Which doc for CME 7.5 about deeper special access grants knowledge?

[Gef Buneri]

Hi all, I'm pursuing the goal to restrict view on object for specific users/access groups, but if I use "no access" on some objects (environment, i.e.) I can't access the app at all, so I was guessing if there's a way to let operative grants to sys, while not showing objects on CME client.



Regards.

***EDIT***
i.e. I can't figure out why if I have just read permissions on an object, for a user/access group, I can still delete/modify the object (folder or specific object). Can be 'cause to "FULL CONTROL" grants for "EVERYONE" access group, un same object? (but there's no one inside that access group).

Ok, EVERYONE grants have to be changed too to make other identities to be affected by individual grant changes; now I can avoid deletion/modification per identity, but still cannot figure out if there's a way to hide view on objects, per identity.

[Tambo]

no you need GA for that, it has better security roles and permissions

CME will still let you see the object and also delete it (not amend it but delete it for some reason) .

if you say no access to certain applications then it wouls stop that group of people opening CCPulse for instance.

there is a few threads on here for permissions.

[Gef Buneri]

Thanks Tambo. Administrator exists for 7.5 GVP?

[Tambo]

no mate 8.0 is the first

CME isn't great on security

[Gef Buneri]

doh! fine then, thanx!

[n3vek7]

The only thing GA will bring are the roles, no? (and maybe the permissions tab is more easy to use)

Why not create a new Access Groups and assign access to this new group instead of adding a "No Access" on a lot of objects. (I'm not a fan of the No Access...)
Which kind of objects you don't want the users to see?

[Gef Buneri]

Hi N3vek. At the end I did so... created new access groups to give/remove from them specific permissions.

It was a little triky, 'cause you must to modify permissions in all child object to avoid conflicts if different permissions are configured on the parent object, for the same access groups. I had to create separate objects in environment, for clients and templates. I.e. if a template have "no access" grants for that access group, CCPulse client launched using a login belonging to the restricted access group, will not start.

Today all is working fine, limiting the CME view only to objects the specific login have grants too see.

Thanks.


G.

[Gef Buneri]

If this could be of any help to anyone, you can use "tricks" to apply crossed grants between parent object and child object; i.e. if you do not want the user to be able to delete a parent objec, keep in mind the parent object can't be deleted if contains childs, so in the case of a "agent groups" folder, you can give read/change special access to parent (no propagation), and read/create to child; doing so, you cannot delete the child due to permissions, and cannot delete the parent due to "folder not empty" reason.

[Gef Buneri]

Wow, a very strange issue happened during tests with grants: An agent who use the TeleAp CtiKernel phone bar, having no read/execute grants on an application client called"default" using a template "configuration manager v. 7.1", can't login due to a "tserver unavailable" error. Giving back the read grant on the client, all works fine. The client have got no connection with other objects. The client used by the CtiKernel is not the "default" named client, is another one with no apparent connection/dependencies with the "default" client.

Any clue?