How to limit a Spectrum User or User Group to a specific Universe Topology

Article ID: 227492

Products

CA Spectrum DX NetOps

Issue/Introduction

This knowledge document discusses how to limit a Spectrum User or User Group to a specific Universe Topology.

Environment

Release : Any

Component : Spectrum Modeling

Resolution

Limiting a Spectrum User or User Group to a specific Universe Topology requires the use of Spectrum User Security. At the very least, a Security String must be assigned to the specific Universe Topology model, and the User or Group model needs a custom Security Community for the Security String assigned to the Universe Topology model. The following is a step-by-step guide to creating a basic configuration that accomplishes this task.

GOAL: The goal of this exercise is to limit a User or User Group so they only have OneClick access to the RegionA LAN seen below.

Step 1: Assign a unique Security String to the RegionA LAN. This can be done in the General Information subview in the Information tab of the RegionA LAN. For the purpose of this exercise, we will assign it a Security String of "REGIONA". The "REGIONA" Security String will automatically be applied to all of the models within the RegionA LAN.

In addition, a Security String other than REGIONA should be assigned to all other models in the database. If not, this user will still be able to see alarms for these models in the My Spectrum folder in the Navigation panel.

When using Security Strings in Spectrum, a model without a Security String assigned is open to all users.

Step 2: Create a new "REGIONA" Security Community for the User or User Group model to associate to the "REGIONA" Security String on the RegionA LAN. It is recommended to use User Groups to make the administration of Users easier. Either create a new User Group or select an existing User Group in the Users tab. Select the User Group and click on the Access tab in the Contents panel. Remove any existing Security Communities and create a new one called "REGIONA".

Step 3: Assign an out-of-the-box Role or create a new custom Role for the REGIONA Security Community. Select the REGIONA Security Community in the Contents panel. Click on the Roles tab in the Component Detail panel.

If you are going to use an out-of-the-box Role, click on the Add/Remove button and choose the out-of-the-box Role or Roles that fit the Privileges you want these users to have.

If you want to create a custom Role, click on the New button, enter a name for your custom Role and select the Privileges for your specific needs.

For the purpose of this exercise, I have chosen the OperatorRO and OperatorRW Roles as seen below.

So far, with the above work done, when User1 logs into OneClick, they will see the following:

 

You will notice User1 is able to see and access the RegionB LAN. This is because the RegionB LAN does not have a Security String assigned to it. You will need to assign the RegionB LAN a Security String for which User1 does not have an Access Community. After assigning a Security String of "REGIONB" to the RegionB LAN, User1 is no longer able to "see" it in the Explorer tab in the Navigation panel.

However, they will still be able to "see" the RegionB LAN in the Topology tab of the Contents panel but they will not have access to any of the information about the RegionB LAN nor will they be able to navigate into the RegionB LAN.

 

Step 4: The last step is to configure User1 to be taken directly into the RegionA LAN container when they log into OneClick and prevented from navigating up into the Universe.

To configure User1 to be taken directly into the RegionA LAN container when they log into OneClick:

1. Log into OneClick as an ADMIN user

2. Click on the Users tab in the Navigation panel

3. Right mouse click on the Region A Users Group and select Set Preferences from the menu

4. Expand the Explorer Tab folder and select Initial View

5. Find and select the RegionA LAN

6. Check the Locked check box for the Initial View

7. Click on the Apply button

8. Click the OK button

Now when User1 logs into OneClick, they are taken directly into the RegionA LAN.

To prevent User1 from being able to navigate up into the Universe, you will need to add a Security String to the Universe model for which the User1 model does not have a Security Community assigned. For this exercise, I have assigned ADMIN as the Security String to the Universe model. The User1 user model does not have ADMIN for a Security Community, so they will not be able to navigate up into the Universe from inside the RegionA LAN.

User1 will be able to "see" the Universe in the Explorer tab in the Navigation panel but when they click on it, they will not have access to any of the Universe information.

The alarms they see in the Alarms tab will only be for those models they have access to under the RegionA LAN and any models that do not have a Security String configured.
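The access rule the steps above depend on can be checked offline against a model inventory. The following is an added example, not part of the original article or of Spectrum: it assumes a Security String matches a Security Community by exact name, and the `Model` record, the `INVENTORY` data and the device names (`rtr-a1`, `sw-a2`, `rtr-b1`) are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Model:
    name: str
    container: str         # "" for the top-level model
    security_string: str   # "" means no Security String assigned

# Constructed inventory: state after Step 3, before RegionB LAN and Universe are secured.
INVENTORY = [
    Model("Universe", "", ""),
    Model("RegionA LAN", "Universe", "REGIONA"),
    Model("rtr-a1", "RegionA LAN", "REGIONA"),
    Model("sw-a2", "RegionA LAN", "REGIONA"),
    Model("RegionB LAN", "Universe", ""),
    Model("rtr-b1", "RegionB LAN", ""),
]

def can_access(model, communities):
    """A model without a Security String is open to all users."""
    return model.security_string == "" or model.security_string in communities

def assign(inventory, names, value):
    """Return a copy of the inventory with a Security String set on the named models."""
    return [replace(m, security_string=value) if m.name in names else m
            for m in inventory]

def audit(inventory, communities, intended_container):
    """Return (open_to_all, out_of_scope) model names for one user or group."""
    parents = {m.name: m.container for m in inventory}

    def in_scope(name):
        # Walk up the containment chain looking for the intended container.
        while name:
            if name == intended_container:
                return True
            name = parents.get(name, "")
        return False

    open_to_all = [m.name for m in inventory if m.security_string == ""]
    out_of_scope = [m.name for m in inventory
                    if can_access(m, communities) and not in_scope(m.name)]
    return open_to_all, out_of_scope

if __name__ == "__main__":
    print("before:", audit(INVENTORY, {"REGIONA"}, "RegionA LAN"))
    fixed = assign(assign(INVENTORY, {"RegionB LAN", "rtr-b1"}, "REGIONB"),
                   {"Universe"}, "ADMIN")
    print("after: ", audit(fixed, {"REGIONA"}, "RegionA LAN"))
```

Any name left in the first list is readable by every user, and any name in the second list is reachable by the group even though it sits outside the intended container.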

You can also limit user access to a specific Global Collection by following the directions in the "How to limit a Spectrum User to a specific Global Collection" knowledge document.

Additional Information

Please reference the "User Administration in OneClick" and the "Model Security in OneClick" sections of the documentation for more information.
