DX NetOps

Tuesday Tip: Limiting user access to a specific Global Collection

    Posted Apr 09, 2012 01:42 PM

    CA Spectrum Tuesday Tip by Joe Ackley, Support Engineer

    Description:

    The following is a practical application for limiting a user to viewing a specific Global Collection in Spectrum OneClick.

    Scenario:

    You have modeled your Spectrum database and created Global Collections to represent different sets of models. You wish to limit a user's access to a single Global Collection and the models contained within it.

    Solution:

    To accomplish this, you will need to configure a Security String on the Global Collection, assign a matching Security Community to the User Group, and modify the Privileges of the User Group.

    A Security String establishes permissions on modeled elements in a OneClick topology view, such as a modeled device. Some things to note about Security Strings:

    Please refer to the “Modeling and Managing Your IT Infrastructure Administrator Guide” for more information regarding Security Strings.

    Security Communities limit user access to specific sets of models and views that share the same Security String. Some things to note about Security Communities:

    o Only users with membership in a Security Community that matches the Security String on a model can access the model
    o You can assign Security Communities to an individual User or to a User Group
    o All Users in a User Group inherit the privileges of the Security Communities assigned to the Group
    o ADMIN is the default Security Community. Users assigned the ADMIN Security Community override model security regardless of the Security String configured on the model

    One point deserves emphasis: regardless of the Security Communities assigned to a user, if a model is not configured with a Security String, the user has whatever access to that model the Roles assigned to the user permit. Security Communities only restrict models that carry a Security String; a model that was never given one is not hidden by this mechanism.

    A Privilege is a specific access to a model or functionality in Spectrum. For example, a user may have access to a model but may not have the Privilege to put that model into Maintenance Mode.

    Please refer to the “Administration Guide” for more information on Security Communities and Privileges.
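    The access rules above can be hard to reason about when a user holds several communities and some models carry no Security String. The following is an added example written for this page, not Spectrum's own code or API: it models the three rules in plain Python (ADMIN override, community-to-string match, and the role-based fallback for models with no Security String) and includes a small audit helper that lists the models the community restriction does not cover. The User and Model classes, the inventory, and the assumption that any Operator* role grants view access are constructed for the example.

```python
"""Added example: the OneClick access rules described in this tip, modeled in
Python. Illustrative code written for this page, not Spectrum's implementation.
All names and the sample inventory below are constructed assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ADMIN_COMMUNITY = "ADMIN"  # default community; overrides model security


@dataclass(frozen=True)
class User:
    name: str
    communities: FrozenSet[str]  # Security Communities (inherited from the User Group)
    roles: FrozenSet[str]        # Roles assigned to the User or User Group


@dataclass(frozen=True)
class Model:
    name: str
    security_string: Optional[str] = None  # None means no Security String is set


def can_access(user: User, model: Model) -> bool:
    """Return True if the user can see the model, following the tip's rules.

    1. Membership in ADMIN overrides model security, whatever the string.
    2. A model with a Security String is visible only to users whose
       communities contain that exact string.
    3. A model with NO Security String falls back to role-based access.
       Assumption for this example: any Operator* role grants view access.
    """
    if ADMIN_COMMUNITY in user.communities:
        return True
    if model.security_string is not None:
        return model.security_string in user.communities
    return any(role.startswith("Operator") for role in user.roles)


def visible_models(user: User, models: List[Model]) -> List[str]:
    """Names of the models the user can see, in inventory order."""
    return [m.name for m in models if can_access(user, m)]


def unprotected_models(models: List[Model]) -> List[str]:
    """Audit helper: models that carry no Security String and therefore
    remain visible to every user whose Roles permit viewing them."""
    return [m.name for m in models if m.security_string is None]


# Constructed inventory mirroring the scenario: a Region A collection and
# its devices tagged REGIONA, a Region B device tagged REGIONB, and one
# device that was never given a Security String.
INVENTORY = [
    Model("Region A Devices", "REGIONA"),
    Model("rtr-a1", "REGIONA"),
    Model("sw-a2", "REGIONA"),
    Model("rtr-b1", "REGIONB"),
    Model("core-fw1"),  # no Security String configured
]

USER_A = User("UserA", frozenset({"REGIONA"}), frozenset({"OperatorRO"}))
ADMIN = User("spectrum", frozenset({"ADMIN"}), frozenset({"AdministratorRW"}))

if __name__ == "__main__":
    print("UserA sees:", visible_models(USER_A, INVENTORY))
    print("admin sees:", visible_models(ADMIN, INVENTORY))
    print("unprotected:", unprotected_models(INVENTORY))
```

    Running the example shows UserA seeing the Region A collection and its devices, but also core-fw1, because that model has no Security String and UserA's OperatorRO role permits viewing it. That is the case the audit helper is there to catch: after tagging a Global Collection, check that every model you intend to hide actually carries a Security String.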

    Implement the solution against our scenario:

    The first step is to configure a Security String on the Global Collection. This can be done when the Global Collection is created, by filling in the Security String field, or afterwards by filling in the Security String field in the General Information subview of the Information tab of the Global Collection.

    For this scenario, we have created a Global Collection called “Region A Devices” that contains all of the device models within Region A. When we created the Global Collection, we configured a Security String of “REGIONA”. Please see Figure 1 below.

    The next step is to create the User Group, assign it the Security Community “REGIONA”, and modify its Privileges so that its users only have access to the “Region A Devices” Global Collection.

    For our scenario, we will do the following to accomplish this:


    Create the User Group
    o Click on the Users tab in the Navigation panel
    o Click on the Create User Group icon
    o Give the new Group a name
    o Give the User Group an Operator license


    After the Group has been created, remove the default ADMIN Security Community and add the REGIONA Security Community
    o Click on the Users tab in the Navigation panel
    o Find and select the Region A User Group
    o Click on the Access tab in the Contents panel
    o Highlight the ADMIN Security Community and click on the Remove button
    o Click on the New button
    o Create the REGIONA Security Community and add it to the Region A User Group


    After adding the REGIONA Security Community, we need to modify the Privileges so the user only has access to the “Region A Devices” Global Collection
    o Click on the Users tab in the Navigation panel
    o Find and select the Region A User Group
    o Click on the Access tab in the Contents panel
    o Select the REGIONA Security Community
    o Click on the Roles tab in the Component Detail panel
    o Click on the Add/Remove button
    o Add the OperatorRO Role to the Exists in/Create in column, then click on the OK button. OperatorRO should now show a checked box in the “Member Of” column
    o Click on the OperatorRO entry
    o Click on the Privileges tab
    o Click on the Add/Remove button
    o Expand the Explorer Views folder, uncheck the following, then click on the OK button (see Figure 2 below):

    TopOrg Hierarchy

    Universe Hierarchy

    World Hierarchy



    Create the User models
    o Click on the Users tab in the Navigation panel
    o Find and select the Region A User Group
    o Click on the Create User icon
    o Enter the user name in the Name field
    o Enter the user password in the Web Password and Confirm Web Password fields
    o Click on the OK button

    Best practice is to create the User Group first, configure the Security Communities, License, Landscapes, and Roles on the User Group, and only then create the User models within the User Group. That way, each User model inherits the configuration of the User Group model. See Figure 3 below for the results of creating the User Group and User and modifying the Privileges for our scenario.

    Based on the work done in our scenario, when Spectrum UserA logs into the OneClick console, they will have access to the Region A Devices Global Collection but will not have access to the TopOrg, Universe or World hierarchies. Please see Figure 4 below.

    You will notice in Figure 4 that the user does still have access to the following:

    o eHealth Manager
    o Policy Manager
    o Service Performance Manager
    o Service Manager
    o Multicast Manager

    The functionality listed above is also controlled by Privileges and can be removed by following the same steps used to remove the TopOrg, Universe and World Hierarchy Privileges from the User Group.