cannot administer maintenance schedule created by user in different LDAP group

book

Article ID: 144341

calendar_today

Updated On:

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

We have 2 ldap groups both of which can see the same devices in USM as their ACL's are linked to the same origins however if a user from one ldap group creates a maintenance schedule then users from the other group cannot administer this schedule.

Cause

Maintenance schedules are linked to accounts and thus users linked to a different account cannot administer them

Environment

Release : 9.2.0

Component : UIM - UMP_USM

Resolution

It is possible to have users from separate LDAP groups administer the same maintenance schedule.

The key is the account that is linked to the ldap group

for example :

Both accounts have access to same origins
ACL's are identical

ACL = ldap1-1
ldap group = ldap1
account = ldap1
ACL = ldap2-2
ldap group = ldap2
account = ldap2

in the above users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as they are linked to separate accounts even though they can both see all machines

if we change it to

ACL = ldap1-1
ldap group = ldap1
account = ldap1
ACL = ldap2-1
ldap group = ldap2
account = ldap1

Now users from either ldap group will be able to administer the maintenance schedule as they are linked to the same account.

If we add a third ACL where ldap group ldap2 is linked to account ldap2

ACL = ldap1-1
ldap group = ldap1
account = ldap1
ACL = ldap2-1
ldap group = ldap2
account = ldap1
ACL = ldap2-2
ldap group = ldap2
account = ldap2

Then users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as the 3rd ACL is linked to an account that does not have access and the most restrictive access is applied.

This is as per the current design and to change this will require an idea to be created and for product management to agree that this is the direction they wish to take.