If you wish, you can limit the users who can work with
particular configuration items (CIs). You can activate this security
function by defining access collections, which contain
groups of CIs, and assigning groups of users to work with those access
collections. For example, you might want administrators to work with
CIs in their local area, or to work with certain types of CIs. If
you do not use this function, each user that logs in to Control Desk is
able to work with any CI in the applications to which that user's
security groups give access. If you want to control users' access
to configuration items, follow these steps.
Before you begin
Before beginning these steps, perform the procedure described
in
Configuring security.
You can synchronize your
access collections and the security groups whose members can work
with them, with the TADDM component.
In this case, the same restrictions are enforced in the TADDM user
interface. If you want to enable this synchronization, follow the
steps in Synchronizing access collections before you create your access
collections. Collections are synchronized when they are created or
modified; if you create your collections before enabling synchronization,
they are synchronized only if you modify them.
About this task
When you put configuration items into an access collection,
only the specified users are able to:
- View information about those CIs
- Choose those CIs from a list to perform any action
- Run reconciliation reports using those CIs
- Process a change request involving those CIs
To create access collections and assign security groups
to work with them, follow these steps:
Procedure
- Choose the groups of configuration items to which you want
to control access. You can define groups in any of the ways available
in the Collections application. Click to open the Collections application. If you already
defined collections for other purposes, you can use them as access
collections if you wish. An access collection can
contain items other than configuration items, but only the configuration
items are affected.
- Choose the groups of users who should have access to each
collection. If these groups do not exist in your directory server,
define them there. You can reuse the security groups that are used
to control application access, or you can create new groups that overlap
the existing groups.
- In the directory server, assign users to the newly created
groups.
- Information about the new groups and their members are
copied to the Maximo database by
the VMM cron task. All control of access to configuration items is
performed within Control Desk using
this information.
- Assign security groups to work with the access collections.
Follow these steps for each security group that has access to one
or more collections:
- Click to open the
Security Groups application.
- Choose the group whose permissions you want to define.
- Click the Data Restrictions tab and then
the Collection Restrictions subtab.
- Use the New Row button to add collections
to which this security group has access.
- After adding all the collections, click Save.
What to do next
After you complete these steps, log in to
Control Desk with
user IDs that should have access to some, but not all, access collections.
Verify that each user ID can work with CIs from the appropriate collections
and not CIs from collections to which it should not have access.