I've been working on this as well, as we are implementing the tool over many datacenters and are worried about the needle-in-a-haystack problem too. In addition, we're trying to implement permissions for network admins, server admins, etc.

I found that the following will work for limiting the objects in most views. Put something like this in your local.php (this is what we have; the $lgcn thing is because we have AD integration. It basically means that if a user is a member of the group RCK_Admins_SITE1, then their tag should be SITE1). It works for Rackspace and objects. For some strange reason, though, it does not work for search (we are at 17.1 still), where the filtering is not used.

```php
// local.php: force the filter expression for users carrying the site auto-tag
global $auto_tags, $sic;
if (in_array (array ('tag' => '$lgcn_RCK_Admins_SITE1'), $auto_tags))
{
	$sic['cfe'] = '({SITE1})';
}
// etc.
```

You can figure out the rest, I assume. I've also modified the main page to only show the menu graphics that the user is allowed to use (see the bottom of my email).

The following is part of our config. It allows read-only users, $lgcn_RCK_Read_Only, to see everything but do nothing; $lgcn_RCK_Admins_SITE1 users are allowed to see only SITE1 objects (and do nothing with them).

```
allow {$userid_1}
allow {$lgcn_RCK_Admins}
deny {$page_config}
allow {$page_search}
allow {$page_depot} and {$tab_default}
allow {$lgcn_RCK_Read_Only} and {$tab_default}
allow {$lgcn_RCK_Admins_SITE1} and ({$page_index} or {$page_row} or {$page_rackspace}) and {$tab_default}
allow {$lgcn_RCK_Admins_SITE1} and {SITE1} and {$tab_default}
```

Hope this helps,
Jeroen

```php
// Main menu.
function renderIndex ()
{
	$col = 4;
?>
<table border=0 cellpadding=0 cellspacing=0 width='100%'>
 <tr>
  <td>
   <div style='text-align: center; margin: 10px; '>
    <table width='100%' cellspacing=0 cellpadding=30 class=mainmenu border=0>
     <tr>
<?php
	// First row: render a menu tile only when the user is permitted to open that page.
	if (permitted ('rackspace'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'rackspace')) . "'>Rackspace<br>\n";
		printImageHREF ('rackspace');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	if (permitted ('depot'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'depot')) . "'>Objects<br>\n";
		printImageHREF ('objects');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	if (permitted ('ipv4space'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'ipv4space')) . "'>IPv4 space<br>\n";
		printImageHREF ('ipv4space');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	if (permitted ('files'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'files')) . "'>Files<br>\n";
		printImageHREF ('files');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	// Pad the row with an empty cell for every tile that was hidden.
	if ($col > 0)
		print "      <td colspan='{$col}'> </td>\n";
?>
     </tr>
     <tr>
<?php
	// Second row, same approach.
	$col = 4;
	if (permitted ('config'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'config')) . "'>Configuration<br>\n";
		printImageHREF ('config');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	if (permitted ('reports'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'reports')) . "'>Reports<br>\n";
		printImageHREF ('reports');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	if (permitted ('ipv4slb'))
	{
		print "      <td>\n";
		print "       <h1><a href='" . makeHref (array ('page' => 'ipv4slb')) . "'>IPv4 SLB<br>\n";
		printImageHREF ('ipv4slb');
		print "</a></h1>\n";
		print "      </td>\n";
		$col--;
	}
	print "      <td colspan='{$col}'> </td>\n";
?>
     </tr>
    </table>
   </div>
  </td>
 </tr>
</table>
<?php
}
```

________________________________
From: racktables-users-bounce@xxxxxxxxxxxxx [mailto:racktables-users-bounce@xxxxxxxxxxxxx] On Behalf Of Don Greer
Sent: Monday, September 28, 2009 23:01
To: racktables-users@xxxxxxxxxxxxx
Subject: [racktables-users] Permissions Assistance

Folks,

I am attempting to implement RackTables in a production shared colo/DC environment. One of my goals is to allow customers to look at and modify their own equipment (Objects) and network information. After some serious struggling, I think I have the basics of the RackCode-based permissions system down. Here's what I've come up with:

```
# User Specific Permissions
allow {$userid_1}
allow {Administrators}

# Customer Access Permissions
# Global Permissions for Customers
deny {$tab_tags}
deny {$page_ipv4space} and {$tab_manage}
deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
deny not {customer admin} and not {$tab_default}
allow {$tab_default} and ( {$page_index} or {$page_rackspace} or {$page_ipv4space} or {$page_ipaddress} )

# Customer Specific Permissions
allow {Cust1 Users} and {Cust1 Assets}
allow {Cust2 Users} and {Cust2 Assets}
```

For this, I have the following tags:

Administrative Groups
  Administrators (4)
  customer admin (4)
  customer viewer (2)
Assets
  Cust1 Assets (18)
  Cust2 Assets (9)
Customers
  Cust1 Users (2)
  Cust2 Users (4)

The users are as follows:

Cust1Viewer (customer viewer, Cust1 Users)
Cust1Admin (customer admin, Cust1 Users)
...

This works as intended in some places, but I've found several places that present problems:

1. While I can allow users to get into $page_ipv4space and $page_ipv4, I cannot allow them into $page_ipaddress because the ownership of a network does not propagate to individual addresses. Allowing access to ANY $page_ipaddress page will allow them to manually change the "ip=" value and edit other customers' addresses (Not a Good Thing (tm)).

2. There is no method by which to force the filters on individual pages (or pull-downs) such that users ONLY see their Objects, racks, etc. associated with a specific tag. This IS handled in a round-about way on $page_rackspace, where racks owned by people other than the user are blacked out, but as we grow the datacenter, that too will become a bit of a needle-in-the-haystack problem. Utilizing the page filters in a forceful way (e.g. administratively turning on a filter for "Cust1 Assets" on pages being accessed by "Cust1 Users") would work much better and present a cleaner interface for the end user. Ideally this would also be applied to the pull-downs for Objects, interfaces, etc.

3. There's no way (I think) to force a tag on objects created by a user or allow inheritance of permissions in some way. For instance, I'd like to force any Object created by "Cust1 Users" to have the tag "Cust1 Assets" forced on. This would allow the user to create his objects for the equipment he is wanting installed in his cabinet prior to shipping, alleviating my staff from having to do all this manually. The customer can then ship the equipment to us and we already know where it goes, how it's cabled, etc.

There are several other things that have cropped up, but these are the major issues that are going to prevent me from fully implementing this package in this environment. Can somebody tell me if there are solutions for any of these problems? The documentation on RackCode is a bit thin :^) so I'm not sure if I'm simply missing some features or if these things literally don't exist. I may try scratching my own itch here, but I gotta tell you it'll take me forever because I haven't written any serious code in over a decade.

TIA
Don
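Building on the local.php hook in Jeroen's reply and the forced-filter request in Don's point 2, the following is an added example (my own code, not RackTables' and not either poster's) of a local.php fragment that derives the forced filter from the user's LDAP-group auto-tags instead of hard-coding one site per `if`. It assumes, as Jeroen's snippet does, that `$auto_tags` is a list of `array('tag' => ...)` entries and that `$sic['cfe']` holds the filter expression; the group-to-site map, the `$lgcn_RCK_Admins_SITE2` group, and the use of the RackCode `false` literal in the no-match case are assumptions made for illustration.

```php
<?php
// Added example for local.php (not RackTables' own code). Derives a forced
// filter expression from the user's LDAP-group auto-tags so that site admins
// only see objects carrying their site tag. The RackCode allow/deny rules stay
// the authorization boundary; this only narrows what the listing pages show.

// Assumed mapping from LDAP-group auto-tag to the site tag its members may see.
// $lgcn_RCK_Admins_SITE1 / SITE1 come from the thread; SITE2 is made up here.
$rck_site_groups = array
(
	'$lgcn_RCK_Admins_SITE1' => 'SITE1',
	'$lgcn_RCK_Admins_SITE2' => 'SITE2',
);
// Members of this group (named in the thread) are left unrestricted.
$rck_admin_group = '$lgcn_RCK_Admins';

// Return the filter expression to force for this user, or NULL to leave the
// user's own filter untouched (full admins).
function rck_forced_filter (array $auto_tags, array $site_groups, $admin_group, $current_cfe = '')
{
	// Flatten the array('tag' => '...') entries into a plain list of tag names.
	$names = array();
	foreach ($auto_tags as $entry)
		if (isset ($entry['tag']))
			$names[] = $entry['tag'];

	if (in_array ($admin_group, $names, TRUE))
		return NULL;

	// Collect every site tag the user is entitled to; one user may be in several groups.
	$allowed = array();
	foreach ($site_groups as $group => $site_tag)
		if (in_array ($group, $names, TRUE))
			$allowed[] = '{' . $site_tag . '}';

	// Fail closed: a user in no site group gets an empty listing, not everything.
	// Assumes the filter compiler accepts the RackCode boolean literal 'false'.
	if (count ($allowed) == 0)
		return '(false)';

	$forced = '(' . implode (' or ', $allowed) . ')';

	// Let the user narrow the listing further, but never widen it: AND the
	// forced expression with whatever filter they typed themselves.
	$current_cfe = trim ($current_cfe);
	if ($current_cfe !== '')
		return $forced . ' and (' . $current_cfe . ')';
	return $forced;
}

global $auto_tags, $sic;
if (is_array ($auto_tags))
{
	$cfe = rck_forced_filter
	(
		$auto_tags,
		$rck_site_groups,
		$rck_admin_group,
		isset ($sic['cfe']) ? $sic['cfe'] : ''
	);
	if ($cfe !== NULL)
		$sic['cfe'] = $cfe;
}
```

Two things to check after dropping this in. First, the filter is a display aid only: it does nothing about the direct-URL case in Don's point 1, where a user edits the `ip=` or object id by hand, so the RackCode rules (default deny plus lines like `allow {Cust1 Users} and {Cust1 Assets}`) must still refuse the request, and the quickest test is to log in as a site admin and request an object outside that site by id. Second, ANDing the user's own expression in assumes it parses; a malformed user filter will make the combined expression fail to compile, which errs on the side of showing less rather than more.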