[racktables-users] Re: Complex permissions question, help requested

  • From: "Sears, Paul" <psears@xxxxxxxxxxxxxxx>
  • To: "racktables-users@xxxxxxxxxxxxx" <racktables-users@xxxxxxxxxxxxx>, Alexey Andriyanov <alan@xxxxxxxxxx>
  • Date: Fri, 10 Aug 2012 14:54:19 +0000

We are using local authentication as we have a manageable number of accounts 
that need access.


-----Original Message-----
From: racktables-users-bounce@xxxxxxxxxxxxx 
[mailto:racktables-users-bounce@xxxxxxxxxxxxx] On Behalf Of Julson, Jim
Sent: Friday, August 10, 2012 7:53 AM
To: racktables-users@xxxxxxxxxxxxx; Alexey Andriyanov
Subject: [racktables-users] Re: Complex permissions question, help requested

Do you mind if I ask whether or not you are using all Local authentication or 
are you using LDAP by chance? 

-----Original Message-----
From: racktables-users-bounce@xxxxxxxxxxxxx 
[mailto:racktables-users-bounce@xxxxxxxxxxxxx] On Behalf Of Sears, Paul
Sent: Friday, August 10, 2012 8:48 AM
To: Alexey Andriyanov; racktables-users@xxxxxxxxxxxxx
Subject: [racktables-users] Re: Complex permissions question, help requested

Alexey,

Thanks.  I have a better understanding now and this is what I came up with.  
The only issue is that I can't seem to figure out how to allow a vendor to 
display their entire row or rows (page=row&id=x) as it doesn't seem that there 
is a way to apply a tag to a row.


# Admin access
allow {$userid_1}
allow {IOurAdmins}

# Vendor Access Permissions
# Restrict specific pages and tabs

deny {$page_config}

deny {$tab_tags}

deny {$tab_rackcode} or {$tab_system}

deny {$page_rackspace} and {$tab_edit}

deny {$page_rack} and ( {$tab_edit} or {$tab_newrack} or {$tab_tagroller} )

allow {RemoteSupportUsers} and {$tab_default} and ( {$page_index} or {$page_rackspace} )
allow {RemoteSupportUsers} and {$tab_default} and {$page_reports} or {$tab_vendor1}

# Vendor1
allow {Vendor1 users} and {$tab_default} and {$page_depot}
allow {Vendor1 users} and {Vendor1 managed assets}
deny {Vendor1 users}

# Vendor2 Support
allow {Vendor2 users} and {$tab_default} and {$page_depot}
allow {Vendor2 users} and {Vendor2 managed assets}
deny {Vendor2 users}


# Readonly user can see everything

allow {$username_readonly} and {$tab_default}
deny {$username_readonly}

________________________________________
From: Alexey Andriyanov [alan@xxxxxxxxxx]
Sent: Thursday, August 09, 2012 2:13 PM
To: racktables-users@xxxxxxxxxxxxx
Cc: Sears, Paul
Subject: Re: [racktables-users] Complex permissions question, help requested

09.08.2012 22:37, Sears, Paul wrote:
>
> allow {$userid_1} or {Admins}
> deny {$page_config}
> allow {RemoteSupport} and {asset} and {$tab_default} and {$page_index} 
> and {$page_rackspace} and {$page_depot} and {$page_rack}
This rule never matches - you should separate different $page_ tags by OR, not 
AND. Also, you don't have the 'asset' tag.

>
> deny {$tab_rackcode} or {$tab_system} or ({$page_rackspace} and 
> {$tab_edit} ) or ({$page_rack} and {$tab_edit}) or {$tab_newrack} or 
> {$tab_tagroller}
>
> allow {$username_vendor1} and {vendor1} and {vendor1 asset}
Do you have a tag named 'vendor1 asset'? If not, this rule won't ever match.

> deny {$username_vendor1}
>
> allow {$username_vendor2} and {vendor2} and {vendor2 asset}
> deny {$username_vendor2}
>
> allow {$username_readonly} and {$tab_default}
> deny {$username_readonly}


--
Best regards,
Alexey
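
Added example (not part of the thread and not RackTables code): a small Python check for the case Alexey points out above, a rule that can never match because it joins several $page_ tags with AND. It assumes a request carries exactly one $page_ tag and one $tab_ tag, and it rejects unparenthesised mixes of and/or rather than guess at precedence; `evaluate` and `satisfiable` are hypothetical helper names.

```python
import re
from itertools import combinations, product

# "{tag}" (tag names may contain spaces), parentheses, and the operators.
TOKEN = re.compile(r"\{([^}]*)\}|\(|\)|\b(?:and|or|not)\b")

def evaluate(expr, tags):
    """Evaluate a RackCode-style expression against the tags of one request."""
    tokens = [m.group(0) for m in TOKEN.finditer(expr)]
    pos = 0

    def term():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not term()
        if tok == "(":
            value = chain()
            pos += 1  # consume ")"
            return value
        return tok[1:-1] in tags  # strip the braces

    def chain():
        nonlocal pos
        value, seen = term(), None
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op = tokens[pos]
            pos += 1
            if seen not in (None, op):
                raise ValueError("mixed and/or: add parentheses")
            seen = op
            rhs = term()
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    return chain()

def satisfiable(expr):
    """True if some request (one page, one tab, any other tags) matches expr."""
    names = sorted({m.group(1) for m in TOKEN.finditer(expr) if m.group(1) is not None})
    # Assumption: one page tag and one tab tag per request; "<other>" = a tag not named in expr.
    pages = [n for n in names if n.startswith("$page_")] + ["$page_<other>"]
    tabs = [n for n in names if n.startswith("$tab_")] + ["$tab_<other>"]
    rest = [n for n in names if not n.startswith(("$page_", "$tab_"))]
    subsets = (c for k in range(len(rest) + 1) for c in combinations(rest, k))
    return any(evaluate(expr, {page, tab, *extra})
               for extra in subsets for page, tab in product(pages, tabs))

# Rule expressions quoted in the thread: the first draft and the revised form.
ORIGINAL = ("{RemoteSupport} and {asset} and {$tab_default} and {$page_index} "
            "and {$page_rackspace} and {$page_depot} and {$page_rack}")
REVISED = "{RemoteSupportUsers} and {$tab_default} and ( {$page_index} or {$page_rackspace} )"
```

Running `satisfiable` over every rule before saving a ruleset flags allow rules that silently grant nothing and deny rules that silently block nothing.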


