...
Base access
All objects:
User sees all objects without any restriction beyond those of their role.
No objects:
User does not see any objects except those of which they are the owner.
All objects with tag exceptions:
User sees all objects except those tagged with a tag listed in the exceptions of this policy.
No objects with tag exceptions:
User sees no objects except those tagged with a tag listed in the exceptions of this policy.
After a new access policy is created, tags can be added to policies that support tag exceptions by entering edit mode and moving tags from the “Available tags” table to “Tag exceptions”.
A specific policy is assigned to an account either during account creation or by selecting the account and pressing the “Manage permissions” button, which opens a window where the user role and the access policy can be changed.
Affected features
...
Ownership influences the accessibility of objects because it has higher priority than access policies. That means that even if the access policy is set to ‘No objects’, the user can still see the objects of which they are the owner. For more information please check Object Ownership
...
Objects for which only direct access (via ownership or via the assigned access policy) is needed. Such objects are either visible or invisible to the user.
Here belong:
Backups
Devices *
Sensitive data stripping
Tags
* (information about the zone is hidden and the field is read-only when the user does not have access to that zone)
Objects that are accessed by a combination of direct access and access to their child objects. Such objects may be visible, invisible, or visible only in read-only mode (or with limited "write" actions) when access to all child objects is not granted.
Here belong:
Backup filters
Backup flows
MCP presets
Network scan presets
NMS sync presets
Per tag connectors
Zones
...
We want user 'Bob' to have access only to the WiFi APs in Unimus.
For example, when Bob does a Config search for 'password', he should see results only in the configs of the APs.
...
After the tag is created, we create a new policy with base access ‘No objects with tag exceptions’ in the “User management > Object access policies” screen.
Once the policy exists, we add the ‘AP’ tag to its exceptions via “Edit”, by moving the tag from ‘Available tags’ to ‘Tag exceptions’.
...
Here are some more examples to better understand how ownership and access policies can affect the visibility and accessibility of objects.
- User is the owner of a zone which is tagged with Tag1. The user's account is set with an ‘All objects with tag exceptions’ policy in which Tag1 is included.
- Result: User can see the zone in read-only mode because they do not have access to all devices under that zone. The user is still able to add new devices into the zone.
- User has access to all devices of type ‘HP 1920 switches’, and only some devices of type ‘HP 1950 switches’ (achievable via access policies or device ownership), and wants to create a new Backup filter for both device types.
- Result: User can create a backup filter for ‘HP 1920 switches’, but ‘HP 1950 switches’ is not even available in the list of device types because the user does not have access to all devices of that device type.
- User has access to all devices of type ‘HP 1920 switches’, and only some devices of type ‘HP 1950 switches’ (achievable via access policies or device ownership), and edits an existing Backup filter created for both device types.
- Result: User sees the filter in ‘Read only’ mode. The user can open the edit window, but all options are disabled and the device type ‘HP 1950 switches’ is not visible to the user at all.
- User wants to create a new Per tag connector. The user's account is set with a ‘No objects with tag exceptions’ policy in which only Tag2 is included.
- Result: User can create a new Per tag connector only for Tag2, because they have access to the tag and also to all devices tagged with it. After creation the user sees only this one Per tag connector in the table, because they do not have access to the other tags.
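The rules above (the four base access levels, ownership taking priority over the policy, and composite objects dropping to read-only when not every child object is accessible) can be condensed into a small resolver. The following is an added illustration written for this page, not Unimus code or its API; object and user names, tags, device configs and device types are constructed sample data, and the "full" / "read-only" / "hidden" labels are an assumption used to stand in for the UI behaviour described in the examples. It reproduces the Bob config-search scenario, the owned-zone read-only case and the backup-filter device-type restriction.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


class BaseAccess(Enum):
    """The four base access levels of an object access policy."""
    ALL = "All objects"
    NONE = "No objects"
    ALL_WITH_TAG_EXCEPTIONS = "All objects with tag exceptions"
    NONE_WITH_TAG_EXCEPTIONS = "No objects with tag exceptions"


@dataclass(frozen=True)
class Policy:
    base: BaseAccess
    tag_exceptions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Obj:
    """Any access-controlled object: a device, a zone, a backup filter, ...
    (hypothetical model, not the product's data model)."""
    name: str
    owner: Optional[str] = None
    tags: FrozenSet[str] = frozenset()
    children: Tuple["Obj", ...] = ()   # child objects of a composite object
    config: str = ""                   # device configuration text (devices only)


def has_direct_access(user: str, policy: Policy, obj: Obj) -> bool:
    """Direct access to one object. Ownership has priority over the policy."""
    if obj.owner == user:
        return True
    hits_exception = bool(obj.tags & policy.tag_exceptions)
    if policy.base is BaseAccess.ALL:
        return True
    if policy.base is BaseAccess.NONE:
        return False
    if policy.base is BaseAccess.ALL_WITH_TAG_EXCEPTIONS:
        return not hits_exception
    return hits_exception   # NONE_WITH_TAG_EXCEPTIONS


def visibility(user: str, policy: Policy, obj: Obj) -> str:
    """'hidden' without direct access; 'full' when every child is accessible
    too; otherwise 'read-only' (direct access, but not to all children)."""
    if not has_direct_access(user, policy, obj):
        return "hidden"
    if all(has_direct_access(user, policy, child) for child in obj.children):
        return "full"
    return "read-only"


def config_search(user: str, policy: Policy, devices: Iterable[Obj], needle: str) -> List[str]:
    """Names of devices whose config matches, limited to devices the user can see."""
    return sorted(d.name for d in devices
                  if has_direct_access(user, policy, d) and needle in d.config)


def selectable_device_types(user: str, policy: Policy, devices: Iterable[Obj],
                            type_of: Dict[str, str]) -> Set[str]:
    """Device types offered in a new backup filter: only those where every
    device of that type is accessible to the user."""
    by_type: Dict[str, List[Obj]] = {}
    for d in devices:
        by_type.setdefault(type_of[d.name], []).append(d)
    return {t for t, devs in by_type.items()
            if all(has_direct_access(user, policy, d) for d in devs)}


# Constructed sample data (not real Unimus objects).
AP1 = Obj("ap-1", tags=frozenset({"AP"}), config="hostname ap-1\nwifi password s3cret")
AP2 = Obj("ap-2", tags=frozenset({"AP"}), config="hostname ap-2\nsnmp community public")
SW1 = Obj("sw-1", tags=frozenset({"switch"}), config="enable password hunter2")
DEVICES = (AP1, AP2, SW1)
DEVICE_TYPES = {"ap-1": "AP", "ap-2": "AP", "sw-1": "HP 1950 switches"}

# Bob: 'No objects with tag exceptions' with the 'AP' tag as the exception.
BOB_POLICY = Policy(BaseAccess.NONE_WITH_TAG_EXCEPTIONS, frozenset({"AP"}))

# Alice owns a zone tagged Tag1 that contains a device tagged Tag1, while her
# policy is 'All objects with tag exceptions' with Tag1 excluded.
ALICE_POLICY = Policy(BaseAccess.ALL_WITH_TAG_EXCEPTIONS, frozenset({"Tag1"}))
ZONE = Obj("branch", owner="alice", tags=frozenset({"Tag1"}),
           children=(Obj("rtr-1", tags=frozenset({"Tag1"})), SW1))

if __name__ == "__main__":
    print(config_search("bob", BOB_POLICY, DEVICES, "password"))   # ['ap-1']
    print(visibility("alice", ALICE_POLICY, ZONE))                 # read-only
    print(selectable_device_types("bob", BOB_POLICY, DEVICES, DEVICE_TYPES))  # {'AP'}
```

The search result omits `sw-1` even though its config contains `password`, because policy filtering is applied before matching; the zone is reachable only through ownership, and since one of its child devices is excluded by the policy, it resolves to read-only rather than full access.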