What kind of user rights would I need to set on a new class which only admins should even be able to read?
I could of course explicitly deny access to all the "known" user profiles, but I want it to be denied by default to anyone except for instance administrators and one privileged profile.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
By default if you don't include the class in any security groups, only admins will be able to see/edit it as the admin profile doesn't check them. You can verify it by opening the Administrator profile and going on the "grant matrix" tab.
Hope this helps,
Guillaume
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The group * has all classes having bizmodel category. Some profile has read access for the group *.
The class with category grant_by_profile is not accessible by default to users other than Administrators.
The application classes which are used to control the “admin tools” menus, have the category grant_by_profile. The new Abstract Classes have also the category grant_by_profile.
👍
2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Note that there are some classes that aren't any of those two groups, and we have some bugs referenced in our ticket system as some parts of iTop can't filter them.
So yes choose one of those 2 groups is a really really good idea
👍
1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
What kind of user rights would I need to set on a new class which only admins should even be able to read?
I could of course explicitly deny access to all the "known" user profiles, but I want it to be denied by default to anyone except for instance administrators and one privileged profile.
Is this actually possible, without explicitly denying?
Hello Jeffrey,
By default if you don't include the class in any security groups, only admins will be able to see/edit it as the admin profile doesn't check them. You can verify it by opening the Administrator profile and going on the "grant matrix" tab.
Hope this helps,
Guillaume
Actually I did verify it, and "Change Approver" seems to have "read" rights.
I also tried creating a separate user_rights > group for AuthenticationMethod, but it didn't help either.
Last edit: Jeffrey Bostoen 2021-03-11
My bad, the answer is here:
The group * has all classes having bizmodel category. Some profile has read access for the group *.
The class with category grant_by_profile is not accessible by default to users other than Administrators.
The application classes which are used to control the “admin tools” menus, have the category grant_by_profile. The new Abstract Classes have also the category grant_by_profile.
Hello Jeffrey,
Indeed you're perfectly right !
Note that there are some classes that aren't any of those two groups, and we have some bugs referenced in our ticket system as some parts of iTop can't filter them.
So yes choose one of those 2 groups is a really really good idea