Using Security Groups
Trust Lockdown Security Groups
What are Security Groups?
Similar to Windows Active Directory, Trust Lockdown uses Security Groups to collect organizations, accounts, computers and software policies into manageable units.
Types of Security Groups
Each organization has its own "main" Security Group at the root of its Security Groups Tree. This group can have one or more child Security Groups that can be:
- a Security Group (for App Policies, Trust Profiles or associated Endpoints)
- a Software Profile Group
- an Admin Group
Policy Inheritance
An Inheritance Tree
Children of a Security Group inherit the App Policies and Admin Access rights of this Security Group, unless the Child Security Group has disabled "Inheritance" in its Profile Settings.
Disabling "Inheritance" in a Security Group defines it as the root of a new "Inheritance Tree".
New Inheritance Trees
Disabling Inheritance in any Security Group establishes that group as the root of a new independent Security Group Tree. Any App Policies, Software Profiles or Admin Groups trusted in this Security Group will be inherited by all of the subgroups beneath, down to where any of them disable their own "inheritance".
Using Inheritance anywhere
Similarly, any App Policy, Software Profile or Admin Group trusted in any part of an "Inheritance" tree will be inherited by all of the subgroups beneath it, down to where any of them disable their own "inheritance".
Simplified Management
Using "Inheritance" simplifies management of App Policies, Software Profiles and Admin Access Rights for an organization or any part of it.
"Inheritance Tree" Policies
Policies that should be applied across an entire group of Endpoints only need to be applied once, at the top of that "Inheritance Tree".
Removing that Policy later removes it from the entire tree with a single operation.
Narrow Policy Usage
When a Policy is only needed for a portion of an organization or inheritance tree, it can be trusted at just those points in the Security Groups Tree that require it.
Changing Inheritance
When conditions require that an "Inheritance Tree" be divided, the Admin can "select" just the policies that should be continued into the new inheritance tree, and then disable inheritance where the necessary policies have been trusted directly.
Inheritance for Admin Groups
Admin Groups give the Administrators (trusted in the Admin Group) access to any Security Group that inherits trust for that Admin Group. To use Admin Group Inheritance:
- Create an Admin Group (e.g. "WCS Admins")
- Trust Administrators in the Admin Group (e.g. Mike, David)
- Trust the Admin Group (e.g. "WCS Admins") in a Security Group
Now Mike and David have admin access to that Security Group and any of its subgroups inheriting the trust for the "WCS Admins" admin group.
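The inheritance rules described above, modelled in Python to show what a subgroup keeps and loses when "Inheritance" is disabled, including inherited Admin Group access. This is an added example, not Trust Lockdown's own code or API; the class, the function names and the sample groups and policies (other than "WCS Admins", Mike and David) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurityGroup:
    """Hypothetical model of one node in a Security Groups Tree."""
    name: str
    parent: Optional["SecurityGroup"] = None
    inheritance: bool = True                   # the "Inheritance" profile setting
    trusted: set = field(default_factory=set)  # items trusted directly in this group

    def child(self, name, inheritance=True, trusted=()):
        return SecurityGroup(name, self, inheritance, set(trusted))

    def chain(self):
        """This group plus every ancestor it inherits from, nearest first."""
        nodes, node = [self], self
        while node.inheritance and node.parent is not None:
            node = node.parent
            nodes.append(node)
        return nodes  # last element is the root of the Inheritance Tree

    def effective(self):
        """Map each effective trusted item to the group that supplies it."""
        result = {}
        for group in reversed(self.chain()):   # tree root first, nearest group last
            for item in group.trusted:
                result[item] = group.name
        return result


def admins_for(group, admin_groups):
    """Administrators who reach `group` through Admin Groups it trusts or inherits."""
    names = set()
    for item in group.effective():
        names |= admin_groups.get(item, set())
    return names


# Constructed sample tree: "Lab" disables Inheritance and re-trusts only one policy.
ADMIN_GROUPS = {"WCS Admins": {"Mike", "David"}}
root = SecurityGroup("Main", trusted={"Baseline App Policy", "WCS Admins"})
eng = root.child("Engineering", trusted={"Build Tools Policy"})
lab = eng.child("Lab", inheritance=False, trusted={"Baseline App Policy"})
bench = lab.child("Test Bench")
```

In this model "Test Bench" keeps only the policy that "Lab" trusts directly, and Mike and David no longer have access beneath "Lab" because the "WCS Admins" trust was not carried into the new Inheritance Tree.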