Can you help us with this?
We has implemented CA SDM 14.1 Cum 4 with CA CMDB Visualizer PHOENIX.0003 on Windows SVR 2012 R2
When a new user logs in the Visualizer, he can see ALL the CIs and his relationships.
The new user has predefined the Employee role, with the Employee access type and his respective restrictions in the Employee Partition, but the restriction of the partition and the access function of the role employee has been modified. All this happens only in prod env.
Action that we taked:
All this happen only in prod. env. so we replicated the same modifications in dev. env. to know if these modification are the cause of the problem, but after making this the problem was not replicated.
I want to know if exist another way to modify the exploration of the CIs in the CMDB, i understand that the only way to limit the exploration is by permissions attached to the role, partition and access type.
Visualizer is obtaining the information from Service Desk via web service calls, and the information it is able to gather should be based on the web services Role associated to the user's Access Type. Can you confirm if this Role has the "Licensed" option checked or not? By default the "Employee" Role is unlicensed, so should only be able to see things directly associated to themselves, they shouldn't be able to see anything else.
I'd also like to see if you can provide some information as to why Employee users are given access to Visualizer? Typically Visualizer should only be viewed by a Change or Asset Management team, and allows them to track the relationships between CIs, and also how changing a CI will effect other CIs in the environment. I don't see the use case where an Employee user would need access to this information.
Hi alexander, i`ve checked that the acces type "employee" has the lincensed checked (in prod env.) this can be the cause of the problem?
Regarding to your question, we are supporting the platform that has implemented in a group of providers, we are only one of the group, the configuration was maked for another person, we neither see the use cas where an employe need full access to the CI's
Yes, having "licensed" checked would allow the user to see everything in the environment. You'll need to find another method of restricting the CIs from view (maybe a data partition constraint).
My personal recommendation is that Visualizer access should not be given to a regular "Employee" users.
With that check in licensed checkbox i was able to replicate the issue in dev. env. as a way to demonstrate the cause of the issue.
I take your recommendation, and i thank your for your quick response.