Tengo una problematica es que estoy personalizando el perfil de agente de soporte y le he podido delegar que no tenga acceso al menu de administracion de configuracion; sin embargo al hacer esto causa que afecte de manera a los demas excepto al administrador, no se como indicarle que ese perfil es al unico que tiene que ocultarce ese menu y no creo que las acciones del grupo le afecten todo esto lo hicen con base en la documentacion de itop:
Delegacion de administracion de menu:https://www.itophub.io/wiki/page?id=3_1_0:customization:delegate_rights
Codigo de la extension:
<?xml version="1.0" encoding="UTF-8"?><itop_designxmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"version="1.6"><classes><classid="ConfigAccessControl"_delta="define"><parent>AbstractResource</parent><properties><comment>/*AccesscontrolforConfigManagementmenu.*/</comment><abstract>true</abstract><category>grant_by_profile</category></properties><presentation/><methods/></class></classes><menus><menuid="ConfigManagement"xsi:type="MenuGroup"_delta="redefine"><enable_class_delta="define">ConfigAccessControl</enable_class><enable_action_delta="define">UR_ACTION_MODIFY</enable_action></menu></menus><user_rights><groups><groupid="ConfigManagementGroup"_delta="define"><classes><classid="ConfigAccessControl"/></classes></group></groups><profiles><!-- IDS que van a modificarse los accesos para esto usamos el must_exist--><profileid="5"_delta="must_exist"><groups><groupid="ConfigManagementGroup"_delta="define"><actions><actionid="action:write">allow</action></actions></group><groupid="Service"_delta="define"><actions><actionid="action:read">deny</action></actions></group></groups></profile></profiles></user_rights></itop_design>
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Ya lo pude resolver la razon es que se debia dejar el write en vez de read debido a que esto es la accion impidiria modificaciones y en cuanto global puedes seleccionar los perfiles pertinentes y darles accesso siguendo la misma logica solo es que les de el permiso de modificacion(write) a tus menus.
Igual recomiendo ver las necesidades de los perfiles segun lo que en verdad requieran.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi, heres the English for that>,The user encountered an issue while customizing the support agent profile. They successfully restricted access to the configuration administration menu for this profile, but this change unintentionally affects other users, except for the administrator. The user is unsure how to hide this menu solely for the support agent profile without impacting other profiles.
The actions should not affect the entire group. This implementation was based on the iTop documentation for the delegation of menu administration: Delegation of Menu Administration.
**
The user says that they resolved the issue by changing the action to "write" instead of "read," as this action prevents modifications. Additionally, for global access, relevant profiles can be selected and granted access following the same logic—just give the modification (write) permission to the menus. They also recommend reviewing the needs of the profiles according to their actual requirements.**
Proposed Solution:
Define a New User Profile:
Create a new user profile specifically for the support agents that need restricted access. Assign Access Rights Based on Profile:
Use the ConfigAccessControl class and define access rights based on the specific profile instead of the entire group.
Here's an updated version of your XML configuration:
xml:
<?xml version="1.0" encoding="UTF-8"?><itop_designxmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"version="1.6"><classes><classid="ConfigAccessControl"_delta="define"><parent>AbstractResource</parent><properties><comment>/*AccesscontrolforConfigManagementmenu.*/</comment><abstract>true</abstract><category>grant_by_profile</category></properties><presentation/><methods/></class></classes><menus><menuid="ConfigManagement"xsi:type="MenuGroup"_delta="redefine"><enable_class_delta="define">ConfigAccessControl</enable_class><enable_action_delta="define">UR_ACTION_MODIFY</enable_action></menu></menus><user_rights><groups><groupid="ConfigManagementGroup"_delta="define"><classes><classid="ConfigAccessControl"/></classes></group></groups><profiles><!-- Create a new profile for support agents --><profileid="SupportAgentProfile"_delta="define"><groups><groupid="ConfigManagementGroup"><actions><actionid="action:write">deny</action></actions></group></groups></profile><!-- Modify the existing profile (Profile ID 5) --><profileid="5"_delta="must_exist"><groups><!-- Ensure the profile does not inherit ConfigManagementGroup actions --><groupid="Service"_delta="define"><actions><actionid="action:read">deny</action></actions></group></groups></profile></profiles></user_rights></itop_design>
New Profile Creation:
A new profile SupportAgentProfile is created to specifically handle the access restrictions for support agents. Access Rights Assignment:
The ConfigAccessControl class is used to manage access based on profiles.
The ConfigManagementGroup is linked to the SupportAgentProfile with restricted access (denied write actions).
The existing profile (Profile ID 5) is modified to ensure it does not inherit restrictive actions by explicitly denying read actions for the Service group. Steps to Implement:
Add the above XML configuration to your iTop configuration file.
Create the new profile SupportAgentProfile in the iTop admin interface if not already present.
Assign the support agents to the SupportAgentProfile.
Ensure other profiles (except the administrator and support agents) do not have the ConfigManagementGroup assigned, to avoid unintentional restrictions.
Please let me know if this fixs the issue.
Regards.
Last edit: Pablo 2024-08-04
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Buenas tardes
Tengo una problematica es que estoy personalizando el perfil de agente de soporte y le he podido delegar que no tenga acceso al menu de administracion de configuracion; sin embargo al hacer esto causa que afecte de manera a los demas excepto al administrador, no se como indicarle que ese perfil es al unico que tiene que ocultarce ese menu y no creo que las acciones del grupo le afecten todo esto lo hicen con base en la documentacion de itop:
Delegacion de administracion de menu:https://www.itophub.io/wiki/page?id=3_1_0:customization:delegate_rights
Codigo de la extension:
Ya lo pude resolver la razon es que se debia dejar el write en vez de read debido a que esto es la accion impidiria modificaciones y en cuanto global puedes seleccionar los perfiles pertinentes y darles accesso siguendo la misma logica solo es que les de el permiso de modificacion(write) a tus menus.
Igual recomiendo ver las necesidades de los perfiles segun lo que en verdad requieran.
Please note that the main language of the forums is English, so everyone understands right away :)
Hi, heres the English for that>,The user encountered an issue while customizing the support agent profile. They successfully restricted access to the configuration administration menu for this profile, but this change unintentionally affects other users, except for the administrator. The user is unsure how to hide this menu solely for the support agent profile without impacting other profiles.
The actions should not affect the entire group. This implementation was based on the iTop documentation for the delegation of menu administration: Delegation of Menu Administration.
**
The user says that they resolved the issue by changing the action to "write" instead of "read," as this action prevents modifications. Additionally, for global access, relevant profiles can be selected and granted access following the same logic—just give the modification (write) permission to the menus. They also recommend reviewing the needs of the profiles according to their actual requirements.**
Proposed Solution:
Define a New User Profile:
Create a new user profile specifically for the support agents that need restricted access.
Assign Access Rights Based on Profile:
Use the ConfigAccessControl class and define access rights based on the specific profile instead of the entire group.
Here's an updated version of your XML configuration:
xml:
here is the source code file
Explanation:
New Profile Creation:
A new profile SupportAgentProfile is created to specifically handle the access restrictions for support agents.
Access Rights Assignment:
The ConfigAccessControl class is used to manage access based on profiles.
The ConfigManagementGroup is linked to the SupportAgentProfile with restricted access (denied write actions).
The existing profile (Profile ID 5) is modified to ensure it does not inherit restrictive actions by explicitly denying read actions for the Service group.
Steps to Implement:
Add the above XML configuration to your iTop configuration file.
Create the new profile SupportAgentProfile in the iTop admin interface if not already present.
Assign the support agents to the SupportAgentProfile.
Ensure other profiles (except the administrator and support agents) do not have the ConfigManagementGroup assigned, to avoid unintentional restrictions.
Please let me know if this fixs the issue.
Regards.
Last edit: Pablo 2024-08-04