Delegate 'Admin tools' menus
Prerequisite: You must be familiar with the Syntax used in Tutorials and have already created an extension.
- learning: Grant admin menus to users other than Administrator
- level: Advanced
- domains: XML, Access rights
- min version: 2.5.0
Since the 2.5 version of iTop, you can grant admin menus to users other than Administrator.
Limitations
The following menus cannot be given to anyone other than an Administrator:
- Schedule Backup
- Configuration
- ITSM Designer
- iTop Hub
Some classes, such as all those related to object history, have no organization. As a result, providing access to Run Query to users with Allowed Organizations creates a security hole, as they can see the history of objects that they are not allowed to see.
Menu visibility
With the 1.5 version of the XML, it is now possible to control access to any menu based on a class and an action right (read, write, delete, …). Only users having that action on this class will be able to see the menu.
See the XML Reference for details on XML tags to customize a menu.
The following admin menus are by default controlled by an action on a class.
- Users: write on User
- Profile: write on Profile
- Notifications: write on Trigger
- Audit: write on AuditCategory
- Run Query: write on ResourceRunQueriesMenu
- Query phrasebook: write on Query
- Export: write on ResourceAdminMenu
- Data Model: write on ResourceRunQueriesMenu
- Universal Search: write on ResourceAdminMenu
- Synchronization Data Sources: write on SynchroDataSource
All the classes above can have their access managed within
Profiles (through Groups).
Out of the box, there are 6 new Groups which are predefined and can be used by
existing or new profiles:
Group id | Menus included by default | Classes included in the Group |
---|---|---|
User | User Accounts, Profiles | User, URP_UserOrg, URP_UserProfile, URP_Profiles |
Audit | Audit, Run Query | AuditCategory, AuditRule, ResourceRunQueriesMenu |
Notification | Notification, Run Query | Trigger, Action, lnkTriggerAction, ResourceRunQueriesMenu |
Query | Query Phrasebook, Run Query | Query, QueryOQL, ResourceRunQueriesMenu |
SynchroData | Synchronization Data Sources | SynchroDataSource |
AdminTools | all menus above | all classes above |
- edit users having the Administrator profile,
- give Administrator profile to a user.
Step by step example
Let's say that you want to make the 'Export Menu' accessible to users having the profile 'Config Manager':
- There is no obvious class to control this menu, so we will create a new abstract class; let's name it 'RessourceExportMenu'.
- We will customize the 'Export Menu' entry to tie it to that newly created class (replace 'ResourceAdminMenu' by 'RessourceExportMenu').
- We will customize the 'Config Manager' profile to include 'modify' on the class 'RessourceExportMenu', through a new Group.
Create the Abstract Class
You may use an existing class if one makes sense to control access to that menu, but in the case of 'Export' we did not find any satisfying class, so we will create a new one.
The new class must:
- extend AbstractResource
- have the category grant_by_profile

<class id="RessourceExportMenu" _delta="define">
  <parent>AbstractResource</parent>
  <properties>
    <comment>/* Export Menu access control. */</comment>
    <abstract>true</abstract>
    <category>grant_by_profile</category>
  </properties>
  <presentation/>
  <methods/>
</class>
Overwrite menu definition
datamodels/2.x/itop-welcome-itil/datamodel.itop-welcome-itil.xml

<menu id="ExportMenu" xsi:type="WebPageMenuNode" _delta="must_exist">
  <enable_class _delta="redefine">RessourceExportMenu</enable_class>
  <enable_action _delta="redefine">UR_ACTION_MODIFY</enable_action>
</menu>
Complete Group & Profile definition
datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml

<user_rights>
  <groups>
    <group id="Export" _delta="define">
      <classes>
        <class id="RessourceExportMenu"/>
      </classes>
    </group>
  </groups>
  <profiles>
    <profile id="3" _delta="must_exist">
      <!-- id=3 corresponds to the Configuration Manager profile -->
      <groups>
        <group id="Export" _delta="define">
          <actions>
            <action id="action:write">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
  </profiles>
</user_rights>

Check datamodel.itop-profiles-itil.xml for the ids of existing Profiles.
Profiles which could be created
These Profiles do not exist, but you can create them in order to delegate "Admin tools" menus to users:

<user_rights>
  <profiles>
    <profile id="43" _delta="define">
      <name>User Manager</name>
      <description>create/modify/delete users...</description>
      <groups>
        <group id="User">
          <actions>
            <action id="action:write">allow</action>
            <action id="action:delete">allow</action>
            <action id="action:read">allow</action>
            <action id="action:read bulk">allow</action>
            <action id="action:write bulk">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
    <profile id="44" _delta="define">
      <name>Notification Manager</name>
      <description>Has the rights to create and modify the triggers and actions</description>
      <groups>
        <group id="Notification">
          <actions>
            <action id="action:write">allow</action>
            <action id="action:delete">allow</action>
            <action id="action:read">allow</action>
            <action id="action:read bulk">allow</action>
            <action id="action:write bulk">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
    <profile id="45" _delta="define">
      <name>Audit Manager</name>
      <description>Has the rights to create and modify the audit</description>
      <groups>
        <group id="Audit">
          <actions>
            <action id="action:write">allow</action>
            <action id="action:delete">allow</action>
            <action id="action:read">allow</action>
            <action id="action:read bulk">allow</action>
            <action id="action:write bulk">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
    <profile id="46" _delta="define">
      <name>Query Manager</name>
      <description>Has the rights to create and modify the Query Phrasebook</description>
      <groups>
        <group id="Query">
          <actions>
            <action id="action:write">allow</action>
            <action id="action:delete">allow</action>
            <action id="action:read">allow</action>
            <action id="action:read bulk">allow</action>
            <action id="action:write bulk">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
    <profile id="47" _delta="define">
      <name>SynchroData Manager</name>
      <description>Has the rights to create and modify the Synchro data source</description>
      <groups>
        <group id="SynchroData">
          <actions>
            <action id="action:write">allow</action>
            <action id="action:delete">allow</action>
            <action id="action:read">allow</action>
            <action id="action:read bulk">allow</action>
            <action id="action:write bulk">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
    <profile id="48" _delta="define">
      <name>Admin Tools Manager</name>
      <description>Has the rights to Admin</description>
      <groups>
        <group id="AdminTools">
          <actions>
            <action id="action:write">allow</action>
            <action id="action:delete">allow</action>
            <action id="action:read">allow</action>
          </actions>
        </group>
      </groups>
    </profile>
  </profiles>
</user_rights>
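
To review what a set of profiles really unlocks before deploying it, the group and profile XML can be resolved against the menu gates listed under "Menu visibility". The script below is an added example, not part of iTop or of the original page; it assumes the `user_rights` layout shown on this page, uses a constructed sample (profile 90 is hypothetical), and does not model class inheritance or deny rules.

```python
import xml.etree.ElementTree as ET

# Menu -> gating class (each gated on "write"); subset of this page's list.
MENU_GATES = {
    "Users": "User", "Notifications": "Trigger", "Audit": "AuditCategory",
    "Query phrasebook": "Query", "Run Query": "ResourceRunQueriesMenu",
    "Data Model": "ResourceRunQueriesMenu",
}
# Run Query reaches classes that have no organization (see "Limitations").
UNSCOPED_MENUS = {"Run Query"}

# Constructed sample trimmed from this page's snippets; profile 90 is hypothetical.
SAMPLE = """
<user_rights>
  <groups>
    <group id="User"><classes><class id="User"/></classes></group>
    <group id="Audit"><classes><class id="AuditCategory"/>
      <class id="ResourceRunQueriesMenu"/></classes></group>
  </groups>
  <profiles>
    <profile id="43"><name>User Manager</name><groups><group id="User">
      <actions><action id="action:write">allow</action></actions></group></groups></profile>
    <profile id="45"><name>Audit Manager</name><groups><group id="Audit">
      <actions><action id="action:write">allow</action></actions></group></groups></profile>
    <profile id="90"><name>Audit Reader</name><groups><group id="Audit">
      <actions><action id="action:read">allow</action></actions></group></groups></profile>
  </profiles>
</user_rights>
"""

def menus_by_profile(xml_text, gates=MENU_GATES):
    """Map each profile name to the menus its allowed 'write' grants unlock."""
    root = ET.fromstring(xml_text)
    group_classes = {g.get("id"): {c.get("id") for c in g.findall("classes/class")}
                     for g in root.findall("groups/group")}
    result = {}
    for prof in root.findall("profiles/profile"):
        writable = set()
        for grp in prof.findall("groups/group"):
            if any(a.get("id") == "action:write" and (a.text or "").strip() == "allow"
                   for a in grp.findall("actions/action")):
                writable |= group_classes.get(grp.get("id"), set())
        result[prof.findtext("name")] = sorted(m for m, c in gates.items() if c in writable)
    return result

def unscoped_grants(xml_text):
    """Profiles that unlock a menu not restricted by Allowed Organizations."""
    return sorted(p for p, menus in menus_by_profile(xml_text).items()
                  if UNSCOPED_MENUS & set(menus))
```

On the sample, the Audit Manager profile unlocks Run Query and Data Model as a side effect of the Audit group containing ResourceRunQueriesMenu, which is the grant the "Limitations" section warns about.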
Technical details
This section explains in detail what was modified or added in 2.5 around menu access:
'Admin tools' menus in XML
The admin menus were previously written entirely in plain PHP, secured by an isAdministrator() check. They have been translated into XML, so they can now be overwritten.
The Menu XML reference has been enriched to specify the class, action and even stimulus which are required to get access to a menu.
When the tag enable_admin_only is set to 1, any <enable_class> tag provided is ignored: only users with the Administrator profile can see this menu.
If you want to give access to an enable_admin_only menu, you must either set the tag enable_admin_only to 0 or remove the tag completely with _delta="delete", and add at least the enable_class and enable_action tags.
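
The two rules above are easy to get wrong in an extension's delta XML, so they can be checked before deployment. The following lint is an added example, not code from iTop or from the original page; the menu ids and class names in the constructed sample are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample overrides; menu ids and class names are hypothetical.
SAMPLE_MENUS = """
<menus>
  <menu id="MenuA" _delta="must_exist">
    <enable_admin_only _delta="redefine">1</enable_admin_only>
    <enable_class _delta="define">ResourceMenuA</enable_class>
    <enable_action _delta="define">UR_ACTION_MODIFY</enable_action>
  </menu>
  <menu id="MenuB" _delta="must_exist">
    <enable_admin_only _delta="delete"/>
  </menu>
  <menu id="MenuC" _delta="must_exist">
    <enable_admin_only _delta="redefine">0</enable_admin_only>
    <enable_class _delta="define">ResourceMenuC</enable_class>
    <enable_action _delta="define">UR_ACTION_MODIFY</enable_action>
  </menu>
</menus>
"""

def lint_menu_overrides(xml_text):
    """Return {menu id: finding} for overrides that touch enable_admin_only."""
    findings = {}
    for menu in ET.fromstring(xml_text).iter("menu"):
        flag = menu.find("enable_admin_only")
        if flag is None:
            continue  # this override does not touch the admin-only switch
        # Both tags must be present and non-empty for the menu to be gated.
        has_gate = all((menu.findtext(tag) or "").strip()
                       for tag in ("enable_class", "enable_action"))
        # Admin-only is lifted when the tag is deleted or set to 0.
        lifted = flag.get("_delta") == "delete" or (flag.text or "").strip() == "0"
        if not lifted and menu.find("enable_class") is not None:
            findings[menu.get("id")] = "enable_class ignored: still Administrator only"
        elif lifted and not has_gate:
            findings[menu.get("id")] = "admin-only lifted without enable_class/enable_action"
        elif lifted:
            findings[menu.get("id")] = "ok: gated by class and action"
    return findings
```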
The design was made to maintain extensions compatibility with previous versions of iTop.
- NewObjectMenuNode, SearchMenuNode and OQLMenuNode have an automatic class which controls their access.
- WebPageMenuNode needs to be secured against direct access (a user may guess the URL of a web page and try to access it even if they do not see the menu). To do so, each web page checks against ApplicationMenu::CheckMenuIdEnabled("MenuId"); with MenuId being the id used in the XML definition of the menu. This ensures that, in order to execute a web page, the user must have access to the corresponding menu.
New Abstract Classes
Some admin menus have no logical class to tie to, so we have created new classes dedicated just to controlling this access. You can extend this list if needed.
Class name | Usage |
---|---|
AbstractResource | new classes for access right should inherit from AbstractResource |
ResourceRunQueriesMenu | used to check the user access rights against the menu Run Query |
ResourceAdminMenu | used by default for all menus that do not have a proper class |
bizmodel vs grant_by_profile classes
The group * has all classes having the bizmodel category. Some profiles have read access for the group *.
A class with category grant_by_profile is not accessible by default to users other than Administrators.
- The application classes which are used to control the "admin tools" menus have the category grant_by_profile.
- The new Abstract Classes also have the category grant_by_profile.
Changes in the Grant Matrix
The grant matrix displays classes having the category grant_by_profile or bizmodel.
Before iTop 2.5, only classes with category bizmodel were displayed.
Example: the new entries in the grant matrix for a user with the User Manager profile are:
New Groups
Here are the 6 new Groups which are predefined and can be used by existing or new profiles:
datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml

<user_rights>
  <groups>
    <group id="Notification" _delta="define">
      <classes>
        <!-- This class list is also present in AdminTools group -->
        <class id="Trigger"/>
        <class id="lnkTriggerAction"/>
        <class id="Action"/>
        <class id="ResourceRunQueriesMenu"/>
      </classes>
    </group>
    <group id="User">
      <classes>
        <!-- This class list is also present in AdminTools group -->
        <class id="User"/>
        <class id="URP_UserOrg"/>
        <class id="URP_UserProfile"/>
        <class id="URP_Profiles"/>
      </classes>
    </group>
    <group id="Audit">
      <classes>
        <!-- This class list is also present in AdminTools group -->
        <class id="AuditCategory"/>
        <class id="AuditRule"/>
        <class id="ResourceRunQueriesMenu"/>
      </classes>
    </group>
    <group id="Query">
      <classes>
        <!-- This class list is also present in AdminTools group -->
        <class id="Query"/>
        <class id="QueryOQL"/>
        <class id="ResourceRunQueriesMenu"/>
      </classes>
    </group>
    <group id="SynchroData">
      <classes>
        <!-- This class list is also present in AdminTools group -->
        <class id="SynchroDataSource"/>
        <class id="SynchroAttribute"/>
        <class id="SynchroReplica"/> <!-- New in 3.0 -->
      </classes>
    </group>
  </groups>
</user_rights>