...
Open-AudIT ships with inbuilt roles for admin, org_admin, user and reporter.
Generally, a user who is an administrator of the Open-AudIT application itself should have the admin and possibly the org_admin role.
...
The admin role allows access to collections such as baselines, configuration, database, groups, ldap servers, logs, queries and roles: global items that affect the entire application.
The org_admin role usually allows create, read, update and delete actions for any collection that contains the org_id column. Virtually all data except some of the collections mentioned above will contain an org_id column.
The reporter role allows the creation of baselines, licenses and queries.
The user role generally allows read only access to all items with an org_id column.
...
All orgs except the default org have a parent. Think of an Org Chart. If a user has permission on an Org, they also have permission on any descendants of that Org.
As of 3.3.2 we have also allowed a user with permission on a child org to see the items from parent orgs for certain collections. Those are: dashboards, discovery_scan_options, fields, files, groups, queries, reports, roles, rules, scripts, summaries, widgets.
Don't forget you have granular control over what users can see and do using Roles in Enterprise.
Their OrgIDs and any descendants | Their OrgIDs only | Their OrgIDs, descendants and ascendants |
---|---|---|
applications, baselines, baselines_policies, buildings, clouds, clusters, collectors, connections, credentials, devices, discoveries, discovery_log, floors, integrations, ldap_servers, licenses, locations, logs, networks, orgs, rack_devices, racks, rooms, rows, search, tasks, users | configuration, database, errors, help, nmis, san, test, util | dashboards, discovery_scan_options, fields, files, groups, queries, reports, roles, rules, scripts, summaries, widgets |
Active Directory and OpenLDAP
...
When configured correctly, LDAP use can completely remove the need to create users in Open-AudIT. Simply configure Open-AudIT to use LDAP for both authentication and authorization. If the user does not exist in Open-AudIT but does exist in LDAP, and their credentials are correct and they are a member of the required groups, Open-AudIT will create the user account automatically.
...
Example Org Chart with Access
Below you can see an example Org Chart. If a user has permission on the "Finance A" Org, they also have permission on the descendant Orgs of Dept A, B & C. This is regardless of the collection requested.
If the collection requested allows ascendants, then the user will also have access to Company #1 and Default Org items. As listed above, this applies to queries, groups, et al.
Note - A user may have access to a query from Default Org, but that is access to the query itself, not to its result. The result will only show devices that the user has access to, i.e. devices from Finance A and Dept A, B & C.
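The org-chart rules described above (permission on an Org covers its descendants; the collections in the third column of the table also expose ascendants; the first column is descendants only; the second column is the user's own Orgs only) and the note that access to a query does not widen access to its result can be expressed as a small authorization check. The following is an added example written for this page, not Open-AudIT's own code: the org chart (Default Org, Company #1, Finance A, Dept A/B/C, plus a constructed sibling "Company #2") and the device records are constructed inputs, and the function names are hypothetical. Collections that are not in any of the three classes resolve to no Orgs at all, so an unknown or misspelled collection fails closed.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed org chart modelled on the page's example: org_id -> (name, parent org_id).
# Default Org is the root and has no parent.
ORGS: Dict[int, Tuple[str, Optional[int]]] = {
    1: ("Default Org", None),
    2: ("Company #1", 1),
    3: ("Finance A", 2),
    4: ("Dept A", 3),
    5: ("Dept B", 3),
    6: ("Dept C", 3),
    7: ("Company #2", 1),  # constructed sibling branch the example user must never see
}

# Visibility classes copied from the table on this page.
THEIR_ORGS_AND_DESCENDANTS = {
    "applications", "baselines", "baselines_policies", "buildings", "clouds",
    "clusters", "collectors", "connections", "credentials", "devices",
    "discoveries", "discovery_log", "floors", "integrations", "ldap_servers",
    "licenses", "locations", "logs", "networks", "orgs", "rack_devices", "racks",
    "rooms", "rows", "search", "tasks", "users",
}
THEIR_ORGS_ONLY = {"configuration", "database", "errors", "help", "nmis", "san", "test", "util"}
THEIR_ORGS_DESCENDANTS_AND_ASCENDANTS = {
    "dashboards", "discovery_scan_options", "fields", "files", "groups", "queries",
    "reports", "roles", "rules", "scripts", "summaries", "widgets",
}


def descendants(org_id: int, orgs=ORGS) -> Set[int]:
    """Return org_id plus every Org below it in the chart (breadth-first walk)."""
    found = {org_id}
    queue = deque([org_id])
    while queue:
        current = queue.popleft()
        for child, (_, parent) in orgs.items():
            if parent == current and child not in found:
                found.add(child)
                queue.append(child)
    return found


def ascendants(org_id: int, orgs=ORGS) -> Set[int]:
    """Return every Org above org_id, up to and including the root (Default Org)."""
    found: Set[int] = set()
    parent = orgs[org_id][1]
    while parent is not None:
        found.add(parent)
        parent = orgs[parent][1]
    return found


def visible_orgs(user_org_ids: Iterable[int], collection: str, orgs=ORGS) -> Set[int]:
    """Orgs whose items the user may read in `collection`, per the table's three classes.

    A collection in none of the classes yields an empty set: deny by default.
    """
    visible: Set[int] = set()
    for org_id in user_org_ids:
        if collection in THEIR_ORGS_ONLY:
            visible.add(org_id)
        elif collection in THEIR_ORGS_AND_DESCENDANTS:
            visible |= descendants(org_id, orgs)
        elif collection in THEIR_ORGS_DESCENDANTS_AND_ASCENDANTS:
            visible |= descendants(org_id, orgs) | ascendants(org_id, orgs)
    return visible


def can_read(user_org_ids: Iterable[int], collection: str, item_org_id: int, orgs=ORGS) -> bool:
    """True if an item belonging to item_org_id is readable by this user in this collection."""
    return item_org_id in visible_orgs(user_org_ids, collection, orgs)


def run_query_for_user(user_org_ids: Iterable[int], query_org_id: int,
                       devices: List[dict], orgs=ORGS) -> List[dict]:
    """Apply the page's note: reading a query (ascendants allowed) does not widen
    the result, which is filtered by the `devices` rule (descendants only)."""
    if not can_read(user_org_ids, "queries", query_org_id, orgs):
        raise PermissionError("user cannot read this query")
    allowed = visible_orgs(user_org_ids, "devices", orgs)
    return [d for d in devices if d["org_id"] in allowed]


# Constructed device records; org_id refers to ORGS above.
DEVICES = [
    {"name": "fin-a-fileserver", "org_id": 3},
    {"name": "dept-b-laptop", "org_id": 5},
    {"name": "hq-router", "org_id": 1},
    {"name": "company2-printer", "org_id": 7},
]

if __name__ == "__main__":
    # A user with permission on Finance A runs a query owned by Default Org.
    for device in run_query_for_user({3}, query_org_id=1, devices=DEVICES):
        print(device["name"], ORGS[device["org_id"]][0])
```

Run as-is, the script lists only fin-a-fileserver and dept-b-laptop: the Default Org query is readable because `queries` allows ascendants, but hq-router (Default Org) and company2-printer (a sibling branch) are outside the `devices` scope for a Finance A user.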