====== Application Authorization Profiles ======

===== Purpose =====

  * **Define which features a user can see and use**
  * Application authorization profiles define the level of access to the various application menus.
  * These profiles can be assigned to teams or users to define what they can see and how they can interact with the application.

{{:common:icon_note.png}} Combined with teams and device authorization profiles, application authorization profiles are a great way to manage user permissions.

===== Application authorization Profiles UI =====

  * The application authorization profile settings show tables of the existing application authorization profiles within the tenant.
  * Both tabs allow the following actions:
    * **Create/Edit** an application authorization profile
    * **Delete/bulk delete** application authorization profiles

{{..:settings:pasted:20210623-144643.png?1000}}

----

===== Manage Authorization profiles =====

  * To create or edit an application authorization profile, press **Create** or select **Edit** in the table action menu to open the application authorization profile editor
  * Set the application authorization profile's parameters
    * Name
    * Description
    * Permissions: To select/remove an authorization object, simply click on its name
  * You can **delete** a single application authorization profile or a group of them by either using the table action menu or the **bulk delete** button

{{:products:cockpit:1.0:userguide:settings:pasted:20220616-143713.png?width=1200}}

====== Device Authorization Profiles ======

===== Purpose =====

  * **Manage which devices a user can see and what they can do with them**
  * Device authorization profiles define visibility and permissions for a group of devices
  * A profile can be associated with a user or a team to define which devices a user can see and which actions a user can perform on them
  * The granularity of the authorizations is the group: the permissions set on a group apply to all its associated devices
  * Permissions can also be set on tags (Production, etc.) so you can apply different permissions within a group.

{{:common:icon_note.png}} Combined with teams and application authorization profiles, device authorization profiles are a great way to manage user permissions.

===== Device authorization Profiles UI =====

  * The device authorization profile settings show tables of the existing device authorization profiles within the tenant.
  * Both tabs allow the following actions:
    * **Create/Edit** a device authorization profile
    * **Delete/bulk delete** device authorization profiles

{{..:settings:pasted:20210623-172506.png?1000}}

----

===== Manage device authorization profiles =====

  * To create or edit a device authorization profile, press **Create** or select **Edit** in the table action menu to open the device authorization profile editor
  * Set the device authorization profile parameters
    * Name
    * Description
    * Global permissions for viewing, editing and deleting
    * Permissions per group and tags
  * You can **delete** a single device authorization profile or a group of them by either using the table action menu or the **bulk delete** button
  * Permissions can be applied on a group and on tags
    * **Group:** All devices belonging to the group will have the same permissions
    * **Tags:** All devices assigned to a tag will have the same permissions

{{:common:icon_info.png}}

===== Permissions =====

  * Device permissions apply to the following **configuration items**:
    * Organizations
    * Groups
    * Systems
    * Connectors
    * Monitoring users
    * Devices

{{:products:cockpit:1.0:userguide:settings:pasted:20231107-161741.png}}

==== Global permissions ====

  * Global permissions will apply to all existing and future configuration items
    * **View all**: Users will be able to see everything
    * **Edit all**: Users will be able to edit any item, including:
      * Changing CI definition
      * Assigning users
      * Assigning profiles
    * **Delete all**: Users will be able to delete anything.
==== Groups and tags permissions ====

  * Allows you to define custom permissions per group or tag
  * All underlying configuration items attached to a group or tag will be associated with the configured permission

^ Permission ^ Description ^
| View | Must be set for all the devices belonging to the group to be visible |
| Edit | Allows modifying device properties |
| Delete | Allows deleting a device |

  * Tag permissions will prevail over group permissions
  * Combined with global permissions, you can allow a user to see everything, but only to edit a subset of items associated with a given group or tag

{{:common:icon_info.png}} The privileges granted to an item will **always** be transferred to its children, even if they are set with fewer privileges.

**Example:**

  * If an organization is set to VIEW + EDIT, then all its underlying components will have VIEW + EDIT, even if some are set to VIEW only in the profile.
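
The inheritance rule above, as an added example (not part of the product or its documentation): a small Python model that computes effective permissions down a hierarchy and lists the items that end up with more privileges than the profile sets on them. The item names, the tree layout and the data structure are assumptions made for illustration; tag precedence is not modelled.

```python
# Added example: models the inheritance rule described above. All names and
# the data layout are hypothetical; this is not the product's API or schema.
from dataclasses import dataclass, field

VIEW, EDIT, DELETE = "VIEW", "EDIT", "DELETE"

@dataclass
class Item:
    name: str
    configured: frozenset          # permissions set on this item in the profile
    children: list = field(default_factory=list)

def effective_permissions(root, global_perms=frozenset()):
    """Return {name: effective set}: own + inherited from ancestors + global."""
    result = {}
    def walk(item, inherited):
        eff = frozenset(item.configured) | inherited | global_perms
        result[item.name] = eff
        for child in item.children:
            walk(child, eff)       # a parent's privileges always flow down
    walk(root, frozenset())
    return result

def widened_items(root, global_perms=frozenset()):
    """Items whose effective permissions exceed what the profile sets on them."""
    eff = effective_permissions(root, global_perms)
    configured = {}
    stack = [root]
    while stack:
        item = stack.pop()
        configured[item.name] = frozenset(item.configured)
        stack.extend(item.children)
    return {n: sorted(eff[n] - configured[n])
            for n in eff if eff[n] - configured[n]}

# Constructed sample profile: the organization is VIEW + EDIT,
# one group under it (and its device) is set to VIEW only.
SAMPLE = Item("org-acme", frozenset({VIEW, EDIT}), [
    Item("group-prod", frozenset({VIEW}),
         [Item("device-db01", frozenset({VIEW}))]),
    Item("group-lab", frozenset({VIEW, EDIT, DELETE})),
])

if __name__ == "__main__":
    for name, extra in sorted(widened_items(SAMPLE).items()):
        print(f"{name}: gains {extra} from a parent or global permission")
```

Running the same check over a real profile before assigning it shows where a VIEW-only entry gives no restriction because a parent already grants more.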