Secure Data Access with Role-based Access Control (RBAC)

Aternity lets you restrict data access by assigning a restriction value to a user or a group of users and thereby defining which data they are allowed to view.

As the Aternity Administrator, when adding or editing users in Aternity, you can restrict what they see by one of the following:
  • Aternity attribute values

  • SAML Claims

Decide which data restriction value to assign to each user or group of users, or customize SAML Claims for that purpose. This way you can separate users' data by country or region to comply with data privacy regulations.

For example, this capability lets IT Service Desk staff see only the users and devices from the region they support instead of a long list of users from all over the world, which makes their work easier and their response time shorter. Another example: a local IT person can see devices only from their own department.

Data restriction roles can be assigned to groups and users automatically, based on a user attribute carried in a SAML Claim; the SSO response must contain that claim. For example, to restrict the users in a group by department, define a department claim in your IdP and configure your SSO settings to send it. The exact steps for adding claims depend on the IdP you use; see the documentation for your IdP software.

When the IdP sends its SAML response to Aternity, the response includes the claim, which is information about the user and their groups. Verify that the SAML authentication responses from your IdP actually contain the attributes Aternity uses to check permissions for users and groups when they log in.

Allow users to see only limited data
Tip

For Data Restriction use only device data (attributes), do NOT use applications data.

By default, Aternity supports a single attribute for data restriction. If you want to restrict data access by several attributes (for example, by both Business Location and Username), combine their values into custom attribute #6.

Aternity uses the Custom Attribute 6 placeholder for the data restriction attribute. Its value can be any device attribute available in Aternity, for example location, region, or host name (it cannot be an application attribute), optionally with prefix or suffix words. Any value works as long as it separates the devices that only a limited group of users may access.

Contact Aternity SaaS Administration and describe your common use case and main purpose for data restriction, as well as how you want to separate users' data (by location, country, region, host, or another attribute).

Since Custom Attribute 6 is reserved for data restriction, do not use it for anything else. Once data restriction is enabled, users of that account can no longer use Custom Attribute 6; if it was already in use for another purpose, move that purpose to a different custom attribute first.

As an Administrator of Aternity, get familiar with the following:

(For all devices except mobile) First, decide which attribute should govern data access and send that information to Aternity SaaS Administration, who will configure the system for you. Alternatively, configure your SSO settings so that the IdP provides the SAML Claim you want to restrict by.

When contacting Aternity SaaS Administration, describe your common use case and main purpose for data restriction, and how you want to separate users' data: by location, country, region, host, or another attribute.

Grouping rules for data restriction are implemented as scripts that use exclude and other relevant commands. For example, a script can define two countries as locations whose data users are allowed to view, and the rest of the world as a single location whose data they cannot view. Send the conceptual structure of such a script to Aternity SaaS Administration and they will create the script for your account.

After Aternity SaaS Administration has enabled Data Restriction with the values you requested, add a predefined role to users or groups: select Values and define the value.

Set data restriction to a User

In this example, users see data only from the Los Angeles and Miami offices.

Add a predefined role to SSO groups:
  1. Select either Values or SAML Claims.
  2. Define the value in the Values field, or enter the claim exactly as it is defined in the IdP settings.
Set data restriction to the SSO Group
Tip

Access is resolved permissively across group memberships. If a user belongs to several groups and a restriction is set on only one of them, that user can still view all data, because the group without a restriction grants open access. To prevent this, define permissions for every group and make sure that no user belongs to groups with different permissions.
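The following Python is an added example, not Aternity code. It shows where a claim sits in a SAML assertion (the department example above) and models the multi-group caveat from this tip: the user's effective access is the most permissive across their groups, so one group with no restriction (or with no permissions defined at all) makes the user unrestricted. The assertion is constructed, and the claim names, group names, Values and group-to-restriction mapping are assumptions for illustration.

```python
"""Model of how data restriction resolves for an SSO user.

Added example, not Aternity code. The claim names ("department",
"groups"), the group names and the restriction Values are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment (not captured from a real IdP).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>ServiceDesk-West</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ServiceDesk-West</saml:AttributeValue>
      <saml:AttributeValue>All-Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

UNRESTRICTED = None  # models an SSO group whose Values field was left empty

# Assumed mapping of SSO groups to the Data Restriction value assigned to
# each group in Aternity. A group missing from this mapping has no
# permissions defined, which the tip above says also means open access.
GROUP_RESTRICTIONS = {
    "ServiceDesk-West": {"Los Angeles", "Miami"},
    "ServiceDesk-EMEA": {"London"},
    "All-Staff": UNRESTRICTED,
}


def claim_values(assertion_xml, name):
    """Return every AttributeValue of the claim called `name`."""
    # Production code must validate the assertion signature first and parse
    # untrusted XML with a hardened parser (e.g. defusedxml); the stdlib
    # parser is used here only so the example runs offline.
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def effective_restriction(groups, mapping):
    """Resolve which data a user can see from all of their groups.

    Returns the set of allowed Values, or None if the user is unrestricted.
    Access is the most permissive across groups: a single group with no
    restriction (or with no permissions defined) grants access to all data.
    """
    allowed = set()
    for group in groups:
        restriction = mapping.get(group, UNRESTRICTED)
        if restriction is UNRESTRICTED:
            return UNRESTRICTED
        allowed |= restriction
    return allowed


def mixed_membership(groups, mapping):
    """Audit check: True if a user is in both restricted and open groups.

    This is exactly the situation the tip warns about; such users should be
    removed from one kind of group or every group should get a restriction.
    """
    kinds = {mapping.get(g, UNRESTRICTED) is UNRESTRICTED for g in groups}
    return kinds == {True, False}


if __name__ == "__main__":
    groups = claim_values(ASSERTION, "groups")
    print("department:", claim_values(ASSERTION, "department"))
    print("groups:", groups)
    print("effective restriction:", effective_restriction(groups, GROUP_RESTRICTIONS))
    print("mixed membership:", mixed_membership(groups, GROUP_RESTRICTIONS))
```

Run against the constructed assertion, the user's own department group limits them to Los Angeles and Miami, but their membership in All-Staff (no Values set) resolves to unrestricted access, and `mixed_membership` flags the account. Running the same check over your IdP's group export is a practical way to find users who would silently bypass the restriction.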

Tip

If there is no need for data access restrictions, keep the default selection (Values) and leave the field empty.

As a user of Aternity, get familiar with the following usage tips:
  • In the top left corner, select Main Menu and then choose the dashboard you want to view. Restricted users see a limited menu that contains only the dashboards their view supports.
    Aternity Main Menu
  • Restricted users see only the users or devices they are allowed to view in search results.

  • Users can check whether their viewing options are limited by selecting the User icon on the top bar: restricted users are marked with a security shield icon.
    User icon
  • When drilling down to a dashboard you are not allowed to view, an error message appears stating that you are not allowed to see this data.
    Access Denied error message

In the dashboards that present data by location, restricted users see the data from the allowed regions only.

See data from the allowed business location

Restricted users can view advanced dashboards shared with them. Such dashboards are automatically filtered to show only the allowed data.

Note

If the Installed Software, Installed Software Changes, or Remote Display Latency dashboards are shared with restricted users (or with all users), they are not filtered and expose data from outside the allowed scope. Do not share these dashboards with restricted users.

Note
Users who were assigned a Data Restriction role CAN view only the following set of dashboards:
  • View Analyze dashboards, such as:

    • Applications

    • Business Activities

    • Device Health

    • Host Resources

    • Process Resources

    • Remediation actions

    • WiFi

  • View Monitor dashboards, such as:

    • Enterprise Summary

    • Application

    • User Experience

    • Activity Resource Analysis

    • Skype for Business Calls Details

    • NOC

  • View Troubleshoot dashboards, such as:

    • User or Device

    • Device Events

    • IT Service Desk (can initiate remediation actions for a single device only)

    • Troubleshoot Application

    • Troubleshoot Activity

    • Remote Display Latency

    • Boot Analysis

  • View Validate dashboards, such as:

    • Application Change

    • Configuration Change

    • VDI Migration

  • View Inventory dashboards, such as:

    • Analyze Device Inventory

    • Device Inventory

  • View additional dashboards, such as:

    • Desktop Reliability

    • Device Health (Enterprise level)

    • Performance (My Enterprise)

    • Low Usage Incident

  • They can also execute remediation actions on the devices they are allowed to view (one action at a time, from single-device dashboards)

Note

Users assigned a data restriction role do NOT have access to Administration screens, Insights, editing dashboard tools, and My Workspace dashboards.