Page tree
Skip to end of metadata
Go to start of metadata

You can apply role-based access control (RBAC) to capacity views and controls within them in order to restrict viewing of data to a certain user or to a group of users.

To apply role-based access to views in the TrueSight console

  1. In the TrueSight Capacity Optimization console, select Administration > USERS > Access groups.
  2. To specify the user who needs to get access to a view, add a new access group or modify an access group by clicking Add access group or Edit access group icon respectively.
  3. In the Add access group or Edit access group page, in the External names field, specify at least one of the following external names:

    External nameDescriptionAssociated role
    Capacity_ViewTo grant view-only access to a view.TSPS_Capacity_View
    Capacity_AdministrationTo grant view and edit access to a view. All administrative tasks for a view are allowed, such as access, add, modify, delete a view. User gets access to the Administration > Capacity Views page in the TrueSight console.TSPS_Capacity_Administration
  4. Click Save and to go back to the Access groups page, click Administration > USERS > Access groups.
  5. Click the access group name under the Name column to view the visible entities and accounts.
  6. To grant access to a view, in the Visible entities section, complete the following steps:
    1. Select Edit > Edit views and view groups.
    2. Select the view from the Available list of views and view groups and add it to the Selected list.
    3. Click Save.
  7. To grant access to specific domain so that the user can see data from the domain in the view, in the Visible entities section, complete the following steps:

    1. Select Edit > Edit domains.

    2. Select the domains that you want to grant access to.

    3. Click Save.

      Note

      If you grant access to a view but not to the associated domains, then the user can see the view, but cannot see data from the associated domains in the view.

    The user now has access to the view based on the external name that you associated with the access group of the user.

To apply role-based access to views in the TrueSight Capacity Optimization console

In particular, you can apply RBAC to the following portlets and controls in order to classify viewing of data:

  • DomainFilterPortlet: RBAC was applicable to portlets of type *FilterPortlet in version 9.0 of the product as well. After you apply RBAC to Views, Filter portlets (like the Domain Filter portlet) list only those domains to which the user has proper access rights. You cannot disable RBAC for such portlets.
  • AnalysisPortlet and TFMPortlet (Time Forecasting Model portlets): All portlets displayed in the Works folder under the console Workspace are sensitive to RBAC in the sense that the filtering options provided are applying RBAC.
  • TablePortlet: Tables and the data displayed in them are sensitive to RBAC, provided the data mart has a specific structure.

Note

It is not possible to apply RBAC to any data mart regardless of structure, given that you can build a data mart that aggregates data in a way that makes RBAC irrelevant (for example, Average of all systems).

Using RBAC in custom views

When using a TablePortlet in a custom View, you can apply RBAC control in the following ways:

Pre-processing before data extraction

This is done by adding ACL_FILTER macro to the SQL Data mart.

DefinitionThe ACL_FILTER macro displays only those entities belonging to domains that the user can access.
Syntax
${ ACL_FILTER(TYPE,ALIAS_COLUMN_NAME)}
Parameters
  • TYPE can be any of the following:
    • SYS: If entities extracted by SQL are systems
    • WKLD: If entities extracted by SQL are business drivers
    • APP: If entities extracted by SQL are domains
  • ALIAS_COLUMN_NAME (optional): Used to specify an alias for the column to be filtered if it is different from the default (ENTID for SYS; WKLD, APPID for APP)
Example
Select * from PV_SYSTEM t0 where 1=1 ${ACL_FILTER(SYS,t0.SYSID)}

Post-processing after data extraction

This process is automated and is based on the Entity ID column. If the SQL data mart contains a set of specific columns, filtering is automatically applied.

  • To filter systems, it requires a column named SYSID (System ID) or a couple of columns named ENTID (Entity ID) and STRUCTUREID containing the value ‘SYS’
  • To filter business drivers, it requires a column named WKLDID (Workload ID) or a couple of columns named ENTID and STRUCTUREID containing the value ‘WKLD’
  • To filter domains, it requires a column named APPID (Application ID) or a couple of columns named ENTID and STRUCTUREID containing the value ‘APP’

Example

  • Filtering applied on the SYSID column: Select sysid from PV_SYSTEM

  • Filtering not applied on the SYSID column: Select sysid as id from PV_SYSTEM

Disabling role-based access in views

After you upgrade to the latest version of TrueSight Capacity Optimization, all views (including custom views) have RBAC applied to them.

To disable RBAC for a particular view, perform the following task:

  1. Select Administration > VIEWS > Views.
  2. Click corresponding to the view for which you want to disable RBAC.
  3. Select Role-based Access Control Disabled under RBAC mode.
     

    Important

    Selecting this option does not disable RBAC for portlets of type FilterPortlet (that were already sensitive to RBAC in version 9.0 of the product), and their behavior remains unchanged in this version even if RBAC is disabled.

  4. Click Save.

2 Comments

  1.  

    1.