Using iTop 2.7, is there a way to implement the following RBAC model:
We have different support teams responsible for specific technology used to support specific customers. EX:
Server Team 1 -> Supports Server CI for Customer 1
Server Team 2 -> Supports Server CI for Customer 2
Network Team 1 -> Supports Network Device CI for Customer 1
Network Team 2 -> Supports Network Device CI for Customer 2
I'm looking for a solution that would allow Server Team 1 to modify & delete only the Server CIs used for Customer 1 and grant them read-only access to all the other Server CIs managed by Server Team 2. Same thing for Server Team 2: they must be the only ones having modify and delete on the servers they support, but they should be able to have read-only access to all the other servers.
Same idea with the Network Team, Storage Team, and so on.
Hello Pat,
Out of the box, this is not possible.
When a user has write access on a given class, then he automatically has this right on ALL the objects of that class that he can see.
It might be possible to write your own add-on to manage iTop rights in a different way, but we have never done it, it is not documented and we are not sure that it will be supported in all future iTop versions (for now, this part has never changed, so you can be lucky...)