Administer > Authorize Access to CIs

Authorize Access to CIs

Browser CI Access Control enables you to assign granular access to the CIs in views or CI types in UCMDB, according to a user's assigned role. A role that has global View or Edit permission can see all CIs and relationships in UCMDB. A role that has View or Edit permission for a particular view can see only the CIs and relationships in that view. In addition, permission can be granted to view or edit particular CI types.

Note  

  • You must assign at least one permission for a view or CIT in order to see CIs in the UCMDB Browser module.
  • You must have View permission on a particular CI in order to refocus on it, even if that CI is visible in a widget because of Browser CI Access Control settings.

To authorize access to CIs:

  1. In UCMDB, go to Security > Roles Manager.
  2. Select the role to which you want to assign access.
  3. Click the Browser CI Access Control tab and add available actions as required.
  4. Select an available view or CI type for which you want to assign permissions.
  5. When you are finished, click Save .

For additional details about permissions, see "User Permissions for the UCMDB Browser module" in the Administer section of the UCMDB Help.

Note  

  • If a CI does not have Edit permission assigned through a view or CI type, the Edit button will not be displayed in the Properties widget and it will not be possible to change any property's attributes in the UCMDB Browser module.
  • A user will be able to see the composite CIs of permitted CIs, even he has not been granted specific permission for those composite CIs.
  • If a user has permissions on CIs of two CI types and those CIs are not composite CIs, in order to have permission on their relationship (for example, to view them in the Environment widget), the necessary triplet should be added to the calculated link. This is named Authorized Relationship Addition (UCMDB Browser), and it can be found in CI Type Manager > Calculated Relationships.

Use Cases

Enable a user to view or edit all CIs

  • Read only: Assign the global permission View All to all CIs for a role.
  • Read/Write: Assign the global permission Edit All to all CIs for a role.

Enable a user to view or edit only specific CIs

  • Read only:

    • Assign View permission to specific views.

    • Assign View All CIs permission to a particular CI type.

    Note By default, in the UCMDB Browser module, the Party and Location CI types are automatically assigned View All CIs permission.

  • Read/Write:

    Do one of the following:

    • To edit all CIs that you can view, assign Edit All CIs permission on all views.
    • To edit CIs in a specific view, assign Edit All CIs permission on only that view.
    • To edit only specific CI types in relevant views, assign Edit By CIT permission to the views and Edit In View permission to a particular CI type.

      Note You can assign permissions to a group of views by selecting a node in the list of Available Views, or apply the permissions to all views by selecting the Root node.

    • To edit all CIs of a specific CI type, assign Edit All CIs permission to that CI type.

Enable a user to view all CIs and edit only specific CIs

  • Assign the global permission View All to all CIs for a role.

Do one of the following:

  • To edit all CIs of a specific CI type, assign Edit All CIs permission to that CI type.
  • To edit only specific CIs:

    • To edit all CIs that you can view, assign Edit All CIs permission on all views.
    • To edit CIs in a specific view, assign Edit All CIs permission on only that view.
    • To edit only specific CI types in relevant views, assign Edit By CIT permission to the views and Edit In View permission to a particular CI type.

      Note You can assign permissions to a group of views by selecting a node in the list of Available Views, or apply the permissions to all views by selecting the Root node.

    • To edit all CIs of a specific CI type, assign Edit All CIs permission to that CI type.