.. meta::
   :description: Access control management with the Management Console in Micetro by Men&Mice
   :keywords: access control, access control management, role-based access, security, Micetro

For detailed information on the preferred method of access management, see :ref:`access-control`.

.. _acl-console:

Managing access control in the Management Console
-------------------------------------------------

Access control management in the Management Console uses the new access control model, but its features are slightly different than those available in the Web Application.

.. note::
  Men&Mice recommends configuring and managing access through the Web Application, as the preferred method. Functionality in the Management Console is mostly implemented in a transitional capacity.

Key differences between the Web Application and the Management Console
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Effective access
""""""""""""""""

In the Management Console's :menuselection:`Tools --> User Management`, the functionality for :ref:`acl-effective-access` is not available.

Users and groups
""""""""""""""""

In the Management Console's :menuselection:`Tools --> User Management`, users and groups cannot be edited to assign roles. Instead, roles need to be configured with users and groups.

Roles
"""""

In the Management Console's :menuselection:`Tools --> User Management`, adding a new role doesn't allow configuring access for it.

Configuring access in the Management Console
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Adding a new role
"""""""""""""""""

1. Open :menuselection:`Tools --> User Management` and switch to the **Roles** tab.

2. Click :guilabel:`Add`.

3. Fill in the name and description for the role. Optionally, you can add users and groups to the role.

4. Click :guilabel:`Ok`.

.. important::
  The function for *creating* the role doesn't contain options to set access for it in the Management Console. For configuring access, follow the steps in :ref:`console-role-perms`.

.. _console-role-perms:

Configuring access for a role
"""""""""""""""""""""""""""""

.. note::
  Unlike the in Web Application, configuring access for roles is sectioned by object type (i.e. DNS servers, zones, clouds, etc.).

1. Open :menuselection:`Tools --> Role access for` and select the object type from the menu.

.. note::
  To manage access for Micetro (module access, setting user admins, etc.) use :menuselection:`Tools --> Micetro access`.

.. image:: ../../images/acl-console-access-for.png
  :width: 90%
  :align: center

2. In the **Access control** dialog, you'll see all roles that have relevant access configured on them.

.. image:: ../../images/acl-console-access-control-dialog.png
  :width: 60%
  :align: center

3. To configure access for the selected object type to a role:

  3/1. Select the role in the top window, or click :ref:`Add...` to add a role that doesn't have access configured for the object type yet.

  3/2. In the bottom panel, select all checkboxes for the access permissions you'd like to enable.

  .. note::
    Selecting **Deny** is the equivalent of **Block** in the Web Application. See :ref:`block-permission` for more details. Setting 'deny' on a permission will block any other role to overwrite this setting.

4. Click :guilabel:`OK` when all the desired access permissions are set.

Removing a role
"""""""""""""""

To *remove a role's access permissions from an object type* use the :menuselection:`Tools --> Role access for` menu. Select the role in the top panel and click on :guilabel:`Remove`. This will remove all configured access permissions from the role, but **not the role itself**.

To *remove a role from Micetro* use :menuselection:`Tools --> User Management` and click on the **Roles** tab. Select the role(s) to remove, and click :guilabel:`Remove`. This will remove **the role and all its configured access permissions** from Micetro completely.

Adding users and groups to a role
"""""""""""""""""""""""""""""""""

To add users or groups to a role:

1. Open :menuselection:`Tools --> User Management`.

2. Select the user(s) and/or group(s), click :guilabel:`Edit` and in the bottom panel select the roles to attach the user(s)/group(s) to.

.. image:: ../../images/acl-console-user-role.png
  :width: 90%
  :align: center

3. Click :guilabel:`OK` to save the new membership settings.

.. note::
  Using the **Roles** tab of :menuselection:`Tools --> User Management`, examining a role will display the users and groups attached to the role, but cannot be used for adding users/groups to it.