After creating a new ACL for account users USM groups do not populate
Article ID: 34060
Updated On:
Products
DX Unified Infrastructure Management (Nimsoft / UIM)
Issue/Introduction
In NMS 7.5 there was a new permission created called:Restrict View To User Assets
<Restrict View To User Assets>
desc = Restrict systems, data, and alarms to those allocated to the user
type = UMP
access = read
</Restrict View To User Assets>
This functionality was added at the request of some MSP customers to support multi-tenancy in a more controlled way.
The ACL noted in this case is supposed to do exactly what was noted (restrict) - if you enable it, you can't see machines unless they "belong to you" as a user.? So you won't see any machines/data/etc in Dynamic Groups and elsewhere except for those machines that specifically have been allocated to that user.
To allocate a machine to a user, you have to set its Origin with the user's UMP user ID in the origin, in this format:
AccountOrigin::UserID
- where AccountOrigin is a valid Origin for that user's account, and UserID is the user's NMS login name (user id).
So if you have an account called Acme Corp Inc. with a user named jsmith, and the origin they have access to is AcmeCorp. You would use the Origin override capability on a robot or hub to set the origin to
AcmeCorp::jsmith
And then the user jsmith could see the machines with this origin.
If you remove the "Restrict View" ACL, then the users in that account should all be able to see the machines with the Account Origin, as well as any machines allocated to any user.? But with this ACL in place, users will only see the machines allocated to them.
keywords: empty USM ACL populate groups devices robots 7.5 8.x
<Restrict View To User Assets>
desc = Restrict systems, data, and alarms to those allocated to the user
type = UMP
access = read
</Restrict View To User Assets>
This functionality was added at the request of some MSP customers to support multi-tenancy in a more controlled way.
The ACL noted in this case is supposed to do exactly what was noted (restrict) - if you enable it, you can't see machines unless they "belong to you" as a user.? So you won't see any machines/data/etc in Dynamic Groups and elsewhere except for those machines that specifically have been allocated to that user.
To allocate a machine to a user, you have to set its Origin with the user's UMP user ID in the origin, in this format:
AccountOrigin::UserID
- where AccountOrigin is a valid Origin for that user's account, and UserID is the user's NMS login name (user id).
So if you have an account called Acme Corp Inc. with a user named jsmith, and the origin they have access to is AcmeCorp. You would use the Origin override capability on a robot or hub to set the origin to
AcmeCorp::jsmith
And then the user jsmith could see the machines with this origin.
If you remove the "Restrict View" ACL, then the users in that account should all be able to see the machines with the Account Origin, as well as any machines allocated to any user.? But with this ACL in place, users will only see the machines allocated to them.
keywords: empty USM ACL populate groups devices robots 7.5 8.x
Environment
Release:
Component: CAUIM
Component: CAUIM
Resolution
Please Update This Required Field
Feedback
Yes
No
Powered by
