Allow all Configuration Items for a role

Henrik Jutterst
Tera Guru

What is the best way to allow access to all classes/types under Configuration Items so that they are visible both as a module (if there is one) and in the list view? I want everyone with the role asset to have access to these objects for viewing.

  1. Is there a way to do this from base table Configuration Items [cmdb_ci] to all the tables that extend from it?
  2. Also, I want to add a role for creating and updating only certain classes extended from the Hardware class. Is there any good article that handles this relating to CMDB?

1 ACCEPTED SOLUTION

Chuck Tomasi
Tera Patron

Hi Henrik,

The security is hierarchical and contextual, so it is very flexible. The downside is that it is a bit complex to manage.

For #1, yes, create a role, and then create an ACL that grants read access to anyone with that role. If you grant read access on cmdb_ci for that user, it is inherited by the child classes. You can see an example of this on task. Per best practices, create a group and assign the role to that group, then as you add/remove people from the group, they automatically have the role granted/removed. This is preferred over granting access to individual users.

For #2, it is a similar approach. Grant your create and write operation ACLs on cmdb_ci_hardware and it is inherited by child classes for those with that role.

Docs: Access control rules

Docs: Contextual security

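The inheritance described in the accepted answer, as an added example that is not part of the original thread and is not ServiceNow's API: a simplified JavaScript model that audits which CMDB classes a set of roles can read, create or write when table ACLs sit on `cmdb_ci` and `cmdb_ci_hardware`. The class subset, the `hw_editor` role name and the helper functions are assumptions made for the illustration.

```javascript
// Simplified model of table-ACL inheritance; it covers only parent-to-child
// inheritance, not ACLs defined directly on a child class or field-level rules.
// Constructed sample: child table -> parent table (subset of the CMDB hierarchy).
const PARENT = {
  cmdb_ci_hardware: 'cmdb_ci',
  cmdb_ci_computer: 'cmdb_ci_hardware',
  cmdb_ci_server: 'cmdb_ci_computer',
  cmdb_ci_netgear: 'cmdb_ci_hardware',
  cmdb_ci_service: 'cmdb_ci',
};

// Table-level ACLs: read for 'asset' on the base class (#1),
// create/write for the hypothetical 'hw_editor' role on Hardware (#2).
const ACLS = [
  { table: 'cmdb_ci', operation: 'read', role: 'asset' },
  { table: 'cmdb_ci_hardware', operation: 'create', role: 'hw_editor' },
  { table: 'cmdb_ci_hardware', operation: 'write', role: 'hw_editor' },
];

// The table itself followed by each ancestor up to the base class.
function lineage(table) {
  const chain = [];
  for (let t = table; t; t = PARENT[t]) chain.push(t);
  return chain;
}

// Name of the table whose ACL grants the operation to one of the roles, or null.
function grantedBy(roles, operation, table, acls = ACLS) {
  for (const t of lineage(table)) {
    const hit = acls.find(
      (a) => a.table === t && a.operation === operation && roles.includes(a.role)
    );
    if (hit) return hit.table;
  }
  return null;
}

// Audit matrix: for every class, the operations the given roles end up with.
function audit(roles, acls = ACLS) {
  const tables = ['cmdb_ci', ...Object.keys(PARENT)];
  const ops = ['read', 'create', 'write'];
  return Object.fromEntries(
    tables.map((t) => [t, ops.filter((op) => grantedBy(roles, op, t, acls))])
  );
}

console.log(audit(['asset']));     // read on every class, nothing else
console.log(audit(['hw_editor'])); // create/write only under cmdb_ci_hardware
```

Running the audit per role before assigning it to a group shows whether a grant placed on a parent class reaches further down the hierarchy than intended.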

5 REPLIES

No. ACLs control access to records and fields. You need to modify the individual application menus and modules to recognize that role as well.