Setting Permissions on the Security Sub-keys

After you set the permissions on the base security key, the sub-keys, which represent the ChangeMan ZDD privileges, no longer grant users ZDD privileges by default. You must now explicitly allow groups or users “Read” permission on the registry key for each desired privilege.

Setting permissions for the sub-keys is easier than setting them for the base key. The sub-keys inherit the permissions for the base key, so we do not need to do that work again.

The “User” key, which allows a user to use the product, is only checked when ZDD is installed as a per-user installation. Otherwise, setting permissions on this key has no effect.

To set the permissions for a security sub-key, select the desired sub-key in the Windows Registry Editor (regedit.exe). In the illustration, we have selected the key for a server called D001.

Right-click the desired key and select “Permissions…” from the popup menu. Alternatively, you can select “Edit” → “Permissions” from the menu bar.

Notice that the general “Users” group does not have “Read” permission. We need to add permission entries for the groups or users to whom we would like to grant permission to access this server.

Press the “Add” button to add a group or user to the access list.

In the text box for object name, enter the name of the group or user that you would like to add. Press the “Check Names” button to validate the name, and then press “OK” to add the user or group. In the illustration, we are adding a group called “DL-Dev-AMC-All”.

The group or user that you added should now appear in the “User or group names” list. To allow the ZDD privilege, select the desired group or user name, and check the box to allow “Read” permission. Then press the “Apply” button to set the permissions on the key.

In most cases, that is all you need to do, and we are now finished.

However, in the case of the key for a server, we might have a special situation. Below the server key are sub-keys for ChangeMan instances for that server. If you allow “Read” permission for a server, all the sub-keys for the ChangeMan instances will inherit the “Read” permission.

If you want to allow access selectively for the ChangeMan instances below the server, we need to change the permission entry for the server so that the ChangeMan instance keys do not inherit the server “Read” permission.

To define permissions selectively for the ChangeMan instances, press the “Advanced” button.

Select the “Read” permission entry for the group or user that you just added, and press the “Edit” button.

We do not want the ChangeMan instance sub-keys to inherit this server permission entry. In the “Applies to” dropdown list, select “This key only”. Now this permission entry will not be inherited.

Press the “OK” button.

Notice that the permission entry now shows “This key only”, indicating no inheritance.

Press the “Apply” button to save the changes to the registry key. You can now set permissions for the ChangeMan instance sub-keys individually.
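The same server-key change can be scripted and then verified from PowerShell. The following is an added example, not part of the product documentation: it grants “Read” to the group from the illustration with “This key only” scope and then lists the group's entries on the server key and its sub-keys. The registry path is a placeholder because this page does not give it, the helper names are hypothetical, and the session is assumed to have rights to change permissions on the key.

```powershell
# Added example. <ZDD-base-security-key> is a placeholder: this page does not give the path.
$ServerKey = 'HKLM:\<ZDD-base-security-key>\D001'   # server key from the illustration
$Group     = 'DL-Dev-AMC-All'                       # group from the illustration

function Grant-KeyRead {                            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $ThisKeyOnly
    )
    # "This key and subkeys" is ContainerInherit; "This key only" is None.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    if ($ThisKeyOnly) { $inherit = [System.Security.AccessControl.InheritanceFlags]::None }

    # ReadKey is the right behind the "Read" checkbox in the Permissions dialog.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadKey
    $prop   = [System.Security.AccessControl.PropagationFlags]::None
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                         -ArgumentList $Identity, $rights, $inherit, $prop, $allow

    $acl = Get-Acl -LiteralPath $KeyPath
    $acl.SetAccessRule($rule)    # replaces any existing Allow entry for this identity
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
}

function Get-KeyReadReport {                        # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $Identity
    )
    # Report the identity's entries on the key itself and on each direct sub-key.
    $keys = @(Get-Item -LiteralPath $KeyPath) + @(Get-ChildItem -LiteralPath $KeyPath)
    foreach ($key in $keys) {
        (Get-Acl -LiteralPath $key.PSPath).Access |
            Where-Object { $_.IdentityReference.Value -like "*$Identity" } |
            Select-Object @{ n = 'Key'; e = { $key.PSChildName } },
                          RegistryRights, AccessControlType, IsInherited, InheritanceFlags
    }
}

# Server-level Read that the ChangeMan instance sub-keys do not inherit.
Grant-KeyRead -KeyPath $ServerKey -Identity $Group -ThisKeyOnly
# After the change, no instance sub-key should show an inherited entry for the group.
Get-KeyReadReport -KeyPath $ServerKey -Identity $Group | Format-Table -AutoSize
```

A row for an instance sub-key with `IsInherited` set to `True` means the server entry is still being inherited and the “Applies to” scope was not changed.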
