[racktables-users] Complex permissions question, help requested

  • From: "Sears, Paul" <psears@xxxxxxxxxxxxxxx>
  • To: "racktables-users@xxxxxxxxxxxxx" <racktables-users@xxxxxxxxxxxxx>
  • Date: Thu, 9 Aug 2012 18:37:33 +0000

I am stuck with a fairly complex permissions issue.  What we are trying to do:
1. Allow our internal Admins to manage all assets at all locations.
2. Allow a vendor in one DC location to view and co-manage assets in *only that 
location*.  Allow a second vendor to view and co-manage assets in *a second 
location*.  (Have to use userid for these as the accounts are in "email address 
format" and rackcode doesn't like "@".)
3. Allow vendors to see Index page, backspace and the depot.
4. Deny access to creating new racks or editing rack properties, some of the 
report tabs and the config page.
5. Internal readonly user that can view everything.

Tag tree:
-RemoteSupport
     -Vendor1
     -Vendor2

Assets are either tagged with Vendor1 or Vendor2, or untagged.

The problem is that vendors can view and modify *any* assets when I do:
         allow {$username_vendor1} and {vendor1}
But when I do
    allow {$username_vendor1} and {vendor1} and {vendor1 asset}
the vendor can't access anything.

I am stuck, any ideas?


Here is the Rackcode:

allow {$userid_1} or {Admins}
deny {$page_config}
allow {RemoteSupport} and {asset} and {$tab_default} and {$page_index} and 
{$page_rackspace} and {$page_depot} and {$page_rack}

deny {$tab_rackcode} or {$tab_system} or ({$page_rackspace} and {$tab_edit} ) 
or ({$page_rack} and {$tab_edit}) or {$tab_newrack} or {$tab_tagroller}

allow {$username_vendor1} and {vendor1} and {vendor1 asset}
deny {$username_vendor1}

allow {$username_vendor2} and {vendor2} and {vendor2 asset}
deny {$username_vendor2}

allow {$username_readonly} and {$tab_default}
deny {$username_readonly}
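Added example, not from the original post and not RackTables' own code: a small Python evaluator for RackCode-style allow/deny rules that reports which rule decided a request. It assumes the rules are checked top to bottom, the first rule whose expression is true decides, and a request that matches nothing is denied; a request context is modelled simply as the set of tag and autotag names present (explicit tags such as vendor1 plus autotags such as $username_vendor1, $page_rack or $tab_default). The rule set embedded below is the one quoted in the post; the contexts in the `__main__` block are constructed for illustration. Running it against such contexts is the quickest way to see which line is actually granting or denying a vendor's request before reordering rules.

```python
import re

# The RackCode quoted in the post, used here as sample input.
RACKCODE = """
allow {$userid_1} or {Admins}
deny {$page_config}
allow {RemoteSupport} and {asset} and {$tab_default} and {$page_index} and
{$page_rackspace} and {$page_depot} and {$page_rack}
deny {$tab_rackcode} or {$tab_system} or ({$page_rackspace} and {$tab_edit} )
or ({$page_rack} and {$tab_edit}) or {$tab_newrack} or {$tab_tagroller}
allow {$username_vendor1} and {vendor1} and {vendor1 asset}
deny {$username_vendor1}
allow {$username_vendor2} and {vendor2} and {vendor2 asset}
deny {$username_vendor2}
allow {$username_readonly} and {$tab_default}
deny {$username_readonly}
"""

# Tokens: a {tag} (may contain spaces), a parenthesis, or one of and/or/not.
TOKEN_RE = re.compile(r"\{([^}]*)\}|([()])|\b(and|or|not)\b")


def tokenize(expr):
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            tokens.append(("TAG", m.group(1).strip()))
        elif m.group(2):
            tokens.append(("PAREN", m.group(2)))
        else:
            tokens.append(("OP", m.group(3)))
    return tokens


class Parser:
    """Recursive-descent parser; precedence (lowest to highest): or, and, not."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("OP", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("OP", "and"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("OP", "not"):
            self.take()
            return ("not", self.parse_not())
        tok = self.take()
        if tok == ("PAREN", "("):
            node = self.parse_or()
            if self.take() != ("PAREN", ")"):
                raise ValueError("unbalanced parentheses")
            return node
        if tok[0] == "TAG":
            return ("tag", tok[1])
        raise ValueError(f"unexpected token {tok!r}")


def parse_expr(expr):
    parser = Parser(tokenize(expr))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in expression")
    return node


def evaluate(node, context):
    """True when the expression holds for the given set of tag names."""
    kind = node[0]
    if kind == "tag":
        return node[1] in context
    if kind == "not":
        return not evaluate(node[1], context)
    left, right = evaluate(node[1], context), evaluate(node[2], context)
    return (left and right) if kind == "and" else (left or right)


def parse_rules(text):
    """Lines starting with allow/deny begin a rule; other lines continue it."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("allow ", "deny ")):
            decision, expr = line.split(None, 1)
            rules.append([decision, expr])
        else:
            rules[-1][1] += " " + line
    return [(d, e, parse_expr(e)) for d, e in rules]


RULES = parse_rules(RACKCODE)


def decide(rules, context):
    """First-match evaluation (assumed semantics); returns (decision, rule number, rule text)."""
    for number, (decision, text, node) in enumerate(rules, start=1):
        if evaluate(node, context):
            return decision, number, text
    return "deny", None, None  # assumed default when nothing matches


if __name__ == "__main__":
    # Constructed request contexts, not taken from a real RackTables instance.
    samples = {
        "vendor1, asset tagged vendor1 only": {"$username_vendor1", "vendor1", "RemoteSupport", "asset", "$tab_default", "$page_object"},
        "vendor1, asset also tagged 'vendor1 asset'": {"$username_vendor1", "vendor1", "vendor1 asset", "$tab_default", "$page_object"},
        "vendor1 on a rack's edit tab": {"$username_vendor1", "vendor1", "vendor1 asset", "$page_rack", "$tab_edit"},
        "admin on the config page": {"Admins", "$page_config"},
    }
    for label, ctx in samples.items():
        print(f"{label}: {decide(RULES, ctx)}")
```

Because the evaluator is first-match, rule order is what matters: in the quoted set, the rack edit-tab deny on line 4 fires before the vendor allow on line 5, and the admin allow on line 1 fires before the config-page deny on line 2. For a vendor request that lacks one of the tags a vendor allow requires, the rule that reports as decisive is the blanket `deny {$username_vendor1}` that follows it.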

