Managing Security Permissions
About Permissions
Individual permissions (tasks/actions) are gathered together into roles. Permissions for users and groups are then granted by means of these roles. Analytics includes two types of role:
- Global Roles: Determine in general the tasks/actions that a given type of user should be able to perform in Analytics.
- Folder Roles: Determine the tasks/actions that the user should be able to perform on resources within specific folders.
For example, if a user has the Global Basic role, this grants them the ability to run reports. It also grants the ability to view reportable resources (such as agents), which is necessary for populating a parameter set for the report. However, the user can only perform these actions within specific folders for which they also have a suitable folder role. The user must have a report-running role for the folder in which the report is located, and they must have a resource-viewing role for the folder containing the reportable resources.
This ensures that access to different parts of the folder hierarchy can be controlled. It also means that the same user can be granted different levels of access in different parts of the folder hierarchy.
Global Roles
Analytics includes the following global roles. These are assigned automatically to users based on membership of default groups, so you do not need to assign them explicitly:
- Global Basic: This role is granted to all users automatically and provides a basic level of access to Analytics, although a user can view or interact with resources only as permitted by their folder roles.
- Global Advanced: Members of the Advanced Users group in any folder gain this role, which provides access to the Security, Resource Manager and Information Notice tools. In addition, Cisco users can provision any resource type and can use the Bulk Provisioning Upload tool.
Folder Roles
Analytics includes the following folder roles which you can apply to a user or group to provide them with an appropriate level of access to a given policy root folder and its inherited folders:
Role | Description | Entry |
---|---|---|
Basic | Analysts & supervisors who need to self-serve reporting. | |
Advanced | Managers, administrators and super-users. | As Basic users, plus the ability to manage: |
Supervisor | Users with specific management responsibilities. | |
Browse Shared Reports and Gadgets | Analysts who should be limited to a pre-defined set of data which they cannot stray beyond. | |
My Reports | Report creators and users who need a personal sandbox. | |
Full Permissions | | |
Managing User or Group Permissions
To manage permissions from the perspective of users or groups:
- Open the Tools menu.
- Select Security > Permissions.
- Navigate to the folder where the users or groups are located.
  The folder in which the users and groups are located is not necessarily the folder over which you grant or remove permissions. That folder is selected in a later step.
- View the Users tab to manage the permissions of one or more users, or view the Groups tab to manage the permissions of one or more groups.
- In the list, find the users or groups whose permissions you wish to manage and check the box next to each one.
- Click Change Permissions. A permissions dialog opens.
- Select the policy root folder over which you want to grant or remove permissions.
- You can see the list of folder roles to choose from, with check-boxes. Any folder roles already granted to the selected users and groups are checked.
  If you have selected an inherited policy folder then you do not see a list of folder roles. Instead, you see a message informing you that the selected folder inherits its permissions. You can convert this folder into a policy root in its own right, but if you do not wish to do this, you should find the policy root above this in the folder hierarchy.
- Check the boxes next to any roles that you wish to grant to the selected users/groups in the selected folder. See About Roles for the complete list of folder roles, but the most commonly used options are:
  - Select the Advanced role if you want the users and groups to be able to manage security and resources in the selected folder as well as using reporting.
  - Select the Basic role if you simply want the users and groups to use reporting in the selected folder.
- Uncheck the boxes next to any roles that should no longer be granted to the selected users or groups in the selected folder.
- Check the box marked Change Permissions for Subfolders to copy the changed permissions to any policy root folders below this one in the folder hierarchy. Any inherited policy folders below it inherently have these permissions.
- Repeat the previous steps to grant or remove roles in other folders. Your selections from each folder are retained.
- Click Save to save the changes (you have one last chance to confirm) or click Cancel to discard any changes without saving.
- If you choose to save the changes, a dialog appears summarizing the permissions being added or removed. Click Confirm to commit these changes or Cancel to discard them.
Changing the Inheritance of a Folder
You can convert an existing inherited policy folder into a policy root. This “breaks the inheritance” so that the security within the folder can be managed independently of its parent folder and a different set of users can be granted access.
You can also take an existing policy root folder and convert it back into an inherited policy folder. Any permissions that are specific to this folder are deleted and it inherits the permissions from the policy root folder above it in the hierarchy.
If you convert a folder into a policy root, three default groups are created automatically with the correct permissions: Advanced Users, Basic Users and Supervisors. You can add users as members to these groups to provide access to the folder.
Other groups may already have had permissions over this folder before you made this change. Those groups are “grandfathered in”, meaning that they still have the same permissions over the folder by default. However, you can choose to remove those permissions.
If you convert a folder into an inherited policy folder, any permissions for the folder are deleted and it inherits the permissions of the root policy folder above it. Any default groups that were created in the folder still exist but have no permissions over it.
To convert an inherited policy folder to a policy root or vice versa:
- Open the Tools menu.
- Select Security > Permissions.
- Navigate to the folder you wish to convert.
- Under the Permissions tab, you see a check box marked Inherit permissions from {parent folder name}. For root policy folders, this is unchecked. For inherited policy folders, it is checked.
- Uncheck this box to convert the selected folder to a root policy folder, or check the box to convert the selected folder into an inherited policy folder.
- You are prompted to confirm this action. Click OK to commit the change or Cancel to discard this change without saving.
Managing the Permissions of a Folder
You can inspect a folder’s permissions to confirm that the correct users and groups have access to it. You can also remove a user or group’s permissions.
To manage a folder’s permissions:
- Open the Tools menu.
- Select Security > Permissions.
- Navigate to the folder you wish to manage.
- Under the Permissions tab, you can see a list of the users and groups who have one or more folder roles in the selected folder. In each case, the full folder path is shown and the list is sorted alphabetically by path. The specific folder roles of each user/group are shown.
- Click the Remove icon next to a user or group to remove all of their permissions from the folder. Alternatively, to remove specific permissions or to add permissions, see Managing User or Group Permissions.
  The Remove icon takes effect immediately and does not prompt for confirmation. Do not click this unless you are sure that you want to remove all of a user/group’s permissions in the selected folder.
Viewing a User’s Permissions
You can inspect a user’s permissions from the user properties page in order to confirm that a user has all of the permissions that are expected. This is a read-only view and any changes must be made via the Permissions tool.
To view a user’s permissions:
- Open the Tools menu.
- Select Security > Users.
- Navigate to the folder where the user is located.
- In the list, find the user you want to edit and click their name. The user properties screen opens.
- In the toolbar, click Access. The User Permissions list opens:
  - The list shows every folder for which the user has one or more folder roles (including both policy roots and inherited policy folders). In each case, the full folder path is shown and the list is sorted alphabetically by path.
  - Next to each folder in the list, the folder role(s) which the user has in that folder are shown. Note that these roles may have been applied directly to the user or may have been inherited from groups that the user is a member of.
  - At the bottom of the list, any global roles that the user has are shown. These are inherited from the default groups that the user belongs to (for example, all users have the Global Basic role due to their membership of the Everyone group).
  - If there is an asterisk (*) beside a folder role or global role in the list, then that permission is not currently active. This can happen if the user inherits the permission by being a member of a group that has the permission, but the group is not enabled.
- Click Back to leave this screen.
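For an access review, the rules described on this page can be modelled directly: a task needs both a global role and a folder role, inherited policy folders take their permissions from the nearest policy root, and a role held only through a disabled group is inactive. The following is an added example, not part of the product or its documentation. The task names, the role-to-task mapping, and the folders, users and groups are constructed assumptions, and the automatic creation of default groups is not modelled.

```python
from dataclasses import dataclass, field

# Assumed task names; the role-to-task mapping paraphrases the page's role descriptions.
GLOBAL_TASKS = {"Global Basic": {"run_report"}, "Global Advanced": {"manage_security", "manage_resources"}}
FOLDER_TASKS = {"Basic": {"run_report"}, "Advanced": {"run_report", "manage_security", "manage_resources"}}

@dataclass
class Folder:
    path: str
    parent: "Folder | None" = None
    policy_root: bool = False
    grants: dict = field(default_factory=dict)  # user or group name -> set of folder roles

def policy_root_of(folder):
    """Inherited policy folders take their permissions from the nearest policy root above."""
    while not folder.policy_root:
        folder = folder.parent
    return folder

def folder_roles(user, groups, folder):
    """Return {role: active}; a role held only via a disabled group is inactive (the '*' case)."""
    grants, roles = policy_root_of(folder).grants, {}
    for role in grants.get(user, ()):
        roles[role] = True  # granted directly to the user
    for name, (members, enabled) in groups.items():
        if user in members:
            for role in grants.get(name, ()):
                roles[role] = roles.get(role, False) or enabled
    return roles

def can(user, global_roles, groups, folder, task):
    """A task needs a global role that allows it AND an active folder role that allows it."""
    active = [r for r, on in folder_roles(user, groups, folder).items() if on]
    return (any(task in GLOBAL_TASKS.get(r, ()) for r in global_roles)
            and any(task in FOLDER_TASKS.get(r, ()) for r in active))

def break_inheritance(folder):
    """Convert to a policy root; existing grants are carried over (grandfathered)."""
    folder.grants = {p: set(r) for p, r in policy_root_of(folder).grants.items()}
    folder.policy_root = True

def restore_inheritance(folder):
    """Convert back to an inherited policy folder; folder-specific grants are deleted."""
    folder.grants, folder.policy_root = {}, False

# Constructed sample hierarchy, users and groups.
root = Folder("/Tenant", policy_root=True, grants={"alice": {"Basic"}, "Night Shift": {"Advanced"}})
sales = Folder("/Tenant/Sales", parent=root)
groups = {"Night Shift": ({"alice", "bob"}, False)}  # group exists but is not enabled
```
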