Aim
To explain how to set up delegable access control, for someone familiar with network registry tools such as `regedit'.
Introduction
All Zeus configuration information is stored in a central registry that is built into the admin server. The interface to the registry is via a TCP/IP connection, allowing remote applications to share centralised configuration settings. With each configuration setting, the registry also holds access control information to implement a secure delegable configuration system.
The registry settings are a set of key/value pairs which are structured into a hierarchy. The `regedit' tool can be used to visualise and interact with the registry directly, and this tool is also used to delegate configuration settings.
Users
In order to set up delegation, extra users must be created, and these users assigned to the portions of the registry hierarchy which they are allowed to configure. By default, there is a single user called `admin'. This user has access to configure the entire registry hierarchy.
The list of valid users and their passwords lives in the registry under the `conf!reg!users' branch. Each user is a setting with an encrypted password field.
To add a new user, use the regedit program to create a new setting under this branch. The name of the setting will be the user name, its value will be the password for this user, and the type should be set to encrypted.
To delete a user, simply delete their setting from this branch. Warning: do not delete the admin user!
To rename a user, rename their setting.
To edit a user's password, you can use the web-form on the admin controller, or use the regedit program to give the setting a new value.
Allowing users to configure portions of the registry tree
Once you have created the users, you then need to specify which portions of the registry tree you wish them to be able to configure. The access control in the registry tree is based on a model of progressive weakening. Any setting or branch can have a list of users assigned to it who are allowed to configure it. If a user is given configuration rights to a branch, then that user has configuration rights to that branch and all settings beneath that branch.
To apply a user to a branch or leaf setting, use the regedit program to select the setting to modify, and then press 's' for security. A dialogue box will appear which allows you to enter a comma-delimited list of users who can edit this setting (the admin user is implied).
Note that in order to do this, you will need modification rights for this setting. A user with such rights can further delegate the access control of this setting, or of settings beneath this setting, to other users (but cannot create new users unless they also have modification access to the `conf!reg!users' branch).
Any setting which has a security setting applied to it is flagged with an asterisk in the regedit program.
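The inheritance rule described above, modelled as an added Python example (not Zeus code and not part of the original page). The class, its method names and the `conf!web!...` key paths are constructed for illustration; only the `admin` user and the `conf!reg!users` branch come from the text.

```python
ADMIN = "admin"                   # implied on every setting, per the page
USERS_BRANCH = "conf!reg!users"   # branch holding user settings, per the page

class RegistryACL:
    """Toy model (assumption, not Zeus code) of per-setting user lists."""

    def __init__(self):
        self.acl = {}  # key path -> users listed on that setting ('*' in regedit)

    @staticmethod
    def lineage(key):
        """Return key and every branch above it: a!b!c -> [a!b!c, a!b, a]."""
        parts = key.split("!")
        return ["!".join(parts[:i]) for i in range(len(parts), 0, -1)]

    def effective_users(self, key):
        """Everyone who can configure key: admin plus users listed on it or above."""
        users = {ADMIN}
        for k in self.lineage(key):
            users |= self.acl.get(k, set())
        return users

    def can_configure(self, user, key):
        return user in self.effective_users(key)

    def set_security(self, actor, key, users):
        """Model of the 's' dialogue: the actor needs rights on key to delegate it."""
        if not self.can_configure(actor, key):
            raise PermissionError(f"{actor} has no rights on {key}")
        self.acl[key] = set(users)

    def can_create_users(self, user):
        """Creating a user means creating a setting under conf!reg!users."""
        return self.can_configure(user, USERS_BRANCH)

def build_sample():
    """Constructed hierarchy: admin delegates to alice, alice delegates to bob."""
    reg = RegistryACL()
    reg.set_security(ADMIN, "conf!web!sites", ["alice"])
    reg.set_security("alice", "conf!web!sites!shop", ["bob"])
    return reg

if __name__ == "__main__":
    reg = build_sample()
    for key in ("conf!web!sites!shop!port", "conf!web!sites!blog", USERS_BRANCH):
        print(key, sorted(reg.effective_users(key)))
```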
Delegating permissions for individual applications
Each Zeus application stores its settings in the registry in a hierarchy designed for delegation in this manner. See the information supplied with the relevant application for examples of how the registry hierarchy for that application is used and how different delegation models may be employed.