Secure Data Access by Assigning a Data Restriction Role to Users or Groups

Aternity enables data restriction by tagging certain users or group of users and defining what data they are allowed to view. As Administrator of Aternity, when adding or editing users in Aternity, you can choose what data restriction value to assign to each user or group of users. This way you can separate users' data by country or region to comply with data privacy regulations.

For example, this capability allows IT Service Desk people to see only relevant users and devices from a certain region they support instead of a long list from all over the world. This makes their work easier and their response time shorter. Another example, this capability allows a local IT person to see devices only from his/her department.
Allow user to see only limited data

Data Restriction can be set using device data (attributes) only, do not use applications data.

By default, Aternity supports one attribute for data restriction. If you want to restrict data access by several attributes (for example, by both Business Location and Username), it is possible to combine the values using custom attribute #6 (learn more).

Aternity uses Custom Attribute 6 placeholder for a data restriction attribute which can be any device attribute available in Aternity, for example location, region, or host name (it cannot be an application attribute). It can also have a prefix or suffix words. It can be anything you choose as long as it helps separate the devices that can be accessed only by a limited group of users. Contact Aternity SaaS Administration to supply information about your common use case and main purpose for data restriction, as well as how you want to separate user’s data (by location/country/region/host/other).

Since Custom Attribute 6 is used for data restriction, do not use it for other purposes. If data restriction is enabled, users of that account cannot use Custom Attribute 6 any more. In this case, if it's been already used for other purposes, replace it with another custom attribute.

As... Get familiar with...
An Administrator of Aternity

(For all devices except mobile), First step is to decide by what attribute to restrict data access and to supply this information to Aternity SaaS Administration. Aternity will configure the system for you.

When contacting Aternity SaaS Administration, supply information about your common use case and main purpose for data restriction, as well as how you want to separate user’s data, by location/country/region/host/other.

To set grouping rules for data restriction is possible by creating scripts with exclude or other relevant commands. For example, create a script that defines two countries as locations whose data users are allowed to view and the rest of the world as a location whose data users cannot view. Send the conceptual structure of the script to Aternity SaaS Administration and we will create the script for your account.

After Data Restriction is enabled by Aternity SaaS Administration by the values you asked, the next step is to add a predefined role to users or groups.
Set data restriction to a User
Set data restriction to the SSO Group

Now users will see the data only from Los Angeles and Miami offices.

As for SSO groups, note that if one user belongs to several groups, where in one group that user is restricted, that user can view all data despite the restriction due to permissions in the second group. To prevent this, make sure to create permissions per groups and verify that same user does not belong to groups with different permissions.

A user
Here are some usage tips:
  • In the top left corner, select Main Menu > and then choose the dashboard you want to view. Restricted users see the limited menu with only supported by this view dashboards.
    Aternity Main Menu
  • Restricted users see in the search results only allowed to them users or devices.

  • Users can see if their viewing options are limited by selecting the User icon on the top bar: restricted users have the security shield icon.
    User icon
  • When drilling down to a dashboard that you are not allowed to view, the error message will appear informing that you are not allowed to see this data.
    Access Denied error message

In the dashboards that present data by location, restricted users see the data from the allowed regions only.

See data from the allowed business location

Restricted users can view advanced dashboards shared with them. In this case, the dashboards will be automatically filtered to show allowed data only.


If Installed Software, Installed Software Changes , or Remote Display Latency dashboards are shared with restricted users (or with all the users), they will not be filtered. Therefore, it is not recommended to share such dashboards with restricted users.

Users who were assigned a Data Restriction role CAN view a specific set of dashboards:
  • View Analyze dashboards, such as:

    • Applications

    • Business Activities

    • Device Health

    • Host Resources

    • Process Resources

    • Remediation actions

    • WiFi

  • View Monitor dashboards, such as:

    • Enterprise Summary

    • Application

    • User Experience

    • Activity Resource Analysis

    • Skype for Business Calls Details

    • NOC

  • View Troubleshoot dashboards, such as:

    • User or Device

    • Device Events

    • IT Service Desk (can initiate remediation actions for a single device only)

    • Troubleshoot Application

    • Troubleshoot Activity

    • Remote Display Latency

    • Boot Analysis

  • View Validate dashboards, such as:

    • Application Change

    • Configuration Change

    • VDI Migration

  • View Inventory dashboards, such as:

    • Analyze Device Inventory

    • Device Inventory

  • View additional dashboards, such as:

    • Desktop Reliability

    • Device Health (Enterprise level)

    • Performance (My Enterprise)

    • Low Usage Incident

  • Also, they can execute remediation actions on the devices they are allowed to view (one action after another via single device dashboards)

Users assigned a data restriction role do NOT have access to Administration screens, Insights, editing dashboard tools, and My Workspace dashboards.