
06-06-2019 08:07 AM
Good morning,
I'm attempting to clean up some CMDB tables and create a real CI lifecycle management process at my organization. I've created some CMDB archive rules for just "servers" and I was expecting to be able to create ACLs for the server team to generate historical reports on these tables.
I've created ACLs that I think should have worked, but the server team is still getting the error that access is restricted based on security policies.
I've created a read ACL record on ar_cmdb_ci_win_server and added the ITIL role.
I've created a report_on rule for the same table for the Server Admins group, ITIL role, and experimented with other roles and groups.
I've turned on security debugging and it appears that the rules evaluate properly, so I'm at a point where I'm out of my depth and I'm missing something. Any suggestions would be helpful.

06-11-2019 05:19 AM
So the official way of handling these turns out to be ACLs on the archived table. That's the table you are archiving. So if your users have READ to the table you are archiving they will have the same permissions to the archive table.
The reason this wasn't working for me is because even though ITIL users have read permissions to cmdb_ci_win_users inherited from cmdb_ci they did not have permissions to the archive table because archive tables don't inherit permissions. I had to add read for ITIL users straight to cmdb_ci_win_server and it fixed my issue on ar_cmdb_ci_win_server.
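The behaviour described in the accepted answer, as an added example that is not part of the original thread and is not ServiceNow code: a small JavaScript model that flags archived tables whose live read access comes only from a parent-table ACL. The table hierarchy, the ACL records and the function names are constructed assumptions; only the `ar_` prefix and the table names come from the posts.

```javascript
// Added example: a simplified model, not ServiceNow code and not the platform's ACL engine.
// Assumption (taken from the accepted answer): access to ar_<table> follows read ACLs
// defined directly on <table>; ACLs inherited from a parent table do not carry over.

// Constructed, abbreviated hierarchy (child -> parent).
const PARENT = { cmdb_ci_win_server: 'cmdb_ci_server', cmdb_ci_server: 'cmdb_ci' };

// Walk from a table up to its root: [table, parent, grandparent, ...].
function lineage(table) {
  const chain = [];
  for (let t = table; t; t = PARENT[t]) chain.push(t);
  return chain;
}

// Where does `role` get `operation` on `table`? Returns 'direct', 'inherited' or 'none'.
function aclSource(acls, table, role, operation = 'read') {
  const owner = lineage(table).find(t =>
    acls.some(a => a.table === t && a.operation === operation && a.roles.includes(role)));
  if (!owner) return 'none';
  return owner === table ? 'direct' : 'inherited';
}

// Flag archived tables whose live read access depends on an inherited ACL only.
function auditArchiveAccess(acls, archivedTables, role) {
  return archivedTables
    .map(table => ({ table, archive: 'ar_' + table, live: aclSource(acls, table, role) }))
    .filter(r => r.live === 'inherited')
    .map(r => ({ ...r, fix: `add a read ACL for ${role} directly on ${r.table}` }));
}

// Constructed sample ACLs: itil can read cmdb_ci only, as in the original problem.
const before = [{ table: 'cmdb_ci', operation: 'read', roles: ['itil'] }];
// The same set after adding the direct read ACL described in the accepted answer.
const after = before.concat({ table: 'cmdb_ci_win_server', operation: 'read', roles: ['itil'] });

console.log(auditArchiveAccess(before, ['cmdb_ci_win_server'], 'itil'));
console.log(auditArchiveAccess(after, ['cmdb_ci_win_server'], 'itil'));
```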
06-06-2019 08:12 AM
Hi,
Along with the report on ACL, create another 'read' one on the same archived table with the same conditions (roles = ITIL in your case) and you should be good then.
So in all, 2 ACLs should be there, one 'read' and one 'report on'.
-Anurag

06-06-2019 08:29 AM
06-06-2019 08:31 AM
This should be enough. I have implemented the same in the past and it works fine. (I'm assuming these both allow itil to view the records.)

06-06-2019 09:52 AM
Yes, they are both allowing ITIL. I've tried with several other roles as well.