Q1: Can a user see all SLAs defined in iDash? My understanding is if the user has access to define an SLA on certain types of jobs as per EEM (as-job) policy, then they should not see any of the SLAs that are not defined with those jobs.

Q2: We use EEM authentication with iDash. If a user is tied to one particular as-job resource, they should see only those jobs in the job list while creating SLAs. This is true when the user first logs in and then after some time, the user is able to see all the jobs.

Q3: If a user is not able to create tags, can they see another user's tags?

A1:  If a user has permission to create a SLA (per the idash-sla policy) and has access to certain jobs (per the as-job policy), then they are able to create SLAs based on the jobs they have access to. If an SLA references a job that a user does not have access to, then they will not see the SLA.

A2:  Double check the EEM as-job policy and make sure the default as-job policy is not enabled. If the proper as-job policy is set in place and the default as-job policy has been disabled, users should only be able to the SLAs associated with the jobs they have privileges on.

A3:  The idash-tag policy allows users to see all tags and create all tags. If a user is not supposed to be able to see a tag (or create a tag), you need to create an Explicit Deny idash-tag policy. In the Resources, you will specify the name(s) of the tags they shouldn't be able to see. See EEM User Permissions on iDash Tags for details.