14 Replies Latest reply on Jun 19, 2013 4:02 PM by Jim W

    Deny access to Asset?

      Hi all


      Is there a way to deny a user to access e.g. 10 server within Asset Management. But this user should be able to see the rest of the Assets within Asset Management.


      In my scenario all Assets are within the same tenant/company. 90 should be visible and writable for the user, 10 should not even be visible.


      Do you know if and how this can be realized?




        • 1. Deny access to Asset?

          Anyone able to help?




          • 2. Deny access to Asset?
            Laurent Matheo

            I'll check on a VM (still no coffee this morning so I'm no use ) but did you check "row level security" system (read/write) for the CI?

            CMDBRowLevelSecurity—Only users who are members of a group listed in

            the CMDBRowLevelSecurity attribute have permission to view the instance.


            CMDBWriteSecurity—To modify the instance, users must be a member of a

            group listed in the CMDBWriteSecurity attribute, and also have row-level



            Check "BMC Remedy IT Service Management Suite 7.6.00 Guide to Multi-Tenancy" perhaps it'll help.

            • 3. Deny access to Asset?

              Hi Laurent


              Many thanks for your reply - and I hope you got in the meantime your coffee :-)


              Yes, I tried to modify the content of the fields CMDBRowLevelSecurity and CMDBWriteSecurity. But when you remove some values and you save the record, "Unrestricted Access" is added automtically again.


              In Asset Management the access permission seems to be only limited by the Company field. So everyone who is member of a company (with the corresponding application licenses/permissions) has view permission for all CIs/Assets of a company. With the Asset Admin role/managed by role you can additionaly give write permissions. But I found no way to limit the view permissions within a company.


              Any idea?




              • 4. Deny access to Asset?
                Jon Hall

                I need to look into this in a bit of depth with the R&D team so that we can understand where the Unrestricted Access permission is coming from, and why.    I'll update shortly.

                • 5. Deny access to Asset?



                  Any solutions for this ?? I also need to implement the same type of access restrictions..




                  • 6. Deny access to Asset?

                    Hi Helmut,


                    There is a section in the BMC ATRIUM CMDB Admin Guide which explains how to acheive this functionality.


                    Go to section "Specifying permissions to instances in BMC Atrium CMDB"


                    Its page 28 in the BMC Atrium CMDB 7.6.03 Admin Guide.



                    Giby Varghese

                    • 7. Deny access to Asset?

                      Hi Giby,


                      Will this work for Asset Management as well ??




                      • 8. Deny access to Asset?

                        Hi Anshul,


                        This would build row level security for the CMDB Instances, at the form level Asset management forms are a join of the CMDB core forms iteslf. So it should work fine in Asset Management too.




                        • 9. Deny access to Asset?

                          Hi Giby


                          At least for me the CMDB row level security did not work - if I changed the values in the read/write security fields, the system automatically added "General" again - so for me it seems that the CMDB security system is bypassed and only the Asset Management permissions are valid.



                          • 10. Deny access to Asset?



                            I don't know if I can help. I work on Remedy 7.1.


                            It is correct that unrestricted access is filled in the CMDB Rowl Level Security field. It should work that way. But you don't have to give your users that permission. It is enough to give them Company restricted access. Then they have visible permission to all assets with their Company. If you don't want them to see some assets you have to change asset Company or maybe leave it empty. As I know Company value automatically add company permission to row level security.



                            • 11. Re: Deny access to Asset?



                              I tried using a Group ID in the RowLevelSecurity field, and it is working fine. But the issue i am facing is the instance is not editable, all fields are read-only.

                              I have given the same Group ID in the WriteLevelSecurity of the instance.

                              The user who is part of this group has Asset User permission. Am i missing on something??




                              • 12. Deny access to Asset?

                                Group ID in the WriteLevelSecurity should give editable permission to User who is this group member.

                                I don't know what you can do wrong.

                                In my Asset Management I do it that way:

                                1. Add Users to Support Group as a member and add them Floating (or Fixed) licence, Asset User permissions (Floating /or Fixed).

                                2. On Asset form, on the People tab I add user Support Group with "Managed by" or "Supported by" role with Access Permitted = "Yes" (this should add Group ID to WriteLevelSecurity field)


                                Then people who are members of this Support Group can edit assets records.

                                • 13. Deny access to Asset?

                                  As I can remember (don't want check now) there is some OOTB workflow, which is cleaning permissions to asset (guess on modify action). That is why I use AssetPeople record to add/remove writable permission to assets. I have built AIE process which adds and removes AssetPeople records and it runs OOTB updating permission workflow

                                  • 14. Re: Deny access to Asset?

                                    How about clearing Default Company in Asset Management Advanced Option and then use a custom Normalization feature to set the Company to the default instead. I tried this for BMC_IPENDPOINT in 8.1 so all IP CI's have a blank Company.and appears to work but I don't know what other bad things might happen.


                                    BTW - I also used a Normalization Row Level rule for IP CI's so that Asset Admins have access.