Configuring CA Executive Insight › Grant Access to CA Executive Insight using CA EEM › Create CA Executive Insight Application Access Policies

Create CA Executive Insight Application Access Policies

You can create a user and can assign the user to various CA Executive Insight business services or categories.

Follow these steps:

1. Open CA EEM, select ExecutiveInsightForSA from the Application list, and log in as an Administrator.

   The CA EEM home page opens.

2. Click Manage Access Policies.

   The Policies page opens.

3. Click the Explicit Grants tab to view grant policies or the Explicit Deny tab to view deny policies.
4. Select an Access Policy class: Administration, BusinessServices, or Category to view/add/update/delete the corresponding policies.
5. Select the type of policy to create:

   For an explicit GRANT (the green color indicates allowing users privileges)

   For an explicit DENY (the red color indicates denying users privileges)

   The New Access Policy form opens.

6. Specify all General field values, such as Name, Type, etc.
7. Do the following in the Identities section:
   1. Select User or Group from the Type list.
   2. Click Search Identities button.

      The Search Identities fields display.

   3. Click Search.

      A list of Users or Groups displays.

      Note: This assumes you have pre-established users and groups defined in CA EEM. If not, you need to create them first.

   4. Select the users or user groups and use the arrow button to populate the 'Selected Identities' column.
   5. After you have specified the users, within the 'Add resource' field you enter the application resources, like BusinessService or Category name. You click the plus (+) button for every resource you add to the policy. You can leave the field blank if the policy applies to all resources.

   Note: In case the Business Service to be specified as a resource name in the policy is hierarchical, then provide the whole path leading up to the name. Delimit the different nodes in the path by using the colon character. See Business Service Specified as Resource Name Considerations below.

   Note: The name of the resource must exactly match as it is defined in CA Executive Insight.

   Note: The Administration class policies do not need a resource name.

8. Select an appropriate action(s), like Read or Full by using the action check-box.
9. The policy now provides (or denies for Explicit Deny policy type) the specified users access to the BusinessService or Category defined and also to the indicators belonging to the specific Category or Business Service or Administrative privileges (if the policy is tied to the Administration class).
10. Select 'Save'.

    The access policy is created.

Note: CA Executive Insight is not able to update CA EEM automatically when a new category or business service is added, deleted, or updated. Use CA EEM to create the corresponding access policies as needed.

Business Service Specified as Resource Name Considerations

If you specify the Business Service as a resource name and the policy is hierarchical, then provide the whole path leading up to the name. Delimit the different nodes in the path using a colon character. For example, the following Business Service name consists of three hierarchical nodes: Android-Service, Android-Main, and Android_DSN-2.

Android-Service:Android-Main:Android-DNS-2 

In order to grant or deny access to the Android-Service:Android-Main:Android-DNS-2 service and its business indicators full path Android-Service:Android-Main:Android-DNS-2 has to be used as a resource name in the EEM Access Policy. Also, to be able to see lower level nodes on a mobile device while displaying Business Services in a hierarchical menus all the higher level nodes have to be also listed as Access Policy resource names. In the previous example this would be Android-Service and Android-Service:Android-Main. 

Because listing all these resource names in Access Policies is resource intensive, the 'Treat resource names as regular expressions' flag may be used. For example, a single resource name 'Android*' and the flag turned on all will achieve the same result as listing all three full node names as resource names.

The above example assumes Business Service nodes hierarchical structure is reflected in the node names. If this is not a case, using a resource name as a regular expression still can make the Access Policy creation task easier. For example, for the following Business Services an access to a financial data is denied to a group of users.

NorthAmerica:FinancialService:CA
NorthAmerica:FinancialService:MA
NorthAmerica:FinancialService:NY

The explicit denial Access Policy for the user group with resource name, use the following example and a regular expression flag can be created to achieve the task.

^ NorthAmerica: FinancialService

Special Considerations for Business Indicator Authorization

A business indicators access authorization is performed based on its membership in a Category or a Business Service. 

To be authorized a business Indicator must satisfy at least one of the following conditions:

• belong to at least one authorized Category
• belong to at least one authorized immediate level parent Business Service
• does not belong to any Category or Business Service

Note: If you are explicitly denied access to a Category or Business Service, it does not necessarily imply denial of access to all contained business indicators. If the same business indicator also belongs to other groups (either category or Business Service), one of which is explicitly granted access to the user, then the user will still be allowed access to this indicator.