Management group changes in version 8 of the 1E Platform

This article describes changes related to management groups made in version 8 of the 1E Platform. As a result of these changes, some PowerShell cmdlets are available only in version 8 or later, while others are available only in earlier versions of the platform.

Management groups, roles, and principals

For information about the RBAC concepts associated with management groups, roles, and principals, refer to Role-Based Access Control cmdlets.

In releases prior to release 8, management groups were associated with roles. From release 8 onwards, management groups are instead associated with a role/principal pair. The same role or the same principal may therefore be associated with a management group multiple times, provided that the other member of the pair differs. You cannot assign the same role/principal pair to a management group more than once, but you can assign the same role with different principals, or the same principal with different roles, to the same group.

Management group hierarchies

Management groups now support hierarchical relationships. A management group may stand alone, or it may have a parent or child management group associated with it. In turn, these child groups may have children, and so on.

A management group can have at most a single parent. However, a parent management group can have multiple children. 

When a management group is associated with a role/principal pair, the rights granted to the pair are those of the management group plus its children, if any.

You can assign a role/principal pair to a management group at any level, so a pair can potentially be assigned both to a parent and to one or more of its child groups. However, doing so leaves the net resulting permissions unchanged, because the assignment to the parent already covers its children.
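
The pair and hierarchy rules above, modelled as an added example (not 1E code and not part of the 1E PowerShell Toolkit). Group, role and principal names are constructed, and the model assumes that rights cascade through every level of descendants, not only direct children.

```python
# Added illustration: a toy model of the version 8 rules described above.
# Group, role and principal names are constructed; no 1E API is called.
class RbacModel:
    def __init__(self):
        self.parent = {}          # group -> parent group, or None if it stands alone
        self.assignments = set()  # (group, role, principal) triples

    def add_group(self, name, parent=None):
        if name in self.parent:
            raise ValueError(f"{name} already exists (a group has at most one parent)")
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent {parent}")
        self.parent[name] = parent

    def assign(self, group, role, principal):
        if group not in self.parent:
            raise ValueError(f"unknown group {group}")
        triple = (group, role, principal)
        if triple in self.assignments:
            raise ValueError("role/principal pair already assigned to this group")
        self.assignments.add(triple)

    def ancestors(self, group):
        out = []
        while self.parent[group] is not None:
            group = self.parent[group]
            out.append(group)
        return out

    def effective_groups(self, role, principal):
        """Groups the pair has rights on: assigned groups plus their descendants.
        Assumption: 'children' cascades through every level of the hierarchy."""
        direct = {g for g, r, p in self.assignments if (r, p) == (role, principal)}
        return {g for g in self.parent
                if g in direct or any(a in direct for a in self.ancestors(g))}

    def redundant_assignments(self):
        """Assignments already implied by the same pair on an ancestor group."""
        return sorted(t for t in self.assignments
                      if any((a, t[1], t[2]) in self.assignments
                             for a in self.ancestors(t[0])))

def build_sample():
    m = RbacModel()
    for name, parent in [("EMEA", None), ("UK", "EMEA"), ("London", "UK"), ("APAC", None)]:
        m.add_group(name, parent)
    m.assign("EMEA", "Operators", "alice")
    m.assign("UK", "Operators", "alice")  # redundant: EMEA already covers UK
    m.assign("UK", "Operators", "bob")    # same role, different principal: allowed
    m.assign("UK", "Auditors", "alice")   # same principal, different role: allowed
    return m
```

Running `redundant_assignments()` over an exported list of assignments is one way to spot pairs that can be removed from child groups without changing anyone's effective access.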

Management group rules

Prior to version 8, management group rules, as defined in the SLA subsystem and then imported into the platform, did not support operator precedence. This meant that you could not define rules where certain logical terms (AND/OR) bound more tightly.

In version 8, rules now support precedence, so you can define in a rule how the various terms will be bound. When creating rules using the 1E PowerShell Toolkit, the rule expression you supply simply uses brackets to specify operator precedence, exactly as you would when specifying a scope or filter expression in the 1E Platform. Refer to Scope and filter expressions.

Management groups and role delegation

It is now possible to define roles that can be delegated by users who lack global privileges to the All Devices virtual management group. This is discussed in the documentation for the add-1Erole cmdlet.