User accounts and permissions

iTop provides a user management module through which administrators assign each user one (or more) predefined profiles (roles). The combination of profiles determines, for each user, what the user is allowed to do in iTop (which objects can be viewed, created, modified or deleted).

In the current version of iTop, profiles are predefined; there is no user interface to modify them or to create new profiles.

Viewing profiles

Use the "Admin Tools / Profiles" menu to access the profiles and view their definitions, as shown below:

1.png

When you click on a given profile, the details of that profile are displayed.

2.png

The "Users" tab lists all users that have this profile.

The "Grant matrix" tab shows, for each class of objects, all the actions allowed for this profile.

Default profiles

  • Administrator: Has the rights on everything (bypassing any control).

  • Change Approver: Person who could be impacted by some changes.

  • Change Implementor: Person executing the changes.

  • Change Supervisor: Person responsible for the overall execution of changes.

  • Configuration Manager: Person in charge of the documentation of the managed CIs.

  • Document author: Any person who can contribute to documentation.

  • Portal user: Has the right to access the user portal. People with this profile are not allowed to access the standard application; they are automatically redirected to the user portal.

  • Portal power user: New in 2.0.1. Users with this profile have the right to see all the tickets of a customer in the portal. Must be used together with other profiles (e.g. Portal user).

  • Problem Manager: Person analyzing and solving the current problems.

  • REST Services User: New in 2.5.0. User account with access to the REST web services. If the configuration setting secure_rest_services is set to true (which is the default), only user accounts with this profile are allowed to use the REST web services.

  • Service Desk Agent: Person in charge of creating incident reports.

  • Service Manager: Person responsible for the service delivered to the [internal] customer.

  • Support Agent: Person analyzing and solving the current incidents.

Viewing user accounts

The "User Accounts" menu under the "Admin Tools" module lets you see all the logins defined for your iTop instance.

3.png

When you click on a user, you get the following details:

Details of a User Account

A user account must be linked to a Person stored in the CMDB (see the CMDB module documentation). Before creating a login, make sure the user is recorded as a Person in the CMDB.

If no contact is defined for a login, that login is subject to several limitations (non-exhaustive list):

1. Cannot receive email notifications. Example: a ticket has been created for customer x.

2. Cannot be responsible for something. Example: the agent a ticket is assigned to.

3. No access to the customer portal.

The "Profiles" tab lists all profiles linked to this user. The "Grants matrix" tab shows the rights allowed for this user; it is the merge of all rights of the associated profiles. The "Allowed Organizations" tab shows the list of organizations this user is allowed to see.

Creating a user

To create a new user, simply click "New" in the actions drop-down list, either from the user list or from a given user's details. The following wizard then appears:

Creating a new User Account

Administrators can define different types of user accounts, depending on the desired type of authentication:

iTop user accounts are internal to iTop. Their passwords are stored (encrypted) in the iTop database. This type of account is useful for administrative users, for scripts, and for integration with other applications.

LDAP user accounts are authenticated by an external LDAP or Active Directory server.

External user accounts are authenticated directly by the web server, for example when using an Apache .htaccess file or an external single sign-on solution (such as JASIG-CAS).

All the details about authentication in iTop are described in the chapter "User authentication options".

If you decide to create an iTop user, you must enter the password and then enter it again for confirmation. If the two passwords do not match, an exclamation mark appears to the right of the password field.

Creating a new iTop User

If you have password policies, the password must comply with them.

A user record defines:

The preferred language of this user, used to display the iTop user interface.

The contact linked to this user account. For portal users, this contact is also used to determine the default organization of the portal.

The list of profiles for this account. Each iTop user account must have at least one profile.

Editing an account's profiles

The "Add profiles…" button displays a search window for selecting the profiles to assign to the user.

Adding profiles to an account

The profiles assigned to a user can be changed later using the "Modify" action for that user.

Importing logins massively

To create many logins in a few steps, you can use the CSV import tools.

Check the format for bulk importing relationships.

You can check this example used for CLI import; the expected CSV import format is identical.

Restricting access to a set of organizations

Administrators can define, for each user, the list of organizations the user is allowed to access using the "Allowed Organizations" tab. If no organization is selected, the user is allowed to see all of them.

When organizations are hierarchical (some organizations have a parent organization), rights are inherited from the parent to the child organizations. In other words, if a user has the right to access a parent organization, that user also has the right to access all the child organizations of that organization.

An object is considered as belonging to an organization if it has a field named exactly org_id that is an AttributeExternalKey to the Organization class, or an AttributeExternalField on such an AttributeExternalKey.
Objects without any org_id field are always visible to all users.

Objects whose org_id field is empty (= 0) are never visible to users that have allowed organizations.

Attachment objects have an org_id field that is provided by the organization of the object they are linked to. If that object has no org_id field, the attachment's org_id is empty, so the attachment is not visible to users that have allowed organizations.
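The visibility rules of this section (inheritance from parent to child organization, classes without org_id, the empty org_id case, and attachments taking their org_id from the linked object) can be expressed as one decision function. The following is an added illustration written for this page, not iTop's own implementation; the organization tree, the class names and the DbObject/scoping_org_id helpers are constructed for the example.

```python
"""Added example (not iTop code): an allowed-organization visibility check that
follows the rules stated in the section above. The organization tree, class
names and helper functions are constructed for this illustration."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed organization hierarchy: org id -> parent org id (None = top level).
#   1 Demo
#     2 IT Department (child of Demo)
#       3 Network Team (child of IT Department)
#   4 Partner Corp
ORG_PARENT = {1: None, 2: 1, 3: 2, 4: None}

EMPTY_ORG = 0  # an empty org_id is stored as 0


def is_same_or_below(org_id, ancestor_id):
    """True if org_id is ancestor_id itself or lies below it in the hierarchy."""
    current = org_id
    while current is not None:
        if current == ancestor_id:
            return True
        current = ORG_PARENT.get(current)
    return False


def expand_allowed(allowed):
    """Rights are inherited from parent to child: the selected organizations
    plus every organization below them."""
    return {o for o in ORG_PARENT if any(is_same_or_below(o, a) for a in allowed)}


@dataclass
class DbObject:
    cls: str
    fields: dict = field(default_factory=dict)
    linked_to: Optional["DbObject"] = None  # Attachment: the object it belongs to


def scoping_org_id(obj):
    """org_id value used for scoping, or None when the class has no org_id field.
    An Attachment takes its org_id from the linked object; when that object has
    no org_id field, the attachment's org_id is empty."""
    if obj.cls == "Attachment":
        parent_org = obj.linked_to.fields.get("org_id") if obj.linked_to else None
        return EMPTY_ORG if parent_org is None else parent_org
    return obj.fields.get("org_id")


def is_visible(obj, allowed_orgs):
    """Decide whether a user with the given allowed organizations sees obj.
    An empty set means no restriction was configured for the user."""
    if not allowed_orgs:
        return True                      # no selection: the user sees everything
    org_id = scoping_org_id(obj)
    if org_id is None:
        return True                      # class without org_id: visible to all users
    if org_id == EMPTY_ORG:
        return False                     # empty org_id: hidden from restricted users
    return org_id in expand_allowed(allowed_orgs)


def visible_objects(objects, allowed_orgs):
    """Filter a list the way the application does: forbidden objects do not exist."""
    return [o for o in objects if is_visible(o, allowed_orgs)]


if __name__ == "__main__":
    net_ticket = DbObject("UserRequest", {"org_id": 3})
    partner_ticket = DbObject("UserRequest", {"org_id": 4})
    orphan_ticket = DbObject("UserRequest", {"org_id": EMPTY_ORG})
    audit_rule = DbObject("AuditRule")   # constructed class without an org_id field
    sample = [net_ticket, partner_ticket, orphan_ticket, audit_rule,
              DbObject("Attachment", linked_to=net_ticket),
              DbObject("Attachment", linked_to=audit_rule)]
    # A user restricted to "IT Department" (org 2) sees the Network Team ticket,
    # the AuditRule and the attachment of the Network Team ticket, nothing else.
    for o in visible_objects(sample, {2}):
        print(o.cls, o.fields)
```

Note that inheritance only goes downwards: a user allowed on "IT Department" sees "Network Team" objects but not "Demo" objects, and the empty org_id case fails closed for any user who has a restriction configured.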

All objects belonging to an organization that is forbidden to a given user are completely hidden from that user. For this user, the application behaves as if such objects did not exist.

If the contact corresponding to a user is in an organization that is forbidden to that user, it looks (for this user) as if the contact does not exist. Since all users accessing the portal must be linked to a contact, such a configuration will prevent this user from accessing the iTop portal!

The selected organizations can be changed later using the "Modify" action for the user.

Changing a user's password

If needed, the administrator can change a user's password simply by using the "Modify" action for that user. This is useful for resetting a user's password.

Users can change their own password by clicking the "Log-Off" menu and selecting "Change password…".

Passwords are stored encrypted (one way) in the iTop database, so they cannot be reconstructed from the content of the database.

I forgot my password

Users with an iTop user type of account can reset their password on their own: the administrator does not need to do anything.

More information in the chapter "I forgot my password".

Deactivating an account

Starting with iTop 2.3.0, a new field "Status" has been added to user accounts. "Status" has two possible values: "Enabled" or "Disabled". When set to "Disabled", the account is deactivated and the user can no longer connect to iTop. By default the value of the field is Enabled.

Delegating this to non-administrators

User management can be delegated to users without the Administrator profile: see "Delegate 'Admin tools' menus".

Source: https://www.itophub.io/wiki/page?id=2_6_0%3Aadmin%3Amanaging_user_accounts


Managing User Accounts

iTop provides a user management module allowing administrators to assign users one (or more) predefined profiles. The combination of profiles determines for each user the actions she/he is allowed to perform in iTop (viewing, creating/modifying or deleting which objects).

In the current version of iTop, the profiles are predefined; there is no user interface to modify them or to create new profiles.

Viewing Profiles

Use the “Admin Tools / Profiles” menu to access the profiles and see their corresponding definitions as shown below:

List of all profiles

When you click on a given profile, the details of this profile are displayed.

Details of a Profile

  • The tab “Users”, lists all users having this profile.

  • The tab “Grant matrix” displays, for each class of objects, all the actions allowed for this profile.

Default profiles

  • Administrator: Has the rights on everything (bypassing any control).

  • Change Approver: Person who could be impacted by some changes.

  • Change Implementor: Person executing the changes.

  • Change Supervisor: Person responsible for the overall change execution.

  • Configuration Manager: Person in charge of the documentation of the managed CIs.

  • Document author: Any person who could contribute to documentation.

  • Portal user: Has the rights to access the user portal. People having this profile will not be allowed to access the standard application; they will be automatically redirected to the user portal.

  • Portal power user: New in 2.0.1. Users having this profile will have the rights to see all the tickets for a customer in the portal. Must be used in conjunction with other profiles (e.g. Portal User).

  • Problem Manager: Person analyzing and solving the current problems.

  • REST Services User: New in 2.5.0. User account with access to the REST Web Services. If the configuration setting secure_rest_services is set to true (which is the default), then only the user accounts having this profile are allowed to use the REST web services.

  • Service Desk Agent: Person in charge of creating incident reports.

  • Service Manager: Person responsible for the service delivered to the [internal] customer.

  • Support Agent: Person analyzing and solving the current incidents.

Viewing User Accounts

The menu “User Accounts” under “Admin Tools” module, enables you to see all logins defined for your iTop instance.

List of all user accounts

When clicking on a user you get the following details:

Details of a User Account

A user account must be linked to a Person stored in the CMDB (See the CMDB Module documentation). Prior to creating a login, make sure that the user is documented as a Person in the CMDB.

If no contact is defined for a login, then that login will suffer several limitations (list not exhaustive):

  • Cannot receive email notifications. Example: a ticket has been created for customer x.

  • Cannot be responsible for something. Example: the agent a ticket is assigned to.

  • No access to the customer portal.

The tab “Profiles” lists all profiles that are linked to this user. The tab “Grants matrix” displays the rights allowed for this user: it is the merge of all rights corresponding to the associated profiles. The tab “Allowed Organizations” displays the list of organizations this user is allowed to see.
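The "merge of all rights" shown in the Grants matrix is a union: for each class, the user may perform any action that at least one of her/his profiles grants. The following added example (written for this page, not iTop code) models that merge together with two rules stated elsewhere on this page: an account must carry at least one profile, the Administrator profile bypasses any control, and the Portal user profile sends the account to the portal instead of the standard application. The profile-to-grants table is a constructed sample, not iTop's real grant matrix.

```python
"""Added example (not iTop code): merging profile grants into a user's effective
grants matrix. PROFILE_GRANTS is a constructed sample for the illustration."""

ACTIONS = ("read", "create", "modify", "delete")

# Constructed sample grants: profile -> class -> allowed actions.
PROFILE_GRANTS = {
    "Support Agent":   {"Incident": {"read", "create", "modify"}, "Person": {"read"}},
    "Document author": {"Document": {"read", "create", "modify"}, "Person": {"read"}},
    "Problem Manager": {"Problem": set(ACTIONS), "Incident": {"read"}},
    "Portal user":     {"UserRequest": {"read", "create"}},
}
ADMINISTRATOR = "Administrator"   # has the rights on everything
PORTAL_USER = "Portal user"       # never reaches the standard application


def effective_grants(profiles):
    """Union of every right carried by the account's profiles, per class."""
    if not profiles:
        raise ValueError("a user account must have at least one profile")
    merged = {}
    for profile in profiles:
        if profile == ADMINISTRATOR:
            continue                      # handled separately in is_allowed
        if profile not in PROFILE_GRANTS:
            raise KeyError(f"unknown profile: {profile}")
        for cls, actions in PROFILE_GRANTS[profile].items():
            merged.setdefault(cls, set()).update(actions)
    return merged


def is_allowed(profiles, cls, action):
    """Authorization decision for one action on one class."""
    if not profiles:
        raise ValueError("a user account must have at least one profile")
    if ADMINISTRATOR in profiles:
        return True                       # bypasses any control
    return action in effective_grants(profiles).get(cls, set())


def landing_page(profiles):
    """Accounts holding the Portal user profile are redirected to the portal."""
    effective_grants(profiles)            # validates the profile list
    return "portal" if PORTAL_USER in profiles else "console"


if __name__ == "__main__":
    agent = ["Support Agent", "Document author"]
    for cls, actions in sorted(effective_grants(agent).items()):
        print(f"{cls}: {sorted(actions)}")
    print("delete Incident:", is_allowed(agent, "Incident", "delete"))   # False
    print("landing:", landing_page(["Portal user"]))                    # portal
```

Because the merge is a union, adding a profile can only widen what an account may do; when reviewing an account, look at the merged matrix rather than at any single profile.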

Creating a user

To create a new user, you just have to click on “New” in the action drop-down list, from either the user list or a given user's details. The following wizard then appears:

Creating a new User Account

Administrators can define different types of user accounts, depending on the desired type of authentication:

  • iTop user accounts are internal to iTop. Their passwords are stored (encrypted) within the database of iTop. This type of account is useful for administrative users, for scripts and integration with other applications.

  • LDAP user accounts have their authentication done by an external LDAP or Active Directory server.

  • External user accounts have their authentication managed directly by the web server, for example when using an Apache .htaccess file or when using an external single-sign-on solution, like for example JASIG-CAS.

All the details about authentication in iTop are described in the chapter User authentication options.

If you decide to create an iTop user, you have to type-in the password and to retype it a second time for confirmation. An exclamation sign appears at the right of the password field if both passwords do not match.

Creating a new iTop User

A user record defines:

  • The favorite language of this user, that will be used for displaying the iTop user interface.

  • The contact linked to this user account. This contact is also used - for portal users - to determine the default organization of the portal.

  • The list of profiles for this account. Each iTop user account must have at least one profile.

Editing an account's profiles

The “Add Profiles…” button displays the search window for selecting the profiles you want to assign to the user.

Adding profiles to an account

The profiles assigned to the user can be changed later on using the “Modify” action for a user.

Import logins massively

To create many logins in a few steps, you can use the CSV import tools.

Check the format to bulk import relationships.

You can check this example which is used for CLI import, but expected CSV import format is identical.

Restricting access to a set of Organizations

Administrators can define for each user the list of organizations she/he is allowed to access using the “Allowed Organizations” tab. If no organization is selected, the user is allowed to see all of them.

In case of a hierarchy of organizations (when some organizations have a parent organization), the rights are inherited from the parent to the child organizations. In other words, if a user has the rights to access the parent organization, then this user has also the rights to access all the child organizations of this organization.

An object is considered as belonging to an organization if it has a field named exactly org_id which is an AttributeExternalKey on class Organization, or an AttributeExternalField on such an AttributeExternalKey.
Objects without a value in org_id or without any org_id field are always visible to all users.

All the objects belonging to an organization which is forbidden to a given user are completely hidden from this user. For this user, the application behaves as if such object did not exist.

If the contact corresponding to a user is in a forbidden organization for her/him, it looks (for this user) as if the contact does not exist. Since all users accessing the portal must be linked to a contact, such a configuration will prevent this user from accessing the iTop portal!

The selected organizations can be changed later on using the “Modify” action for a user.

Changing a user password

The administrator can change a user password if required by simply using the “Modify” action for a user. This can be useful to reset the password of a user.

Users can change their own password by clicking on the “Log-Off” menu and selecting “Change password…”.

The passwords are stored encrypted (one way) in the iTop database, and therefore cannot be reconstructed from the content of the database.

I forgot my password

Users having an iTop user type of account can reset their password on their own: there will be no need for the administrator to do anything.

More information in the chapter I forgot my password.

Deactivating an account

Starting with iTop 2.3.0, a new field “Status” has been added on the User Accounts. The “Status” has two possible values: “Enabled” or “Disabled”. When set to “Disabled” the account is deactivated and the user can no longer connect to iTop. By default the value for the field is Enabled.

Delegating this to non-administrators

It is possible to delegate management of users to users without Administrator profile: Delegate 'Admin tools' menus

Created by superadmin on 2020/08/25, 16:26
