by Intellex. As 
before, if he has permission, he can view live video on camera 13.

Users, groups and inheritance

Policy Manager employs users and groups from your existing corporate network. It is unnecessary 
to maintain a separate list outside your normal network environment. Consequently, the 
administration client has no mechanism that allows you to add new users or groups; they are 
already there.

For a user or user group to have instrument access, the domain where Policy Manager is installed 
must recognize that user or group. If you need additional users or groups, you or your network 
administrator must add them to the enterprise.

You can authenticate only users. Groups are collections of users who share common permissions. 
For example, if JSmith is a member of the marketing group, and the marketing group has full 
permissions for the ‘Forcasts.xls’ file on a file server, then JSmith has full access to that file even 
though JSmith has not been explicitly granted access to it. In other words, a user’s access 
permissions are actually the sum of all permissions that he or she is explicitly granted, plus 
whatever permissions are granted to any and all groups that user is a member of.

This principle also applies to Intellex Advanced Security. Building on the example above, if the 
Boston group has access to live video on cameras 1 through 16 on Intellex1, JSmith can also see 
those cameras, even if he does not appear in the list of users and groups who have been granted 
access to those cameras.

The preceding examples illustrate a central concept in network security: inheritance. In the above 
scenario, JSmith inherited the permissions that the Boston group holds. Further, JSmith inherits 
not only the permissions granted to the group(s) he is a member of, but also the explicit denials. 
Thus, if Boston is explicitly denied access to live video for camera 3, JSmith cannot see camera 3. 
Denial takes precedence over permission, so even if JSmith is granted (either explicitly or 
indirectly via inheritance) access to live video on camera 3, he still cannot see it.
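
The inheritance and deny-precedence rules described above, as an added example that is not part of the original manual or of Intellex itself. It is a simplified Python model, not the Windows access-check implementation; the names `Ace`, `Session`, `check_access` and `effective_cameras` and the sample entries are constructed, and an absent entry is assumed to mean no access.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Ace:
    principal: str        # user or group name
    kind: str             # ALLOW or DENY
    right: str            # e.g. "live_video"
    cameras: frozenset    # camera numbers this entry covers

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset     # group memberships resolved at logon

def check_access(session, acl, right, camera):
    """Return (granted, reason) for one right on one camera."""
    principals = {session.user} | session.groups
    matching = [a for a in acl
                if a.principal in principals and a.right == right and camera in a.cameras]
    denies = [a for a in matching if a.kind == DENY]
    if denies:                      # any denial, own or inherited, wins
        return False, f"denied via {denies[0].principal}"
    allows = [a for a in matching if a.kind == ALLOW]
    if allows:                      # explicit or inherited grant
        return True, f"allowed via {allows[0].principal}"
    return False, "no matching entry"   # assumption: no entry means no access

def effective_cameras(session, acl, right, cameras=range(1, 17)):
    """List the cameras on which the session actually holds the right."""
    return [c for c in cameras if check_access(session, acl, right, c)[0]]

# Constructed sample data following the page's JSmith / Boston scenario.
INTELLEX1_ACL = [
    Ace("Boston", ALLOW, "live_video", frozenset(range(1, 17))),
    Ace("Boston", DENY, "live_video", frozenset({3})),
    Ace("JSmith", ALLOW, "live_video", frozenset({3})),   # explicit grant, still loses
]
JSMITH = Session("JSmith", frozenset({"Boston", "marketing"}))
VISITOR = Session("Visitor", frozenset())   # hypothetical user outside Boston

if __name__ == "__main__":
    for cam in (13, 3):
        print(cam, check_access(JSMITH, INTELLEX1_ACL, "live_video", cam))
    print(effective_cameras(JSMITH, INTELLEX1_ACL, "live_video"))
    print(check_access(VISITOR, INTELLEX1_ACL, "live_video", 13))
```

Running the effective-permission listing for each user and group is a quick way to audit where an inherited denial overrides a grant an administrator added by hand.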

Three forms of access permissions

There are three basic types of access permissions that an administrator can assign to a user or 
user group:

• Implicit access

• Explicit access

• Explicit denial

Summary of Contents for Intellex Policy Manager

Page 1: ...Intellex Policy Manager Version 1 30 User s Guide Part Number 8200 2603 12 A0...
