User right management
Introduction
The Versio.io platform offers several options for enabling or restricting user access at the level of functionality and data. The first step is to present the basic concept of user rights management, on which all subsequent documentation is based.
The Versio.io platform can manage several logically completely separate environments (multi-tenant / mandant concept). User access to an environment can be restricted at function level and at data level (inventory). Restriction at data level requires so-called workspaces, which define the workspace(s) to which each instance in the inventory belongs.
User groups define which users may use which functionalities in connection with which workspaces (data) of the user group. A user therefore always requires at least one user group assignment in order to access an environment. The following diagram illustrates the structure of authorisation management:
Figure: User rights management concept in the Versio.io platform
The following figure illustrates the relationships and cardinalities of all entities involved in user group management:
Figure: Domain model for user rights management in the Versio.io platform
Based on this basic concept, general and very detailed authorisation access can be implemented in Versio.io.
Customers have two implementation options for separation at data level:
- Environment (client): The data is stored in separate environments and users are only given access to a dedicated environment.
- Workspace: The data is stored in one environment and logically assigned to different workspaces. Users then only have access to the data in their workspace within the environment.
Examples of implementation variants:
Example | Description |
---|---|
Company with different departments | A company does not want to lose the context between the inventoried data (topology), but the individual departments should not be able to access the data from each other, or only to a limited extent. Inventory all data in a Versio.io environment and define workspaces for each department that mark their data. User groups can then be defined to determine which users can do what with which data. |
TEST and PROD environment | A customer inventories data from the TEST and PROD environments in separate Versio.io environments. This means that the data is logically separated and can be easily accessed by different users. In the TEST environment, the customer can manage with fewer rights restrictions due to the low criticality. |
Managed Service Provider | A Managed Service Provider offers services for customers. The provider does not want to define a separate environment for each customer, as this would mean constantly switching environments during service provision due to the number of customers, without ever getting an overall view. In this case, the provider uses one environment and assigns the data instances to be managed to corresponding workspaces. |
User
Users are created and assigned to an environment by adding them to a user group via their e-mail address.
These are always global users within the entire Versio.io platform. This means that the individual user is stored across all environments. The user can make individual adjustments and settings in the user profiles.
By removing the user from all user groups of an environment, the user's access to that environment is withdrawn.
User groups
The user group plays the central role in the assignment of rights. Here you can define:
- Which users are part of the user group. To do this, you can assign or remove existing users in the environment.
- Which authorisations (roles) are granted to the users. All available roles are specified below.
- Which data of the included workspaces can be accessed by the user with the authorisations. If no workspace is defined, the user can access all data.
The following table describes the roles and group assignment in detail:
Roles | Scope | Description | Rights |
---|---|---|---|
Server administrator | Server | Configure Versio.io server instance settings and create or deactivate environments. | Administrator |
Environment administrator | Environment | Configure Versio.io environment settings and user access. | Environment Admin, Environment Viewer, User admin, User viewer, API token admin, API token viewer |
User GUI access | Environment | Get GUI access for the specific environment. | Environment Viewer, User and password settings |
User API token management | Environment | Define and manage user specific API tokens for the specific environment. | User API token management |
CMDB viewer | Environment | Navigate, search and visualize configuration items and assets. | CAMDB reader |
CMDB writer | Environment | Save or update configuration items and assets via API. Depends on User API token management. | CAMDB writer |
CMDB configurator | Environment | Configure the settings for configuration items and assets (entity, entity groups, importer). | CAMDB configuration |
CA viewer | Environment | View and analyse the cost allocation. | CA reader |
CA configurator | Environment | Create and configure price models for cost allocations. | CA writer --> define price models |
GC viewer | Environment | View and analyse the violations and notifications based on governance & compliance rules. | GC reader |
GC executor | Environment | Execute a verification process for a ruleset. | |
GC configurator | Environment | Create and configure rulesets for governance & compliance verification. | |
Table: Versio.io roles (rights)
The following figure shows how you can configure a user group in Versio.io:
Figure: User group configuration
Workspaces
A workspace is a powerful approach in Versio.io to define sub-areas of all instances (data) available in the inventory. Typical examples of workspaces are the mapping of organisational structures and areas of responsibility. Workspaces can be used in Versio.io in role and rights management to enforce access authorisations to instances in the inventory. Furthermore, the user can use all workspaces assigned to him as a filter criterion for Versio.io views. Workspaces can overlap, just as the responsibilities of teams can overlap.
The following graphic shows some of the ways in which workspaces can be delineated:
Figure: Examples of a workspace, two overlapping workspaces and an invertible workspace
The following assignment criteria can be used for a workspace definition:
Types of assignment criteria | Description | Example |
---|---|---|
Instances | Inclusion of a predefined list of instances | Host test-myapp |
Entities | Inclusion of all instances of a specific entity | Entity Host |
OneImporter/OneGate | Inclusion of all instances that were inventoried by a specific OneImporter or OneGate | OneImporter prod-myhost |
Module type | Inclusion of all instances of a specific module type | Module SSL Certificate |
Importer configuration | Inclusion of all instances that were inventoried via a specific importer configuration | Importer configuration My importer configuration |
Table: Types of assignment criteria for a workspace definition
Within one criterion type, all assignment criteria are logically OR-linked (an instance matches if it satisfies any of them); across different criterion types they are logically AND-linked (an instance must satisfy every type that is defined).
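To make the two rules above and the user group rule concrete ("OR within a criterion type, AND across types"; a user group without workspaces grants access to all data), here is an added illustration in Python. It is not Versio.io code; the instance attributes, criterion type names and the treatment of an empty workspace definition are assumptions for this example.

```python
# Added example (not part of Versio.io): evaluates workspace membership and
# user group access according to the rules described in this documentation.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Instance:
    name: str             # e.g. "test-myapp"
    entity: str           # e.g. "Host"
    importer: str         # OneImporter/OneGate that inventoried the instance
    module_type: str      # e.g. "SSL Certificate"
    importer_config: str  # importer configuration name


# A workspace maps each criterion type to the set of values it includes.
Workspace = dict[str, set[str]]

# Assumed mapping from criterion type (see the table above) to instance attribute.
CRITERION_FIELD = {
    "instances": "name",
    "entities": "entity",
    "one_importer": "importer",
    "module_type": "module_type",
    "importer_configuration": "importer_config",
}


def in_workspace(inst: Instance, ws: Workspace) -> bool:
    # AND across criterion types: every defined type must match.
    # OR within a type: membership in the value set suffices.
    # Assumption: a workspace without any criteria matches nothing.
    if not ws:
        return False
    return all(getattr(inst, CRITERION_FIELD[t]) in vals for t, vals in ws.items())


@dataclass
class UserGroup:
    users: set[str]
    roles: set[str]
    workspaces: list[Workspace] = field(default_factory=list)  # empty => all data


def can_access(user: str, role: str, inst: Instance, groups: list[UserGroup]) -> bool:
    # A user needs at least one group that contains them and grants the role;
    # that group's workspaces, if any, restrict which instances are visible.
    for g in groups:
        if user not in g.users or role not in g.roles:
            continue
        if not g.workspaces or any(in_workspace(inst, ws) for ws in g.workspaces):
            return True
    return False
```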
Workspaces can be managed in Versio.io in the environment settings (Environment settings -> Workspaces). The following figure shows how workspace rules can be defined:
Figure: Workspace rule configuration