About Connection Role Security

Who Can Access Connections?

Tenant Admins and above always have access to all Connections. 

As Admins, they can use Connection Roles to prevent Regular users accessing a Connection. Such a Connection will be invisible and will give a Macro Error if the user runs a macro either in Report Studio or in a Schedule that requires a Connection to which they do not have access.

CRON-initiated Schedules are special (more details below).

For example, suppose you wanted to allow only some Regular users access to a specific LogicMonitor Connection. You can add those users into a relevant Role (with Role Permissions) and ensure the "Read" permission checkbox is not selected. Read permission grants the user access to the Connection when running macros, or when using the [ReportMagic.ConnectionList:] macro.

Note: Connection Roles are unrelated to the ability to run restricted macros.

About Restricting Connections 

A Connection is considered unrestricted - accessible to all users - when:

  • The Connection has no associated Connection Roles (see below)
  • The Connection has one or more Connection Roles but they are not completely set up:
    • A Connection Role without an associated Role
    • A Connection Role with a Role, but that Role has no associated Role Permissions

You may well want to restrict access to a Connection which you can do:

  • From the Admin menu, click Connections 
  • From the Admin menu, click the Access Control page

Restricting Access to a Connection

To restrict access to a Connection use the steps below.

Step 1 - Create Roles and Permissions

To set up the relevant Roles, Role Permissions and Role Memberships:

  1. From the Admin menu, click Access Control.
  2. Create a new Role if required, or choose an existing one.
  3. Click the Create button to add a Role Permission.
  4. Add the Name and Description, then in the Type drop-down, choose Connection.
  5. Select Read to make the Connection visible, or leave the box clear to hide it.
  6. Select the relevant Role.
  7. In the Role Memberships section, assign regular users to the Role.
    Note that Role Permissions are 'additive'. In other words, if you created one that allows read access and another that denies read access, then read would be granted by the presence of one or more read permissions.

Step 2 - Connections and Connection Roles

To set up the relevant Connection Roles, follow these steps:

  • Go to the Admin => Connections page
  • Scroll down to the Connection Roles section (assume you already have a Connection set up)
  • Click Create to open the dialog
  • Enter the Name and Description fields to something memorable
  • Choose the Connection that you want to restrict, from the Connection drop-down
  • Choose the Role that you want to associate with, in the Role drop-down

By performing the actions above, you have now associated a Connection with a Role (with its associated Role Permissions), and Role Memberships (i.e. the users that are in those Roles).

The Admin => Connection Roles table will indicate (in the Connection column) whether the Connection is restricted or unrestricted, and what the restrictions are.

Who Can Access Connections?

Using Connection Roles, you can effectively make a Connection inaccessible to certain users. When they attempt to run macros that would use that Connection, they see a message that the Connection does not exist - i.e. the system behaves as if the Connection does not exist for that user.

There are several scenarios to consider when determing whether a Connection can be accessed by:

1. Connections used by macros, in a manually-run Schedule

The Connection will be accessible (visible and usable by macros) when any of the following are true:

  1. The user is an Admin of any kind (Tenant Admin, Super Admin, or Uber Admin)
  2. The Schedule has been locked by an Admin. See the Schedule help.
  3. The Connection is "unrestricted" i.e.
    • There are no Connection Roles associated with the Connection
    • There are Connection Roles but none are associated with any Role (by way of Role Permissions)
  4. The Connection is "restricted" but the user is in at least one Role that gives them Read access to the Connection

2. Connections used by macros, in Report Studio

The Connection will be accessible (visible and usable by macros) when any of the following are true:

  1. The user is an Admin of any kind (Tenant Admin, Super Admin, or Uber Admin)
  2. The Connection is "unrestricted" i.e.
    • There are no Connection Roles associated with the Connection
    • There are Connection Roles but none are associated with any Role (by way of Role Permissions)
  3. The Connection is "restricted" but the user is in at least one Role that gives them Read access to the Connection

3. Connections used by macros, in a CRON-initiated Schedule

The Connection will be accessible (visible and usable by macros) when any of the following are true:

  1. The Schedule has been locked by an Admin. See the Schedule help.
  2. The Connection is "unrestricted" i.e.
    • There are no Connection Roles associated with the Connection
    • There are Connection Roles but none are associated with any Role (by way of Role Permissions)

Admin-Locked Schedules

Complete access to Connections (by CRON-initiated Schedules and manually-run Schedules) can be granted to all the Tenant's users when an Admin locks a Schedule. This does not apply in Report Studio, as there is no "Schedule" as such. More details can be found here.

Home ReportMagic AlertMagic DataMagic NCalc 101 Docs
Feedback
Type
Priority
Summary
Description
Page
Username
Include Screenshot
Search
Search Term
Search Product
An unhandled error has occurred. Reload 🗙