Secure Data Access by Assigning a Data Restriction Role to Users or Groups

Aternity enables data restriction by tagging certain users or groups of users and defining what data they are allowed to view. As an Administrator of Aternity, when you add or edit users, you can choose which data restriction value to assign to each user or group of users. This way you can separate users' data by country or region to comply with data privacy regulations.

For example, this capability allows IT Service Desk staff to see only the relevant users and devices from the region they support instead of a long list from all over the world. This makes their work easier and their response time shorter. As another example, this capability allows a local IT person to see devices only from his/her department.
Allow user to see only limited data
Note

Data Restriction can be set using device data (attributes) only; do not use application data.

By default, Aternity supports one attribute for data restriction. If you want to restrict data access by several attributes (for example, by both Business Location and Username), you can combine the values using custom attribute #6.

Any user with the Data Restriction tag views dashboards related to a single device or single user, such as User Experience, Troubleshoot Device, and IT Service Desk. In addition, this user can view Analyze dashboards and Enterprise Summary.

As... Get familiar with...
An Administrator of Aternity

(For all devices except mobile) The first step is to decide which attribute to use to restrict data access and to supply this information to Aternity SaaS Administration. Aternity will configure the system for you.

When contacting Aternity SaaS Administration, supply information about your common use case and main purpose for data restriction, as well as how you want to separate users' data: by location/country/region/host/other.

You can set grouping rules for data restriction by creating scripts with exclude or other relevant commands. For example, create a script that defines two countries as locations whose data users are allowed to view and the rest of the world as a location whose data users cannot view. Send the conceptual structure of the script to Aternity SaaS Administration and we will create the script for your account.

After Aternity SaaS Administration enables Data Restriction with the values you requested, the next step is to add a predefined role to users or groups.
Set data restriction to a User
Set data restriction to the SSO Group

Now users will see the data only from the Los Angeles and Miami offices.

As for SSO groups, note that if a user belongs to several groups and is restricted in only one of them, that user can view all data despite the restriction, because of the permissions granted by the second group. To prevent this, create permissions per group and verify that the same user does not belong to groups with different permissions.
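One way to run the verification described above before assigning roles, as an added example (not Aternity code): it takes a constructed export of SSO group memberships plus a record of which restriction value each group's role carries, and lists users who belong to groups with different permissions. The group names, user names and input format are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption): SSO group -> members, as exported from
# your identity provider. Group and user names are hypothetical.
GROUP_MEMBERS = {
    "ServiceDesk-LosAngeles": {"alice", "bob"},
    "ServiceDesk-Miami": {"carol", "bob"},
    "IT-Global-Analysts": {"dave", "alice"},
}

# Constructed (assumption): the restriction value attached to each group's role,
# or None when the group's role carries no data restriction.
GROUP_RESTRICTION = {
    "ServiceDesk-LosAngeles": "Los Angeles",
    "ServiceDesk-Miami": "Miami",
    "IT-Global-Analysts": None,
}


def find_conflicts(group_members, group_restriction):
    """Return {user: {"restricted": [...], "unrestricted": [...]}} for every user
    whose groups do not all carry the same restriction setting."""
    per_user = defaultdict(dict)
    for group, members in group_members.items():
        if group not in group_restriction:
            # Fail closed: an unrecorded group cannot be assumed to be restricted.
            raise KeyError(f"no restriction setting recorded for group {group!r}")
        for user in members:
            per_user[user][group] = group_restriction[group]

    conflicts = {}
    for user, groups in per_user.items():
        if len(set(groups.values())) > 1:  # memberships with different permissions
            conflicts[user] = {
                "restricted": sorted(g for g, v in groups.items() if v is not None),
                "unrestricted": sorted(g for g, v in groups.items() if v is None),
            }
    return conflicts


if __name__ == "__main__":
    found = find_conflicts(GROUP_MEMBERS, GROUP_RESTRICTION)
    for user, info in sorted(found.items()):
        print(user, info)
```

A non-empty `unrestricted` list marks the case the paragraph warns about; an empty one means the user sits in groups restricted to different values, which still counts as different permissions.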

A user
Here are some usage tips:
  • In the top left corner, select Main Menu and then choose the dashboard you want to view. Restricted users see a limited menu containing only the dashboards supported by this view.
    Aternity Main Menu
  • In the search results, restricted users see only the users or devices they are allowed to view.

  • Users can see if their viewing options are limited by selecting the User icon on the top bar: restricted users have the security shield icon.
    User icon
  • When you drill down to a dashboard that you are not allowed to view, an error message appears informing you that you are not allowed to see this data.
    Access Denied error message

In the dashboards that present data by location, restricted users see the data from the allowed regions only.

See data from the allowed business location

Restricted users can view the shared dashboards, which will be automatically filtered and show the allowed data only. Advanced dashboards, when shared, are available for viewing only. (Exceptions are Installed Software and Software Changes. These two will not be shared.)

Note

Aternity uses Custom Attribute 6 as the placeholder for the data restriction attribute, which can be any attribute available in Aternity, for example location, region, or host name. It can also have prefix or suffix words. It can be anything you choose as long as it helps separate the devices that can be accessed only by a limited group of users. Contact Aternity SaaS Administration to supply information about your common use case and main purpose for data restriction, as well as how you want to separate users' data (by location/country/region/host/other).

Since Custom Attribute 6 is used for data restriction, do not use it for other purposes. If data restriction is enabled, users of that account cannot use Custom Attribute 6 any more. In this case, if it has already been used for other purposes, replace it with another custom attribute.

Note
Users assigned a data restriction role CAN do the following:
  • View Analyze dashboards and Enterprise Summary

  • View dashboards related to a single device or user, such as User Experience, Troubleshoot Device, and IT Service Desk.

  • Initiate remediation actions for a single device from the IT Service Desk dashboard

  • Execute remediation actions on the devices they are allowed to view (one action after another via single device dashboards)

Users assigned a data restriction role will NOT have access to Administration screens, REST APIs, Insights, dashboard editing tools, NOC Autorefresh and My Workspace dashboards.