LMS 3.0.1; Login Module: CiscoWorks Local;
RME > Reports > Custom Report Templates
- shows a table with all Templates generated by any user - no matter if they are created with a public or private scope;
- a user can edit only templates created by himself - this is ok;
- *every* user can click on the template name and view the template summary (even if it is private)
this - at least - is worth a discussion ....
- the admin account is not authorized to edit the templates generated by any other users; no matter if they are private or public; this is the error message:
CRIN0002: Not authorized to modify template sysUptime public.Contact your system administrator for further help.
==> the admin account should have access to *ALL* reports, rules, groups etc.....
RME Group Administration
RME > Devices > Group Administration
- for RME Groups every *public* group can be edited by any user; this is ok
- private groups can be viewed and edited only by the creator - not even the admin account can view private groups!
so far so good (or not so good) but the clue comes when you delete a user...
the report templates still belong to the (removed) user name; if they need to be changed it is not possible - but you can delete them....(and recreate them with an existing account - as you can view the template summary...)
for User defined Groups in RME it's different:
- for groups with a public scope all is ok as other users can edit or delete them as before
- but for groups with a private scope it is tricky as they disappear from the GUI but still exist in the database and can consume some space depending on the number of devices they contain (**OgsGroupCacheTable);
recreating the deleted user account gives you back the old permissions and brings back the invisible private groups in RME...
I cannot believe that this works as designed...
I am not sure if upgrade procedures from previous versions of LMS respect these issues and clean up the databases (in terms of access privileges for reports or invisible private OGSGroups..)
Is it possible to change the behaviour so that if a user is deleted the ownership of all his reports, groups, etc. is moved to the admin account? With this procedure no information would be lost and the admin can decide what to do.
Another idea is to move the ownership to a special named account (e.g. Zombie) which has no GUI login permission but the admin can see the reports and groups and move them to other accounts (like Unix chown).
A last idea is to force the admin to move reports and groups to existing accounts when the user is deleted...
Maybe with a PERS, this approach could be revisited. The import/export feature will allow you (or should allow you) to move groups from one user to another, so it should help with some of this, yes.
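The ownership behaviour reported in the first post and its "Zombie" holding-account idea, modelled as an added example (not CiscoWorks code and not part of the thread). The `Store` class, its methods and the group names are constructed for illustration, and ownership is assumed to be keyed on the user name.

```python
from dataclasses import dataclass

HOLDING = "Zombie"  # non-login holding account; name taken from the post

@dataclass
class Obj:
    name: str
    owner: str   # ownership keyed on user *name* (assumption of this model)
    scope: str   # "public" or "private"

class Store:
    def __init__(self, users, objs):
        self.users = set(users)
        self.objs = list(objs)

    def visible_to(self, user):
        # Private groups: creator only; admin additionally sees the holding account's
        return [o.name for o in self.objs if o.scope == "public" or o.owner == user
                or (user == "admin" and o.owner == HOLDING)]

    def orphans(self):
        # Objects whose owner name matches no current account: invisible but stored
        known = self.users | {HOLDING}
        return [o.name for o in self.objs if o.owner not in known]

    def delete_user(self, user, reassign=False):
        self.users.discard(user)
        for o in self.objs:
            if reassign and o.owner == user:
                o.owner = HOLDING  # park the object instead of orphaning it

    def chown(self, actor, obj_name, new_owner):
        if actor != "admin" or new_owner not in self.users:
            raise PermissionError("only admin may move objects to an existing account")
        for o in self.objs:
            if o.name == obj_name:
                o.owner = new_owner

def demo(reassign):
    # Constructed sample data: alice owns one private and one public group
    s = Store({"admin", "alice", "bob"},
              [Obj("core-routers", "alice", "private"),
               Obj("all-switches", "alice", "public")])
    s.delete_user("alice", reassign=reassign)
    orphaned = s.orphans()
    s.users.add("alice")  # a later account created with the same name
    return orphaned, "core-routers" in s.visible_to("alice")
```

`demo(False)` reproduces the reported behaviour: both groups are orphaned and a recreated `alice` regains the private one. `demo(True)` leaves no orphans and the recreated account inherits nothing.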