Administrators above Provider level, for example hcsadmin, can maintain access profiles as part of role management.
An access profile assigned to a role provides a general set of permissions and type-specific operations that are associated with specific models.
For type-specific operations, wildcards may be used in model references, for example data/*.
Note
Type-specific permissions that are also configured as general permitted operations will override the general permissions.
The default access profiles show typical configurations, for example an Operator-type profile at a hierarchy would only require Read type-specific permissions, while the administrator profile at the same hierarchy would have Create, Update and Delete permissions for the same type.
The default access profiles of the following administrators above Provider level have full general and type-specific permissions to all models:
The lists below provide details on the types of settings.
Miscellaneous Permissions
Many of these are general permissions that can be overridden per model as Type Specific Permissions.
The explanations below show the effect of enabling the permission.
Dashboard Permissions
Insights reporter resources (data/ReporterResource) required for the display of data on dashboards can be assigned individually as Specific Permissions in an access profile, or grouped into Dashboard Permission Groups which can then be assigned, simplifying the management of dashboard permissions. Access profiles allow for the management of these by means of transfer boxes.
If a user has access to a dashboard containing widgets that use reporter resources but the related access profile does not contain the resource, the widget data will not display and the user cannot manage the widget.
Administrators who have access to Dashboard Permission Groups can manage these groups so that they can be managed in an access profile.
If a specific permission is not selected but is in a selected permission group, the group selection applies. An access profile's Dashboard Permissions are therefore the union of resources selected from groups and specific permissions.
For details on dashboards, see: Automate Dashboards.
Type Specific Permissions
These are typically available on the GUI when listing or showing the type.
Note
Typical operations are listed below:
Create, Delete, Read, Update: management operations on models.
Configuration Template, Field Display Policy: create these for the model.
Export, Export Bulkload Template: allow export formats of the model.
Bulk Update: from a GUI list view, more than one item can be selected and updated.
For system level administrators above provider level: Purge for device models. From a list or instance view, remove the local database instance but retain it on the device.
Note
This operation is only applicable in cases where the UC server is still online and available in the VOSS Automate system.
For designers: Migration: a migration template can be obtained.
For designers: Tag and Tag Version: a model instance can be tagged and a version provided.
Dependent Permissions
Dependent permissions are permissions that apply to some API endpoints and that may be granted by virtue of having another permission in the Access Profile.
The following dependent permissions apply:
Permission to /api/handle_oauth_webex/
Granted by the permission to the Update operation on relation/SparkCustomer
Related Topics
Introduction to Access Profiles in the Core Feature Guide
The following table provides an explanation of the Miscellaneous Permissions that can be set on an Access Profile.
Name | API URL | Description |
---|---|---|
Api Root | /api/ | For example to allow display of the model tree view. |
Device Type Root | /api/device/cucm/ | Typically used to drill down into model types of a given device type in the model tree view. |
Export | /api/export/export_data/ /api/export/bulkload_template/ | For export of resources and bulkload template. |
Help | /api/help/ | For help tree. |
Help Export | /api/help/export/ | Export help as zip. |
Meta Schema | /api/meta_schema/ | To access the schema of resource meta data section. |
Model Type Choices | /api/data/choices/ /api/device/choices/ /api/tool/choices/ /api/wizard/choices/ /api/domain/choices/ | |
Model Type Root | /api/data/ /api/device/ | Typically used to drill down in the model tree view. |
Operations | /api/operations/ | A list of all the misc permissions (API operations that do not map to a model type, tool, and so on). |
Tool Root | /api/tool/ | Displays a list of all tools available. |
Type Operation | /api/+tag_version/ | Grants access to non-model-type-specific custom operations. |
Upload | /api/uploadfiles/ | Uploading of files, for example used by bulk load, import, and the data/File model. |
The following table provides an explanation of the Permitted Operations for the associated Permitted Types that can be set on an Access Profile.
The Permitted Types that are classified into Create-Read-Update-Delete groups:
Create
Name | Description |
---|---|
Add | Grants access to the form used to enter data for a new model instance, for example: HTTP GET on /api/data/User/add/. |
Create | Grants access to create a new instance of a given model type, for example: HTTP POST on /api/data/User/. |
Read
Name | Description |
---|---|
Choices | Grants access to view a list of all instances of a given model type, which is used to populate drop downs, for example: HTTP GET on /api/data/User/choices/. |
Config | Grants access to the form used to create a data/ConfigurationTemplate model for a given model type, for example: HTTP GET on /api/data/User/config/. |
Display Policy | Grants access to the form used to create a data/FieldDisplayPolicy model for a given model type, for example: HTTP GET on /api/data/User/display_policy/. |
Get | Grants access to retrieve instance data, for example: HTTP GET on /api/data/User/<pkid>/. |
Help | Grants access to viewing help of a given model type, for example: HTTP GET on /api/data/User/help/. |
List | Grants access to listing all instances of a model type, for example: HTTP GET on /api/data/User/. |
Meta Choices | Deprecated. |
Operation Schema | Grants access to view schema of custom operations, for example: HTTP GET on /api/data/User/+tag/schema/. |
Property Choices | Grants access to listing all the attributes of a given model as choices. Typically used to populate drop-down in GUI rule drop-downs, |
Schema | Grants access to the schema of a given model type, for example: HTTP GET on /api/data/User/schema/. |
Template Choices | Grants access to view a list of all instances of a given template model type, particularly for populating drop downs, for example: HTTP GET on data/DataModel, data/DomainModel, data/ProvisioningWorkflow, data/ConfigurationTemplate, data/Macro, and data/FieldDisplayPolicy. Unlike the 'Choices' operation, the search for template choices applies system-specific rules, such as only searching up the hierarchy. |
Update
Name | Description |
---|---|
Replace | Grants access to overwrite an entire model instance, for example: HTTP PUT on /api/data/User/<pkid>/. |
Update | Grants access to update a model instance, for example: HTTP PATCH on /api/data/User/<pkid>/. |
Bulk Update | Grants access to the feature that allows a user to modify multiple model instances in a single request, for example: HTTP POST on /api/data/User/bulk_update/. |
Bulk Update Form | Grants access to the form used to enter data for the Bulk Update operation, for example: HTTP GET on /api/data/User/bulk_update/. |
Migration | Grants access to the model migration form, for example: HTTP GET on /api/data/User/migration/. |
Delete
Name | Description |
---|---|
Remove | Grants access to deleting model instances, for example: HTTP DELETE on /api/data/User/. |
The operations that do not fall into these four groups are explained in the following table.
Name | Description |
---|---|
Download | Grants access to tool download capabilities of a given type, typically tool, for example: HTTP POST on /api/tool/Theme/<pkid>/?action=download. |
Execute | Grants access to execute a given model instance, for example: HTTP POST on /api/data/ProvisioningWorkflow/<pkid>/execute/. |
Graph | Grants access to viewing a graph for a type, typically the search tool, for example: HTTP GET on /api/tool/Search/graph/. |
Import | Grants access to import device models for the device referenced by the given instance, for example: HTTP POST on /api/data/Ldap/<pkid>/import/. |
Import Device | [Will be deprecated] Grants access to import device models for the device referenced by the given instance, for example: HTTP POST on /api/data/Ldap/<pkid>/import/. |
Instance Operation | Grants access to all custom operations of a given model, for example: HTTP POST/PUT/PATCH on /api/data/Countries/<pkid>/+tag/. |
Instance Operation By Method | Grants access to all custom operations of a given model with the operation name as a URL parameter, for example: HTTP POST on /api/data/Countries/<pkid>/?method=tag. |
Operations | Grants access to list, as choices, all supported operations for a given model type, for example: HTTP GET on /api/data/User/operations/. |
Replay | Grants access to transaction replay, for example: HTTP GET on /api/tool/Transaction/<transaction_id>/replay/. |
Report | Deprecated, for example: HTTP GET on /api/tool/Search/report/. |
Run Saved Search | Grants access to fetching results of a saved search, for example: HTTP GET on /api/tool/Search/saved_search/. |
Sub Transactions | Grants access to view sub-transactions of a given transaction, for example: HTTP GET on /api/tool/Transaction/<transaction_id>/sub-transactions/. |
Test Connect | Grants access to test if a device referenced by a data model is online, for example: HTTP GET/POST on /api/data/Ldap/test_connect/. |
Type Operation | Grants access to model-type-specific custom operations, for example: HTTP POST/PUT/PATCH on /api/data/User/+tag_version/. |
Visualize | Deprecated. |
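
The request shapes in the tables above can be used to review API request logs against a profile's Type Specific Permissions. The following is an added example, not VOSS Automate code: the profile dict layout, the 24-hex `<pkid>` pattern, the rule that any matching wildcard entry grants an operation, and the sample log are assumptions constructed for illustration. Only a subset of the listed operations is mapped; anything else is reported as unmapped for manual review.

```python
import re
from fnmatch import fnmatchcase

PKID = r"[0-9a-f]{24}"  # assumption: pkid is 24 hex characters; adjust to your system
# (HTTP method, URL shape after /api/<type>/, operation), as listed in the tables above.
ROUTES = [
    ("GET", "", "List"), ("POST", "", "Create"), ("DELETE", "", "Remove"),
    ("GET", "add/", "Add"), ("GET", "choices/", "Choices"),
    ("GET", "schema/", "Schema"), ("GET", "bulk_update/", "Bulk Update Form"),
    ("POST", "bulk_update/", "Bulk Update"), ("GET", PKID + "/", "Get"),
    ("PUT", PKID + "/", "Replace"), ("PATCH", PKID + "/", "Update"),
    ("POST", PKID + "/execute/", "Execute"), ("POST", PKID + "/import/", "Import"),
]
TYPE_URL = re.compile(r"^/api/((?:data|relation|tool)/[^/]+)/(.*)$")

def classify(method, path):
    """Map a request to (model_type, operation); None if the shape is not covered."""
    m = TYPE_URL.match(path.split("?", 1)[0])
    if not m:
        return None
    for verb, shape, op in ROUTES:
        if verb == method and re.fullmatch(shape, m.group(2)):
            return m.group(1), op
    return None

def permitted(profile, model_type, op):
    """Assumption: an operation is granted if any matching entry lists it."""
    return any(fnmatchcase(model_type, e["type"]) and op in e["operations"]
               for e in profile["type_specific"])

def audit(profile, requests):
    """Return (method, path, reason) for requests not granted or not mappable."""
    findings = []
    for method, path in requests:
        hit = classify(method, path)
        if hit is None:
            findings.append((method, path, "unmapped"))
        elif not permitted(profile, *hit):
            findings.append((method, path, f"{hit[1]} not granted on {hit[0]}"))
    return findings

# Constructed samples; the dict layout is hypothetical, not the product's own format.
PKID_1 = "5f1e0c2ab7d4e90012345678"
OPERATOR = {"type_specific": [{"type": "data/*", "operations": ["List", "Get"]}]}
LOG = [("GET", "/api/data/User/"), ("GET", f"/api/data/User/{PKID_1}/"),
       ("PATCH", f"/api/data/User/{PKID_1}/"),
       ("POST", f"/api/data/ProvisioningWorkflow/{PKID_1}/execute/"),
       ("GET", "/api/tool/Search/graph/")]
print(audit(OPERATOR, LOG))
```
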
The Access Profile can be assigned to a user role from Role Based Access > User Roles.
Access profiles define model types that a user is permitted to access. Access profiles are assigned to users via Roles.
Title | Description | Details |
---|---|---|
Name * | The name that is given to the Access Profile. | |
Description | A description for the Access Profile. | |
Full Access | Enabling this flag grants the user full system access. | |
Miscellaneous Permissions | The list of miscellaneous operations permitted by this Access Profile. | |
Dashboard Permissions | | |
Dashboard Permission Groups | The list of dashboard permission groups that are permitted by this Access Profile. | |
Specific Permissions | The list of specific resource permissions that are permitted by this Access Profile. | |
Type Specific Permissions | The list of types that are permitted by this Access Profile. | |
Permitted Type * | The type that is permitted by this Access Profile. This field supports the use of the * wildcard. | |
Permitted Operations | The operations that are permitted by this Access Profile for the given type. | |