Security view

Access to information in Snow License Manager can be managed at both the role level and the user level. The assigned role determines what functionality, what object categories, and what reports the user will have access to, while settings at the user level determine access to objects based on the organizational structure.

Administration of users and roles in Snow License Manager is done in the Security view of Snow Management and Configuration Center.

Users

Each user in Snow License Manager requires a separate user account. User rights and available functionality are then adjusted by assigning one or multiple roles to each user.

In the Users view, new users can be created and existing users can be edited or deleted. The properties of a user consist of the four tabs User, Roles, Organization Restrictions, and Login History:

  • The User tab holds general information on the user.

  • The Roles tab lists the roles that the user has been granted.

  • In addition to the roles, Organization Restrictions can be defined for each user. They determine user access to information on computers, applications, agreements, and licenses available within the different nodes of the organizational structure.

    • If one or several organization nodes are specified, the user can see information only for these nodes.

    • If no organization nodes are added, the user will have access to information for all nodes.

  • The Login History tab shows information on user logins. The View Daily Logins option shows them by date and time, while the View Monthly Login Count option shows them by month and count.

User report

The User report shows an overview of all users including general user information as well as last logon and logon counts. Click the plus sign to the left of the username to see information on Roles and Organization Restrictions.

Roles

Roles define what the users can do in Snow Management and Configuration Center and in the SLM Web UI, and every user of the system must be assigned one or several roles.

Roles can be created either in Snow Management and Configuration Center or by integrating Active Directory groups with Snow License Manager. Both can be used, but our recommendation is to choose only one to minimize the risk of allowing users access to areas to which they should not have access. For more information about integrating Active Directory groups with Snow License Manager, see the separate document User Guide for Active Directory group integration.

In the Roles view, new roles can be created and existing roles can be edited, copied, or deleted. Settings for a role are made on the Object Security, Report Security, and Users tabs:

  • The Object Security tab grants the role access to views, objects, alerts, and functionality in the Web user interface of Snow License Manager and in Snow Management and Configuration Center. Defined accesses for the Web application are sorted under Web and per category, for example Agreement, Application, Computer, License, MobileDevice, and User.

  • The Report Security tab grants the role access to stock reports and charts (based on reports) in the Web user interface of Snow License Manager. By default, no stock reports or charts are available for the roles License Administrators and Viewers.

  • The Users tab lists the users that the role has been assigned to.

A role can be assigned to multiple users, and multiple roles can be assigned to a single user. A user with multiple assigned roles will have access to all items granted for each role.

Example 51.

If role A denies the user access to Custom Report 1 but role B allows access to the same report, a user assigned to both roles will be able to access Custom Report 1.
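The additive behaviour in the example above, together with the rule that a user with no Organization Restrictions sees all nodes, can be modelled for an access review. The following is an added illustration, not Snow License Manager code or its API; the class names, user names, and the node names EMEA and APAC are hypothetical, and nodes are matched by exact name only.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    reports: frozenset = frozenset()      # Report Security grants

@dataclass
class User:
    name: str
    roles: list
    org_nodes: set = field(default_factory=set)   # Organization Restrictions

def report_grants(user):
    """Map each reachable report to the roles granting it (access is a union)."""
    grants = {}
    for role in user.roles:
        for report in role.reports:
            grants.setdefault(report, []).append(role.name)
    return grants

def can_see_node(user, node):
    """No organization restriction defined means every node is visible."""
    return not user.org_nodes or node in user.org_nodes

def review(users, sensitive_reports):
    """List (user, finding) pairs worth a second look in an access review."""
    findings = []
    for u in users:
        if not u.org_nodes:
            findings.append((u.name, "no organization restriction: all nodes visible"))
        for report, roles in sorted(report_grants(u).items()):
            if report in sensitive_reports:
                findings.append((u.name, f"{report} reachable via {', '.join(roles)}"))
    return findings

# Constructed sample data mirroring Example 51 (role and node names are hypothetical).
ROLE_A = Role("Role A")                                   # does not grant the report
ROLE_B = Role("Role B", frozenset({"Custom Report 1"}))   # grants it
USERS = [
    User("alice", [ROLE_A, ROLE_B], {"EMEA"}),
    User("bob", [ROLE_A]),                                # no restriction set
]

if __name__ == "__main__":
    for name, finding in review(USERS, {"Custom Report 1"}):
        print(f"{name}: {finding}")
```
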



Predefined roles

A set of predefined roles is delivered with Snow License Manager. Use the roles as they are, or use them as examples when creating customized roles for access to selected functionality. A role is typically created for a certain type of user.

A detailed comparison of the two roles License Administrators and Viewers is presented in Appendix B - Role privileges.

| Role | Description |
|---|---|
| Administrators | The Administrators role grants complete access to the entire system, both Snow MACC and SLM Web UI. This role is assigned to administrators, such as the global SAM owner and technicians from the IT department. |
| API Users | The API Users role grants access to the Snow License Manager Web API. By default, an account assigned to this role cannot be used for user login to the SLM Web UI. |
| License Administrators | The License Administrators role is perhaps the most commonly used role. The role grants no administrative access rights, but can add licenses, agreements, and information in SLM. |
| Viewers | The Viewers role grants the right to view and export information only. Viewers cannot make any changes to the information in SLM. |

Note

When adjustments are needed for a predefined role, the recommendation is to use a copy of that role and keep the original one unaltered. This is because any update of Snow MACC will reset the granted accesses of the predefined roles.

Audit Log

The Audit Log keeps track of events related to Snow License Manager user accounts. Changes to access rights (both added and removed rights), passwords, user names, and role permissions are logged with a time stamp and information on who made the change. The information can be exported to provide Security and Governance teams with the information they need about changes to user account privileges.

To filter the log by date, use the calendar to select a specific date range.

To export the log to an Excel or .csv file, click Export in the menu.

The following table shows the changes that are logged in the audit log.

| Category | Logged change |
|---|---|
| User | User was created or deleted. |
| User | User was renamed. |
| User | Role was added to or removed from user. |
| User | User password was changed. |
| User | User organization was changed. |
| User | Organization restriction was added to or removed from user. |
| Role | Role was created or deleted. |
| Role | Role was renamed. |
| Role | Object was added to or removed from role. |
| Role | Report was added to or removed from role. |

Note

The Audit Log is encrypted by default. To have the Audit Log written unencrypted, clear Configuration > Customer Settings > AUDITLOG_ENCRYPT. This allows the audit logs to be read by centralized log-management systems.
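An exported audit log can be triaged for the logged changes that widen access, as in the following added example, which is not part of the product or its documentation. The CSV column names, the wording in the Change column, and all account and role names are assumptions made for this constructed sample and must be adapted to the actual export.

```python
import csv
import io

# Change types from the table above that widen what an account can reach.
# Removing an organization restriction counts: with none left, all nodes are visible.
WIDENING = {
    "role added to user",
    "organization restriction removed from user",
    "object added to role",
    "report added to role",
}

def triage(csv_text):
    """Return access-widening rows, noting when the actor changed their own account."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        change = row["Change"].strip().lower()
        if change not in WIDENING:
            continue
        hits.append({
            "time": row["Timestamp"],
            "actor": row["ChangedBy"],
            "target": row["Target"],
            "change": change,
            "detail": row["Detail"],
            "self_change": row["Category"] == "User"
                           and row["ChangedBy"].lower() == row["Target"].lower(),
        })
    return hits

# Constructed export; column names and wording are assumptions, not the product's format.
SAMPLE = """\
Timestamp,ChangedBy,Category,Change,Target,Detail
2024-03-01T09:12:00,admin1,User,Role added to user,jdoe,Administrators
2024-03-01T09:15:00,jdoe,User,Organization restriction removed from user,jdoe,EMEA
2024-03-02T10:00:00,admin2,Role,Object added to role,Viewers copy,Web/License
2024-03-02T10:05:00,admin2,User,User password changed,asmith,
2024-03-03T08:00:00,admin1,Role,Report removed from role,Viewers copy,Custom Report 1
"""

if __name__ == "__main__":
    for h in triage(SAMPLE):
        flag = " [self-change]" if h["self_change"] else ""
        print(f'{h["time"]} {h["actor"]} -> {h["target"]}: {h["change"]} ({h["detail"]}){flag}')
```
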