
Info: Limiting Permissions Within the Discovery Tree

Applies To:

Network Discovery jobs only

All versions of Venafi Trust Protection Platform / TLS Protect Datacenter 

 

Info:

When limiting permissions under the Discovery tree, certain steps must be taken to ensure the permissions work as intended. If this is not done correctly, the users or group you are trying to give access to will not be able to create discovery jobs in Aperture.

 

Use Case:

The customer wants a specific group or user to have permission to create a discovery job, on the condition that they can create a job only in a single child container and cannot view any other jobs that are created.

 

**Make sure you are logged in to Webadmin as a master admin**

 

1. Navigate to the Discovery tree

 

1. Within the Discovery tree, create a container that you will restrict permissions on. In this example, it is named "test container".


 

2. Select the newly created container in the container tree and navigate to the General tab where you see permissions.

3. Add the group or user to that container and give them the permissions desired. You can give admin access to that container unless you want to restrict that further. Click Save.


4. Now, navigate to the root container in the Discovery tree. Navigate to the General tab on the root and give that same group or user Create permission. If you do not do this, the users or group will not be able to create jobs in Aperture. The button will not even show up.


5. This will now enable the user or group to create discovery jobs that will default to the child container "test container". (They will not have an option to place the job in any other folder when creating it, because it defaults to the only folder they have permission to.)

6. Now, if you log in as one of those users in Aperture, the create new job button will be accessible.


**Note** The user or group will still be able to view other discovery jobs within Aperture that were not created by them unless you place those jobs into a separate container where the user or group does not have explicit permissions.

 
