User Tools

Site Tools


products:cockpit:1.0:userguide:settings:authorizationprofiles

Application Authorization Profiles

Purpose

  • Define which features a user can see and use
  • Application authorization profiles allow to define the level of access to the various application menus:
  • Those profiles can be assigned to teams or users to define what they can see and how they can interact with the application.

Combined with teams and device authorization profiles, application authorization profiles are a great way to manage user permissions

Application authorization Profiles UI

  • The application authorization profile settings shows tables of the existing application authorization profiles within the tenant.
  • both tabs allow the following actions:
    • Create/Edit an application authorization profile
    • Delete/bulk delete application authorization profiles


Manage Authorization profiles

  • To create or edit an application authorization profile's, press Create or select Edit in the table action menu to open the application authorization profile editor
  • Set the application authorization profile's parameters
    • Name
    • Description
    • Permissions: To select/remove an authorization object, simply click on its name
  • You can delete a single application authorization profile or a group of them by either using the table action menu or the bulk delete button

Device Authorization Profiles

Purpose

  • Manage what devices a user can see and what he can do with them
  • Device authorization profiles allows to define visibility and permissions for a group of devices
  • This profile can be associated to a user or a team to define what device a user can see and which actions a user can do on the devices
  • The granularity of the authorizations is the group: The permissions set to a group applies to all its associated devices
  • Permissions can also be set on tags (Production, etc…) so you can apply different permissions within a group.

Combined with teams and application authorization profiles, device authorization profiles are a great way to manage user permissions

Device authorization Profiles UI

  • The device authorization profile settings shows tables of the existing device authorization profiles within the tenant.
  • both tabs allow the following actions:
    • Create/Edit an device authorization profile
    • Delete/bulk delete device authorization profiles


Manage device authorization profiles

  • To create or edit a device authorization profile, press Create or select Edit in the table action menu to open the device authorization profile editor
  • Set the device authorization profile parameters
    • Name
    • Description
    • Global permissions for viewing, editing and deleting
    • Permissions per group and tags
  • You can delete a single device authorization profile or a group of them by either using the table action menu or the bulk delete button
  • Permissions can be applied on a group and on tags
    • Group: All devices belonging to the group will have the same permissions
    • Tags: All devices assigned to a tag will have the same permissions

Permissions

  • Device permissions apply on the following configuration items:
    • Organizations
    • Groups
    • Systems
    • Connectors
    • Monitoring users
    • Devices

Global permissions

  • Global permissions will apply to all existing and future configuration items
    • View all: Users will be able to see everything
    • Edit all: Users will be able to edit any item, including:
      • Changing CI definition
      • Assigning users
      • Assigning profiles
    • Delete all: Users will be able to delete anything.

Groups and tags permissions

  • Allows to define custom permissions per group or tag
  • All underlying configuration items attached to a group or tag will be associated to the configured permission
Permission Description
View Must be set for all the devices belonging to the group to be visible
Edit Allows to modify devices properties
Delete Allows to delete a device
  • Tag permissions will prevail over group permissions
  • Combined with global permission you can allow user to see everything, but only to edit a subset of items associated with a given group or tag

The privileges granted to an item will always be transfered to its childs, even if they are set with less privileges.

Example:

  • If an organization is set to be VIEW + EDIT, then all its underlying components will have VIEW + EDIT, even if some are set to VIEW only in the profile.
/home/clients/8c48b436badcd3a0bdaaba8c59a54bf1/wiki-web/data/pages/products/cockpit/1.0/userguide/settings/authorizationprofiles.txt · Last modified: 2024/05/01 18:52 (external edit)