Intro

Object accessibility management based on access policies is available in Unimus since 2.5.0.

Each account in Unimus can have its own access policies set independently of its role as to which objects a user can and cannot access in Unimus. Access can lead to three possible outcomes. The object is visible, the object is not visible, the object is only visible in read-only mode.

Object access policies are located in the User Management view, where only the Admin role can access and manage them. The following four options are available for configuration:

Base access

All objects:

• User sees all object without any kind of restriction outside of his role.

No objects:

• User does not see any objects except for those, of which is the owner

All objects with tag exceptions:

• User sees all objects except for those, which are tagged by tags which are used in exceptions inside of this policy

No objects with tag exceptions:

• User sees no objects except for those, which are tagged by tags which are used in exceptions inside of this policy

After creation of new access policy it’s possible to add tags to policies which support tag exceptions by entering the edit mode followed by moving tags from “Available tags” table to “Tag exceptions”.

Assigning of specific policy to the account is possible during account creation or by selecting particular account and pressing a “Manage permissions” button what open an window which allow to change a user role and policy.

Affected features

• 'Devices' view

• 'Zones' view

• 'Tags' view

• 'Backups' view

• ‘Backups' view’ > Filter configuration

• ‘Backups' view’ > Flow configuration

• 'Config search' view

• 'Saved search' view

• 'Mass config push' view

• ‘Basic import’ view

• ‘NMS Sync’ view

• ‘Network scan’ view

• 'Credentials' > 'Show usage'

• 'Schedules' > 'Show scheduled tasks'

• 'Other settings' > 'Per-Tag connectors'

Ownership 

Ownership may have an influence on the accessibility to the various objects, because it have higher priority in comparison to access policies. That means even if the access policies is set to ‘No object policies’ user can still see the objects of which they are the owner. For more information please check Object Ownership

Object accessibility

It can be divided into two groups.

Objects to which only direct access per ownership or per set access policy is needed. Such an objects can behave only like visible or invisible to the users.

Here belong:

• Backups

• Devices *

• Sensitive data stripping

• Tags

* (information about zone can be hidden and field is in read only mode when user does not have access to such zone)

Objects that are accessed by a combination of direct access + access to child objects. Such objects may behave as visible, invisible, or visible only in read-only mode or with limited "write" actions in the case that access to all child objects is not granted.

Here belong:

• Backup filters

• Backup flows

• MCP presets

• Network scan presets

• NMS sync presets

• Per tag connectors

• Zones

Usage example

We want user 'Bob' to only have access to the WiFi APs in Unimus.
For example, when Bob does a Config search for 'password', he would see results only in configs of the APs.

First we create user 'Bob' with 'Read-only' access role in User management > Users

Next we create the 'APs' device tag in "Tags" screen.

After the tag is created, we create new policy with base access: ‘No objects with tag exceptions’ in “User management > Object access policies” screen.

When the policy exists, we need to add the ‘AP’ tag into the exceptions per “Edit” by moving tag from ‘Available tags’ to ‘Tag exceptions’.

Newly created access policy can be now assigned to existing user per “Manage permissions” button in Users section

Now we need to tag the right devices with the 'APs' tag.
 In "Tags" screen, we select the tag, and press 'Tag devices'.
 We add the tag to the appropriate devices.

After this, our 'Bob' user will only see the devices that are tagged with the 'APs' tag when using Config search, or any other Unimus feature.

Here are some more examples to better understand how ownership and access policies can affect the visibility and accessibility of objects.

1. User is owner of a zone which is tagged by Tag1. Account of user is set with ‘All objects with tag exceptions’ policies in scope of which Tag1 is included.
   • Result: User can see zone in read-only mode because he does not have access to all devices under such zone. User is still able to add new devices into such zone.
2. User has access to all devices of type ‘HP 1920 switches’, and only some devices of type ‘HP 1950 switches’ (possible to achieve per Access policies or device ownership) and wants to create a new Backup filter for both device types.
   • Result: User can create backup filter for ‘HP 1920 switches’ but ‘HP 1950 switches’ are not even available in the list of Device types because user does not have access to all the devices of this particular device type.
3. User has access to all devices of type ‘HP 1920 switches’, and only some devices of type ‘HP 1950 switches’ (possible to achieve per Access policies or device ownership) and edits existing Backup filter created for both device types.
   • Result: User can see a filter in ‘Read only’ mode. User is able to open edit window but all options are disabled and device type ‘HP 1950 switches’ is not even visible to user.
4. User wants to create new Per tag connector. User account is set with ‘No objects with tag exceptions’ policies in scope of which only Tag2 is included.
   • Result: User is able to create a new Per Tag connector only to Tag2 because he has access to the tag and also to all the device which are tagged by this tag. After creation user can see in table only this one particular Per-Tag connector because he does not have access to other tags.