This ZenPack is developed and supported by Zenoss Inc. Commercial ZenPacks are available to Zenoss commercial customers only. Contact Zenoss to request more information regarding this or any other ZenPacks.
This ZenPack is included with commercial versions of Zenoss and enterprise support for this ZenPack is provided to Zenoss customers with an active subscription.
The ZenPacks.zenoss.ZenDeviceACL ZenPack adds fine-grained device access controls (ACLs) to the Zenoss platform.
You can use ACLs to limit user access to data, such as limiting access to certain departments within a large organization, or limiting a customer of a service provider to see only his own data.
A user with limited access to objects also has a more limited view of features within the system. Most global views, such as the network map, event console, and all types of class management, are not available. The Device List is available, as are the device organizers Systems, Groups, and Locations. A limited set of reports can also be accessed.
Actions in the Zenoss platform are assigned permissions. For example, to access the device edit screen you must have the “Change Device” permission. Permissions are not assigned directly to a user, but granted to roles, which are then assigned to a user. A common example is the ZenUser role. Its primary permission is “View,” which grants read-only access to all objects.
ZenManagers have additional permissions, such as “Change Device,” which grants users with this role access to the device edit screen. When you assign a role to a user (using the Roles field on the Edit tab), it is assigned globally. When creating a restricted user you may not want to give that user a global role.
For more information about Zenoss platform roles, refer to Zenoss Service Dynamics Resource Management Administration.
Device ACLs provide limited control to various objects in the system. Administered objects are the same as device organizers (groups, systems, locations, and devices). If access is granted to any device organizer, it extends to all devices in that organizer.
To assign access to objects for a restricted user, you must be assigned the Manager or ZenManager role. The Zenoss platform grants access to objects by using the “Administered Objects” selection for a user or user group. To limit access, you must not assign a “global” role to the user or group.
Users and user groups work exactly as they would normally. For more information about managing users and groups, refer to Zenoss Service Dynamics Resource Management Administration.
For each user or group there is a selection called "Administered Objects." The Action menu has an "Add" item for each type of administered object. Adding an object will bring up a dialog box with live search on the given type of object.
After adding an object, you can assign it to a role. Roles can be different for each object. For example, a user or group might have the ZenUser role assigned to a particular device but the ZenManager role assigned to a location organizer. If multiple roles are granted to a device through direct assignment and organizer assignment, the resulting permissions will be additive. For the previously cited example, if the device is within the organizer the user will inherit the ZenManager role on the device.
By default, the dashboard is configured with three portlets:
These have content that is restricted to objects for a given user.
For a restricted user, the device list is automatically filtered to the devices that user can access. There are no menu items available.
Device organizers control groups of devices for a restricted user. Each device added to the group will be accessible to the user. Permissions are inherited through multiple tiers of a device organizer.
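The additive role resolution and multi-tier organizer inheritance described above can be modeled for an access review. This is an added example, not Zenoss code or its API; the data layout, function names, sample users and devices, and the simplified role-to-permission sets are assumptions based on the roles named on this page.

```python
# Illustrative model only; this is not the Zenoss API.
# Role-to-permission sets are simplified from the roles named on this page.
ROLE_PERMISSIONS = {
    "ZenUser": {"View"},
    "ZenManager": {"View", "Change Device"},
}


def organizer_ancestors(path):
    """Yield an organizer path and each parent tier above it."""
    parts = path.strip("/").split("/")
    for end in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:end])


def effective_roles(user, device):
    """Union of global roles, the role assigned directly on the device, and
    roles assigned on any organizer tier that contains the device."""
    roles = set(user.get("global_roles", ()))
    administered = user.get("administered_objects", {})
    if device["id"] in administered:
        roles.add(administered[device["id"]])
    for organizer in device["organizers"]:
        for tier in organizer_ancestors(organizer):
            if tier in administered:
                roles.add(administered[tier])
    return roles


def effective_permissions(user, device):
    """Additive result: the union of permissions from every effective role."""
    perms = set()
    for role in effective_roles(user, device):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def audit_findings(user):
    """Flag a user with administered objects who also holds a global role."""
    if not user.get("administered_objects"):
        return []
    return ["global role %s applies to all objects" % r
            for r in sorted(user.get("global_roles", ()))]


# Constructed sample data (hypothetical user, devices and organizer paths).
alice = {"global_roles": [],
         "administered_objects": {"web01": "ZenUser", "/Locations/US": "ZenManager"}}
web01 = {"id": "web01", "organizers": ["/Locations/US/Austin", "/Groups/Web"]}
db01 = {"id": "db01", "organizers": ["/Locations/EU/Berlin"]}
```

Here `alice` ends up with both roles on `web01` because the device sits two tiers below the `/Locations/US` organizer, while `db01` yields no permissions at all.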
Reports are limited to device reports and performance reports.
A user in restricted mode does not have access to the global event console. The available events for the user can be seen under his organizers.
Following the previous example: