User Rights

ITSM Designer - Combodo's customers only

The user rights in iTop are managed using a combination of “Profiles” and “Allowed Organizations”. Each user account in iTop is associated with at least one Profile and, optionally, a list of Organizations that the user is allowed to access. In iTop, the Profiles and the Allowed Organizations are independent, meaning that a given user has the same Profile(s) (i.e. the same role) for all Organizations she/he is allowed to access.

While the list of “Allowed Organizations” is defined directly in iTop as part of the configuration of the user account, the capabilities of the Profiles are an integral part of the Data Model, and thus managed via the ITSM Designer, in the “User Rights” page.

A Profile is defined by a list of Class Groups (for example, the class Document and all its derived classes can be referred to as the “Documents” Class Group) and, for each Class Group, a series of granted actions (read, write, delete…).

The same Class Group can be used for the definition of several Profiles, with potentially different actions granted: one profile may grant only the rights to Read the Documents, while another Profile may grant the rights to Write and Delete the Documents.

The following default types of grants are available on any class:

  • Read: grants a read-only access to objects of the specified class.
  • Bulk-Read: gives the ability to export a list of objects.
  • Write: grants the rights to create and modify an object of the given class.
  • Bulk-Write: grants the right to modify a list of objects in one go. Also allows CSV import on such objects.
  • Delete: grants the right to delete one object of the given class.
  • Bulk-Delete: grants the rights to delete multiple objects of the given class in one go.

On top of the default grants listed above, it is possible - for the classes having a lifecycle - to allow or deny the triggering of each Event (e.g. ev_assign, ev_close…).

By default, when nothing is specified (i.e. when an action is not explicitly allowed), the action is considered forbidden. Therefore, when adding new events to the lifecycle, the profiles must be adjusted to grant access to the new events. The only exception is the 'Administrator' profile, which bypasses the user rights.

The user rights on the link classes (i.e. classes used to maintain the information about n:n relations) are automatically computed from the user rights of the “related” classes. A user who has enough rights to modify the object on one side of a relation is also automatically granted the rights to create, modify and delete the links. In other words, the links are considered as a field of the related classes.

Toolbar

| Label | Action |
|---|---|
| Add Group | Create a new group of classes, to be associated with one (or more) profile(s) |
| Remove Group | Remove the currently selected group |
| Add Profile | Create a new profile |
| Remove Profile | Remove the currently selected profile |

Managing Class Groups

Managing Groups

The “Class Groups” tab is split in 3 panes:

  • The left pane lists the existing class groups. Click on a group to select it,
  • The center pane shows the hierarchy of classes, as a tree of check-boxes. Use the check boxes to manage the members of the class group,
  • The right pane shows the profiles which are using the selected class group. This information is not editable in this pane.

Creating a new class group

To create a new group, click on the Add Group button in the toolbar. The following dialog is displayed:

Add Group

Once the group is created, use the check-boxes in the tree-view of the center pane to add classes into the group.

Group creation Tips

Selecting a class in the tree automatically selects all its descendants.

Be aware that splitting a branch between different groups can have side effects:

  • If you give access to a child class but not to its parent classes, then users won't be able to see relationships defined at the parent level.
  • If you give access to the parent class and not to all sub-classes, users will be able to see all fields of the parent class for all sub-classes, even those they are not allowed to see.

Users having the Power user profile can even put into a group classes which are not proposed in the tree structure; they must enter the class names, comma-separated, in the white input zone at the bottom.

Deleting an existing class group

To delete the selected group, click on the Remove Group button in the toolbar. The following confirmation dialog is displayed:

Remove Group

Managing Profiles

The “Profiles” tab is split in 3 panes:

  • The left pane lists the existing profiles. Click on a profile to select it,
  • The center pane provides a preview of the actual user rights provided by the selected profile,
  • The right pane contains the editable properties of the selected profile.

In the central pane, move the mouse over a “Yes” or “No” to get a tooltip with the explanation of the source of this value.

The special profile “Administrator” cannot be edited and is therefore not listed here.

Adding and removing groups

To add a group to the profile, click on the Add Group button at the bottom of the list of groups. A dialog prompting for the group to add is then displayed:

Pick the group to add

The special group All Classes (*) is available to grant access rights (for example Read) on any class. The content of this group cannot be edited and the group itself cannot be deleted.

To remove a group from the profile, click on the Remove button on the same line as the name of the group. This brings up the following confirmation dialog:

Remove group confirmation

Editing the rights on a group

To edit the rights associated with a given group, click on the Edit button on the same line as the name of the group. The following dialog is displayed:

The events listed in the dialog box depend on the classes constituting the group. When none of the classes has a lifecycle, there are no events and only the six basic operations (read, write, delete and their bulk counterparts) are available.

Edit Grants

For each type of grant, select whether the operation will be “Allow(ed)”, “Undefined” (i.e. not allowed by this profile) or definitely “Denied”.

Be aware that “Deny” has precedence over all other “grants”. If a profile denies the rights to a particular action, all users having this profile will be denied the rights to perform this action, even if they have another profile which explicitly allows them to perform the same action.
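The evaluation rules described on this page (forbidden unless explicitly allowed, “Deny” winning over any “Allow” from another profile, the Administrator bypass, and the All Classes (*) group) can be modelled as follows. This is an added example, not iTop or ITSM Designer code; the profile names, group contents and the `effective_right` helper are constructed for illustration, and treating a grant on the (*) group as applying to every class is an assumption of the model.

```python
from enum import Enum

class Grant(Enum):
    ALLOW = "allow"
    DENY = "deny"   # "Undefined" is modelled as the absence of an entry

ALL_CLASSES = "*"   # the special "All Classes (*)" group

# Constructed sample data: groups and profiles are illustrative only.
GROUPS = {
    "Documents": {"Document", "DocumentFile", "DocumentNote", "DocumentWeb"},
    "Tickets": {"UserRequest", "Incident"},
    ALL_CLASSES: {ALL_CLASSES},
}
PROFILES = {
    "Reader": {ALL_CLASSES: {"read": Grant.ALLOW, "bulk read": Grant.ALLOW}},
    "Doc Editor": {"Documents": {"write": Grant.ALLOW, "delete": Grant.ALLOW}},
    "Doc Freeze": {"Documents": {"delete": Grant.DENY, "bulk delete": Grant.DENY}},
    "Agent": {"Tickets": {"write": Grant.ALLOW, "ev_assign": Grant.ALLOW}},
}

def effective_right(user_profiles, cls, action):
    """Return (allowed, reason) for one class/action across all profiles."""
    if "Administrator" in user_profiles:
        return True, "Administrator bypasses the user rights"
    allowed_by = None
    for profile in user_profiles:
        for group, grants in PROFILES.get(profile, {}).items():
            members = GROUPS[group]
            if cls not in members and ALL_CLASSES not in members:
                continue                      # group does not cover this class
            grant = grants.get(action)        # None means "Undefined"
            if grant is Grant.DENY:           # Deny beats any Allow
                return False, f"denied by {profile} on {group}"
            if grant is Grant.ALLOW and allowed_by is None:
                allowed_by = f"allowed by {profile} on {group}"
    if allowed_by:
        return True, allowed_by
    return False, "not explicitly allowed by any profile"
```

The returned reason plays the same role as the tooltip in the Profiles preview pane: when reviewing a user with several profiles, it shows which profile and group produced the final “Yes” or “No”.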

Creating a new profile

To create a new profile, click on the Add Profile button in the toolbar. The following dialog is displayed:

Add Profile

The name and description of the profile will appear in iTop exactly as typed here. In the current version of iTop this information cannot be localized.

Deleting an existing profile

To delete the selected profile, click on the Remove Profile button in the toolbar. The following confirmation dialog is displayed:

Remove Profile

latest/products/designer/userrights.txt · Last modified: 2024/09/10 10:25 by 127.0.0.1