Secure Data Access by Assigning a Data Restriction Role to Users or Groups

Aternity enables data restriction by tagging certain users or groups of users and defining what data they are allowed to view. As an Administrator of Aternity, you can choose which data restriction value to assign to each user or group of users when adding or editing users. This way you can separate users' data by country or region to comply with data privacy regulations.

For example, this capability allows IT Service Desk staff to see only the relevant users and devices from the region they support instead of a long list from all over the world. This makes their work easier and their response time shorter. As another example, it allows a local IT person to see devices only from his/her department.
Allow user to see only limited data
Note

Data restriction is currently supported by device data (attributes) only; do not use application data.

Out of the box, data restriction supports one attribute by default. If you need to restrict access to the data by several attributes (for example, both Business Locations and Username), you can combine values using custom attribute #6.

Any user with the Data Restriction tag will see only dashboards related to a single device or user, such as User Experience, Troubleshoot Device, and IT Service Desk. In addition, this user can view simple Analyze dashboards and Enterprise Summary.

As an Administrator of Aternity, get familiar with the following:

(For all devices except mobile) The first step is to decide which attribute to restrict data access by and to supply this information to Aternity SaaS Administration. Aternity will configure the system for you.

When contacting Aternity SaaS Administration, supply information about your common use case and main purpose for data restriction, as well as how you want to separate users' data (by location/country/region/host/other).

You can set grouping rules for data restriction by creating scripts with exclude or other relevant commands. For example, create a script that defines two countries as locations whose data users are allowed to view and the rest of the world as a location whose data users cannot view. Send the conceptual structure of the script to Aternity SaaS Administration and we will create the script for your account.

After Aternity SaaS Administration enables data restriction using the values you requested, the next step is to add a predefined role to users or groups.
Set data restriction to a User
Set data restriction to the SSO Group

Now users will see the data only from Los Angeles and Miami offices.

For SSO groups, note that if a user belongs to several groups and is restricted in only one of them, that user can view all data despite the restriction, because of the permissions granted by the second group. To prevent this, create permissions per group and verify that the same user does not belong to groups with different permissions.
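
One way to check for the group overlap described above before assigning roles, as an added example that is not Aternity's own tooling: the script reads a group-membership export from your identity provider and flags users whose groups carry different permissions. The CSV layout, group names and restriction values are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: an export of SSO group memberships from an identity
# provider. Column names and group names are hypothetical, not an Aternity format.
SAMPLE_MEMBERSHIPS = """user,group
alice,ServiceDesk-LA-Miami
bob,ServiceDesk-LA-Miami
bob,Aternity-Analysts
carol,ServiceDesk-Berlin
carol,ServiceDesk-LA-Miami
dave,Aternity-Analysts
"""

# Constructed mapping: the data restriction value granted to each group as
# configured by the administrator; None means the group's role is unrestricted.
GROUP_RESTRICTION = {
    "ServiceDesk-LA-Miami": "LA-Miami",
    "ServiceDesk-Berlin": "Berlin",
    "Aternity-Analysts": None,
}

def audit_memberships(csv_text, group_restriction):
    """Return {user: finding} for users whose groups carry differing permissions."""
    groups_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups_by_user[row["user"].strip().lower()].add(row["group"].strip())

    findings = {}
    for user, groups in sorted(groups_by_user.items()):
        unknown = sorted(g for g in groups if g not in group_restriction)
        if unknown:
            # Fail closed: a group with no recorded permission needs review
            findings[user] = ("unknown-group", unknown)
            continue
        values = {group_restriction[g] for g in groups}
        if None in values and len(values) > 1:
            # Restricted in one group, unrestricted in another: restriction is bypassed
            findings[user] = ("restriction-bypassed", sorted(groups))
        elif len(values) > 1:
            # Member of groups with different restriction values
            findings[user] = ("mixed-restrictions", sorted(groups))
    return findings

if __name__ == "__main__":
    for user, (kind, groups) in audit_memberships(SAMPLE_MEMBERSHIPS, GROUP_RESTRICTION).items():
        print(f"{user}: {kind} via {', '.join(groups)}")
```

Run it against a fresh membership export whenever groups change, and resolve every finding before relying on the restriction.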

As a user, here are some usage tips:
  • In the top left corner, select Main Menu and then choose the dashboard you want to view. Restricted users see a limited menu containing only the dashboards supported for this view.
    Aternity Main Menu
  • In search results, restricted users see only the users or devices they are allowed to view.

  • Users can see if their viewing options are limited by selecting the User icon on the top bar: restricted users have the security shield icon.
    User icon
  • When you drill down to a dashboard that you are not allowed to view, an error message appears informing you that you are not allowed to see this data.
    Access Denied error message

In the dashboards that present data by location, restricted users see the data from the allowed regions only.

See data from the allowed business location

Restricted users can view the shared dashboards, which will be automatically filtered and show the allowed data only. Advanced dashboards, when shared, are available for viewing only.

Note

Aternity uses the Custom Attribute 6 placeholder as the data restriction attribute. It can hold any attribute available in Aternity, for example location, region, or host name, and it can also include prefix or suffix words. It can be anything you choose, as long as it helps separate the devices whose data you want to restrict to a limited group of users. Contact Aternity SaaS Administration to supply information about your common use case and main purpose for data restriction, as well as how you want to separate users' data (by location/country/region/host/other).

Custom Attribute 6 is used for data restriction and you cannot use it for other purposes. If data restriction is enabled for an account, users cannot use Custom Attribute 6 in this account any more. In this case, if it was used for other purposes, replace it with another custom attribute.

Note

Users assigned a data restriction role will not have access to REST API, license provisioning, and remediation, and they will not be able to administer Agents. However, they can still initiate remediation actions for a single device from the IT Service Desk dashboard. Restricted users cannot manage remediation, but can still execute remediation scripts on the devices they are allowed to view one by one via single device dashboards.