Access Rights Management

The software comes with the Access Rights Management feature that allows you to customize the software's permissions. This feature is disabled by default in CodeTwo Exchange Rules Pro, but you can easily enable it from the toolbar (Fig. 1.).

Access Rights button on the top menu bar of the Administration Panel.
Fig. 1. The Access Rights button on the toolbar of the Administration Panel.

To enable it, check the Switch on Access Rights Management checkbox (Fig. 2.) and submit the changes.

Access Roles list and General tab of Access Rights Management.
Fig. 2. Access Rights Management configuration window.

Important

We strongly recommend configuring access rights right after you install the software.

Info

In version 2.6 of the software, Access Rights Management changed significantly compared to the previous releases.

How does it work?

Older releases of CodeTwo Exchange Rules Pro featured a user-based access rights model in which the software administration rights were configured individually for each user. In version 2.6 this was changed to a role-based rights management model to more easily manage access rights for a larger number of users and to better satisfy admins' security needs.

In CodeTwo Exchange Rules Pro you create a list of roles (the four most common usage examples are already added). These roles define access level to particular features of the program. When you assign a role to a user, this user inherits role-defined permissions. The same user can be added to multiple roles that grant him or her different access rights. Additionally, for each role you can customize per rule access.

Old access rights conversion

If you had any rights configured in version 2.5 or older, these are going to be automatically converted to the new access rights model introduced in version 2.6 upon updating or upgrading. In general, the software converts the old access rights of each user, group or external user to a separate access role. However, the software will also attempt to merge the roles together - this will be successful only for the users who had an identical set of permissions in a previous version.

Roles management

You can freely edit the existing access roles, clone or remove them and add new ones in the Access Rights Management window (Fig. 2.). The order of the roles on the list does not have any impact on permissions. Members of roles can be added as domain users, domain groups or custom external users.

Access rights are pulled from a server when the Administration Panel starts - if another user modifies the access rights while you have the Administration Panel open, you will not see those changes until you restart the application.

Important

Changes to Access Rights Management are applied only after clicking the Submit changes button in the main window of the Administration Panel.

Predefined access roles

As presented in Fig. 2., the Access Rights Management window displays list of access roles. A few most useful ones are preconfigured:

Program and rules administrators - this is a full access kind of role that can manage rules and access all features in the software, including the administrative ones. By default, the software automatically adds the Administrators group to this role when you enable Access Rights Management for the first time. This is to make sure that at least one account has permissions to manage access rights, so you do not lock yourself out of the software.

Rules administrators - this role has full access to rules configuration but does not have access to rights management and the program's administrative features.

Signatures editors - quite a limited role created for people who should be allowed only to manage signature-related actions. For example, you can assign your marketing department staff or graphic designer(s) to this role so they can create nicely looking signatures, disclaimers or advertisement banners but should not be able to modify anything else other than signature/disclaimer adding action properties. In other words, members of this role will not be able to edit other rules or even conditions, exceptions and other actions within signature/disclaimer adding rules.

Autoresponders management - another example of a task-oriented, limited access role. You can use this role to give your human resources department access to rules with an auto respond action. This will come in very handy when an employee is absent for some reason - an autoresponder should be set for this person's account but you do not want to set it directly on the Exchange server. By assigning your HR people to this role, you will enable them to set autoresponses themselves, without bothering you or your IT staff.

Access role rights

Roles can be customized by enabling or disabling access to a specific feature, rule type or action (see the Access role rights tab in Access Role Properties).

Be advised that at least one user must be always assigned to a role that holds the Manage access rights permissions. The software has a built-in mechanism that protects you from locking yourself out - if you attempt to revoke Manage access rights for the only role that has this permission, such action will be stopped and a warning will pop up (Fig. 3.). The same will happen if you delete the only role that holds these permissions or remove all users from all roles that Manage access rights.

A warning that is displayed if you attempt to remove the only member of the Manage access rights role.
Fig. 3. A warning that is displayed if you attempt to remove the only member of the Manage access rights role.
Access role rights tab in Access Rights Management.
Fig. 4. Access role rights tab in Access Rights Management.

To move actions up and down on the actions list, a user must be granted permissions to edit, add and delete all action types in all already configured rules.

Access Role Rights permissions

Users that are members of the following roles are given permissions to do the following:

  • Manage the program's administrative features
    • Access to all tabs in the Settings window except for Rule categories (governed by the Manage rules order and their General properties right), Logon settings and Connection which are available to anyone regardless of their role membership
    • Use the Import/Export feature
    • Gather diagnostic files via Help, Collect all log files
    • Open the licensing window and activate the software's license
    • Change notification settings (Help, Notifications)
  • Manage access rights
    • Modify Access Roles in the Access Rights Management window - at least one user must always be assigned to a role that holds this permission
  • Create new rules
    • Add and configure new rules
  • Manage rules order and their General properties
    • Change order on the list of rules
    • Edit the content of the General tab of every rule
    • Manage rules categories via the Settings, Rule categories tab, as well as via Category Manager available in the category picker.
  • Manage rules Conditions and Exceptions
    • Edit the content of the Conditions and Exceptions tabs in every rule
  • Manage rules Actions
    • Edit the content of the Actions tab in every rule; this can be enabled for all rights - edit, add, delete or customized:
      • Edit existing actions
        • Edit properties of the already added actions - this can be enabled for all actions or for selected only
      • Add actions selected above
        • Add new actions - limited to actions selected in the Edit existing actions right
      • Delete actions selected above
        • Delete existing actions - limited to actions selected in the Edit existing actions right
          For example, if you granted permissions in Edit existing actions only to the Insert disclaimer action and also added Delete actions selected above, a user will be able to edit and delete only the Insert disclaimer action and nothing else.
  • Manage rules Options
    • Edit the content of the Options tab in every rule

Access Role Rights conflicts

It is possible to add the same user to multiple access roles. In such a scenario, permissions from different roles are added.

Note that particular Access Role Rights grant you permissions to do something, there are no rights to specifically prohibit doing something. To easily understand that, let us assume that each granted permission has the value of 1 and the lack of it has the value of 0. If a user is a member of a role that e.g. grants him rights to create new rules but is also a member of another role that does not have this right, effectively this user will be able to create new rules (the value of the right to create new rules is 1 for the first role and 0 for the second role; their sum is therefore 1, so in the end the user is able to create new rules). To forbid a particular user from having a specific permission, you must review Access Role Rights of all the roles this user is a member of and either make sure none of those roles grants the permission in question or remove the particular permission from the role if necessary or remove the user from that role.

Rules Rights

Aside from the above-mentioned Access Role Rights, you can configure per rule access rights. This will be useful if, for example, you want to delegate rules management tasks to other people but do not want them to see some specific rules. You can limit their visibility in the Rules rights tab (Fig. 5.).

Rules rights tab in Access Rights Management.
Fig. 5. Rules rights tab in Access Rights Management.

Please note that the order on the list of rules is always the same as the order of rules list in the main Administration Panel window. However, you can sort them alphabetically by clicking on the Rule name column header. The original order is restored by closing and reopening this window. Also, selecting a checkbox in the header of one of the columns (View, Edit, Delete) will automatically select the checkboxes below in the whole column.

When creating a new rule the software will ask you which access role should be used to create this rule if more than one role has permissions to create rules. This is to establish which role should be the owner of this rule and which role's Rules rights will be applied in the future.

Selecting a role that will be the rule owner.
Fig. 6. Selecting a role that will be the rule owner.

Please note that a role, not a user, is considered the owner of a rule. A user can be a member of such a role and therefore enjoy all of the owner's privileges defined in the Rules rights tab. If this user creates a new rule, it will automatically be owned by the selected role (see Fig. 6.) and this role will have all rights (View, Edit, Delete) to this rule. It is not possible to limit those rights for the rules that have not been created yet. If you remove the mentioned user from that role, they will lose all of the associated rules rights and will only have the rules rights of whatever role he is assigned to now.

See next

Configuration of rules - this article describes typical examples of using rules, how to create them, the actions that can be applied to the processed mail, conditions and exceptions that trigger/exclude rules from triggering certain actions as well as additional options that boost the program's functionality.

See also

Logon settings - this article describes how to define what type of authentication will be used to log on to a particular Administration Panel to access Exchange Rules Pro Service and configure the program

Was this information useful?