2_6_0/admin/managing_user_accounts.txt · Last modified: 2019/01/09 16:40 (external edit)
Original post: https://www.itophub.io/wiki/page?id=2_7_0%3Aadmin%3Amanaging_user_accounts


Managing User Accounts

iTop provides a user management module allowing administrators to assign users one (or more) predefined profiles. The combination of profiles determines, for each user, the actions she/he is allowed to perform in iTop (which objects can be viewed, created/modified or deleted).

In the current version of iTop, the profiles are predefined; there is no user interface to modify them or to create new profiles.

Viewing Profiles

Use the “Admin Tools / Profiles” menu to access the profiles and see their corresponding definitions as shown below:

List of all profiles

When you click on a given profile, the details of this profile are displayed.

Details of a Profile

  • The tab “Users” lists all users having this profile.

  • The tab “Grant matrix” displays, for each class of objects, all the actions allowed for this profile.

Default profiles

  • Administrator: Has the rights on everything (bypassing any control).

  • Change Approver: Person who could be impacted by some changes.

  • Change Implementor: Person executing the changes.

  • Change Supervisor: Person responsible for the overall change execution.

  • Configuration Manager: Person in charge of the documentation of the managed CIs.

  • Document author: Any person who could contribute to documentation.

  • Portal user: Has the rights to access the user portal. People having this profile will not be allowed to access the standard application; they will be automatically redirected to the user portal.

  • Portal power user: New in 2.0.1. Users having this profile have the rights to see all the tickets for a customer in the portal. Must be used in conjunction with other profiles (e.g. Portal User).

  • Problem Manager: Person analyzing and solving the current problems.

  • REST Services User: New in 2.5.0. User account with access to the REST Web Services. If the configuration setting secure_rest_services is set to true (which is the default), then only the user accounts having this profile are allowed to use the REST web services.

  • Service Desk Agent: Person in charge of creating incident reports.

  • Service Manager: Person responsible for the service delivered to the [internal] customer.

  • Support Agent: Person analyzing and solving the current incidents.

Viewing User Accounts

The menu “User Accounts” under the “Admin Tools” module enables you to see all logins defined for your iTop instance.

List of all user accounts

When clicking on a user you get the following details:

Details of a User Account

A user account must be linked to a Person stored in the CMDB (See the CMDB Module documentation). Prior to creating a login, make sure that the user is documented as a Person in the CMDB.

If no contact is defined for a login, then that login will suffer several limitations (list not exhaustive):

  • Cannot receive email notifications. Example: a ticket has been created for customer x.

  • Cannot be responsible for something. Example: the agent a ticket is assigned to.

  • No access to the customer portal.

The tab “Profiles” lists all profiles that are linked to this user. The tab “Grants matrix” displays the rights allowed for this user; it is the merge of all rights corresponding to the associated profiles. The tab “Allowed Organizations” displays the list of organizations this user is allowed to see.

Creating a user

To create a new user, you just have to click on “New” in the action drop-down list, from either the user list or the details of a given user. The following wizard then appears:

Creating a new User Account

Administrators can define different types of user accounts, depending on the desired type of authentication:

  • iTop user accounts are internal to iTop. Their passwords are stored (encrypted) within the database of iTop. This type of account is useful for administrative users, for scripts and integration with other applications.

  • LDAP user accounts have their authentication done by an external LDAP or Active Directory server.

  • External user accounts have their authentication managed directly by the web server, for example when using an Apache .htaccess file or an external single-sign-on solution such as JASIG-CAS.

All the details about authentication in iTop are described in the chapter User authentication options.

If you decide to create an iTop user, you have to type in the password and retype it a second time for confirmation. An exclamation sign appears at the right of the password field if the two passwords do not match.

Creating a new iTop User

If you have password policies, the password will need to follow them.

A user record defines:

  • The favorite language of this user, that will be used for displaying the iTop user interface.

  • The contact linked to this user account. For portal users, this contact is also used to determine the default organization of the portal.

  • The list of profiles for this account. Each iTop user account must have at least one profile.

Editing an account's profiles

The “Add Profiles…” button displays the search window for selecting the profiles you want to assign to the user.

Adding profiles to an account

The profiles assigned to the user can be changed later on using the “Modify” action for a user.

Import logins massively

To create many logins in a few steps, you can use the CSV import tools.

Check the format for bulk importing relationships.

You can check this example, which is used for CLI import; the expected CSV import format is identical.

Restricting access to a set of Organizations

Administrators can define for each user the list of organizations she/he is allowed to access using the “Allowed Organizations” tab. If no organization is selected, the user is allowed to see all of them.

In case of a hierarchy of organizations (when some organizations have a parent organization), the rights are inherited from the parent to the child organizations. In other words, if a user has the rights to access the parent organization, then this user also has the rights to access all the child organizations of this organization.

An object is considered as belonging to an organization if it has a field named exactly org_id which is an AttributeExternalKey, or an AttributeExternalField on an AttributeExternalKey, on the class Organization.
Objects without any org_id field are always visible to all users.

Objects whose org_id field is empty (=0) are never visible to users with allowed organizations.

An Attachment object has an org_id field, fed with the organization of the object it is linked to. If that object has no org_id field, the attachment's org_id is empty, and the attachment is therefore not visible to users with allowed organizations.

All the objects belonging to an organization which is forbidden to a given user are completely hidden from this user. For this user, the application behaves as if such objects did not exist.

If the contact corresponding to a user is in a forbidden organization for her/him, it looks (for this user) as if the contact does not exist. Since all users accessing the portal must be linked to a contact, such a configuration will prevent this user from accessing the iTop portal!

The selected organizations can be changed later on using the “Modify” action for a user.
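The visibility rules of this section, as an added example written for this page rather than iTop's own code: a small Python model of the organization check over a constructed hierarchy and constructed object records. The names ORG_PARENT, can_see, attachment_for and portal_access_ok are assumptions made for the illustration.

```python
# Constructed model of the organization-scoping rules described above.
# ORG_PARENT, can_see, attachment_for and portal_access_ok are assumptions
# made for this illustration; they are not iTop's own code or API.

# Organization hierarchy: child -> parent (None for a top-level organization).
ORG_PARENT = {
    "Demo": None,
    "Demo/IT": "Demo",
    "Demo/IT/Network": "Demo/IT",
    "Partner": None,
}

def org_and_ancestors(org):
    """Yield org, then each parent up to the top of the hierarchy."""
    while org is not None:
        yield org
        org = ORG_PARENT[org]

def is_org_allowed(allowed_orgs, org):
    """Rights flow from parent to child: an organization is visible when it
    or any of its ancestors is in the user's allowed list."""
    return any(o in allowed_orgs for o in org_and_ancestors(org))

def can_see(allowed_orgs, obj):
    """Apply the visibility rules to one object (a dict).
    No 'org_id' key: the class has no org_id field.  org_id == 0: empty."""
    if not allowed_orgs:
        return True      # no organization selected: the user sees everything
    if "org_id" not in obj:
        return True      # objects without any org_id field are visible to all
    if obj["org_id"] == 0:
        return False     # empty org_id is hidden from users with allowed orgs
    return is_org_allowed(allowed_orgs, obj["org_id"])

def attachment_for(obj):
    """An Attachment's org_id is fed from the object it is linked to, and
    stays empty (0) when that object has no org_id field at all."""
    return {"class": "Attachment", "org_id": obj.get("org_id", 0)}

def portal_access_ok(allowed_orgs, contact):
    """The portal needs the user's own contact to be visible to that user;
    a contact in a forbidden organization locks the user out of the portal."""
    return can_see(allowed_orgs, contact)
```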

Changing a user password

The administrator can change a user password if required by simply using the “Modify” action for a user. This can be useful to reset the password of a user.

Users can change their own password by clicking on the “Log-Off” menu and selecting “Change password…”.

The passwords are stored encrypted (one way) in the iTop database, and therefore cannot be reconstructed from the content of the database.

I forgot my password

Users with an iTop user type of account can reset their password on their own: there is no need for the administrator to do anything.

More information in the chapter I forgot my password.

Deactivating an account

Starting with iTop 2.3.0, a new field “Status” has been added to User Accounts. “Status” has two possible values: “Enabled” or “Disabled”. When set to “Disabled”, the account is deactivated and the user can no longer connect to iTop. By default, the value of the field is Enabled.

Delegating this to non-administrators

It is possible to delegate the management of users to users without the Administrator profile: Delegate 'Admin tools' menus

Created by superadmin on 2020/08/27, 15:56
