3 Replies Latest reply on Dec 16, 2009 6:51 AM by Bill Robinson

    Limit rbac role

      Am attempting to setup a specialized role that allows read access to all files/directories on target server and full access to subset of files and directories.  Here's what's been done...


      Following authorizations applied to all Servers:

      SpecialRole     Server.read
      SpecialRole     Server.browse


      Define a component template with specific file(s) and directory(s).

      Run Discovery using component template

      Following authorization applied to all Components:

      SpecialRole     Component.*

      ACL's push for SpecialRole.  Upon testing SpecialRole, able to browse all files/directories (readonly).  But, do not have full access to subset of files/directories.  Able to see and browse in Components workspace and view read only (grayed out) in Servers workspace.


      What needs to be done to enable full access to these files?


        • 1. Re: Limit rbac role
          Bill Robinson

          The permissions are granted at the object level - the component or the server.  You can't grant permissions on some parts of a server/component.  so to do this you will need 2 components.

          • 2. Re: Limit rbac role

            Do you mean create two instances of the same component on a single server?

            • 3. Re: Limit rbac role
              Bill Robinson

              Possibly.  I think what you are saying is that in 1 component you have a directory like /foo added as a part. under /foo you have a sub directory bar (so /foo/bar).  You want to grant your users read access to /foo, but for /foo/bar you want to give them write access.


              You can't grant read and read/write in the same component to different parts.  So you need two components.  One template can have the part '/foo' and the other would have '/foo/bar'.  On the first template's components you grant Read only, on the 2nd you grant read/write.


              The only question here will be the ACLs on the underlying server, I'm not clear if you will have to grant write on the server too, or you can do this all through the components...

              1 of 1 people found this helpful