08-06-2018 06:03 AM
We want to stop ordinary users from managing CI relationships. Can we hide the + button? Depending on role?

08-06-2018 05:29 PM
Looks like that button is tied to the row-level 'Write' security ACL for the actual CI record. In order to remove that button, you need to set up (or edit) a 'write' ACL with the correct roles. In my out-of-box instance, I just had to remove the 'itil' role from the 'write' ACL on the 'cmdb_ci' table.
While that removes the relationship button, it's less-than-optimal that it also disallows writing to the entire CI record. You could also do the following...
1) Adjust the 'Create' ACL on the 'cmdb_rel_ci' (CI Relationship) table so that it requires specific roles. If they can't create records on this table, it won't matter if they can see the plus icon...other than it's a bad user experience because they see the icon and believe they can.
2) If you still want to remove that button and retain access for restricted users to actually edit the CI record, you could set up an 'onLoad' client script on the 'cmdb_ci' table with the 'Inherited' checkbox checked (so that it applies to the entire CMDB). That client script would need to include code like this...
// Hide the 'Add' icon on the relationship editor unless the user has the 'asset' role
if (!g_user.hasRole('asset')) {
    $('add_relationship').hide();
}
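
As an added example (not part of the original reply and not ServiceNow's own code), here is the client script from option 2 generalized to a list of allowed roles, with a check that the icon element was actually found. `ALLOWED_ROLES`, `hasAnyRole` and `applyRelationshipIconPolicy` are hypothetical names; the script only hides the icon, and the 'Create' ACL on 'cmdb_rel_ci' from option 1 remains the actual control.

```javascript
// Added example. ALLOWED_ROLES and the helper names are hypothetical.
// Hiding the icon is cosmetic only: the 'Create' ACL on cmdb_rel_ci is what
// actually stops a user from creating relationship records.
var ALLOWED_ROLES = ['asset']; // roles allowed to see the '+' icon (constructed list)

// True when the user holds at least one of the listed roles.
function hasAnyRole(user, roles) {
    for (var i = 0; i < roles.length; i++) {
        if (user.hasRole(roles[i])) {
            return true;
        }
    }
    return false;
}

// Hide the 'add_relationship' element unless the user holds an allowed role.
// 'lookup' is the element finder ($ on the form). The return value says what
// was done, so the outcome can be checked while debugging.
function applyRelationshipIconPolicy(user, roles, lookup) {
    if (hasAnyRole(user, roles)) {
        return 'visible';
    }
    var icon = (typeof lookup === 'function') ? lookup('add_relationship') : null;
    if (!icon) {
        // Nothing was hidden: the element is absent or no finder is available.
        return 'element-not-found';
    }
    icon.hide();
    return 'hidden';
}

// Client script entry point: type 'onLoad', table 'cmdb_ci', 'Inherited' checked.
function onLoad() {
    var finder = (typeof $ === 'function') ? $ : null;
    var result = applyRelationshipIconPolicy(g_user, ALLOWED_ROLES, finder);
    if (result === 'element-not-found') {
        console.warn('add_relationship icon not found; nothing was hidden');
    }
}
```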

08-08-2018 02:42 AM
Wonderful! Thanks for that. I'd got as far as putting ACLs on cmdb_rel_ci which isn't a good solution.
The client script does it. Thank you!
03-25-2019 10:53 AM
I have written the client script below to hide the "+" icon in the cmdb_ci_service table. When I impersonate and check, I'm able to see "+" on the user having no roles.
function onLoad() {
    //Type appropriate comment here, and begin script below
    if (!g_user.hasRole('ecmdb_admin')||!g_user.hasRole('u_cmdb_sr')) {
        $('add_relationship').hide();
    }
}
09-10-2019 12:43 AM
Hi Mark,
I am also having the same issue. Have you got any insight on what could be causing this? Is there anything specific or additional required for this to work?
Thanks