

Step 6: Extend Granted Actions

The policies and access filter defined in steps 2, 3, and 4 of this example enable the Win-Admin user to view System Access reports, with limits on the data. With this access alone, the Win-Admin user cannot schedule a report, schedule an alert, or annotate a report. To do these things, add Win-Admin to the Analyst Auditor Report Server Access Policy and the Analyst Create-Schedule-Annotate policy. Examples of these policies with Win-Admin added follow:

You can give a user whose access you have limited with an access filter the ability to take other actions. Just add the identity name to other policies.

For Win-Admin to be able to create a report, this user needs write access added to the Win-Admin System Access policy. This requires opening the Win-Admin System Access policy for editing and adding write to the permitted actions.

The example grants Win-Admin read access to AppObject.

For Win-Admin to be able to use prompts, the filter for Win-Admin System Access can be modified such that the attribute calmTag equals either System Access or Event Viewer.

You only need to update the policy so that its filter reads (calmTag="System Access" OR calmTag="Event Viewer").