By default, members of the predefined group Administrator have full permissions for the Access Controller. You can enable these permissions for other groups as well.
When no members belong in the Administrator group, all users with full permissions for the Access Controller will have Administrative access.
It is not possible to disable or delete the last active user with full permissions for the Access Controller. This is to prevent system lockout.
Members that are not part of the Administrator group will not be able to remove or modify the Administrator group and any of its group members.
Only one user may use the Access Controller with write permissions at any given time.
It is not possible to delete the last group with members that have full permissions for the Access Controller. This is to prevent system lockout.
By setting the Platform property mz.security.user.restricted.login to true, access is restricted to one login for each interface type:
Desktop
Web Interface
Command Line Tool mzsh
It is possible to use SCIM via the REST HTTP interface to POST, GET, DELETE, PUT and PATCH user and group configurations.
By default, MZ is installed with Platform property mz.userserver.filebased = True, where Access Controller data is stored in files under $MZ_HOME directory, so it is important that the read/write permissions for $MZ_HOME are given only to authorized users or user groups.