Automation Analytics & Intelligence (AAI)

  • 1.  AAI 24.4 with EEM Authentication and Group Restrictions

    Posted 13 days ago

    Hello Community,

    I am trying my luck at restricting some Active Directory Groups so that they can only see specific Business Areas and the Jobstreams
    which are in those Business Areas.

    Login via EEM is ok and if I deny access to an AD Group for all Resources, this works too.

    But I wasn't successful in explicitly granting access to an AD Group so that they can only view specific Business Areas.

    The document states that it is enough to configure the Business Area and JobstreamV2 policies with the specific Groups and Rights for the Resources,
    but that doesn't work.

    My Business Areas look like:

    -- All Jobstreams
         -- Money
         -- Utilities

    and some Jobstreams are mapped to those Business Areas

       -- Money -> gold_digging -> ( gd_job1, gd_job2, etc... )
       -- Utilities -> make_funny_things -> ( mft_job1, mft_job2, etc... ) 

    In those policies I have also added the Resource to the AD Group, like:

    Money/*
    Money

    But without success!

    What is your way to restrict Groups so that they can only see specific Business Areas and their Jobstreams?
    Should we delete JawsUser Rights from default Policies?

    Thank you
    Robert



  • 2.  RE: AAI 24.4 with EEM Authentication and Group Restrictions

    Broadcom Employee
    Posted 11 days ago

    Hi Robert,

    In order to manage user/group access to Business Areas you can create Business Area policies in the way that you describe.

    In your example, creating a BusinessArea policy as follows will allow members of ADGroup1 to perform any of the permitted actions on the Money business area (and any child business area within it). This will also permit members of ADGroup1 to view any Jobstreams within the Money business area (and any child business area within it).

    Resources:
    Money
    Money/*  

    Identities:
    ADGroup1

    Actions:
    view
    create
    edit
    delete

    The JobstreamV2 policy is used to manage the level of access members of ADGroup1 have on the jobstreams within the Business Areas they are permitted to access. Adding ADGroup1 to the default JobstreamV2 policy and assigning the relevant actions (view, create, edit, delete) will suffice here. The support for creating Jobstream policies using jobstream names/strings/regex as the Resource is yet to be added.

    If you go through the above and are still facing some issues, try using EEM's internal Permission Check to determine if the user's group/dynamic group is causing the access issue. You might find that your user is also added to the JawsUser group, and that might be blocking the access. Alternatively, you may have another policy causing a conflict.

    If all else fails, please raise a Support Case via broadcom.com/support and our engineers will be happy to help you troubleshoot and get this resolved.

    Have a nice weekend!

    Many thanks and kind regards,
    Jon
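
Added example, not part of either post and not Broadcom or EEM code: a small Python model of the Business Area policy from the reply, used to see which policy decides each access check when a user belongs to more than one group. It assumes glob-style resource matching and that an explicit deny overrides a grant; the JawsUser and ADGroup2 policies, the policy names and the Money/Gold child area are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policies modelled on the thread; not an EEM export.
# The JawsUser and ADGroup2 entries are assumptions made for illustration.
POLICIES = [
    {"name": "BusinessArea-default", "effect": "grant", "identities": {"JawsUser"},
     "resources": ["*"], "actions": {"view"}},
    {"name": "BusinessArea-Money", "effect": "grant", "identities": {"ADGroup1"},
     "resources": ["Money", "Money/*"], "actions": {"view", "create", "edit", "delete"}},
    {"name": "BusinessArea-deny-all", "effect": "deny", "identities": {"ADGroup2"},
     "resources": ["*"], "actions": {"view", "create", "edit", "delete"}},
]
AREAS = ["Money", "Money/Gold", "Utilities"]  # "Money/Gold" is a hypothetical child area


def applies(policy, groups, resource, action):
    """True when the policy names one of the groups, the action and the resource."""
    return (bool(policy["identities"] & groups)
            and action in policy["actions"]
            and any(fnmatchcase(resource, pat) for pat in policy["resources"]))


def check(groups, resource, action, policies=POLICIES):
    """Return (allowed, deciding policy names) under the assumed model:
    explicit deny overrides grant; no matching policy means no access."""
    hits = [p for p in policies if applies(p, groups, resource, action)]
    denies = [p["name"] for p in hits if p["effect"] == "deny"]
    if denies:
        return False, denies
    grants = [p["name"] for p in hits if p["effect"] == "grant"]
    return bool(grants), grants


def audit(groups, intended, action="view", areas=AREAS):
    """List (area, allowed, policies) where the result differs from the intent."""
    findings = []
    for area in areas:
        allowed, names = check(set(groups), area, action)
        if allowed != (area in intended):
            findings.append((area, allowed, names))
    return findings


if __name__ == "__main__":
    intended = {"Money", "Money/Gold"}
    for groups in ({"ADGroup1"}, {"ADGroup1", "JawsUser"}, {"ADGroup1", "ADGroup2"}):
        print(sorted(groups), audit(groups, intended))
```

In this model the resource `Money/*` alone does not match the area `Money` itself, which is why the policy in the reply lists both entries.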