Administration GuideCustom Roles and Policies › Restricting Data Access for a User: Win-Admin Scenario

Previous Topic: Example: Allow a Non-Administrator to Manage Archives

Next Topic: Step 1: Create the Win-Admin User

Restricting Data Access for a User: Win-Admin Scenario

You can limit reports users can view to those with a specified tag. You can limit the data users can view on those reports to data generated from specified event sources. Limiting access to reports with a given tag is done with an access policy. Limiting data access to events returned to a particular CA Enterprise Log Manager server is done with an access filter. With an access filter defined, a role assignment is optional. That is, you can create a new user, assign no role, and limit data access for that user with an access filter.

Consider the scenario for ABC company with four data centers in the U.S. The Administrator wants to give the Windows Administrator in the Houston region read access to Windows events processed by the domain controller in the Houston area. Windows events processed by the CA Enterprise Log Manager server installed on the Houston domain controller are sent from sources where the host names begin with the string, ABC-HOU-WDC.

This example walks you through creating a user called Win-Admin and ensuring that this user can only view reports that have a System Access tag and that the data on these reports is limited to events from event sources with host names that begin with the known naming convention.

The example provides details for each of the following steps:

  1. Create the new user, Win-Admin.
  2. Give Win-Admin basic access to CA Enterprise Log Manager. Add this identity to the CALM Application Access policy.
  3. Restrict access to reports for Win-Admin to those tagged as System Access. Create a scoping policy with read access to AppObject with filters that specify the EEM folder where Reports are stored and specify the calmTag is equal to System Access. Test the policy.
  4. Limit the data Win-Admin can view to that generated by the domain controller in Win-Admin's region. Create an access filter, named Win-Admin Data Access, that limits the query and report data Win-Admin can view to Windows events from event sources with a hostname that begins with ABC-HOU-WDC.
  5. Log onto CA Enterprise Log Manager as the Win-Admin user and evaluate the access provided by the policies.
  6. If the access is too limited for the user to perform intended tasks, extend the access with additional policies.

More information:

Step 1: Create the Win-Admin User

Step 3: Create Win-Admin System Access Policy

Step 4: Create Win-Admin Data Access Filter

Step 6: Extend Granted Actions