Users and Groups

DEPRECATED AS AT v2. See Release Notes for Open-AudIT v2.0.1

Open-AudIT makes extensive use of the Users and Groups concept.

An Open-AudIT User is anyone with logon credentials to the Open-AudIT application. Credentials can be validated internally or against Active Directory.

An Open-AudIT Group is a set of devices that is defined by the Open-AudIT Administrator. A Group definition can contain any property (or multiple properties) of a device. Custom fields/properties (which can be added in Open-AudIT using the GUI) can also be included. Several Group definitions have been provided, but only the "All Devices" Group is activated by default. To active a Group go to Admin -> Groups -> Activate Group. You should never delete the "All Devices" Group. A group uses a SQL query to determine the systems that belong to it. Each system has an entry in oa_group_system noting it's system_id and the group_id from the oa_group table. Thus, a system can belong to more than one group and one group can have more than one system.

A User has a level of access to a specific Group. That level can be:

  • 0 - no access
  • 3 - view only in "list" type screens
  • 5 - view basic individual system details
  • 7 - view "sensitive" details about a system (software install keys, etc)
  • 10 - edit system details and custom data

So, if a user wishes to view a group, it is first checked that his group_access_level is at least 3.
The user_id is known (cookie). 
The group_id is known (in the url).
If it is, the group is listed as per the details from oa_group.
If it is not (ie - the user has a group_access_level of 0 or null), the user is redirected to the "list all groups" type page (the Home page).

The same principle applies to individual systems.
The user_id is known.
The system_id is known.
They are combined and the group_access_level is determined, hence access granted or denied.
The highest group_access_level is used - not the lowest.
Thus, if a system belongs to more than one group, but a user has differing levels of access to those groups, the highest level will be applied and used.

The database schema looks like the below graphic.

  • No labels