Delegation: Difference between revisions

From Telcred documentation
Line 73: Line 73:
== Sharing between organizations ==
== Sharing between organizations ==


=== Policy sharing ===
=== Privilege sharing ===


With delegation, each organization can manage their own users, doors, and access rights. However, it is common that users belonging to one organization need access rights to doors belonging to another organization. For example, in an office building with tenants, all tenants need access to the entrance doors to the building, as well as garages, and elevators.
With delegation, each organization can manage their own users, doors, and access rights. However, it is common that users belonging to one organization need access rights to doors belonging to another organization. For example, in an office building with tenants, all tenants need access to the entrance doors to the building, as well as garages, and elevators.


Telcred solves this problem through ''policy sharing''. The administrator of a door can create a policy which provides access to that door, and then share it with one or more of the other organizations. The administrator(s) of those organization can then assign this policy to their own users.
Telcred solves this problem through ''privilege sharing''. The administrator of a door can create a privilege which provides access to that door, and then share it with one or more of the other organizations. The administrator(s) of those organization can then assign this privilege to their own users.
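Review bot: The revised sentence "The administrator(s) of those organization can then assign this privilege" keeps the agreement error from the old text; it should read "those organizations". The paragraph also swaps "policy" for "privilege" without saying what a privilege is, so a short definition where the term first appears would help readers who know the old name.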




Line 83: Line 83:




Policy sharing enables fine-grained control of when, how, and by whom doors can be accessed. For example, the building owner may want to share the door to a common storage room with all the tenants, but only during office hours, while the same door should be available for the security company at all times.
Privilege sharing enables fine-grained control of when, how, and by whom doors can be accessed. For example, the building owner may want to share the door to a common storage room with all the tenants, but only during office hours, while the same door should be available for the security company at all times.


=== User sharing ===
=== User sharing ===
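Review bot: The rename in the paragraph beginning "Privilege sharing enables fine-grained control" is incomplete, because the figure caption directly above that paragraph in the rendered revision still reads "Policy sharing". Update the image caption as well, so the section uses a single term.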

Revision as of 09:06, 11 July 2019

Officers and capacities

The people involved with the administration of a system are referred to as officers. An officer can have one or more of the following capacities:

  • System owner
    • Create and edit organizations
    • Create and edit new officers
    • Assign officers to be system owners, organization owners, and administrators
  • Organization owner (for one or more organizations)
    • Edit organization
    • Create and edit new officers
    • Assign officers to be organization owners, and administrators
  • Administrator (for one or more organizations)
    • Monitor events
    • Manage access rights, i.e. doors, users, devices, schedules...
    • Configure door groups and hardware

Administrator views

The administrator GUI is separated into three different views that mirror the capacities system owner, organization owner, and administrator. For a large installation, these may be used by different people. For a smaller installation, it is likely that the same person(s) will use all three views, but for different things.

System owner

This view is accessible to officers with the system owner capacity, and is available at:

https://access.telcred.com/sys


System owner


When creating a new organization, the system owner specifies the default time zone (which can be changed for individual door controllers). In the same screen, the system owner can assign officers to be organization owners and/or administrators.

The system owner can also appoint other officers to be system owners. This is done when creating or editing an officer. In the same screen it is also possible to assign the officer to be organization owner for one or more organizations:


Create system owner


Telcred Access Manager supports two-factor authentication for officer login, and we highly recommend using it. The only method currently supported is YubiKey OTP (One-Time Password). More information about two-factor authentication can be found here.

An officer can be temporarily blocked, in which case he or she will not be allowed to log in.

Organization owner

This view is accessible to officers with the organization owner capacity, and is available at:

https://access.telcred.com/org


Organization owner


An organization owner can edit the organization name and default time zone, and assign officers to be organization owners and/or administrators (for the current organization). Assigning officers can be done when updating the organization information or when creating or editing officers:


Create organization officer

Administrator

This is the normal administrator view, where an officer with the administrator capacity can add new users, assign access rights to users, etc. This view is available at:

https://access.telcred.com

Switching between organizations

One officer can be administrator or organization owner in several organizations. In this case, the officer can switch between organizations using the selector at the top of the screen:

Switch organization

Sharing between organizations

Privilege sharing

With delegation, each organization can manage its own users, doors, and access rights. However, it is common that users belonging to one organization need access rights to doors belonging to another organization. For example, in an office building with tenants, all tenants need access to the entrance doors to the building, as well as garages and elevators.

Telcred solves this problem through privilege sharing. The administrator of a door can create a privilege which provides access to that door, and then share it with one or more of the other organizations. The administrators of those organizations can then assign this privilege to their own users.


Policy sharing


Privilege sharing enables fine-grained control of when, how, and by whom doors can be accessed. For example, the building owner may want to share the door to a common storage room with all the tenants, but only during office hours, while the same door should be available for the security company at all times.
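
The storage-room scenario above can be expressed as a small access-decision model. This is an added illustration, not Telcred's implementation or API: the class names, the organization and user names, and the Mon-Fri 08:00-18:00 definition of office hours are all assumptions, and it covers privilege sharing only, not user sharing.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class Schedule:
    """Weekly window, Monday=0; the defaults mean 'at all times'."""
    days: frozenset = frozenset(range(7))
    start: time = time.min
    end: time = time.max

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end

@dataclass
class Privilege:
    owner_org: str                 # organization that administers the door
    door: str
    schedule: Schedule
    shared_with: set = field(default_factory=set)   # recipient organizations

class AccessModel:
    def __init__(self, user_org: dict):
        self.user_org = user_org   # user -> home organization
        self.assigned = {}         # user -> privileges assigned by an administrator

    def assign(self, admin_org: str, user: str, priv: Privilege) -> None:
        # Only own users, and only privileges the organization owns or was given.
        if self.user_org.get(user) != admin_org:
            raise PermissionError(f"{user} is not a user of {admin_org}")
        if admin_org != priv.owner_org and admin_org not in priv.shared_with:
            raise PermissionError(f"privilege is not shared with {admin_org}")
        self.assigned.setdefault(user, []).append(priv)

    def may_open(self, user: str, door: str, when: datetime) -> bool:
        org = self.user_org.get(user)
        # Assumption: sharing is re-checked per decision, so unsharing revokes access.
        return any(p.door == door and p.schedule.allows(when)
                   and (org == p.owner_org or org in p.shared_with)
                   for p in self.assigned.get(user, []))

def build_example():
    # Constructed data: office hours taken as Mon-Fri 08:00-18:00.
    office = Schedule(frozenset(range(5)), time(8), time(18))
    tenant_priv = Privilege("building-owner", "storage", office, {"tenant-a"})
    guard_priv = Privilege("building-owner", "storage", Schedule(), {"security-co"})
    model = AccessModel({"alice": "tenant-a", "gus": "security-co", "bob": "tenant-b"})
    model.assign("tenant-a", "alice", tenant_priv)
    model.assign("security-co", "gus", guard_priv)
    return model, tenant_priv
```

Keeping the schedule on the privilege rather than on the user is what lets the door's owner bound when tenants can enter, while each tenant's administrator still decides which of their own users receive the privilege.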

User sharing

User sharing solves another use case, namely when a user belonging to one organization often needs access to doors belonging to another organization. For example, the building owner can create a user for service staff and then share this user with all the tenants. This allows the tenants to maintain control of when service staff can access their premises.


User sharing