What's the connection between the MainBoss Administration security role and outside privileges (e.g. Windows Administrator privileges or SQL Server Administration privileges)?
IT personnel sometimes worry about granting the MainBoss Administration security role to non-IT personnel. We believe this should not be a concern; the MainBoss Administration security role is primarily intended for people who manage MainBoss itself. By granting the role to, say, a manager within the maintenance department, IT personnel can save themselves from day-to-day administration chores, without having to worry about non-IT personnel introducing difficulties.
Giving people the MainBoss Administration security role does not
give them any privileges outside of MainBoss.
In particular, it does not give them any aspect of Windows Administrator or SQL Server Administrator privileges.
The MainBoss Administration security role grants control over MainBoss
itself, but nothing outside MainBoss.
On the other hand, if a user already has SQL Server Administrator privileges, the MainBoss Administration security role can make life easier by providing access to certain information and abilities.
For example, MainBoss Administration lets you add a user name to the MainBoss Users table. This authorizes that user to use MainBoss. Now consider two cases:
- If you do not have SQL Server Administrator privileges:
- The new user will be added to the MainBoss Users table but will not be given SQL Server permission to access the MainBoss database. Someone who does have SQL Server Administrator privilege must separately grant the user access to the database. Until that happens, the user can't access the MainBoss database.
- If you do have SQL Server Administrator privileges:
-
You can configure MainBoss so that user activation is still a two-step process:
adding the user to the Users table inside MainBoss, and separately granting
appropriate SQL Server access (e.g. with SQL Server Management Studio).
However, you can simplify the process to a single step by turning on MainBoss's option MainBoss manages SQL security (in the Defaults for User section of MainBoss's Users table). In this case, MainBoss will make use of your SQL Server Administrator privilege to give users access to the MainBoss database automatically, whenever you add users to the MainBoss Users table.
Note that if you have SQL Server Administrator privileges, you can start MainBoss in "Administration" mode whether or not your login name appears in MainBoss's list of recognized users. This lets an IT person perform various administrative functions within MainBoss without requiring that person to be a registered MainBoss user.
The MainBoss Administration security role does not give anyone extra SQL Server Administrator permissions; however, it can save you time if you do have such permissions.
Also in keeping with the "save you time" principle, MainBoss can list message log entries related to MainBoss Service. You can only start and stop the Service if you have Windows Administration privileges, but the MainBoss Administration security role lets you see the log messages. Letting non-IT personnel read these messages should be no risk to the smooth operation of the software; however, being able to read these messages should help IT personnel with troubleshooting.
Note: The MainBoss Administration security role will let non-IT personnel change the configuration information for MainBoss Service. This may cause MainBoss Service to stop servicing MainBoss properly; for example, if the name of MainBoss Service mailbox is changed, MainBoss Service won't be able to find its mail. Incoming messages won't be processed, but they won't be lost either—they'll just be queued up until the configuration is corrected.
While this interferes with the smooth operation of MainBoss, it doesn't interfere with any other software. Furthermore, most of the configuration information for MainBoss Service has nothing to do with software operation at all. For example, the configuration information includes standard email messages to be sent out by the maintenance department when work requests are received; this is the sort of thing that maintenance managers should be allowed to set, as opposed to having it set by IT personnel.