Access Rights Management
You can customize permissions to use CodeTwo Exchange Rules Pro thanks to the Access Rights Management functionality. Right after installation, the software can be managed by every person who has access to the Administration Panel. That is why we recommend configuring access rights directly after you install the software in your organization. Use the links below to learn more.
- How Access Rights Management works
- How to turn it on
- Managing access roles
- Conversion of access rights (old versions of the software)
The software lets you create a list of access roles. These roles define the level of access to particular features of the program (these features are managed in the Administration Panel). When you assign an access role to a user, this user inherits the permissions defined by that role. The same user can be added to multiple access roles, in which case the user receives the access rights of all of them. Additionally, for each access role you can customize per-rule access (see the Rules rights section to learn more).
You can open access rights settings from the Administration Panel's toolbar (Fig. 1.).
|Fig. 1. The Access Rights button on the toolbar of the Administration Panel.|
Access Rights Management is disabled by default. To turn it on, select the Switch on Access Rights Management checkbox (Fig. 2.). Click OK to close the window and click the Submit changes button on the toolbar to save the configuration.
To manage access roles, click the Access Rights button on the Administration Panel's toolbar (Fig. 1.) to open the Access Rights Management window (Fig. 3.).
The ACCESS ROLES pane contains a list of access roles in your organization and allows you to add new roles, clone them, or remove the existing ones. The order of the roles displayed on the list does not have any impact on permissions. Right after installation of the software, the list of access roles includes several predefined roles. See Predefined access roles to learn more.
The ACCESS ROLE PROPERTIES pane is divided into three tabs:
- General: here, you can modify the name, description, and members of each access role (Fig. 3.). Members of access roles can be added as domain users, domain groups, or custom external users.
- Access role rights: here, you can manage access to the program's features, email rule types, and actions.
- Rules rights: here, you can manage access rights to specific rules that are created in your organization.
Each time you make any changes in Access Rights Management, you need to confirm them by clicking the Submit changes button in the main window of the Administration Panel. Otherwise, your changes will not be applied.
Access rights are pulled from a server when the Administration Panel starts and are synchronized between the panels. If another user modifies the access rights while you have the Administration Panel open, you will not see those changes in your panel until you restart it.
By default, the Access Rights Management window (Fig. 3.) includes predefined access roles:
- Program and rules administrators - this is a full-access type of role. Users belonging to this role can manage all rules and access all features of the software (including the administrative functionalities such as Server Monitor). By default, the software automatically adds the Administrators domain group to this role when you enable Access Rights Management for the first time (see Fig. 2.). This is to make sure that at least one account has permissions to manage access rights, so you do not lock yourself out of the software.
- Rules administrators - members of this role have full access to email rules (they can add, remove and configure them), but do not have access to Access Rights Management and the program's administrative features.
- Signatures editors - this role is created for people who should be allowed to manage only signature-related actions. For example, you can assign your marketing department staff or graphic designers to this role, so they can design signatures, disclaimers, or advertisement banners, but should not be able to modify anything else. In other words, members of this role will not be able to edit other types of rules or edit the conditions, exceptions and other actions within signature/disclaimer adding rules.
- Autoresponder management - another example of a task-oriented, limited-access role. You can use this role, for example, to give your human resources department access to rules with the Auto respond action. This may be useful when an employee is absent for some reason, and an auto-reply should be set for this person's account, but you do not want to set it directly on the Exchange server. By assigning your HR people to this role, you enable them to set automatic responses themselves, without bothering you or your IT staff.
Access roles can be customized by enabling or disabling access to specific features, rule types, or actions. You can do that on the Access role rights tab in ACCESS ROLE PROPERTIES (Fig. 4.).
|Fig. 4. Access role rights.|
Manage program administrative features
- Access all tabs in the Settings window except Rule categories (access to that tab is governed by the Manage rules order and their General properties right) and except Logon settings and Connection, which are available to anyone regardless of their role membership.
- Use the Import/Export feature.
- Gather diagnostic files via Help > Collect all log files.
- Open the licensing window and activate the software's license.
- Change notification settings (Help > Notifications).
Manage access rights
- Modify access roles in the Access Rights Management window.
To avoid situations in which your organization is locked out of the software, at least one user must be assigned to an access role that holds the Manage access rights permissions. If you try to revoke Manage access rights for all access roles or delete all roles that hold these permissions, the software stops you by displaying a warning (Fig. 5.).
Create new rules
- Add and configure new rules.
Manage rules order and their General properties
- Change the order on the list of rules.
- Edit the contents of the General tab of every rule.
- Manage rules' categories via the Settings > Rule categories tab as well as via Category Manager available in the category picker.
Manage rules Conditions and Exceptions
Manage rules Actions
- Edit, add or delete the content of the Actions tab in every rule. Select the Manage rules Actions checkbox to enable this permission for all actions, or expand it for customized selection:
  - Edit existing actions: edit the properties of the already added actions. This permission can be enabled for all actions or actions selected from the list.
  - Add actions selected above: add new actions. This permission applies only to the actions selected in the Edit existing actions right.
  - Delete actions selected above: delete existing actions. This permission applies only to the actions selected in the Edit existing actions right.
Example: You selected only 2 actions: Compress attachments and Insert disclaimer in the Edit existing actions permission, and also selected the Delete actions selected above permission (Fig. 6.) for an access role. As a result, the members of this role will only be able to edit and delete the Compress attachments and Insert disclaimer actions, and will not be able to edit/delete/add any other actions.
To move actions up and down on the Actions list, a user must be granted permissions to edit, add and delete all actions in all configured rules.
Manage rules Options
- Edit the content of the Options tab in every rule.
It is possible to add the same user to multiple access roles. In such a scenario, the permissions from the different roles add up.
Note that access role rights give you permissions to perform specific tasks/operations; there are no rights that prohibit you from doing something. To help you understand that, let us assume that each granted permission has the value of 1, and the lack of this permission has the value of 0. If a user is a member of a role that, for example, grants the right to create new rules, but is also a member of another role that does not have this right, this user will effectively be able to create new rules (the value of the right to create new rules is 1 for the first role and 0 for the second role; their sum is therefore 1, which means the permission is granted). To prevent a user from having a specific permission, you need to review the access role rights of all the roles this user is a member of and make sure that none of these roles grants the permission in question. For each role that does, either:
- remove the particular permission from the role,
- or remove the user from that role.
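The additive model and the review step described above, as an added example that is not CodeTwo code. The rights are plain strings named after the page's rights; the users, the HR-Staff group, the "Rule authors" role and the rights given to each role are constructed, and resolving a domain group to its members is an assumption about how group-based role membership is evaluated.

```python
# Constructed model of the additive role semantics; not CodeTwo code.
# Rights are plain strings; users, HR-Staff and "Rule authors" are made up.
from dataclasses import dataclass, field

MANAGE_ACCESS = "Manage access rights"
CREATE_RULES = "Create new rules"
MANAGE_ACTIONS = "Manage rules Actions"

@dataclass
class Role:
    name: str
    rights: set = field(default_factory=set)
    members: set = field(default_factory=set)  # users or domain groups

def principals(user, groups):
    """The user plus every domain group that lists the user (assumed flat)."""
    return {user} | {g for g, users in groups.items() if user in users}

def effective_rights(user, roles, groups):
    """Union (logical OR) of the rights of every role the user belongs to."""
    who = principals(user, groups)
    return set().union(*(r.rights for r in roles if who & r.members))

def roles_granting(user, right, roles, groups):
    """Roles to review: any single one of them is enough to grant `right`."""
    who = principals(user, groups)
    return [r.name for r in roles if right in r.rights and who & r.members]

def locks_out(roles, groups):
    """True if no user would be left holding Manage access rights."""
    holders = set()
    for role in roles:
        if MANAGE_ACCESS in role.rights:
            for member in role.members:
                holders |= groups.get(member, {member})
    return not holders

# Constructed sample data.
GROUPS = {"Administrators": {"alice"}, "HR-Staff": {"bob", "carol"}}
ROLES = [
    Role("Program and rules administrators",
         {MANAGE_ACCESS, CREATE_RULES}, {"Administrators"}),
    Role("Rules administrators", {CREATE_RULES}, {"bob"}),
    Role("Autoresponder management", {MANAGE_ACTIONS}, {"HR-Staff"}),
    Role("Rule authors", {CREATE_RULES}, {"HR-Staff"}),
]

if __name__ == "__main__":
    # bob holds the right twice: directly and through the HR-Staff group.
    print(roles_granting("bob", CREATE_RULES, ROLES, GROUPS))
    print(sorted(effective_rights("bob", ROLES, GROUPS)))
```

In this sample, removing bob from Rules administrators does not take away Create new rules, because the role that lists HR-Staff as a member still grants it.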
Besides access role rights, you can also configure per-rule access rights (that is, rights to individual rules created in your organization). This is useful if, for example, you want to delegate rule management tasks to other people, but you do not want them to see some specific rules. You can limit their visibility on the Rules rights tab (Fig. 7.).
|Fig. 7. Configuration of the rights to individual email rules.|
The order of rules on the Rules rights tab is always the same as the order of rules listed in the main window of the Administration Panel. You can sort them alphabetically by clicking on the Rule name column header. The original order will be restored when you reopen the window.
When you create a new rule, the software asks you which access role should be used to create this rule (Fig. 8.) if more than one role has permissions to create rules. The selected role becomes the owner of this rule, and this role's Rules rights will be applied in the future.
|Fig. 8. Selecting a role that will be the rule owner.|
Note that a role (not a user!) is considered the owner of a rule. A user can be a member of such a role and therefore enjoy all of the owner's privileges defined in the Rules rights tab. If this user creates a new rule, it is automatically owned by the selected role (see Fig. 8.) and this role has all rights (view, edit, delete) to this rule. It is not possible to limit those rights for the rules that have not been created yet. If you remove the mentioned user from that role, they will lose all of the associated rules rights and will only have the rules rights of whatever role they are assigned to now.
If you had any access rights configured in version 2.5 or older, these are going to be automatically converted to the new access rights model introduced in version 2.6 upon updating or upgrading. In general, the software converts the old access rights of each user, group, or external user to a separate access role. The software also attempts to merge the roles together - this operation is successful only for users who had an identical set of permissions in the previous version of the software.
Configuration of rules - this article describes typical examples of using rules, how to create them, the actions that can be applied to the processed mail, conditions and exceptions that trigger/exclude rules from triggering specific actions, as well as additional options that boost the program's functionality.
Logon settings - learn how to define the type of authentication used to log on to an instance of the Administration Panel.