Enable granular user access using authorization attributes
Authorization attributes give you more granular control over the access that a single user or a user group has to inventory objects. When you enable access to object categories such as backup servers, switches, and ports in the inventory, you can restrict that access to only specific servers, switches, or ports nested within those categories. The inventory view for a user or a user group can therefore range from access to an entire object category to access to only a specific set of entities nested under specific objects.
The basic requirements that enable the use of authorization attributes are as follows:
- The portal.supportAuthzAttributes attribute must be set to true. This step is essential to enable all the menus and UI elements related to authorization attributes on the portal UI.
- Authorization attributes must be already created on the IT Analytics Portal. See Add attributes.
- Assign authorization attributes to the portal users or user groups.
As a prerequisite, you must set portal.supportAuthzAttributes to True.
To set the attribute value:
- On the IT Analytics Portal, go to Admin tab > Advanced > System Configuration and click the Custom Parameters tab.
- Select portal.supportAuthzAttributes and click Edit.
- Set its value to True and save the attribute.
This configuration is essential to enable the tab from which admin users can assign the authorization parameters to users or user groups.
This procedure assigns the authorization attributes to the users. This equips the users with a more granular control over the objects.
Note:
Ensure your objects are already assigned with the attributes that you plan to associate with the users in this procedure.
To assign authorization attributes to users:
- On the IT Analytics Portal, go to Admin tab > Users > Users and Privileges.
- Select a user from the user list and click the Authorization Attributes tab.
- On the Authorization Attributes window, specify the attribute values based on the descriptions below.
  - All Values: Select to allow the user to see all the data objects that are assigned any value of the attribute.
    For example, if an attribute Fruit has values Apple, Banana, and Orange, the user can see the data objects assigned any of these values.
  - Unassigned Values: Select to allow the user to see all the data objects without any assigned attributes or values.
  - Values: Enter specific attribute values separated by commas. The user can view only those data objects assigned with the specified values. If your entries fail to match the attribute values, you will see an error while saving the changes.
- Click OK to save the changes.
After you assign the authorization attributes, the user is able to view the objects in the Inventory view after logging on to the IT Analytics Portal. Ask the user to restart the portal if the user had already logged on to the portal before you made the changes.
Note:
You can follow the same procedure mentioned above to assign authorization attributes to user groups.
Note:
A user is authorized for the attributes if either the user's individual access permissions or a group access permission grants them.
The following use case shows how selecting the All Values and Unassigned Values checkboxes affects which objects a user can see.
For example, consider two authorization attributes, Customer and Site, with the values specified below.
Table: Authorization attributes
| Authorization attribute name | Values |
|---|---|
| Customer | Coke, Pepsi |
| Site | SFO, NY |
The inventory ports on the IT Analytics Portal are assigned the attributes and their values as below.
Table: Attribute assignment
| Port Name | Customer attribute value assigned | Site attribute value assigned |
|---|---|---|
| Port1 | Pepsi | |
| Port2 | | SFO |
| Port3 | Pepsi | SFO |
| Port4 | Coke | |
| Port5 | Coke | NY |
| Port6 | | NY |
| Port7 | | |
The table below shows which ports are visible to users who are assigned the Customer and Site attributes, depending on the selection of the All Values and Unassigned Values checkboxes.
Table: Port (object) visibility for users assigned with authorization attribute
| User | Customer: All Values | Customer: All Unassigned | Customer: Values | Site: All Values | Site: All Unassigned | Site: Values | Visible Ports |
|---|---|---|---|---|---|---|---|
| User A | Yes | | | Yes | | | Ports 3 and 5 |
| User B | Yes | Yes | | Yes | Yes | | All ports |
| User C | | Yes | | | Yes | | Port 7 |
| User D | | | Pepsi | | | SFO | Port 3 |
| User E | | | Pepsi | Yes | | | Port 3 |
| User F | | | Pepsi | | | | None |
| User G | | | Pepsi | | Yes | | Port 1 |
| User H | | | Pepsi | | | NY | None |
| User I | | | Coke | | | NY | Port 5 |
Similar behavior is observed if you assign authorization attributes and their values to user groups instead of individual users.
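The Visible Ports column above is consistent with one rule: a port is visible only when the user's selection for every attribute admits the port's value for that attribute, so an attribute with nothing selected (User F's Site) hides every port. The following Python model is an added example, not code from the product; the rule is inferred from the tables, and `Selection`, `pick` and `visible_ports` are hypothetical names.

```python
# Added example: rule inferred from the page's tables, not product code.
from dataclasses import dataclass

ATTRIBUTES = ("Customer", "Site")
PORTS = {  # attribute assignment table; a missing key means no value assigned
    "Port1": {"Customer": "Pepsi"},
    "Port2": {"Site": "SFO"},
    "Port3": {"Customer": "Pepsi", "Site": "SFO"},
    "Port4": {"Customer": "Coke"},
    "Port5": {"Customer": "Coke", "Site": "NY"},
    "Port6": {"Site": "NY"},
    "Port7": {},
}

@dataclass(frozen=True)
class Selection:
    """One user's settings for one attribute (hypothetical name)."""
    all_values: bool = False
    unassigned: bool = False
    values: frozenset = frozenset()

    def permits(self, assigned):
        if assigned is None:  # the object carries no value for this attribute
            return self.unassigned
        return self.all_values or assigned in self.values

def pick(*values):
    return Selection(values=frozenset(values))

def visible_ports(user):
    """Visible only if every attribute's selection permits the port (logical AND)."""
    return [name for name, attrs in PORTS.items()
            if all(user.get(a, Selection()).permits(attrs.get(a)) for a in ATTRIBUTES)]

EVERY, UNSET = Selection(all_values=True), Selection(unassigned=True)
USERS = {  # rows of the visibility table
    "A": {"Customer": EVERY, "Site": EVERY},
    "B": {"Customer": Selection(True, True), "Site": Selection(True, True)},
    "C": {"Customer": UNSET, "Site": UNSET},
    "D": {"Customer": pick("Pepsi"), "Site": pick("SFO")},
    "E": {"Customer": pick("Pepsi"), "Site": EVERY},
    "F": {"Customer": pick("Pepsi")},  # nothing selected for Site
    "G": {"Customer": pick("Pepsi"), "Site": UNSET},
    "H": {"Customer": pick("Pepsi"), "Site": pick("NY")},
    "I": {"Customer": pick("Coke"), "Site": pick("NY")},
}

if __name__ == "__main__":
    print({name: visible_ports(s) for name, s in USERS.items()})
```

Running the model before changing a user's selections shows which objects the change would expose, which helps when reviewing assignments for least privilege.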