Intro

Object accessibility management based on access policies is available in Unimus since 2.5.0.

Each account in Unimus can have its own access policies set independently of its role as to which objects a user can and cannot access in Unimus. Access can lead to three possible outcomes. The object is visible, the object is not visible, the object is only visible in read-only mode.

Object access policies are located in the User Management view, where only the Admin role can access and manage them. The following four options are available for configuration:

Base access:

All objects:

• User see all object without any kind of restriction outside of his role.

No objects:

• User do not see any objects except of those, of which is the owner

All objects with tag exceptions:

• User see all objects except of those, which are tagged by tags which are used in exceptions inside of this policy

No objects with tag exceptions:

• User see no objects except of those, which are tagged by tags which are used in exceptions inside of this policy

After creation of new access policy it’s possible to add tags to policies which support an tag exceptions by entering the edit mode followed by moving a tags from “Available tags” table to “Tag exceptions”.

Assigning of specific policy to the account is possible during account creation or by selecting particular account and pressing a “Manage permissions” button what open an window which allow to change an user role and policy.

Affected features

• 'Devices' view

• 'Zones' view

• 'Tags' view

• 'Backups' view

• ‘Backups' view’ > Filter configuration

• ‘Backups' view’ > Flow configuration

• 'Config search' view

• 'Mass config push' view

• ‘Basic import’ view

• ‘NMS Sync’ view

• ‘Network scan’ view

• 'Credentials' > 'Show usage'

• 'Schedules' > 'Show scheduled tasks'

• 'Other settings' > 'Per-Tag connectors'

Ownership

In case of device, tag or zone creation is owner set automatically to the user account who has created such an object. Information about ownership is visible and manageable only by Admin role. Please be aware, that ownership can have an influence on the accessibility to the various objects, because it have higher priority in comparison to access policies. That mean even if the access policies is set to ‘No object policies’ user can still see the object of which is the owner.

If you would like to make sure that all existing objects for the specific user behave only based on Access policies, there is an option to remove the ownership from all the objects which belong to such an user. It can be found in User Management screen in “Show object ownership” (accessible only for Admin role).

Object accessibility

It can be divided into two groups.

Objects to which only direct access per ownership or per set access policy is needed. Such an objects can behave only like visible or invisible to the users.

Here belongs

• Backups

• Devices *

• Sensitive data stripping

• Tags

* (information about zone can be hidden and field is in read only mode when user does not have access to such  zone)

Objects that are accessed by a combination of direct access + access to child objects. Such objects may behave as visible, invisible, or visible only in read-only mode or with limited "write" actions in the case that access to all child objects is not granted.

Here belongs:

• Backup filters

• Backups flows

• MCP presets

• Network scan presets

• NMS sync presets

• Per tag connectors

• Zones

Usage example

We want user 'Bob' to only have access to the WiFi APs in Unimus.
 For example, when Bob does a Config search for 'password', he would see results only in configs of the APs.

First we create user 'Bob' with 'Read-only' access role in User management > Users

Next we create the 'APs' device tag in "Tags" screen.

After the tag is created, we create new policy with base access: ‘No objects with tag exceptions’ in “User management > Object access policies” screen.

When the policy exist, we need to add the ‘AP’ tag into the exceptions per “Edit” by moving tag from ‘Available tags’ to ‘Tag exceptions’.

Newly created access policy can be now assigned to existing user per “Manage permissions” button in Users section

Now we need to tag the right devices with the 'APs' tag.
 In "Tags" screen, we select the tag, and press 'Tag devices'.
 We add the tag to the appropriate devices.

After this, our 'Bob' user will only see the devices that are tagged with the 'APs' tag when using Config search, or any other Unimus feature.

Here are some more examples to better understand how ownership and access policies can affect the visibility and accessibility of objects.

1. User is owner of the zone which is tagged by Tag1. Account of user is set with ‘All objects with tag exceptions’ policies in scope of which is Tag1 included.
   • Result: User can see zone in read-only mode because he do not have access to all devices under such a zone. User is still able to add new devices into such a zone.
2. User have access to all devices of type ‘HP 1920 switchers’, and only some devices of type ‘HP 1950 switchers’ (possible to achieve per Access policies or device ownership) and want to create a new Backup filter for both device types.
   • Result: User can create backup filter for ‘HP 1920 switchers’ but ‘HP 1950 switchers’ is not even available in the list of Device types because user does not have access to all the devices of this particular device type.
3. User have access to all devices of type ‘HP 1920 switchers’, and only some devices of type ‘HP 1950 switchers’ (possible to achieve per Access policies or device ownership) and edit existing Backup filter created for both device types.
   • Result: User can see a filter in ‘Read only’ mode. User is able to open edit window but all options are disabled and device type ‘HP 1950 switchers’ is not even visible to user.
4. User want to create new Per tag connector. User account is set with ‘No objects with tag exceptions’ policies in scope of which is only Tag2 included.
   • Result: User is able to create a new Per Tag connector only to Tag2 because he have access to the tag and also to all the device which are tagged by this tag. After creation user can see in table only this one particular Per-Tag connector because he does not have access to other tags.