Original post: https://www.itophub.io/wiki/page?id=2_7_0%3Acustomization%3Adelegate_rights


Delegate 'Admin tools' menus

Prerequisite: You must be familiar with the Syntax used in Tutorials and have already created an extension.

Learning: Grant admin menus to users other than Administrator
Level: Advanced
Domains: XML, Access rights
Min version: 2.5.0

Since the 2.5 version of iTop, you can grant admin menus to users other than Administrator.

Limitations

The following menus cannot be given to anyone else than an Administrator:

  • Schedule Backup

  • Configuration

  • ITSM Designer

  • ITop Hub

Some classes, such as all those related to object history, have no organization. As a result, giving Run Query access to a user restricted by Allowed Organizations creates a security hole, because that user can see the history of objects they are not allowed to see.

Menu visibility

With version 1.5 of the XML, it is now possible to control access to any menu based on a class and an action right (read, write, delete, …). Only people having that action right on that class will be able to see the menu.

Access to a menu can be tied to an action right on a class

See the XML Reference for details on XML tags to customize a menu.

Group menus are not displayed if they have no sub-menu allowed to the current user

The following admin menus are controlled by default by an action right on a class:

  • Users: write on User

  • Profile: write on Profile

  • Notifications: write on Trigger

  • Audit: write on AuditCategory

  • Run Query: write on ResourceRunQueriesMenu

  • Query phrasebook: write on Query

  • Export: write on ResourceAdminMenu

  • Data Model: write on ResourceRunQueriesMenu

  • Universal Search: write on ResourceAdminMenu

  • Synchronization Data Sources: write on SynchroDataSource

All the classes above can have their access managed within Profiles (through Groups).
Out of the box, there are 6 new Groups which are predefined and can be used by existing or new profiles:

Group id | Menus included by default | Classes included in the Group
User | User Accounts, Profiles | User, URP_UserOrg, URP_UserProfile, URP_Profiles
Audit | Audit, Run Query | AuditCategory, AuditRule, ResourceRunQueriesMenu
Notification | Notification, Run Query | Trigger, Action, lnkTriggerAction, ResourceRunQueriesMenu
Query | Query Phrasebook, Run Query | Query, QueryOQL, ResourceRunQueriesMenu
SynchroData | Synchronization Data Sources | SynchroDataSource
AdminTools | all menus above | all classes above

To give access to one of these Groups, just add the Group to a Profile, or create one of the Profiles suggested below.

Whatever you configure, a non-Administrator user will never be allowed to:

  • edit users having the Administrator profile,

  • give Administrator profile to a user.

Step by step example

Let's say that you want to make the 'Export Menu' accessible to users having the profile 'Config Manager'.

  1. There is no obvious Class to control this menu, so we will create a new Abstract class; let's name it 'RessourceExportMenu'.

  2. We will customize the 'Export Menu' entry to tie it to that newly created class (replace 'ResourceAdminMenu' by 'RessourceExportMenu').

  3. We will customize the 'Config Manager' profile to include 'modify' on the class 'RessourceExportMenu', through a new Group.

Create the Abstract Class

You may use an existing class if one makes sense for controlling access to that menu, but in the case of 'Export' we did not find any satisfying class, so we will create a new one.

The new class must:

  • extend AbstractResource

  • have the category grant_by_profile

    <class id="RessourceExportMenu" _delta="define">
      <parent>AbstractResource</parent>
      <properties>
        <comment>/* Export Menu access control. */</comment>
        <abstract>true</abstract>
        <category>grant_by_profile</category>
      </properties>
      <presentation/>
      <methods/>
    </class>

Overwrite menu definition

datamodels/2.x/itop-welcome-itil/datamodel.itop-welcome-itil.xml
 
    <menu id="ExportMenu" xsi:type="WebPageMenuNode" _delta="must_exist">
      <enable_class _delta="redefine">RessourceExportMenu</enable_class>
      <enable_action _delta="redefine">UR_ACTION_MODIFY</enable_action>
    </menu>

Complete Group & Profile definition

datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml
 
  <user_rights>
    <groups>
      <group id="Export" _delta="define">
        <classes>
          <class id="RessourceExportMenu"/>
        </classes>
      </group>
    </groups>
    <profiles>
      <profile id="3" _delta="must_exist">
        <!-- id=3 correspond to the Configuration Manager profile -->
        <groups>
          <group id="Export" _delta="define">
            <actions>
              <action id="action:write">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
    </profiles>
  </user_rights>

Check datamodel.itop-profiles-itil.xml for the ids of the existing Profiles.

Profiles which could be created

Those Profiles do not exist, but you can create them, in order to delegate “Admin tools” menus to users:

<user_rights>
    <profiles>
      <profile id="43" _delta="define">
        <name>User Manager</name>
        <description>create/modify/delete users...</description>
        <groups>
          <group id="User">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="44" _delta="define">
        <name>Notification Manager</name>
        <description>Has the rights to create and modify the triggers and actions</description>
        <groups>
          <group id="Notification">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="45" _delta="define">
        <name>Audit Manager</name>
        <description>Has the rights to create and modify the audit</description>
        <groups>
          <group id="Audit">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="46" _delta="define">
        <name>Query Manager</name>
        <description>Has the rights to create and modify the Query Phrasebook</description>
        <groups>
          <group id="Query">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="47" _delta="define">
        <name>SynchroData Manager</name>
        <description>Has the rights to create and modify the Synchro data source</description>
        <groups>
          <group id="SynchroData">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
              <action id="action:read bulk">allow</action>
              <action id="action:write bulk">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
      <profile id="48" _delta="define">
        <name>Admin Tools Manager</name>
        <description>Has the rights to Admin</description>
        <groups>
          <group id="AdminTools">
            <actions>
              <action id="action:write">allow</action>
              <action id="action:delete">allow</action>
              <action id="action:read">allow</action>
            </actions>
          </group>
        </groups>
      </profile>
    </profiles>
</user_rights>

Technical details

Here is a detailed explanation of what was modified or added in 2.5 around menu access:

'Admin tools' menus in XML

The admin menus were previously written entirely in plain PHP, secured by an isAdministrator() check. They have been translated into XML, so they can now be overridden.

The Menu XML reference has been enriched so that the class, the action and even the stimulus required to get access to a menu can be specified.

When the tag enable_admin_only is set to 1, any <enable_class> tag provided is ignored: only users with the Administrator profile can see this menu.
If you want to give access to an enable_admin_only menu, you must either set the tag enable_admin_only to 0 or remove the tag completely with _delta="delete", and add at least the enable_class and enable_action tags.
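
The rule described in "Menu visibility" and just above (a menu is shown only to profiles that grant the required action on the menu's enable_class, and enable_admin_only=1 overrides any enable_class) can be checked offline before an extension is deployed. The following Python script is an added example, not code from the iTop wiki or from iTop itself: it parses a small constructed XML fragment that reuses the page's RessourceExportMenu delta and Export group, and reports which profiles see which admin menus. The ExportMenu, RunQueriesMenu and BackupMenu nodes, the 'Administrator' profile name and the mapping from UR_ACTION_* constants to action:* ids are assumptions (the page only pairs UR_ACTION_MODIFY with action:write).

```python
# Added example (not iTop's own code): audit which profiles can see which
# admin menus, following the visibility rule described on the wiki page.
import xml.etree.ElementTree as ET

# Constructed sample XML. It reuses the page's RessourceExportMenu delta and
# Export group; menu ids, the Query group contents and the Administrator
# profile are assumptions. BackupMenu shows enable_admin_only overriding
# enable_class: Configuration Manager has write on that class but still
# must not see it.
SAMPLE_XML = """<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <menus>
    <menu id="ExportMenu" xsi:type="WebPageMenuNode">
      <enable_class>RessourceExportMenu</enable_class>
      <enable_action>UR_ACTION_MODIFY</enable_action>
    </menu>
    <menu id="RunQueriesMenu" xsi:type="WebPageMenuNode">
      <enable_class>ResourceRunQueriesMenu</enable_class>
      <enable_action>UR_ACTION_MODIFY</enable_action>
    </menu>
    <menu id="BackupMenu" xsi:type="WebPageMenuNode">
      <enable_admin_only>1</enable_admin_only>
      <enable_class>RessourceExportMenu</enable_class>
      <enable_action>UR_ACTION_MODIFY</enable_action>
    </menu>
  </menus>
  <user_rights>
    <groups>
      <group id="Export"><classes><class id="RessourceExportMenu"/></classes></group>
      <group id="Query"><classes><class id="Query"/><class id="ResourceRunQueriesMenu"/></classes></group>
    </groups>
    <profiles>
      <profile id="1"><name>Administrator</name><groups/></profile>
      <profile id="3"><name>Configuration Manager</name><groups>
        <group id="Export"><actions><action id="action:write">allow</action></actions></group>
      </groups></profile>
      <profile id="46"><name>Query Manager</name><groups>
        <group id="Query"><actions><action id="action:read">allow</action>
          <action id="action:write">allow</action></actions></group>
      </groups></profile>
    </profiles>
  </user_rights>
</itop_design>"""

ADMIN_PROFILE = "Administrator"  # assumption: name of the built-in admin profile

# Assumption: how enable_action constants map to profile action ids. The page
# only shows UR_ACTION_MODIFY being granted through action:write.
ACTION_FOR_RIGHT = {
    "UR_ACTION_READ": "action:read",
    "UR_ACTION_MODIFY": "action:write",
    "UR_ACTION_DELETE": "action:delete",
}


def load_model(xml_text):
    """Extract menus, groups and profiles from an itop_design document."""
    root = ET.fromstring(xml_text)
    menus = {}
    for m in root.iter("menu"):
        menus[m.get("id")] = {
            "admin_only": (m.findtext("enable_admin_only") or "0").strip() == "1",
            "class": (m.findtext("enable_class") or "").strip(),
            "action": (m.findtext("enable_action") or "").strip(),
        }
    # group id -> set of class ids it contains
    groups = {
        g.get("id"): {c.get("id") for c in g.findall("./classes/class")}
        for g in root.findall("./user_rights/groups/group")
    }
    # profile name -> {group id -> set of allowed action ids}
    profiles = {}
    for p in root.findall("./user_rights/profiles/profile"):
        grants = {}
        for g in p.findall("./groups/group"):
            grants[g.get("id")] = {
                a.get("id") for a in g.findall("./actions/action")
                if (a.text or "").strip() == "allow"
            }
        profiles[p.findtext("name").strip()] = grants
    return {"menus": menus, "groups": groups, "profiles": profiles}


def can_see_menu(model, profile_name, menu_id):
    """Apply the page's rule: admin-only wins, otherwise the profile must grant
    the menu's action on the menu's class through one of its groups."""
    menu = model["menus"][menu_id]
    if profile_name == ADMIN_PROFILE:
        return True
    if menu["admin_only"]:
        return False  # enable_class is ignored when enable_admin_only is 1
    needed = ACTION_FOR_RIGHT.get(menu["action"])
    if not menu["class"] or needed is None:
        return False  # simplification: an unbound menu stays closed to non-admins
    for group_id, allowed in model["profiles"].get(profile_name, {}).items():
        if menu["class"] in model["groups"].get(group_id, set()) and needed in allowed:
            return True
    return False


def visible_admin_menus(model, profile_name):
    """Sorted list of menu ids the given profile can see."""
    return sorted(m for m in model["menus"] if can_see_menu(model, profile_name, m))


if __name__ == "__main__":
    model = load_model(SAMPLE_XML)
    for name in model["profiles"]:
        print(f"{name}: {', '.join(visible_admin_menus(model, name)) or '(none)'}")
```

Running the script prints one line per profile; with the constructed sample, Configuration Manager sees ExportMenu only, Query Manager sees RunQueriesMenu only, and Administrator sees all three. Point load_model at your own delta merged with the stock profiles file to review the effect of a change before deploying it.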

The design was made to maintain extensions compatibility with previous versions of iTop.

NewObjectMenuNode, SearchMenuNode and OQLMenuNode have an automatic class which controls their access.

WebPageMenuNode needs to be secured against direct access (a user may guess the URL of a web page and try to access it even if they do not see the menu). To do so, each web page checks against ApplicationMenu::CheckMenuIdEnabled("MenuId"); with MenuId being the id used in the XML definition of the menu. This ensures that, in order to be able to execute a web page, the user must have access to the corresponding menu.

New Abstract Classes

Some admin menus have no logical class to tie to, so we have created new classes dedicated solely to controlling this access. You can extend this list if needed.

Class name | Usage
AbstractResource | new classes for access rights should inherit from AbstractResource
ResourceRunQueriesMenu | used to check the user's access rights against the menu Run Query
ResourceAdminMenu | used by default for all menus that do not have a proper class

bizmodel vs grant_by_profile classes

The group * has all classes having the bizmodel category. Some profiles have read access for the group *.

Classes with the category grant_by_profile are not accessible by default to users other than Administrators.

  • The application classes which are used to control the “admin tools” menus have the category grant_by_profile.

  • The new Abstract Classes also have the category grant_by_profile.

Changes in the Grant Matrix

The grant matrix displays classes having the category grant_by_profile or bizmodel.
Before iTop 2.5, only classes with the category bizmodel were displayed.

Example: the new entries in the grant matrix for a user with the User Manager profile can be seen here: https://www.itophub.io/wiki/media?media=2_7_0%3Acustomization%3Agrant_matrix.png

New Groups

Here are the 6 new Groups which are predefined and can be used by existing or new profiles:

datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml
 
   <user_rights>
     <groups>
      <group id="Notification" _delta="define">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="Trigger"/>
          <class id="lnkTriggerAction"/>
          <class id="Action"/>
          <class id="ResourceRunQueriesMenu"/>
        </classes>
      </group>
      <group id="User">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="User"/>
          <class id="URP_UserOrg"/>
          <class id="URP_UserProfile"/>
          <class id="URP_Profiles"/>
        </classes>
      </group>
      <group id="Audit">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="AuditCategory"/>
          <class id="AuditRule"/>
          <class id="ResourceRunQueriesMenu"/>
        </classes>
      </group>
      <group id="Query">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="Query"/>
          <class id="QueryOQL"/>
          <class id="ResourceRunQueriesMenu"/>
        </classes>
      </group>
      <group id="SynchroData">
        <classes>
          <!-- This class list is also present in AdminTools group -->
          <class id="SynchroDataSource"/>
        </classes>
      </group>
     </groups>
   </user_rights>

Created by superadmin on 2020/08/27, 17:22