cannot administer maintenance schedule created by user in different LDAP group
Article ID: 144341
Updated On:
Products
NIMSOFT PROBES
DX Infrastructure Management
Issue/Introduction
We have 2 ldap groups both of which can see the same devices in USM as their ACL's are linked to the same origins however if a user from one ldap group creates a maintenance schedule then users from the other group cannot administer this schedule.
Cause
Maintenance schedules are linked to accounts and thus users linked to a different account cannot administer them
Environment
Release : 9.2.0
Component : UIM - UMP_USM
Resolution
It is possible to have users from separate LDAP groups administer the same maintenance schedule.
The key is the account that is linked to the ldap group
for example :
in the above users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as they are linked to separate accounts even though they can both see all machines
if we change it to
If we add a third ACL where ldap group ldap2 is linked to account ldap2
Then users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as the 3rd ACL is linked to an account that does not have access and the most restrictive access is applied.
This is as per the current design and to change this will require an idea to be created and for product management to agree that this is the direction they wish to take.
The key is the account that is linked to the ldap group
for example :
- Both accounts have access to same origins
- ACL's are identical
- ACL = ldap1-1
- ldap group = ldap1
- account = ldap1
- ACL = ldap2-2
- ldap group = ldap2
- account = ldap2
in the above users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as they are linked to separate accounts even though they can both see all machines
if we change it to
- ACL = ldap1-1
- ldap group = ldap1
- account = ldap1
- ACL = ldap2-1
- ldap group = ldap2
- account = ldap1
If we add a third ACL where ldap group ldap2 is linked to account ldap2
- ACL = ldap1-1
- ldap group = ldap1
- account = ldap1
- ACL = ldap2-1
- ldap group = ldap2
- account = ldap1
- ACL = ldap2-2
- ldap group = ldap2
- account = ldap2
Then users in ldap2 will not be able to administer maintenance schedules created by users in ldap1 as the 3rd ACL is linked to an account that does not have access and the most restrictive access is applied.
This is as per the current design and to change this will require an idea to be created and for product management to agree that this is the direction they wish to take.
Feedback
Yes
No
Powered by
