1 Reply Latest reply on May 20, 2014 11:25 PM by Carey Walker

    Unrestricted Access for All CIs

    Srinivas Merugu
      Share This:



      We have a ADDM application for discovering and pushing CIs into CMDB. I noticed that all the CIs coming from ADDM are having Unrestricted Access value in the CMDBRowLevelSecurity.


      • Is it a default value coming from ADDM? I think so.
      • Does it define the access of CI? Yes - correct me if I am wrong
      • What in case of multi-tenancy environment? Does it allow only users having Unrestricted Access to access the CIs?
      • How can I update it from the CMDB jobs to change the CMDBRowLevelSecurity to specific company?




        • 1. Re: Unrestricted Access for All CIs
          Carey Walker

          I think it's a default value on the CMDB side - i.e. anytime you create a CI, this 'group' permission gets set by default.


          In the multi-tenancy model (where the Unrestricted Access is intended to apply - you only need this access control model in the M/T environment) this means is that if you set the access control for a user to Unrestricted Access, this is then checked against the CMDBRowLevelSecurity to see if Unrestricted Access is set and hence you can see/access the CI. Without the UnrestrictedAccess setting enabled for a user, they will only be able to access the CIs that have their company group id(s) in the CMDBRowLevelSecurity field.


          If you want to set the CIs to be accessible for a given company user, leave the UnrestrictedAccess there, and add the group id(s) for the company or companies concerned. There is a function in the normalisation engine that may help here (for normalising permissions), but I haven't used it so can't offer much guidance. Take a look at the NE User Guide for details. Also there is a Default Permissions form that when configured, results in all CIs being created with selected company/group values being defaulted into CMDBRowLevelSecurity or CMDBWriteSecurity at CI creation. i.e. it extends the default behaviour of setting Unrestricted Access to also set other selected group codes.


          The CMDB documentation discusses this DefaultPermissions concept.