Device access control lists
Collection Zone supports fine-grained security controls, which can be used to give limited access to certain departments within a large organization or limit a customer to see only his own data. A user with limited access to objects also has a more limited view of features within the system. As an example, most global views, such as the network map, event console, and all types of class management, are not available. The device list is available, as are the device organizers: systems, groups, and locations. A limited set of reports can also be accessed.
Permissions and roles
Actions in the system are assigned permissions. For instance to access the device edit screen you must have the “Change Device” permission. Permissions are not assigned directly to a user; instead, permissions are granted to roles, which are then assigned to a user. A common example is the ZenUser role. Its primary permission is “View,” which grants read-only access to all objects. ZenManagers have additional permissions such as “Change Device,” which grants them access to the device edit screen. When you assign a role to a user using the Roles field (on the Edit page), it is global.
Device ACLs provide limited control to various objects within the system. Administered objects are the same as the device organizers: Groups, Systems, and Locations and Devices. If access is granted to any device organizer, it flows down to all devices within that organizer. To assign access to objects for a restricted user, you must have the ZenManager role. The system grants access to objects is granted using the user's or user group's administered objects. To limit access, you must not assign a “global” role to the user or group.
Assigning administered object access
For each user or group there is an Administered Objects selection, which lets you add items for each type of administered object. After adding an object you can assign it a role. Roles can be different for each object, so a user or group might have ZenUser on a particular device but ZenManager on a location organizer. If multiple roles are granted to a device though direct assignment and organizer assignment the resulting permissions will be additive. In the example above, if the device was within the organizer the user would inherit the ZenManager role on the device.
Portlet access control
In Collection Zone, portlet access can be controlled. This is important for device ACLs.
Viewing events for restricted mode users
A user in restricted mode does not have access to the global event console. The available events for the user can be seen under his organizers.
Example: Restricted user with ZenOperator role
The ZenUser role from the previous section allows read-only access to devices. By adding the ZenOperator role to specific devices, device classes, or groups of devices, a user will be able to acknowledge and close events, move events to history, and add log messages to events.
To add the ZenOperator role to specific devices, device classes, or groups of devices:
- Select the user name whose role must be changed on certain devices.
- In the left-hand pane, click Administered Objects.
- Click the Action icon and choose the device, device class, or other device organizer to which you want to grant the ZenOperator role.
- Select the ZenOperator role from the drop-down menu for the newly selected device, device class, or device organizer.
The user now has the ZenUser role for all devices in this instance, with the exception of the devices selected above which function under the ZenOperator role.
Detailed restricted screen functionality
By default, the dashboard is configured with three portlets:
- Object Watch List
- Device Issues
- Production State
These have content that will be restricted to objects for a given user.
The device list is automatically filtered to devices of a restricted user scoped to accessible devices. No menu items are available.
Device organizers control groups of devices for a restricted user. Every device added to the group will be accessible to the user. Permissions will be inherited down multiple tiers of a device organizer.
Reports are limited to device reports and performance reports.