Managing User Accounts

iTop provides a user management module allowing administrators to assign each user one (or more) predefined profiles. The combination of profiles determines, for each user, the actions she/he is allowed to perform in iTop (viewing, creating/modifying or deleting which objects).

In the current version of iTop, the profiles are predefined; there is no user interface to modify them or to create new profiles.

Viewing Profiles

Use the “Admin Tools / Profiles” menu to access the profiles and see their corresponding definitions as shown below:

List of all profiles

When you click on a given profile, the details of this profile are displayed.

Details of a Profile

  • The tab “Users” lists all users having this profile.
  • The tab “Grant matrix” displays, for each class of objects, all the actions allowed for this profile.

iTop core profiles

| Id | Profile | Description |
|---|---|---|
| 1 | Administrator | Has the rights on everything (bypassing any control) |
| 2 | Portal user | Has the rights to access the user portal. People having this profile will not be allowed to access the standard application; they will be automatically redirected to the user portal. |
| 3 | Configuration Manager | Person in charge of the documentation of the managed CIs. |
| 4 | Service Desk Agent | Person in charge of creating incident reports. |
| 5 | Support Agent | Person analyzing and solving the current incidents. |
| 6 | Problem Manager | Person analyzing and solving the current problems. |
| 7 | Change Implementor | Person executing the changes. |
| 8 | Change Supervisor | Person responsible for the overall change execution. |
| 9 | Change Approver | Person who could be impacted by some changes. |
| 10 | Service Manager | Person responsible for the service delivered to the [internal] customer. |
| 11 | Document author | Any person who could contribute to documentation. |
| 12 | Portal power user | New in 2.0.1. Users having this profile will have the rights to see all the tickets for a customer in the portal. Must be used in conjunction with other profiles (e.g. Portal User). |
| 1024 | REST Services User | New in 2.5.0. User account with access to the REST Web Services. If the configuration setting secure_rest_services is set to true (which is the default), then only the user accounts having this profile are allowed to use the REST web services. |

Extensions profiles

| Id | Profile | Associated privileges | Extension |
|---|---|---|---|
| 20 | Hostmaster | Person handling the IP space and looking after the IP changes | IPAM for iTop |
| 21 | IP Helpdesk agent | Person processing the IP requests | IP Request Management |
| 22 | IP Portal user | Has the rights to access the IP portal and is denied on the Console | |
| 40 | Business partner user | Has the rights to access the business partner portal and is denied on the Console | Portal for Business Partner |
| 43 | User Manager | Has the rights to create/modify/delete users… | Admin tools delegation (1/2) |
| 44 | Notification Manager | Has the rights to create and modify triggers and actions | |
| 45 | Audit Manager | Has the rights to create and modify Audit (categories and rules) | |
| 46 | Query Manager | Has the rights to create and modify the Query Phrasebook | |
| 47 | SynchroData Manager | Has the rights to create and modify Synchro data sources | |
| 48 | Admin Tools Manager | Has the rights to do all the above listed actions | |
| 49 | Time Tracker | Has the right to track his own time | Time Tracking |
| 50 | Time Tracking Manager | Has the rights to track time for others and to access the time tracked by anybody | |
| 51 | Archiving Agent | Has the rights to define Archiving rules | Data archiver simple |
| 52 | Anonymization Agent | Has the rights to anonymize persons | Personal data anonymizer |
| 60 | Release Agent | Person developing new features or resolving bugs on software or product | combodo-release-mgmt |
| 61 | Product Owner | Person responsible for a product (tests and enhancements done on it) | |
| 107 | Communication Manager | Has the rights to manage Communications | Communications to the Customers |
| 117 | SuperUser | Has all rights but those limited to Administrator | combodo-users-quota-slave |
| 120 | Query History | Has all rights but query the history (CMDBChange) | Admin tools delegation (2/2) |
| 121 | Mail Inbox Manager | Has all rights to create/modify Mail Inboxes and OAuth clients | |
| 122 | Mail Messages Manager | Has all rights to see, modify and delete Mail Messages and read MailInboxes | |
| 130 | Ansible Manager | Person in charge of Ansible documentation in iTop and eligible to execute Ansible dedicated WE services | Data model for Ansible |
| 800 | Alarms Manager | Persons allowed to acknowledge alarms without creating a ticket. | Alarm Console |
| 1025 | Project Manager | Person dealing with projects / risks / issues / WBS | Project Management Extended |
| 5323 | CMDB Guest | Person with read only rights (no bulk read allowed) on CMDB and IP objects (only) | IPAM for iTop |
| 5324 | Hostmaster - DNS | Person handling the DNS space | DNS Zone Management |
| 5325 | DHCP Manager | Person handling the DHCP space | DHCP Management |
| 5326 | IP Portal Automation user | Is eligible to have its IP requests automatically processed. Must be used in conjunction with the “IP Portal user” profile. | IP Request Management |

Viewing User Accounts

The menu “User Accounts” under the “Admin Tools” module enables you to see all logins defined for your iTop instance.

List of all user accounts

When clicking on a user you get the following details:

Details of a User Account

A user account must be linked to a Person stored in the CMDB (See the CMDB Module documentation). Prior to creating a login, make sure that the user is documented as a Person in the CMDB.

If no contact is defined for a login, then that login will suffer several limitations (non-exhaustive list):

  • Cannot receive email notifications. Example: a ticket has been created for customer x.
  • Cannot be responsible for something. Example: the agent a ticket is assigned to.
  • No access to the customer portal.

The tab “Profiles” lists all profiles that are linked to this user. The tab “Grants matrix” displays the rights allowed for this user: it is the merge of all rights corresponding to the associated profiles. The tab “Allowed Organizations” displays the list of organizations this user is allowed to see.

Creating a user

To create a new user, click on “New” in the actions drop-down list, from either the user list or a given user's details. The following wizard then appears:

Creating a new User Account

Administrators can define different types of user accounts, depending on the desired type of authentication:

  • iTop user accounts are internal to iTop. Their passwords are stored (encrypted) within the database of iTop. This type of account is useful for administrative users, for scripts and integration with other applications.
  • LDAP user accounts have their authentication done by an external LDAP or Active Directory server.
  • External user accounts have their authentication managed directly by the web server, for example when using an Apache .htaccess file or an external single-sign-on solution such as JASIG-CAS.

All the details about authentication in iTop are described in the chapter User authentication options.

If you decide to create an iTop user, you have to type in the password and retype it a second time for confirmation. An exclamation sign appears at the right of the password field if the two passwords do not match.

Creating a new iTop User

If password policies are configured, the password will need to comply with them.

A user record defines:

  • The preferred language of this user, which will be used for displaying the iTop user interface.
  • The contact linked to this user account. This contact is also used - for portal users - to determine the default organization of the portal.
  • The list of profiles for this account. Each iTop user account must have at least one profile.

The “Add Profiles…” button displays the search window for selecting the profiles you want to assign to the user.

Adding profiles to an account

The profiles assigned to the user can be changed later on using the “Modify” action for a user.

Import logins massively

To create many logins in a few steps, you can use the CSV import tools.

Check the format to bulk import relationships.

You can check this example, which is used for CLI import; the expected CSV import format is identical.

Restricting access to a set of Organizations

Administrators can define for each user the list of organizations she/he is allowed to access using the “Allowed Organizations” tab. If no organization is selected, the user is allowed to see all of them.

In case of a hierarchy of organizations (when some organizations have a parent organization), the rights are inherited from the parent to the child organizations. In other words, if a user has the rights to access the parent organization, then this user has also the rights to access all the child organizations of this organization.

An object is considered as belonging to an organization if it has a field named exactly org_id which is an AttributeExternalKey, or an AttributeExternalField on an AttributeExternalKey, pointing to the class Organization.

  • Objects without any org_id field are always visible to all users.
  • Objects whose org_id field is empty (=0) are never visible to users with allowed organizations.
  • An Attachment object has an org_id field, fed with the organization of the object it is linked to. If that object has no org_id field, the attachment's org_id is empty, and the attachment is therefore not visible to users with allowed organizations.

All the objects belonging to an organization which is forbidden to a given user are completely hidden from this user. For this user, the application behaves as if such objects did not exist.

If the contact corresponding to a user is in a forbidden organization for her/him, it looks (for this user) as if the contact does not exist. Since all users accessing the portal must be linked to a contact, such a configuration will prevent this user from accessing the iTop portal!
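The rules above (rights merged from all profiles, organization rights inherited down the hierarchy, the org_id visibility rules, and the portal requirement that the linked contact be visible) can be hard to reason about together. The following toy model is an added example, not iTop's own code: the profile grant sets, organization tree and user records are constructed sample data, and the function names are assumptions chosen for this illustration.

```python
"""Toy model of the access rules described on this page (added example, not iTop code).

Simplifications assumed here:
- a profile is a set of (class, action) grants;
- a user's effective rights are the union of its profiles' grants;
- organizations form a tree; an allowed parent implies all its descendants;
- an object belongs to an organization through a field named exactly org_id;
  objects without that field are visible to everyone, and objects whose org_id
  is empty (0) are hidden from users that have allowed organizations.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profiles: the grant sets are illustrative, not iTop's real grant matrix.
PROFILES = {
    "Service Desk Agent": {("UserRequest", "read"), ("UserRequest", "create")},
    "Support Agent": {("UserRequest", "read"), ("UserRequest", "modify"), ("Server", "read")},
}

# Constructed organization tree: org id -> parent org id (None for a root).
# 1 = Demo (root), 2 = IT Department (child of 1), 3 = Help Desk (child of 2), 4 = Other Company (root)
ORG_PARENT = {1: None, 2: 1, 3: 2, 4: None}


@dataclass
class User:
    login: str
    profiles: set
    allowed_orgs: set = field(default_factory=set)  # empty set = no restriction
    contact_org_id: Optional[int] = None            # organization of the linked Person; None = no contact
    status: str = "Enabled"                         # "Enabled" or "Disabled"


def effective_grants(user: User) -> set:
    """Merge of the grants of every profile assigned to the user (the "Grants matrix" tab)."""
    grants = set()
    for name in user.profiles:
        grants |= PROFILES.get(name, set())
    return grants


def is_action_allowed(user: User, cls: str, action: str) -> bool:
    """Administrator bypasses every control; anybody else needs a matching grant."""
    if "Administrator" in user.profiles:
        return True
    return (cls, action) in effective_grants(user)


def is_org_allowed(user: User, org_id: int) -> bool:
    """Rights on a parent organization are inherited by all its child organizations."""
    if not user.allowed_orgs:
        return True
    current = org_id
    while current is not None:
        if current in user.allowed_orgs:
            return True
        current = ORG_PARENT.get(current)
    return False


def is_object_visible(user: User, obj: dict) -> bool:
    """obj is a dict of field values; the 'org_id' key exists only when the class defines that field."""
    if "org_id" not in obj:
        return True                     # classes without org_id are visible to everyone
    if not user.allowed_orgs:
        return True                     # the user is allowed to see all organizations
    if obj["org_id"] in (0, None, ""):
        return False                    # empty org_id: hidden from users with allowed organizations
    return is_org_allowed(user, obj["org_id"])


def can_access_portal(user: User) -> bool:
    """Portal access needs an enabled account linked to a contact the user is allowed to see."""
    if user.status != "Enabled":
        return False
    if user.contact_org_id is None:
        return False                    # no contact: no access to the customer portal
    return is_org_allowed(user, user.contact_org_id)


if __name__ == "__main__":
    agent = User("agent", {"Service Desk Agent", "Support Agent"}, allowed_orgs={2}, contact_org_id=3)
    print(sorted(effective_grants(agent)))
    print(is_object_visible(agent, {"class": "Server", "org_id": 3}))  # org 3 is below allowed org 2
    print(is_object_visible(agent, {"class": "Server", "org_id": 4}))  # org 4 is another root
    print(can_access_portal(agent))
```

The last function is the check behind the warning above: a user whose contact sits in an organization outside the allowed set cannot see that contact, so the portal refuses the login even though the account itself is enabled.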

The selected organizations can be changed later on using the “Modify” action for a user.

Changing a user password

The administrator can change a user password if required by simply using the “Modify” action for a user. This can be useful to reset the password of a user.

Users can change their own password by clicking on the “Log-Off” menu and selecting “Change password…”.

The passwords are stored hashed (one-way encryption) in the iTop database, and therefore cannot be reconstructed from the content of the database.

I forgot my password

Users with an iTop-type user account can reset their password on their own; the administrator does not need to do anything.

More information in the chapter I forgot my password.

Deactivating an account

Starting with iTop 2.3.0, a new field “Status” has been added to User Accounts. The “Status” has two possible values: “Enabled” or “Disabled”. When set to “Disabled”, the account is deactivated and the user can no longer connect to iTop. By default the value of the field is “Enabled”.

Delegate this to non Administrator

It is possible to delegate the management of users to users without the Administrator profile: Delegate 'Admin tools' menus

latest/admin/managing_user_accounts.txt · Last modified: 2023/07/21 10:19 (external edit)