Defining instance permissions
Multitenancy enables you to control which records and configuration data are exposed to users based on the user's membership in a company, business unit, or other groups. To support multitenancy, Drift Management offers a flexible permissions model that lets you grant read permission to instances of drift data in the Drift Console.
Within BMC Helix CMDB, multitenancy means that one CMDB holds data about the IT environments of multiple companies, usually in the case of an IT service provider, and each company has access only to its own data. Each company's data is represented in the CMDB as an account.
For each class in each account, you can specify default read and write permissions that apply to newly created instances. You can also specify default permissions that apply to all classes that do not have specific permissions defined. You can override these default permissions for a particular instance by specifying permissions for the instance.
To have read or write access to drift components, users must belong to one of the appropriate base groups (Drift Master, Drift Admin, or Drift Viewer) and must also belong to at least one of the groups identified by the Drift Master when the component is created or modified.
Drift Management provides the ability to control who can view and modify the following Drift Management components:
- Drift Reports
- Snapshot or comparison jobs
- Authoring components: baselines, targets, qualification sets, include sets and exclude sets
The Drift Master defines instance access to the Drift Management components when the components are created by using the Accessible To field. This field is on all Drift Management wizards, authoring components, and job components.
To define instance permissions
In the Accessible To field, the Drift Master selects the groups that can have access to that data. More than one group can have permission to view instances in Drift Management components.
- As a Drift Master, open one of the Drift Management wizards, authoring components, or job components.
- Use the Accessible To field to select the groups that can have access permission.
- Continue defining the Drift Management components.
Examples of Drift Management instance permissions
Access to specific Drift Management components is defined when the Drift Master creates a new job, baseline, or target. This section provides examples of how Drift Management roles work in conjunction with instance permissions. The examples use the users and group memberships shown in the following table.
Example Drift Management permission groups
| User | Belongs to these groups |
|---|---|
Frank Field | Drift Master, Cisco, Juniper |
Tom Target | Drift Master, AMD, Intel, IT |
Betty Baseline | Drift Master, Cisco |
Johnny Job | Drift Admin, Cisco |
Colin Column | Drift Admin, Juniper |
Jennifer Java | Drift Viewer, Cisco |
Cheryl Change-Request | Juniper, Intel, Cisco, IT, AMD |
Jessica | Drift Admin, AMD |
Example 1
When creating a baseline, Drift Master Frank Field grants the Cisco and Juniper groups data access to the baseline.
Question: From the list of users, who can view and modify the baseline?
Answer: Frank and Betty. Tom has Drift Master permission but no permission to Cisco or Juniper. Betty has Drift Master and Cisco permission. Johnny Job has Cisco permission but belongs to the Drift Admin group, not the Drift Master group.
Example 2
When creating a target, Tom provides access to the AMD group.
Question: Who can view and modify the target?
Answer: Tom, Cheryl, and Jessica.
Example 3
Frank and Betty want to create a comparison job.
Question: When using the Comparison Job Wizard, will they see the target listed in the target library that Tom created?
Answer: No. Although Frank and Betty are Drift Masters, Frank and Betty do not belong to the same groups as Tom. They do not have AMD, Intel, or IT permissions.
Example 4
Frank and Betty create a job and select Cisco as the access group.
Question: Who can execute the job?
Answer: Frank, Betty, and Johnny.
Question: Who can view the Drift Reports created by the job?
Answer: Frank, Betty, Johnny, and Jennifer.
Example 5
Tom creates a job and selects AMD as the Accessible To group.
Question: Who can execute the job?
Answer: Only Tom and Jessica can execute the job.
Question: Who can view the Drift Reports created by the job?
Answer: Only Tom and Jessica can view the Drift Reports. Cheryl only has access to the Drift Dashboard.
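A model of this two-part check, written as an added example (not BMC's code) and applied to the membership table above; the mapping of actions to base groups (Drift Master modifies authoring components and jobs, Drift Master and Drift Admin execute jobs, all three base groups view Drift Reports) is an assumption read off Examples 1, 4, and 5:

```python
# Added example: models the Drift Management access rule on this page.
# Access requires BOTH a qualifying base group AND membership in at least
# one group listed in the component's Accessible To field.

# Constructed from the "Example Drift Management permission groups" table.
USERS = {
    "Frank Field": {"Drift Master", "Cisco", "Juniper"},
    "Tom Target": {"Drift Master", "AMD", "Intel", "IT"},
    "Betty Baseline": {"Drift Master", "Cisco"},
    "Johnny Job": {"Drift Admin", "Cisco"},
    "Colin Column": {"Drift Admin", "Juniper"},
    "Jennifer Java": {"Drift Viewer", "Cisco"},
    "Cheryl Change-Request": {"Juniper", "Intel", "Cisco", "IT", "AMD"},
    "Jessica": {"Drift Admin", "AMD"},
}

# Assumed mapping of actions to the base groups that may perform them,
# inferred from the worked examples; not a documented BMC table.
ACTION_ROLES = {
    "modify": {"Drift Master"},                  # baselines, targets, jobs
    "execute": {"Drift Master", "Drift Admin"},  # snapshot/comparison jobs
    "view_report": {"Drift Master", "Drift Admin", "Drift Viewer"},
}


def is_allowed(groups, action, accessible_to):
    """True only if the user holds a base group permitted for `action`
    AND shares at least one group with the Accessible To list."""
    has_role = bool(groups & ACTION_ROLES[action])
    in_scope = bool(groups & set(accessible_to))
    return has_role and in_scope


def who_can(action, accessible_to):
    """Sorted names of users allowed to perform `action` on a component
    whose Accessible To field lists `accessible_to`."""
    return sorted(name for name, groups in USERS.items()
                  if is_allowed(groups, action, accessible_to))


if __name__ == "__main__":
    # Example 1: Frank's baseline, Accessible To = Cisco and Juniper
    print(who_can("modify", ["Cisco", "Juniper"]))
    # Example 4: Cisco job -> who can execute it / view its Drift Reports
    print(who_can("execute", ["Cisco"]))
    print(who_can("view_report", ["Cisco"]))
    # Example 5: AMD job -> Cheryl has the group but no base group
    print(who_can("execute", ["AMD"]))
```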