Reports and permission sets

[Ufoto 14]

Hello,

I am using ESMC 7.2 and I am trying to create a permission set which should be used to restrict user access only to a single static group. Everything seems to be working as expected, except reports.

I am selecting the static group X as home group for a test user, and I am setting the same group as 'Static Group' during the Permission set creation. As for active permissions I allowed read/use for Groups & Computers and read/use/write for Reports & Dashboards and Server Tasks & Triggers -> Generate report.

With the configuration above, I would expect that the user should see all reports (data inside limited to static group X). However, the user doesn't see any reports. I created new reports with filters restricting results only to static group X, but the user is not seeing even these ones. 

The only way for the user to use reports is either to create them all on his own, or import them. Am I missing something? Is there a way how I as an ESMC administrator can give access to particular reports to users with restricted access?

Thank you in advance!

[MartinK 378]

1 hour ago, Kostadin_k said:

With the configuration above, I would expect that the user should see all reports (data inside limited to static group X). However, the user doesn't see any reports. I created new reports with filters restricting results only to static group X, but the user is not seeing even these ones. 

The only way for the user to use reports is either to create them all on his own, or import them. Am I missing something? Is there a way how I as an ESMC administrator can give access to particular reports to users with restricted access?

Thank you in advance!

Problem is, that report templates are actually also objects, that are "tied" to specific static group (= access group) and thus have limited visibility. In case of default report templates created during installation, they are configured with access group set to group "All", which means that only user which have access to "Reports & Dashboards" on group "All" will see those reports. The same applies also for other managing objects in console (policies, dynamic groups, notifications, ...).

Unfortunately I cannot verify now, but there might be two solutions, where both do require some redesign of security model you are using:

• Users might be assigned special permission set, that will give them permission to "Use" Reports from group All - but I would recommend to double check it does not give user access to devices
• Move/Change access group of required Report templates so that user can see it. We have seen that especially MSPs were creating specific "Shared" static group just to share such objects between users.

[Ufoto 14]

Hello Martin,

 

Thank you for your prompt response. Indeed the reports seem to be objects which inherit everything as I was duplicating reports until now and only changing their access group. When I created a brand new report as administrator into the respective restricted access group, the user was then able to see it. Although not perfect, I believe I can work with that. 

While I was testing this I discovered that for reports which I want duplicated (in order to avoid creating them manually for every new user/access group), I can simply export them, log in with a test user which shares the same permission set as my restricted accounts and import them. Once imported as user sharing the same permission set, even duplicate default reports work and show correct data. 

Thank you for pushing me in the direction