CMDBuild Forum

Variable group permissions

I have a question, maybe I haven't implemented it correctly. The basic scenario is that we're a service provider, so we support many, many different customers. We use this for tracking storage arrays, FC switches, etc. As a larger organization for storage support, we're broken into sub-categories: Large Enterprise customers, Government customers and Healthcare customers. We have over 50 storage admins spread among the 3 different groups. We store all the data in one CMDB since the on-call rotation covers all 3 categories, so they need read access to all the information.

The snag I'm running into is that we only want a subset from each group to be able to modify their customers' data but still globally have read access to all others.

What I did was create 2 groups (to test the process). One group has read access to everything; the 2nd group has a filter for only 1 customer and write access. I made a user a member of both groups. What happens is that the user has write access to all data, not just the one customer I gave them write access to.

Is this expected behavior? Any ideas on how I can accomplish this?

Thanks for your post, but we ran this test and everything works perfectly:
1) created a group with only read access on a class
2) created a group with write privileges only on filtered rows
3) created a single user for the 2 groups
 
If the user logs in with the first group, he can only read information from the class;
if the user logs in with the second group, he can write and read only the filtered class.
 
We also tried the column privileges, but everything is working as we expect.
Please check whether we ran the test correctly and let us know.
 
CMDBuild Team
 
 
Previously Josh wrote:

I have a question, maybe I haven't implemented it correctly. The basic scenario is that we're a service provider, so we support many, many different customers. We use this for tracking storage arrays, FC switches, etc. As a larger organization for storage support, we're broken into sub-categories: Large Enterprise customers, Government customers and Healthcare customers. We have over 50 storage admins spread among the 3 different groups. We store all the data in one CMDB since the on-call rotation covers all 3 categories, so they need read access to all the information.

The snag I'm running into is that we only want a subset from each group to be able to modify their customers' data but still globally have read access to all others.

What I did was create 2 groups (to test the process). One group has read access to everything; the 2nd group has a filter for only 1 customer and write access. I made a user a member of both groups. What happens is that the user has write access to all data, not just the one customer I gave them write access to.

Is this expected behavior? Any ideas on how I can accomplish this?

 

Thanks for the reply, I think the piece that is missing is the ability to switch groups. I don't see any way for the user to do this on his own.

 

 

A user can sum the permissions of all the groups to which he belongs, or can choose at login the group with whom he wants to work (and change it with a logout / login).

 

CMDBuild Team

 

 

Thanks, I was able to implement what I need via removing their default group. It's just that it's a rather clunky implementation of what I'm trying to achieve. It would be better if it would login the person via their true 'default group' as specified... then if they need to make modifications they can simply switch groups without logging out and back in again. Since their normal mode of operation is just read access 99% of the time adding the extra step to select the group during initial login is not a clean implementation.

 

 

A list of different "rows and columns privileges" for a user or group would be a good idea, so we don't have to log out and log in again with another group.
Would you consider implementing it?
 
Previously Tecnoteca wrote:
A user can sum the permissions of all the groups to which he belongs, or can choose at login the group with whom he wants to work (and change it with a logout / login).

 

CMDBuild Team

 

 

 

Previously funbsd wrote:

A list of different "rows and columns privileges" for a user or group would be a good idea, so we don't have to log out and log in again with another group.
Would you consider implementing it?
 
How do I sum permissions? I have to choose a group at login. There is no sum of permissions.
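
The policy asked for in this thread (global read, write only on one customer's rows, for a user who belongs to both groups) can be written down as a per-row check and used to test a configuration. The sketch below is an added example, not CMDBuild code and not from any poster; the group names, class name, fields and sample rows are constructed, and the class-level merge is only a hypothetical illustration of how ignoring the row filter produces the write-everywhere result described in the first post.

```python
from dataclasses import dataclass
from typing import Callable, Optional

RANK = {"none": 0, "read": 1, "write": 2}

@dataclass(frozen=True)
class Grant:
    group: str
    cls: str
    mode: str                                            # "read" or "write"
    row_filter: Optional[Callable[[dict], bool]] = None  # None = every row

def per_row_mode(grants, groups, cls, row):
    """Sum the groups' grants for one row; a filtered grant counts only if it matches."""
    best = "none"
    for g in grants:
        if g.group not in groups or g.cls != cls:
            continue
        if g.row_filter is not None and not g.row_filter(row):
            continue
        if RANK[g.mode] > RANK[best]:
            best = g.mode
    return best

def class_level_mode(grants, groups, cls):
    """Hypothetical merge that ignores row filters (the over-broad outcome)."""
    modes = [g.mode for g in grants if g.group in groups and g.cls == cls]
    return max(modes, key=RANK.get, default="none")

def overgranted_rows(grants, groups, cls, rows):
    """Rows where the class-level merge would allow more than the per-row sum."""
    merged = class_level_mode(grants, groups, cls)
    return [r["Code"] for r in rows
            if RANK[merged] > RANK[per_row_mode(grants, groups, cls, r)]]

# Constructed sample data: group names, class name and fields are assumptions.
GRANTS = [
    Grant("ReadAll", "StorageArray", "read"),
    Grant("AcmeWriters", "StorageArray", "write", lambda r: r["Customer"] == "Acme"),
]
ROWS = [
    {"Code": "ARR-01", "Customer": "Acme"},
    {"Code": "ARR-02", "Customer": "Globex"},
]

if __name__ == "__main__":
    both = {"ReadAll", "AcmeWriters"}
    for row in ROWS:
        print(row["Code"], per_row_mode(GRANTS, both, "StorageArray", row))
    print("over-granted:", overgranted_rows(GRANTS, both, "StorageArray", ROWS))
```

Passing a single group in `groups` models the choose-a-group-at-login mode from the thread; passing both models the summed mode.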