CMDB Archive Tables ACLs

smfoister
Giga Expert

Good morning,

I'm attempting to clean up some CMDB tables and create a real CI lifecycle management process at my organization. I've created some CMDB archive rules for just "servers" and I was expecting to be able to create ACLs for the server team to generate historical reports on these tables.

I've created ACLs that I think should have worked, but the server team is still getting the error that access is restricted based on security policies.

I've created a read ACL record on ar_cmdb_ci_win_server and added the ITIL role.

I've created a report_on rule for the same table for the Server Admins group, ITIL role, and experimented with other roles and groups.

I've turned on security debugging and it appears that the rules evaluate properly, so I'm at a point where I'm out of my depth and I'm missing something. Any suggestions would be helpful.

1 ACCEPTED SOLUTION

So the official way of handling these turns out to be ACLs on the archived table. That's the table you are archiving. So if your users have READ to the table you are archiving, they will have the same permissions to the archive table.

The reason this wasn't working for me is that even though ITIL users have read permissions to cmdb_ci_win_users inherited from cmdb_ci, they did not have permissions to the archive table because archive tables don't inherit permissions. I had to add read for ITIL users straight to cmdb_ci_win_server, and it fixed my issue on ar_cmdb_ci_win_server.


6 REPLIES

I have done the same on my instance on Task tables (incident, change, problem etc.) and it works fine.

I checked my system and I guess there is 1 more component to it.

Find the OOB Read ACL *.none and add the below condition in there:

// Grant read on archive (ar_*) records to users holding the itil role
if (current.getRecordClassName().startsWith("ar_") && gs.hasRole('itil')) {
    answer = true;
}

-Anurag

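To make the two points in this thread concrete, here is an added illustration (not ServiceNow code and not from either poster): a simplified model in which normal table reads inherit ACLs up the CI class hierarchy, while an archive table "ar_<table>" only honours a read ACL placed directly on its source table; it also wraps Anurag's *.none condition as a function over mocked `current` and `gs` objects. The class hierarchy, the ACL map and the mock objects are assumptions constructed for the example.

```javascript
// Assumed class hierarchy (child -> parent), constructed for this example.
const parentOf = { cmdb_ci_win_server: "cmdb_ci", cmdb_ci: null };

// Normal table access: a read ACL on a parent class is inherited by children.
// acls maps table name -> roles granted READ directly on that table.
function canReadTable(table, roles, acls) {
  for (let t = table; t; t = parentOf[t]) {
    const granted = acls[t] || [];
    if (granted.some(r => roles.includes(r))) return true;
  }
  return false;
}

// Archive table access as the accepted answer describes it: only a read ACL
// on the exact source table counts; nothing is inherited from parent classes.
function canReadArchive(arTable, roles, acls) {
  if (!arTable.startsWith("ar_")) return false;
  const sourceTable = arTable.slice("ar_".length);
  const granted = acls[sourceTable] || [];
  return granted.some(r => roles.includes(r));
}

// Anurag's *.none condition, written as a function so it can be exercised
// against mocked objects instead of the real GlideRecord/GlideSystem.
function noneAclScript(current, gs) {
  let answer = false;
  if (current.getRecordClassName().startsWith("ar_") && gs.hasRole("itil")) {
    answer = true;
  }
  return answer;
}

// Minimal stand-ins for `current` and `gs` (assumptions, not the real API).
function mockCurrent(tableName) {
  return { getRecordClassName: () => tableName };
}
function mockGs(roles) {
  return { hasRole: role => roles.includes(role) };
}

// Before the fix: itil has READ only on cmdb_ci. Reading cmdb_ci_win_server
// works by inheritance, but ar_cmdb_ci_win_server is still denied.
const aclsBefore = { cmdb_ci: ["itil"] };
// After the fix: a read ACL is added directly on cmdb_ci_win_server.
const aclsAfter = { cmdb_ci: ["itil"], cmdb_ci_win_server: ["itil"] };
```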