Delegate 'Admin tools' menus

With the 2.5 version of iTop, you can grant 'Admin tools' menus to users other than Administrators.
If you do not customize Profiles and Menus, nothing changes on your iTop.

Limitations

The following menus cannot be given to anyone other than an Administrator:

  • Schedule Backup
  • Configuration
  • ITSM Designer
  • iTop Hub

Some classes, such as all those related to object history, have no organization. As a result, granting Run Query to a user restricted by Allowed Organizations opens a security hole: through such classes that user can read the history of objects they are not otherwise allowed to see.

With the 1.5 version of the XML, it is now possible to control access to any menu based on a class and an action right (read, write, delete, …). Only users who have that action on that class will see the menu.

Access to a menu can be tied to an action right on a class

See the XML Reference for details on XML tags to customize a menu.

A group menu is not displayed if none of its sub-menus is allowed to the current user.

The following admin menus are by default controlled by an action on a class.

  • Users: write on User
  • Profiles: write on Profile
  • Notifications: write on Trigger
  • Audit: write on AuditCategory
  • Run Query: write on ResourceRunQueriesMenu
  • Query phrasebook: write on Query
  • Export: write on ResourceAdminMenu
  • Data Model: write on ResourceRunQueriesMenu
  • Universal Search: write on ResourceAdminMenu
  • Synchronization Data Sources: write on SynchroDataSource

All the classes above can have their access managed within Profiles (through Groups).
Out of the box, there are 6 new predefined Groups which can be used by existing or new profiles:

Group id      | Menus included by default     | Classes included in the Group
User          | User Accounts, Profiles       | User, URP_UserOrg, URP_UserProfile, URP_Profiles
Audit         | Audit, Run Query              | AuditCategory, AuditRule, ResourceRunQueriesMenu
Notification  | Notification, Run Query       | Trigger, Action, lnkTriggerAction, ResourceRunQueriesMenu
Query         | Query Phrasebook, Run Query   | Query, QueryOQL, ResourceRunQueriesMenu
SynchroData   | Synchronization Data Sources  | SynchroDataSource
AdminTools    | all menus above               | all classes above
To give access to one of these Groups, add the Group to a Profile or create one of the Profiles suggested below.
Whatever you configure, a non-Administrator user will never be allowed to:
  • edit users having the Administrator profile,
  • give the Administrator profile to a user.

Step by step example

Let's say that you want to make the 'Export' menu accessible to users having the profile 'Config Manager'.

  1. There is no obvious class to control this menu, so we create a new abstract class; let's name it 'RessourceExportMenu'.
  2. We customize the 'Export' menu entry to tie it to that newly created class (replace 'ResourceAdminMenu' by 'RessourceExportMenu').
  3. We customize the 'Config Manager' profile to include 'modify' (action:write) on the class 'RessourceExportMenu', through a new Group.

Create the Abstract Class

You may use an existing class that makes sense to control access to that menu, but in the case of 'Export' there is no satisfying class, so we create a new one.

The new class must:

  • extend AbstractResource
  • have the category grant_by_profile
    <class id="RessourceExportMenu" _delta="define">
      <parent>AbstractResource</parent>
      <properties>
        <comment>/* Export Menu access control. */</comment>
        <abstract>true</abstract>
        <category>grant_by_profile</category>
      </properties>
      <presentation/>
      <methods/>
    </class>

Override the menu definition

datamodels/2.x/itop-welcome-itil/datamodel.itop-welcome-itil.xml
    <menu id="ExportMenu" xsi:type="WebPageMenuNode" _delta="must_exist">
      <enable_class _delta="redefine">RessourceExportMenu</enable_class>
      <enable_action _delta="redefine">UR_ACTION_MODIFY</enable_action>
    </menu>

Complete Group & Profile definition

datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml
  <user_rights>
    <groups>
      <group id="Export" _delta="define">
        <classes>
          <class id="RessourceExportMenu"/>
        </classes>
      </group>
    </groups>
    <profiles>
      <profile id="3" _delta="must_exist">
        <!-- id=3 corresponds to the Configuration Manager profile -->
        <groups>
          <group id="Export" _delta="define">
            <actions>
              <action id="action:write">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
    </profiles>
  </user_rights>

Check datamodel.itop-profiles-itil.xml for the ids of existing Profiles.
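The three steps above combined into a single extension datamodel file. This is an added example, not code from the original page or from the iTop project; it assumes the file is the datamodel XML of an extension module (so the itop_design root with XML version 1.5 and its classes, menus and user_rights sections are merged by the compiler), and it reuses the profile id 3 given above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumption: the datamodel file of an extension module),
     combining the class, menu and profile deltas of the step-by-step above. -->
<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.5">
  <classes>
    <!-- Step 1: an abstract class whose only purpose is to carry the right -->
    <class id="RessourceExportMenu" _delta="define">
      <parent>AbstractResource</parent>
      <properties>
        <comment>/* Export Menu access control. */</comment>
        <abstract>true</abstract>
        <!-- grant_by_profile: invisible to non-Administrators unless a profile grants it -->
        <category>grant_by_profile</category>
      </properties>
      <presentation/>
      <methods/>
    </class>
  </classes>
  <menus>
    <!-- Step 2: retarget the existing menu; must_exist makes the compilation fail
         instead of silently creating a second menu if the id is mistyped -->
    <menu id="ExportMenu" xsi:type="WebPageMenuNode" _delta="must_exist">
      <enable_class _delta="redefine">RessourceExportMenu</enable_class>
      <enable_action _delta="redefine">UR_ACTION_MODIFY</enable_action>
    </menu>
  </menus>
  <user_rights>
    <groups>
      <!-- Step 3a: a profile can only reference the class through a group -->
      <group id="Export" _delta="define">
        <classes>
          <class id="RessourceExportMenu"/>
        </classes>
      </group>
    </groups>
    <profiles>
      <!-- Step 3b: id 3 is Configuration Manager (verify in datamodel.itop-profiles-itil.xml) -->
      <profile id="3" _delta="must_exist">
        <groups>
          <group id="Export" _delta="define">
            <actions>
              <!-- action:write is the right the menu checks as UR_ACTION_MODIFY -->
              <action id="action:write">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
    </profiles>
  </user_rights>
</itop_design>
```

Because the new class has no organization, restricting the profile with Allowed Organizations does not narrow this right: a user with the Configuration Manager profile either sees the Export menu or does not.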

Profiles which could be created

These Profiles do not exist out of the box, but you can create them in order to delegate 'Admin tools' menus to users:

<user_rights>
    <profiles>
      <profile id="43" _delta="define">
        <name>User Manager</name>
        <description>create/modify/delete users...</description>
        <groups>
          <group id="User">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="44" _delta="define">
        <name>Notification Manager</name>
        <description>Has the rights to create and modify the triggers and actions</description>
        <groups>
          <group id="Notification">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="45" _delta="define">
        <name>Audit Manager</name>
        <description>Has the rights to create and modify the audit</description>
        <groups>
          <group id="Audit">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="46" _delta="define">
        <name>Query Manager</name>
        <description>Has the rights to create and modify the Query Phrasebook</description>
        <groups>
          <group id="Query">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="47" _delta="define">
        <name>SynchroData Manager</name>
        <description>Has the rights to create and modify the Synchro data source</description>
        <groups>
          <group id="SynchroData">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="48" _delta="define">
        <name>Admin Tools Manager</name>
        <description>Has the rights to Admin</description>
        <groups>
          <group id="AdminTools">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
    </profiles>
</user_rights>

Technical details

Details of what was modified or added in 2.5 around menu access:

'Admin tools' menus in XML

The admin menus were previously written entirely in plain PHP and secured by an isAdministrator() check. They have been translated to XML, so they can now be overridden.

The menu XML reference has been enriched to specify the class, the action and even the stimulus required to get access to a menu.

When the tag enable_admin_only is set to 1, any <enable_class> tag provided is ignored: only users with the Administrator profile can see this menu.
If you want to give access to an enable_admin_only menu, you must either set the tag enable_admin_only to 0 or remove the tag completely with _delta="delete", and add at least the enable_class and enable_action tags.
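As an added example (not from the original page), a delta that opens a menu flagged enable_admin_only. The menu id SomeAdminOnlyMenu is a placeholder for a real menu id found in the datamodel, ResourceAdminMenu is a class the page names, and whether enable_class and enable_action take _delta="define" or _delta="redefine" depends on whether the original menu already carried those tags.

```xml
<!-- Added example: "SomeAdminOnlyMenu" is a placeholder id, not a real iTop menu. -->
<menus>
  <menu id="SomeAdminOnlyMenu" xsi:type="WebPageMenuNode" _delta="must_exist">
    <!-- Variant A: keep the tag but switch it off ... -->
    <enable_admin_only _delta="redefine">0</enable_admin_only>
    <!-- ... or Variant B: drop the tag altogether (replaces the line above):
         <enable_admin_only _delta="delete"/> -->
    <!-- Either way the menu now needs an explicit class/action pair, otherwise
         nothing controls it; "define" if the tags were absent, "redefine" if present -->
    <enable_class _delta="define">ResourceAdminMenu</enable_class>
    <enable_action _delta="define">UR_ACTION_MODIFY</enable_action>
  </menu>
</menus>
```

Check the Limitations section first: the menus listed there stay Administrator-only regardless of this override.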

The design was made to maintain extensions compatibility with previous versions of iTop.

For NewObjectMenuNode, SearchMenuNode and OQLMenuNode, the class that controls access is determined automatically (the class the menu operates on).

A WebPageMenuNode needs to be secured against direct access: a user may guess the URL of a web page and try to open it even though the menu is not displayed to them. To do so, each web page checks ApplicationMenu::CheckMenuIdEnabled("MenuId"), where MenuId is the id used in the XML definition of the menu. This ensures that, in order to execute a web page, the user must have access to the corresponding menu. A custom page reached through your own WebPageMenuNode should perform the same check, otherwise the menu right only hides a link.

New Abstract Classes

Some admin menus have no logical class to tie to, so new classes were created just to control this access. You can extend this list if needed.

Class name              | Usage
AbstractResource        | new classes for access rights should inherit from AbstractResource
ResourceRunQueriesMenu  | used to check the user's access rights against the menu Run Query
ResourceAdminMenu       | used by default for all menus that do not have a proper class

bizmodel vs grant_by_profile classes

The group * contains all classes having the bizmodel category. Some profiles have read access to the group *.

Classes with the category grant_by_profile are not accessible by default to users other than Administrators.

  • The application classes used to control the 'Admin tools' menus have the category grant_by_profile.
  • The new abstract classes also have the category grant_by_profile.

Changes in the Grant Matrix

The grant matrix displays classes having the category grant_by_profile or bizmodel.
Before iTop 2.5, only classes with the category bizmodel were displayed.

Example: the new entries in the grant matrix for a user with the User Manager profile.

New Groups

Here are the new predefined Groups which can be used by existing or new profiles (AdminTools, which contains all the classes listed below, is not reproduced here):

datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml
  <user_rights>
    <groups>
      <group id="Notification" _delta="define">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="Trigger"/>
          <class id="lnkTriggerAction"/>
          <class id="Action"/>
          <class id="ResourceRunQueriesMenu"/>
        </classes>
      </group>
      <group id="User">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="User"/>
          <class id="URP_UserOrg"/>
          <class id="URP_UserProfile"/>
          <class id="URP_Profiles"/>
        </classes>
      </group>
      <group id="Audit">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="AuditCategory"/>
          <class id="AuditRule"/>
          <class id="ResourceRunQueriesMenu"/>
        </classes>
      </group>
      <group id="Query">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="Query"/>
          <class id="QueryOQL"/>
          <class id="ResourceRunQueriesMenu"/>
        </classes>
      </group>
      <group id="SynchroData">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="SynchroDataSource"/>
        </classes>
      </group>
    </groups>
  </user_rights>
latest/customization/delegate_rights.txt · Last modified: 2019/01/09 16:40 (external edit)