Assigning Access Hooks

Download this manual as a PDF file

This section will help you select the Access Hooks that best fit the needs of your business. Because Access Hooks are as granular as possible, some Access Hooks have dependencies on other Access Hooks. For example, the Asset:View Access Hook grants the user access to view a specific asset. However, the user's granted Access Keys user must also include the Registry>Assets>Manager Access Hook to access the Asset Manager page, and the Registry> Access Hook to access the Registry tab.

This section describes the levels of access control, from providing access to the top-level navigation tabs to performing actions on specific pages.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

Access Hooks for Top-Level Navigation

To make it easier to determine and select the appropriate Access Hooks, each Access Hook is categorized by functional area of the product. For example, the Asset Hook Asset:View is in the Asset Management category

Access Hooks use a consistent naming convention to indicate their function, including an entity and action, for example "Asset:View". The Access Hooks page includes a description of each Access Hook.

If you want to allow users to view each top-level tab in SL1, you must create Access Keys that include the Access Hooks described in this section. If users do not have any Access Hooks that allow the user to view one or more top-level tabs, aligned with their granted Access Keys, those users will not see any navigation tabs when they log in to SL1.

If you want to align an Access Hook for an action with an Access Key and that Access Hooks requires a user to use the top-level navigation tabs to perform an action, such as allowing them access to a page under a tab, you must also align the corresponding Access Hook described in this section.

In certain situations, you might not want to grant users access to the top-level navigation tabs. If users have access to a page under a tab, but not the corresponding tab, they can still access the page using a direct link. If you want to restrict user access to the standard top-level navigation tabs, but still want to allow users to access pages under the tab, you may want to consider custom navigation tabs or another method of providing users with links to those pages. For information on custom navigation tabs, see Customizing User Experience.

The following table describes the Access Hooks that allow a user to view top-level navigation tabs. Some of these Access Hooks also grant users other permissions; these permissions are described in the "Additional Access" column.

Tab Access Hook Category Access Hook Name Additional Access
Dashboards Dashboards Dash:View Allows user to view their own dashboards. Does not allow user to create or edit their own dashboards.
Views Views

Views: View

Allows the user to view the Views tab and to view the Views that are embedded in Dashboards.

NOTE: To allow users to view the Views embedded in Dashboards but not allow the user to view the Views tab, assign the Acces Hook Views:View Embedded.

Events Events Events/Event:View Allows user to view the list of events for their organizations on the Event Console screen.
Tickets Ticketing Ticketing/Ticket:View Allows user to view the list of tickets in their assigned ticket queues for their organizations on the Ticket Console page.
Reports Reports Reports> None
Registry EM7 System Administration Registry> None
System EM7 System Administration System> None
Preferences User Account Management

Preferences>

None

For tabs that have a left Navbar or menu bar, such as Registry and System, the top-level navigation hook will allow the user to select only the tab. On these tabs, links in the left Navbar or menu bar will appear only if the a user has additional Access Hooks specifically for the links in the left Navbar or menu bar.

Navigation Access Hooks

Access Hooks that allow users to navigate to pages within the user interface follow a similar naming convention. The Access Hook name represents the sequence of mouse clicks required to navigate to the page. For example:

Registry>Accounts>User Accounts

In this example, the Access Hook grants access to the User Accounts page. To navigate to this page a user would click on the Registry tab, then the "Accounts" and "User Accounts" links in the left Navbar or menu bar.

When you assign an Access Key containing a navigation Access Hook, the user is allowed to navigate to and view the page only. To perform action in the page, such as adding, removing, viewing, and editing entities, the user must be assigned additional Access Hooks.

The "System>Manage>Access Hooks" and "System>Manage>Access Keys" Access Hooks behave differently from other navigation Access Hooks. The left Navbar or menu bar links to the Access Hooks and Access Keys pages are displayed only to accounts of type Administrator. Even if you assign "System>Manage>Access Hooks" and "System>Manage>Access Keys" to a user, the user will not see the Access Hooks and Access Keys links. However, the user will be able to navigate to the Access Hooks and Access Keys pages by going directly to the URL of those pages.

All Access Hooks that control navigation to specific pages are dependent on Access Hooks described in the Access Hooks for top-level navigation section. If you want to allow a user to navigate to a page that is controlled by a navigation key, you must grant that user the top-level navigation Access Hook and the navigation Access Hook.

Action Access Hooks

Access Hooks that allow users to perform an action on or view specific information about an element use a consistent naming convention. The Access Hook name includes the following information separated by colons:

  • The general entity type or area of SL1, e.g. "Ticket" or "Org".
  • If applicable, the specific part of the entity or area of SL1, e.g. "Watchers" for ticketing, or "Notes" for organization.
  • If there are multiple actions that can be performed, the specific action that can be taken, e.g. "Add/Rem" or "Edit". If the action information is not included in an Access Hook name, the Access Hook allows a user to take any available action on the entity or area of the product.

The following are examples of action Access Hooks:

  • Cred:SNMP:Add/Rem. "Cred" indicates that the general entity type is a credential, "SNMP" indicates the Access Hook applies only to SNMP credentials, and "Add/Rem" indicates the Access Hook allows a user to add or remove an SNMP credential.
  • Dev:Tools. "Dev" indicates that the general entity type is a device and "Tools" indicates the Access Hook applies only to the Device Toolbox. Because there is no action included in the Access Hook name, when you grant a user this Access Hook, the user will be able to perform every action available on the Device Toolbox page.
  • Discovery:Run. "Discovery" indicates that the Access Hook applies to the Discovery Manager section, and "Run" indicates the Access Hook allows a user to schedule or execute a discovery session.

In general, separate Access Hooks are provided for adding/removing entities and editing entities.

Action Access Hook Dependencies

The following dependencies apply to Access Hooks that allow users to perform actions:

  • If a user has an Access Hook that allows them to perform an action, you must also grant them access to the page on which the action is performed. For example, a user who has the "Org:Edit" Access Hook should also have the "Registry>Accounts>Organizations" Access Hook to navigate to and edit an organization. If you are not restricting user access to top-level navigation tabs, you must also grant the user the "Registry>" Access Hook.

  • If a user has an Access Hook that allows them to view a tab in a panel separate from the main screen (for example, the Device Details panel, Device Summary panel, or the Ticket panel), the user should also have the Access Hook that allows them to view the default tab in the panel. For example, suppose you grant a user with the "Dev:View IFs" Access Hook, which allows a user to view the Interfaces tab in the Device Administration panel. You should also grant the user the "Dev:View Details" Access Hook so the user can access to the Device Properties page, which is the default page in the Device Administration panel.
  • If a user has an "Access All", or "View Any" Access Hook, the user will still need the corresponding "View" Access Hook. For example, a user with the "Ticket:Access All" Access Hook must have the "Ticket:View" Access Hook to view tickets.

Blacklisting or Whitelisting Access Hooks

You can override existing user permissions and Access Keys in SL1 by blacklisting or whitelisting Access Hooks for all users, administrators, or regular users:

  • Blacklisting disables one or more access hooks. You can disables an access hook for all users, users-level users, administrator-level users, or a combination of user types.
  • Whitelisting enables one or more access hooks. You can enable an access hook for all users, users-level users, administrator-level users, or a combination of user types.

Blacklisting Access Hooks using the following method does not disable links to blacklisted pages, but a user on the black list cannot load blacklisted pages.

Enabling the Access Hook Blacklist or Whitelist

To enable the Access Hook blacklist or whitelist:

  1. Go to the console of the Administration Portal, All-In-One Appliance, or Database Server that provides web access for your system or use SSH to access the command line.
  2. Use vi (or a text editor of your choice) to create the file /etc/.custom_alignment.conf.
  3. Configure the permissions for /etc/.custom_alignment.conf to allow nginx to read the file:

chmod a+r /etc/.custom_alignment.conf

  1. Add one or more of the following sections to the file; add only the sections that will include at least one blacklist or whitelist rule:

  • [ALL]. Blacklist or whitelist Access Hooks for all users
  • [USER]. Blacklist or whitelist Access Hooks for all regular users
  • [ADMIN]. Blacklist or whitelist Access Hooks for all administrator users

  1. Add the hooks that you want to add to your black list or white list:
  • To blacklist an Access Hook, add the following line to the appropriate section, substituting the Access Hook ID where indicated:

<access_hook_ID>=deny

where access_hook_ID is the alphabetic ID that describes the Access Hook. For example, the following code prevents users from viewing passwords in plaintext:

CRED_VIEW_PASSWORDS=deny

  • To whitelist an Access Hook:

<access_hook_ID>=allow

  1. Go to the Cache Management page (System > Tools > Cache) and delete all cache entries.

Example of the Access Hook Blacklist

Requirement: Make the Database Tool page (System > Tools > DB Tool) inaccessible to all users.

The Database Tool page is available only in versions of SL1 prior to 12.2.1 and displays only for users that have sufficient permissions to access the page.

Process: Update /etc/.custom_alignment.conf with the following:

[ALL]

SYS_TOOLS_DB=deny