Issue/Introduction:
We have 2 ldap groups both of which can see the same devices in USM as their ACL's are linked to the same origins however if a user from one ldap group creates a maintenance schedule then users from the other group cannot administer this schedule.
Cause:
Maintenance schedules are linked to accounts and thus users linked to a different account cannot administer them
Environment:
Release : 9.2.0
Component : UIM - UMP_USM
Resolution:
It is possible to have users from separate LDAP groups administer the same maintenance schedule.
The key is the account that is linked to the ldap group
for example :
- Both accounts have access to same origins
- ACL's are identical
- ACL = ldap1-1
- ldap group = ldap1
- account = ldap1
- ACL = ldap2-2
- ldap group = ldap2
- account = ldap2
in the above users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as they are linked to separate accounts even though they can both see all machinesif we change it to
- ACL = ldap1-1
- ldap group = ldap1
- account = ldap1
- ACL = ldap2-1
- ldap group = ldap2
- account = ldap1
Now users from either ldap group will be able to administer the maintenance schedule as they are linked to the same account.If we add a third ACL where ldap group ldap2 is linked to account ldap2
- ACL = ldap1-1
- ldap group = ldap1
- account = ldap1
- ACL = ldap2-1
- ldap group = ldap2
- account = ldap1
- ACL = ldap2-2
- ldap group = ldap2
- account = ldap2
Then users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as the 3rd ACL is linked to an account that does not have access and the most restrictive access is applied.This is as per the current design and to change this will require an idea to be created and for product management to agree that this is the direction they wish to take.