Cannot administer maintenance schedule created by user in different LDAP group
Article ID: 144341
Products
NIMSOFT PROBES
DX Infrastructure Management
Issue/Introduction
We have 2 LDAP groups, both of which can see the same devices in USM because their ACLs are linked to the same origins. However, if a user from one LDAP group creates a maintenance schedule, users from the other group cannot administer this schedule.
Cause
Maintenance schedules are linked to accounts, so users linked to a different account cannot administer them.
Environment
Release : 9.2.0
Component : UIM - UMP_USM
Resolution
It is possible to have users from separate LDAP groups administer the same maintenance schedule.
The key is the account that is linked to the LDAP group.
For example:
Both accounts have access to the same origins.
The ACLs are identical.

ACL = ldap1-1
ldap group = ldap1
account = ldap1

ACL = ldap2-2
ldap group = ldap2
account = ldap2

In the above, users in ldap2 will not be able to administer maintenance schedules created by users in ldap1, as they are linked to separate accounts even though they can both see all machines.
If we change it to:

ACL = ldap1-1
ldap group = ldap1
account = ldap1

ACL = ldap2-1
ldap group = ldap2
account = ldap1

Now users from either LDAP group will be able to administer the maintenance schedule, as they are linked to the same account.
If we add a third ACL where LDAP group ldap2 is linked to account ldap2:

ACL = ldap1-1
ldap group = ldap1
account = ldap1

ACL = ldap2-1
ldap group = ldap2
account = ldap1

ACL = ldap2-2
ldap group = ldap2
account = ldap2

Then users in ldap2 will not be able to administer maintenance schedules created by users in ldap1, as the 3rd ACL is linked to an account that does not have access, and the most restrictive access is applied.
This is as per the current design. Changing it will require an idea to be created and product management to agree that this is the direction they wish to take.
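
The three configurations above can be checked before they reach production with a small audit over the ACL-to-account links. This is an added example, not UIM code: the function names and the tuple layout are hypothetical, and "most restrictive access" is modelled on the assumption that every account linked to a group must be the account that owns the schedule.

```python
# Added example (not UIM code): models the rule described in this article.
# Assumption: a schedule is owned by the creator's account, and a group linked
# to several accounts is only allowed if ALL of them match (most restrictive).
from collections import defaultdict

# Constructed sample data: (ACL, ldap group, account) as listed in the article.
SEPARATE = [("ldap1-1", "ldap1", "ldap1"), ("ldap2-2", "ldap2", "ldap2")]
SHARED = [("ldap1-1", "ldap1", "ldap1"), ("ldap2-1", "ldap2", "ldap1")]
MIXED = SHARED + [("ldap2-2", "ldap2", "ldap2")]

def accounts_by_group(acls):
    """Map each LDAP group to the set of accounts its ACLs link it to."""
    linked = defaultdict(set)
    for _acl, group, account in acls:
        linked[group].add(account)
    return dict(linked)

def can_administer(acls, group, schedule_account):
    """True only if every account linked to the group is the schedule's account."""
    accounts = accounts_by_group(acls).get(group, set())
    return bool(accounts) and accounts == {schedule_account}

def audit(acls):
    """Return {creator_group: [groups locked out of that group's schedules]}."""
    linked = accounts_by_group(acls)
    report = {}
    for creator, accounts in linked.items():
        if len(accounts) != 1:
            continue  # owner account is ambiguous for a multi-account group
        owner = next(iter(accounts))
        report[creator] = sorted(
            g for g in linked if not can_administer(acls, g, owner)
        )
    return report

if __name__ == "__main__":
    for name, acls in (("separate", SEPARATE), ("shared", SHARED), ("mixed", MIXED)):
        print(name, audit(acls))
```

Any group that appears in a lock-out list either needs its ACL re-linked to the schedule owner's account or has an extra ACL pointing at a second account.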