Object Categories

IF YOU ARE USING THE MULTI-TENANCY FEATURE, PLEASE MAKE SURE TO READ THIS POST CAREFULLY.

Multi-tenancy Changes

We’ve received a lot of feedback on the multi-tenancy feature.  THIS RELEASE contains two significant changes to the multi-tenancy logic:

  1. Behavior of “orphaned objects”
  2. Object Categories replace groups on devices, assets, and PDUs

Prior to this release, when multi-tenancy was on, non-superusers did not see any objects whatsoever until they were granted permission to see those objects, either directly or via a hierarchy (see https://docs.device42.com/multitenancy-overview/ for an explanation of hierarchies). Starting with this release, this behavior is an option but is no longer the default.

If you navigate to Tools / Settings / Global Settings, you will see the following new choices:


An “orphaned object” is an object (e.g. a rack or a subnet) that has no group assigned to it directly AND has no group assigned to a “parent object”. To refresh your memory, the parent objects of racks are rooms and buildings and the parent objects of subnets are their parent subnets and vrf groups. Prior to this release, orphaned objects could not be viewed by any non-superuser.

Customers have told us that this behavior is overly restrictive. You can maintain this behavior by unchecking the three options above. However, the default will be to leave these checked so that orphaned objects are visible to everyone.

The “Building hierarchy” option applies to building hierarchy objects, specifically buildings, rooms, racks, devices, assets, and PDUs. For example, if this option is checked, a non-superuser can view and change any building that has no groups assigned to it AND can view and change any room, rack, device, asset or PDU in the building.

The “IP hierarchy” option applies to IP addresses and subnets. For example, if this option is checked, a non-superuser can view and change any subnet that has no groups assigned to it or to a parent subnet.

The “Other objects” option applies to purchases, customers, and certificates. For example, if this option is checked, a non-superuser can view and change any purchase that has no groups assigned to it.



Object Categories replace groups on devices, assets, and PDUs

In this release, you will no longer see a Groups section on the view and edit pages of devices, assets, and PDUs. Instead, you will see an Object Category drop-down:


Object Categories work much like Subnet Categories in previous releases.

There is a separate menu item for Object Categories:


The Add form looks like this:


You just enter a Name and an optional description, then designate which group(s) can view and change devices, assets, and PDUs that are assigned to this Object Category.

Permissions assigned to devices, assets, and PDUs via Object Categories are additive to those assigned via the Building Hierarchy (i.e. to buildings, rooms, and racks). In other words, if a device is in building “Folsom St” and that building conveys view-only access to the device but the Object Category conveys change permission to that device, then the user will have change permission. Similarly, if the building conveys change permission to a device, assigning an Object Category that only conveys view permission will not restrict the user’s access to the device, and the user will still have change permission to the device.

If an Object Category is assigned to a blade chassis, all the blades in the chassis will be assigned the category. Similarly, if a category is assigned to a virtual host, all the VMs in the host will be assigned the category.

For your convenience, all objects affected by permissions (see https://docs.device42.com/multitenancy-overview/ for a list) now also have a new view-only field named “Group Permissions”. This field tells you which groups are assigned to this device, taking into account any groups assigned via Object Categories (see above), groups assigned via buildings, rooms, or racks that contain the device, and VMs and blade chassis that contain the device.
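The orphaned-object rule and the additive rule described above can be modelled together to audit what a non-superuser ends up with. This is an added example, not Device42 code: the class and function names are hypothetical, a single orphans_visible flag stands in for the “Building hierarchy” option, and it assumes a device whose only groups come from its Object Category is not orphaned.

```python
from dataclasses import dataclass, field
from typing import Optional

NONE, VIEW, CHANGE = 0, 1, 2  # ordered so max() picks the stronger permission

@dataclass
class Node:
    """A building, room, rack or Object Category with per-group grants."""
    name: str
    grants: dict = field(default_factory=dict)  # group name -> VIEW or CHANGE
    parent: Optional["Node"] = None

@dataclass
class Device:
    name: str
    location: Optional[Node] = None  # innermost container, e.g. the rack
    category: Optional[Node] = None  # Object Category, if one is assigned

def grant_sources(dev):
    """Grant tables that apply to a device: its category, then each ancestor."""
    sources = [dev.category.grants] if dev.category else []
    node = dev.location
    while node:
        sources.append(node.grants)
        node = node.parent
    return sources

def is_orphaned(dev):
    """True when no group is assigned via the category or any parent object."""
    return not any(grant_sources(dev))

def effective_permission(dev, user_groups, orphans_visible=True):
    """Additive rule: the strongest grant from any source wins."""
    if is_orphaned(dev):
        return CHANGE if orphans_visible else NONE
    return max((src.get(g, NONE) for src in grant_sources(dev)
                for g in user_groups), default=NONE)

def orphan_report(devices):
    """Names of devices any non-superuser can change while the option is checked."""
    return [d.name for d in devices if is_orphaned(d)]

# Constructed sample data (names other than "Folsom St" are hypothetical).
folsom = Node("Folsom St", {"noc": VIEW})
rack = Node("R1", parent=Node("Room A", parent=folsom))
db1 = Device("db1", rack, Node("Databases", {"noc": CHANGE}))
spare = Device("spare")  # no location, no category: orphaned
```

Running orphan_report over an inventory export before upgrading shows which devices become visible and changeable to every non-superuser under the new default.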

What to do if you have been using groups directly on devices, assets, and PDUs

This release contains a special utility to help you convert groups on devices, assets, and PDUs to Object Categories. Navigate to

Tools > Templates and Bulk Operations > Conversion Exports

and a spreadsheet will be downloaded. When you open the spreadsheet, you will see three tabs:

There is a tab for devices, one for assets, and one for PDUs; the groups for each will be listed. The simplest approach (though not necessarily the best approach) is to define an Object Category for each unique entry in the groups column, then enter this category in the new_object_category column.


Then navigate to

Tools > Import

and import the spreadsheet. Please note that you must define your Object Categories first (see above) or you will get a set of error messages. The import can be rerun with different object_category entries as often as you need. The import ignores the group column.

Please Note: The Conversion Exports feature will be removed in the first release after Jan 1, 2017.