Specifying objects
When creating or modifying authorization profiles, in addition to restricting access to specific features, you can also restrict access to specific PATROL Agents, Computer System Configuration Items (CSCI), devices, and other objects. You specify this granular level of access through the selection of objects on the Objects tab of the Profile Details page.
This topic describes the following information about specifying objects:
Overview of the Objects tab
The Objects tab is where you specify the object restrictions for the authorization profile, as shown in the following image and described the table that follows.
| Item | Description | |
|---|---|---|
| 1 | Associated Objects | Action menu that enables you to provide unrestricted access to selected object types When you specify unrestricted access to an object type, you cannot also specify restricted access. |
| 2 | Categories |
|
| 3 | Types | Type of object available in the selected category Selecting a type filters the list of available objects. |
| 4 | Source | Host name of the Presentation Server or Infrastructure object. |
| 5 | Objects | List of selected objects To select objects, select the Objects action menu |
Object filtering
For each category, the Objects tab always displays the available types of objects for each category. The data sources determine the objects that exist for a selected type. When you select a category, type, and source, you can then specify individual objects available to the user groups in the authorization profile. The following table lists the types, sources, and objects available for each category.
| Categories | Types | Source | Accessible objects |
|---|---|---|---|
| TrueSight Presentation | |||
| Applications | Host name or IP address of the Presentation Server | ||
| Devices | |||
| Event Groups | |||
| Groups | BMC recommends that as solution administrator when you specify a group type object in an authorization profile, ensure that you include group objects belonging to the same tenant in the authorization profile. For example, there are two objects device-A1 and device-A2 under tenant-A. As a solution administrator, if you want to create a group GA to include device-A1 and device-A2, ensure that the group GA belongs to tenant-A. | ||
| Monitoring Policy Configuration Types | Any combination of the following configuration types:
| ||
| PATROL Agent ACLs | PATROL Agents specified in a PATROL Agent ACL | ||
| PATROL Solutions | Solutions that can be configured by creating Infrastructure Management policies | ||
| Services | |||
| Shared Dashboards | From version 11.3.03, permissions to all the dashboards shared by individual users is governed by the tenant administrators. By default, All Objects Access permission to these dashboards is provided in the authorization profiles. As a tenant administrator, you can restrict access to shared dashboards by editing the relevant authorization profiles. | ||
| TrueSight Infrastructure | |||
| CIs | Host name or IP address of Infrastructure Management servers | ||
| Component Folders | |||
| Event Folders | |||
| Monitor Groups | |||
| Views | |||
How object hierarchy affects monitoring permissions
Providing access to an object enables access to objects that are subordinate to it, as detailed in the following table:
| Object type | Subordinate objects |
|---|---|
| Applications | Devices and groups in the application |
| Devices | Monitor instances under the device |
| Event Groups | Child event groups, and events in the event group and child event groups |
Groups | Sub-groups, devices, and monitor instances in the group |
| Services | Devices and CIs in the service |
The following example illustrates how the event group hierarchy affects the monitoring permissions of the users in the authorization profile:
Event group hierarchy:
By_Location
America
North America
South America
Asia
India
Metro
Delhi
Mumbai
Non Metro
Pune
Chandigarh
ChinaIf America is the selected object, then users have access to America and its child event groups: North America and South America. If the selected object is China, which has no child event groups, then users have access to it. When child event groups will be added under China, users will have access to them as well.
Note
You cannot specify monitor-level permission in authorization profiles. To provide access to a specific monitor instance under a device, you must create a group, add those monitor instances to the group, and add the group to the authorization profile.
To illustrate how the object hierarchy affects the monitoring permissions of the users in the authorization profile, observe how the objects listed under Selected objects map to the objects listed in Monitoring permissions, which lists the objects that users could access in the TrueSight console.
Selected objects
| Devices |
|---|
D1 D2 D3 |
| Groups |
Group G1, which contains: Device D1 Device D4 Group G2, which contains: Device D5 Device D6 Monitoring instance M1 (from Device D8) Monitoring instance M2 (from Device D9) |
| Applications |
Application A1, which contains: Group G1 Device D5 Application A2, which contains: Group G3 Device D10 Device D7 |
Monitoring permissions
| Console page | Accessible objects |
|---|---|
| Applications | Application A1 |
Device D1 (direct permission) | |
Device D1 (direct permission) | |
Group G1 |
Comments
Log in or register to comment.