Application rights


J_Tamburrini

Afternoon All,

Can someone advise where you would create or configure / copy and amend the application rights?

Specifically, we want the service desk to search and view CIs to find service tags and IMEIs etc., without the ability to create new ones.

We want to be able to copy or edit the following app right.

I'm happy to copy this role but can't work out where the app rights are held or created.

 

Anyone had this issue ?

[screenshot]


Hi Thanks @ArmandoDM

That's what I have done: I created a copy of that role and created my new one, e.g. Asset TEST.

But we want to strip the application rights down so they only have view only, rather than the option to create new assets as the original one suggests.

Asset Management User

"This role is for an Asset Management User. It includes rights to define new and edit existing Assets as well as being able to add detailed Asset information."

Hope that makes sense. I just couldn't see where the Application rights are stored; I assume they are preset and locked down deeper in the system tables somewhere?


  • 2 months later...

Hi, I have the same issue as J_Tamburrini.

I want to have a role that allows viewing and updating assets but NOT creating assets.
I copied the role Asset Management User to a new Role. In the new role I removed the insert option for all h_cmdb* tables except h_cmdb_links.
As the Incident, Service Request and Change roles have the insert enabled on the h_cmdb* tables I removed the insert option there as well.

For some reason users assigned to this role(s) are able to create assets anyway. Any idea?

Kind Regards
Per


@P. Nordqvist you don't enable/disable certain rights via DB rights. The DB rights only allow/forbid actions on specific tables in the database. I would leave them untouched unless the app throws an error complaining specifically about a DB right...

So, if you want to have a custom role to allow view and update but not create assets this needs to be done via application rights. Create a copy of "Asset Management Admin" default role. Edit the new role and navigate to "Application Rights" tab. Remove the "Create Configuration Items" right. Save changes and give it a try.

 


 

EDIT: I would suggest removing the "Delete Configuration Items" as well if you don't want users to delete assets....


@Victor Thanks for your reply. Unfortunately it isn't that simple because it is the "Application Rights" View Asset Management that is assigned to the Role "Asset Management User" that also allows the user to create assets (not delete though).

In this case I see no other chance than changing the table rights which is obviously also not working. 


@P. Nordqvist

1 hour ago, P. Nordqvist said:

In this case I see no other chance than changing the table rights which is obviously also not working.

I have to reiterate that amending table rights has absolutely no impact on what rights a user has or hasn't. You can amend them, change them any way you like it won't make any difference from what a user is allowed or not allowed to do. The only impact is that if a table right is missing or not correctly configured, whenever the user performs an action (at this point that user already has the right to perform the action) which requires a specific type of access to a table (read, update, delete, etc.) the application will throw an error and/or the action will not be performed. The fact that the action is not performed (due to table access rights) and the user having or not having the right to perform the action are two different things. Hope this makes sense.

 

This being said, you can achieve what you need by having the "View Asset Management" right and removing access to CMDB tables for new records (insert) only. But as I said above, this won't prevent the user from performing the "create asset" action but it will prevent the actual creation of the asset which, for all intents and purposes, is what you need (and is not the most elegant solution, imo). Basically, the role would look like this (and it should be based on "Asset Management Admin" default role):

The "Application Rights" section:

[screenshot]

The "Database Rights" section (only CMDB tables rights are changed - removing the Insert)

[screenshot]

 


52 minutes ago, P. Nordqvist said:

Now the user can try to add a new asset. The system pretends like no error appeared and just closes the dialogue without creating the asset. Dirty but better than nothing.

Indeed, not the most elegant solution. The error, however, whilst not visible in the UI, will be recorded in the logs. Ideally, we would want a right/role that will actually prevent the user from performing the action itself, again, ideally, by not showing the "Add Asset" in the first place...
