Restricting who can create a relationship from one CI to another
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-20-2009 01:15 AM
Hi there,
I have restricted the roles that can write to the cmdb-rel_ci table (the one that holds relationships) and removed the new and edit buttons on the related list. But when I switch to a user that does not have the role that permits it, the buttons have indeed disappeared from the related list BUT if I use the + button on Related Items I can (as this unprivileged user) select a CI and relate it.
I cannot see where I can control this - I am sure I am being stupid here and missing something obvious but can someone please point me at where I can prevent the use of the + button except for certain roles.
thanks in advance, Ruth
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-20-2009 09:42 AM
You would need to restrict the create on relationship table since adding a relationships adds a new record when you remove the relationship it deletes the record.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-25-2009 01:22 AM
Thanks for this - in fact more was needed. You need to put an access control on the cmdb_ci table for the operation edit_ci_relations. there is a known issue that means if this does not work, create a new operation called editCIRelations and set up an access control for that as well.
I have done both of these and now it works fine
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-25-2009 09:09 AM
So long as both edit_ci_relations and editCIRelations are both covered, it should be fine. Stable 3 fixes this issue, and automatically arranges your system properly.
