В процессе авторизации, пользователю присваивается роль безопасности. Роль безопасности определяет, что пользователь может делать и какие письма пользователь может видеть. Есть две основных причины в определении роли:
- Права доступа - то, что пользователь может делать (например, удалять электронную почту)
- Фильтр просмотра – какие сообщения пользователь может просматривать (т.е. обычный пользователь просматривает только свою почту)
В системе есть три встроенных роли: administrator, auditor and user. По умолчанию права доступа и фильтры просмотра, связанные с этими ролями описаны в ниже.
Права доступа
| Роль | Удаление | Просмотр | Печать | Экспорт | Сохранение результатов | Отправить | Настройки |
|---|---|---|---|---|---|---|---|
| User | Нет | Да | Да | Да | Да | Да | Нет |
| Audit | Нет | Да | Да | Да | Да | Да | Нет |
| Admin | Да | Да | Да | Да | Да | Да | Да |
| Master | Да | Да | Да | Да | Да | Да | Да |
Фильтр просмотра
| Роль | Фильтр просмотра | Значение по умолчанию |
|---|---|---|
| User | Просматривает только свою почту (все адреса должны совпадать с адресом электронной почты пользователя) | anyaddress:%email% |
| Audit | Просматривает всю почту | |
| Admin | Просматривает только свою почту (все адреса должны совпадать с адресом электронной почты пользователя) | anyaddress:%email% |
| Master | Просматривает всю почту |
User Role
The User Role is used for the purposes of enabling employees to access to their own emails in the archive. The macro “%email%” in the view filter restricts users who are assigned the role to viewing emails that concern themselves only. In addition, users assigned the User Role are, by default, unable to alter the configuration of the system.
When defining a view filter, the macro %email% will be replaced with the email address of the logged-in user. Thus, by selecting “any address” and entering “%email%” as a value, you will effectively limit the user to seeing their own emails only.
In a Role View Filter, it is possible to specify a complex filter query in accordance with the Архива query syntax. This is useful in a number of scenario's. For example, say one wanted to grant a particular user access to aНетther user's emails. One could create a role for that user, and specify anyaddress:(%email% OR john.adams@*). In this example, the logged in user will be able to see all John Adam's mail (for your reference: there are also other ways to accomplish the same behaviour. Hint: alternate email attribute and value inLDAP/AD authentication).
Tip: To restrict users to see their own emails only, set view filter on the assigned role to anyaddress:%email%
Tip: To restrict users to see all emails from their own domain, set view filter on the assigned role to anyaddress:%domain%
Audit Role
The main difference between the built-in Audit Role and the User Role is that its view filter is empty, meaning auditors are able to access the emails of every person in the company.
Administrator Role
Administrators are capable of modifying the configuration of Архива, excluding role definition and login configuration. For security reasons, they are Нетt permitted to view all emails of all users in the archive.
Нетte: By default, the Administrator Role is Нетt assigned the Role and Login permissions. This measure is necessary to prevent administrators from viewing sensitive company data.
Master Role
The master role is assigned when a user is logged in as the “admin” user. The master user is all powerful and has the ability to access all functions of the system, including view all emails in the archive.
Built-In Roles
If the built-in roles are Нетt suitable, you can define one or more custom roles. To define a custom role:
- Click on the “Add Role” button in the Roles section of the server console
- configuration screen
- Enter an appropriate name for the role
- Select the permissions associated with the role
- Add a view filter clause to limit which emails users assigned the role can view
It is possible to define a role that would allow all those who are assigned to it, the permission to view emails of all users belonging to a specific active directory group. This capability supports the scenario where the director of a department would like permission to view all emails sent and received by members of the department. To do this, simply select the User Group field in the role’s view filter and enter the name/DN of the corresponding group in Active Directory.