Use the following menu options to navigate the SL1 user interface:
- To view a pop-out list of menu options, click the menu icon ().
- To view a page containing all the menu options, click the Advanced menu icon ().
This
Access Hooks for Top-Level Navigation
To make it easier to determine and select the appropriate Access Hooks, each Access Hook is categorized by functional area of the product. For example, the Asset Hook Asset:View is in the Asset Management category
Access Hooks use a consistent naming convention to indicate their function, including an entity and action, for example "Asset:View". The Access Hooks page includes a description of each Access Hook.
If you want to allow users to view each top-level tab in SL1, you must create Access Keys that include the Access Hooks described in this section. If users do not have any Access Hooks that allow the user to view one or more top-level tabs, aligned with their granted Access Keys, those users will not see any navigation tabs when they log in to SL1:
If you want to align an Access Hook for an action with an Access Key and that Access Hooks requires a user to use the top-level navigation tabs to perform an action, such as allowing them access to a page under a tab, you must also align the corresponding Access Hook described in this section.
In certain situations, you might not want to grant users access to the top-level navigation tabs. If users have access to a page under a tab, but not the corresponding tab, they can still access the page using a direct link. If you want to restrict user access to the standard top-level navigation tabs, but still want to allow users to access pages under the tab, you may want to consider custom navigation tabs or another method of providing users with links to those pages. For information on custom navigation tabs, see
The following table describes the Access Hooks that allow a user to view top-level navigation tabs. Some of these Access Hooks also grant users other permissions; these permissions are described in the "Additional Access" column.
Tab | Access Hook Category | Access Hook Name | Additional Access |
Dashboards | Dashboards | Dash:View | Allows user to view their own dashboards. Does not allow user to create or edit their own dashboards. |
Views | Views |
Views: View |
Allows the user to view the Views tab and to view the Views that are embedded in Dashboards. NOTE: To allow users to view the Views embedded in Dashboards but not allow the user to view the Views tab, assign the Acces Hook Views:View Embedded. |
Events | Events | Events/Event:View | Allows user to view the list of events for their organizations on the Event Console screen. |
Tickets | Ticketing | Ticketing/Ticket:View | Allows user to view the list of tickets in their assigned ticket queues for their organizations on the Ticket Console page. |
Reports | Reports | Reports> | None |
Registry | EM7 System Administration | Registry> | None |
System | EM7 System Administration | System> | None |
Preferences | User Account Management |
Preferences> |
None |
For tabs that have a left Navbar or menu bar, such as
and , the top-level navigation hook will allow the user to select only the tab. On these tabs, links in the left Navbar or menu bar will appear only if the a user has additional Access Hooks specifically for the links in the left Navbar or menu bar.Navigation Access Hooks
Access Hooks that allow users to navigate to pages within the user interface follow a similar naming convention. The Access Hook name represents the sequence of mouse clicks required to navigate to the page. For example:
Registry>Accounts>User Accounts
In this example, the Access Hook grants access to the User Accounts page. To navigate to this page a user would click on the tab, then the "Accounts" and "User Accounts" links in the left Navbar or menu bar.
When you assign an Access Key containing a navigation Access Hook, the user is allowed to navigate to and view the page only. To perform action in the page, such as adding, removing, viewing, and editing entities, the user must be assigned additional Access Hooks.
The "System>Manage>Access Hooks" and "System>Manage>Access Keys" Access Hooks behave differently from other navigation Access Hooks. The left Navbar or menu bar links to the Access Hooks and Access Keys pages are displayed only to accounts of type Administrator. Even if you assign "System>Manage>Access Hooks" and "System>Manage>Access Keys" to a user, the user will not see the Access Hooks and Access Keys links. However, the user will be able to navigate to the Access Hooks and Access Keys pages by going directly to the URL of those pages.
All Access Hooks that control navigation to specific pages are dependent on Access Hooks described in the Access Hooks for top-level navigation section. If you want to allow a user to navigate to a page that is controlled by a navigation key, you must grant that user the top-level navigation Access Hook and the navigation Access Hook.
Action Access Hooks
Access Hooks that allow users to perform an action on or view specific information about an element use a consistent naming convention. The Access Hook name includes the following information separated by colons:
- The general entity type or area of SL1, e.g. "Ticket" or "Org".
- If applicable, the specific part of the entity or area of SL1, e.g. "Watchers" for ticketing, or "Notes" for organization.
- If there are multiple actions that can be performed, the specific action that can be taken, e.g. "Add/Rem" or "Edit". If the action information is not included in an Access Hook name, the Access Hook allows a user to take any available action on the entity or area of the product.
The following are examples of action Access Hooks:
- Cred:SNMP:Add/Rem. "Cred" indicates that the general entity type is a credential, "SNMP" indicates the Access Hook applies only to SNMP credentials, and "Add/Rem" indicates the Access Hook allows a user to add or remove an SNMP credential.
- Dev:Tools. "Dev" indicates that the general entity type is a device and "Tools" indicates the Access Hook applies only to the Device Toolbox. Because there is no action included in the Access Hook name, when you grant a user this Access Hook, the user will be able to perform every action available on the Device Toolbox page.
- Discovery:Run. "Discovery" indicates that the Access Hook applies to the Discovery Manager section, and "Run" indicates the Access Hook allows a user to schedule or execute a discovery session.
In general, separate Access Hooks are provided for adding/removing entities and editing entities.
Action Access Hook Dependencies
The following dependencies apply to Access Hooks that allow users to perform actions:
- If a user has an Access Hook that allows them to perform an action, you must also grant them access to the page on which the action is performed. For example, a user who has the "Org:Edit" Access Hook should also have the "Registry>Accounts>Organizations" Access Hook to navigate to and edit an organization. If you are not restricting user access to top-level navigation tabs, you must also grant the user the "Registry>" Access Hook.
- If a user has an Access Hook that allows them to view a tab in a panel separate from the main screen (for example, the Device Details panel, Device Summary panel, or the Ticket panel), the user should also have the Access Hook that allows them to view the default tab in the panel. For example, suppose you grant a user with the "Dev:View IFs" Access Hook, which allows a user to view the Interfaces tab in the Device Administration panel. You should also grant the user the "Dev:View Details" Access Hook so the user can access to the Device Properties page, which is the default page in the Device Administration panel.
- If a user has an "Access All", or "View Any" Access Hook, the user will still need the corresponding "View" Access Hook. For example, a user with the "Ticket:Access All" Access Hook must have the "Ticket:View" Access Hook to view tickets.
Blacklisting or Whitelisting Access Hooks
You can override existing user permissions and Access Keys in SL1 by blacklisting or whitelisting Access Hooks for all users, administrators, or regular users:
- Blacklisting disables one or more access hooks. You can disables an access hook for all users, users-level users, administrator-level users, or a combination of user types.
- Whitelisting enables one or more access hooks. You can enable an access hook for all users, users-level users, administrator-level users, or a combination of user types.
Blacklisting Access Hooks using the following method does not disable links to blacklisted pages, but a user on the black list cannot load blacklisted pages.
Enabling the Access Hook Blacklist or Whitelist
To enable the Access Hook blacklist or whitelist:
- Go to the console of the Administration Portal, All-In-One Appliance, or Database Server that provides web access for your system or use SSH to access the command line.
- Use vi (or a text editor of your choice) to create the file /etc/.custom_alignment.conf.
- Configure the permissions for /etc/.custom_alignment.conf to allow nginx to read the file:
chmod a+r /etc/.custom_alignment.conf
- Add one or more of the following sections to the file; add only the sections that will include at least one blacklist or whitelist rule:
- [ALL]. Blacklist or whitelist Access Hooks for all users
- [USER]. Blacklist or whitelist Access Hooks for all regular users
- [ADMIN]. Blacklist or whitelist Access Hooks for all administrator users
- Add the hooks that you want to add to your black list or white list:
- To blacklist an Access Hook, add the following line to the appropriate section, substituting the Access Hook ID where indicated:
<access_hook_ID>=deny
where access_hook_ID is the alphabetic ID that describes the Access Hook. For example, the following code prevents users from viewing passwords in plaintext:
CRED_VIEW_PASSWORDS=deny
- To whitelist an Access Hook:
<access_hook_ID>=allow
- Go to the Cache Management page (System > Tools > Cache) and delete all cache entries.
Example of the Access Hook Blacklist
Requirement: Make the Database Tool page (System > Tools > DB Tool) inaccessible to all users.
Process: Update /etc/.custom_alignment.conf with the following:
[ALL]
SYS_TOOLS_DB=deny