Filtering on principal class

KB15 · ‎02-09-2021

I'm trying to figure out what rights are needed for a non-admin to display principal classes.

From the CI table, there's a filter for principal classes. Would anyone know off hand what table/field access is required for a non-admin to show these records? Would it be a CMDB related role?

GV Saranesh Kum · ‎03-05-2021

Create a Read ACL on the class cmdb_class_info to the desired roles as per your requirement, that should solve the issue.

OOB, there are no ACL's on cmdb_class_info, because of which it is stoppind non-admin users from accessing the records.

Please mark as correct Answer, if it resolves your issue.

Regards

Saranesh

View solution in original post

Brad Bowman · ‎02-09-2021

Your question implies that in your instance an admin can display principal classes. To do that you first must have the supporting data, or else nothing will be displayed to anyone, so let's start there just to make sure. In the left nav type cmdb_class_info.list to display all of the CMDB Class Information records. There is a column on this table named principal_class that needs to be checked on a record for that Class to be considered a Principal Class, so CIs in that class will show up in the Principal Class filter. Once you're sure you have at least one record with a CI class that's used in your instance which has the Principal Class box checked, run the filter on the CI table as an admin and confirm that you can see the expected CIs. Once you've made it this far (sorry for starting from the beginning if you already were this far when you asked the question), there really shouldn't be an ACL or anything in place to prevent a non-admin from seeing the same results.

The filter calls a script include named PrincipalClass, and the function inside of there named getPrincipalClasses, which really just calls another function named getClasses with a flag to be used in the query. All that is to say the filter is really just calling a script that runs a query on the cmdb_class_info table to return all of the records where the principal_class field is checked/true, then pushes the class names into an array. In short the filter is really just saying "show me all of the CI records who have a class that is one of the principal classes". So if you have cmdb_ci_computer and cmdb_ci_server flagged as principal classes, the filter will show you all of the computers and servers. If a user can view the records in a list view without the filter, or in the example above manually applying a filter that says Class is Computer or Class is Server, then applying this filter can't shouldn't prevent them from seeing the same results.

KB15 · ‎02-19-2021

The weird issue is that the user appears to have the correct roles to view the cmdb_ci table but no matter what I try, the filter does not show the principle class devices.

It works if they're admin. I can only think that something was customized on our side or there's a role missing.

Brad Bowman · ‎02-19-2021

Sounds like an ACL, but you should see a message something about 'Security constraints' rather than just 0 records. So this user without admin can view the unfiltered Configuration Items table and see the same number of records as an admin? Can they manually filter on Class is <<one of the classes you have denoted as Principal>> and see any records?

KB15 · ‎02-19-2021

Yes, there are no warnings that there are restricted records.

The test setup is that we have a class of "IP Firewall" set as a "Principal Class" via CI Class Manager.

I go in and impersonate the user and use the preset class filter however nothing appears for him. I can manually select the class as "IP Firewall" and the records appear. So it doesn't appear to be a record visibility issue.

I see it fine as an admin via the filter. Would there be any fields to check or ACLs that could possibly prevent visibility from the filter?

I can see that there's a restriction of the cmdb_class_info table based on debug information but this ACL covers all tables without the admin role, I believe.