Delegate 'Admin tools' menus
Prerequisite: You must be familiar with the Syntax used in Tutorials and have already created an extension.
- learning:
- Grant admin menus to users other than Administrator
- level:
- Advanced
- domains:
- XML, Access rights
- min version:
- 2.5.0
Since the 2.5 version of iTop, you can grant admin menus to users other than Administrator.
Limitations
The following menus cannot be given to anyone else than an Administrator:
-
Schedule Backup
-
Log Management (unless you have Log Management 2.0.1+)
-
ITop Hub
Some classes such all those related to object history have no
organization, as a result, providing access to Run
Query
to user with Allowed Organizations
generate a security hole, as they can see the history of objects
that they are not allowed to see.
Menu visibility
With the 1.5 version of the XML, it is now possible to control the access to any menu based on a class and an action right (read,write,delete,…). Only people having that action on this class will be able to see this menu.
See the XML Reference for details on XML tags to customize a menu.
The following admin menus are by default controlled by an action on a class.
-
Users: write on User
-
Profile : write on Profile
-
Notifications : write on Trigger
-
Audit: write on AuditCategory
-
Run Query: write on ResourceRunQueriesMenu
-
Query phrasebook: write on Query
-
Export: write on ResourceAdminMenu
-
Data Model: write on ResourceRunQueriesMenu
-
Universal Search: write on ResourceAdminMenu
-
Synchronization Data Sources: write on SynchroDataSource
All the classes above can have their access managed within
Profiles (through Groups).
Out of the box, there are 6 new Groups which are predefined and can be used by
existing or new profiles. The LogManagement group is
brought by the extension iTop Log Management
Group id | Menus included by default | Classes included in the Group |
---|---|---|
User | User Accounts, Profiles | User, URP_UserOrg, URP_UserProfile, URP_Profiles |
Audit | Audit, Run Query | AuditCategory, AuditRule, ResourceRunQueriesMenu |
Notification | Notification, Run Query | Trigger, Action, lnkTriggerAction, ResourceRunQueriesMenu |
Query | Query Phrasebook, Run Query | Query, QueryOQL, ResourceRunQueriesMenu |
SynchroData | Synchronization Data Sources | SynchroDataSource |
LogManagement | Log Center | ResourceLogMenu |
AdminTools | all menus above | all classes above |
-
edit users having the Administrator profile,
-
give Administrator profile to a user.
Step by step example
Let say that you want to make the 'Export Menu' accessible to users having the profile 'Config Manager'
-
There is no obvious Class to control this menu, we will create a new Abstract class, lets name it: 'RessourceExportMenu'
-
We will customize the 'Export Menu' entry to tied it on that newly created class (replace 'ResourceAdminMenu' by 'RessourceExportMenu')
-
We will customize the 'Config Manager' profile to include 'modify' on the class 'RessourceExportMenu', through a new Group
Create the Abstract Class
You may use an existing class which would make sense to control the access to that menu, but in the case or 'Export' we don't find any satisfying class, so we will create a new one.
The new class must:
-
extends AbstractResource
-
have the category grant_by_profile
<class id="RessourceExportMenu" _delta="define"> <parent>AbstractResource</parent> <properties> <comment>/* Export Menu access control. */</comment> <abstract>true</abstract> <category>grant_by_profile</category> </properties> <presentation/> <methods/> </class>
Overwrite menu definition
- datamodels/2.x/itop-welcome-itil/datamodel.itop-welcome-itil.xml
-
<menu id="ExportMenu" xsi:type="WebPageMenuNode" _delta="must_exist"> <enable_class _delta="redefine">RessourceExportMenu</enable_class> <enable_action _delta="redefine">UR_ACTION_MODIFY</enable_action> </menu>
Complete Group & Profile definition
- datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml
-
<user_rights> <groups> <group id="Export" _delta="define"> <classes> <class id="RessourceExportMenu"/> </classes> </group> </groups> <profiles> <profile id="3" _delta="must_exist"> <!-- id=3 correspond to the Configuration Manager profile --> <groups> <group id="Export" _delta="define"> <actions> <action id="action:write">allow</action> </actions> </group> </groups> </profile> </profiles> </user_rights>
Check in datamodel.itop-profiles-itil.xml for id of existing Profiles.
Profiles which could be created
Those Profiles do not exist, but you can create them, in order to delegate “Admin tools” menus to users:
<user_rights> <profiles> <profile id="43" _delta="define"> <name>User Manager</name> <description>create/modify/delete users...</description> <groups> <group id="User"> <actions> <action id="action:write">allow</action> <action id="action:delete">allow</action> <action id="action:read">allow</action> <action id="action:read bulk">allow</action> <action id="action:write bulk">allow</action> </actions> </group> </groups> </profile> <profile id="44" _delta="define"> <name>Notification Manager</name> <description>Has the rights to create and modify the triggers and actions</description> <groups> <group id="Notification"> <actions> <action id="action:write">allow</action> <action id="action:delete">allow</action> <action id="action:read">allow</action> <action id="action:read bulk">allow</action> <action id="action:write bulk">allow</action> </actions> </group> </groups> </profile> <profile id="45" _delta="define"> <name>Audit Manager</name> <description>Has the rights to create and modify the audit</description> <groups> <group id="Audit"> <actions> <action id="action:write">allow</action> <action id="action:delete">allow</action> <action id="action:read">allow</action> <action id="action:read bulk">allow</action> <action id="action:write bulk">allow</action> </actions> </group> </groups> </profile> <profile id="46" _delta="define"> <name>Query Manager</name> <description>Has the rights to create and modify the Query Phrasebook</description> <groups> <group id="Query"> <actions> <action id="action:write">allow</action> <action id="action:delete">allow</action> <action id="action:read">allow</action> <action id="action:read bulk">allow</action> <action id="action:write bulk">allow</action> </actions> </group> </groups> </profile> <profile id="47" _delta="define"> <name>SynchroData Manager</name> <description>Has the rights to create and modify the Synchro data source</description> <groups> <group id="SynchroData"> <actions> <action id="action:write">allow</action> <action id="action:delete">allow</action> <action id="action:read">allow</action> <action id="action:read bulk">allow</action> <action id="action:write bulk">allow</action> </actions> </group> </groups> </profile> <profile id="48" _delta="define"> <name>Admin Tools Manager</name> <description>Has the rights to Admin</description> <groups> <group id="AdminTools"> <actions> <action id="action:write">allow</action> <action id="action:delete">allow</action> <action id="action:read">allow</action> </actions> </group> </groups> </profile> </profiles> </user_rights>
Technical details
Explained in details what was modified/added in 2.5 around Menu access:
'Admin tools' menus in XML
The admin menus were previously totally written in plain PHP,
secured by a isAdministrator()
check. It has been
translated in XML, so it can now be overwritten.
The Menu XML reference has been enriched to specify, class, action and even stimulus which are required to get access to a menu.
When the tag enable_admin_only
is set to 1, any
<enable_class> tag provided is ignored: only users with
Administrator profile can see this menu.
If you want to give access to a enable_admin_only
menu, you must either set the tag enable_admin_only
to
0 or remove the tag completely with _delta=“delete”
and add at least the enable_class
and
enable_action
tags.
The design was made to maintain extensions compatibility with previous versions of iTop.
NewObjectMenuNode
, SearchMenuNode
and
OQLMenuNode
have a automatic class which control its
accessWebPageMenuNode
need to be secured against direct
access (a user may guess the url of a webPage and try to access
it even if he do not see the menu). To do so, each web page is
checking against
ApplicationMenu::CheckMenuIdEnabled(“MenuId”);
with
MenuId
beeing the id used in the xml definition of the
menu. This ensure that in order to be able to execute a webpage the
user must have access to the corresponding menu.
New Abstract Classes
Some admin menus haven't any logical class to tie to, so we have created new classes dedicated just to control this access. You can expend this list if needed.
Class name | Usage |
AbstractResource | new classes for access right should inherit from
AbstractResource |
ResourceRunQueriesMenu | used to check the user access rights against the menu Run Query |
ResourceAdminMenu | used by default for all menus that do not have a proper class |
bizmodel vs grant_by_profile classes
The group *
has all classes having
bizmodel
category. Some profile has read access for
the group *
.
The class with category grant_by_profile
is not
accessible by default to users other than
Administrators.
-
The application classes which are used to control the “admin tools” menus, have the category
grant_by_profile
. -
The new Abstract Classes have also the category
grant_by_profile
.
Changes in the Grant Matrix
The grant matrix displays classes having the category
grant_by_profile
or bizmodel
.
Before iTop 2.5, only classes with category bizmodel
where displayed.
Example: See the new entries in the grant matrix for a user with
User Manager
profile are:
New Groups
Here are the 6 new Groups which are predefined and can be used by existing or new profiles:
- datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml
-
<user_rights> <group id="Notification" _delta="define"> <classes> <!-- This class list is also present in AdminTools group --> <class id="Trigger"/> <class id="lnkTriggerAction"/> <class id="Action"/> <class id="ResourceRunQueriesMenu"/> </classes> </group> <group id="User"> <classes> <!-- This class list is also present in AdminTools group --> <class id="User"/> <class id="URP_UserOrg"/> <class id="URP_UserProfile"/> <class id="URP_Profiles"/> </classes> </group> <group id="Audit"> <classes> <!-- This class list is also present in AdminTools group --> <class id="AuditCategory"/> <class id="AuditRule"/> <class id="ResourceRunQueriesMenu"/> </classes> </group> <group id="Query"> <classes> <!-- This class list is also present in AdminTools group --> <class id="Query"/> <class id="QueryOQL"/> <class id="ResourceRunQueriesMenu"/> </classes> </group> <group id="SynchroData"> <classes> <!-- This class list is also present in AdminTools group --> <class id="SynchroDataSource"/> <class id="SynchroAttribute"/> <class id="SynchroReplica"/> <!-- New in 3.0 --> </classes> </group> </user_rights> </itop_design>