Managing Object Permissions Using Tags

This topic describes using tags to manage object permissions in AppViz.

Principles of tag use

Tags control who can view and edit Network Objects. An Admin can view and edit all objects. A tagged object can be edited by users who are assigned the same tag as the object and who have edit privileges for that tag. Users who share the tag but lack edit privileges can only view the object.

Object representation when user lacks permission to view

Application Flows

When tagged objects are displayed in application flows, only users assigned the same tags can view them. Other users see a lock-icon indication with a hover-tool-tip informing them that an object that they do not have permission to view due to permissions filtering is present in the flow.

Projects

When working with projects, users likewise see only those objects for which they have permissions (objects with which they share a tag). When an object has assigned tags and none of those tags are also assigned to the non-admin user, the user sees no indication of that object when planning migration, cloning, and so on. When the user exports the plan to PDF, however, the exported PDF shows empty fields for the objects that the user lacks privilege to see.

Example of Migration Task during planning stage: All objects are seen by administrator:

Example of Migration Task during planning stage: Non-admin user sees consolidated list of objects that this non-admin user has permission to see:

The Exported PDF of the migration plan for the administrator shows all objects relevant to the plan:

The PDF exported by the non-admin user shows only the IP address or name of the objects the user shares tags with. The rest of the relevant objects are indicated by empty fields:

Searches

There will be no results in the various searches (Applications, Network Objects, Projects, etc.) if the searched entity is tagged with a tag that is not associated with the user.

Creating and applying tags

There are several ways in which the admin and other users can view and edit tags. They are described in this section.

Admin Tag Creation

  1. In AppViz, click on Administration under your user name. (This requires Admin permission.)

  2. Click on the Customization tab and then, in the Tags section, click Manage next to Manage Tags.

  3. Click +Add Tag at the top of the tag list.

  4. On the right side of the screen, enter the tag name in the Tag Name field.

  5. Add applications and objects to the tag as required.

  6. Click Save Changes.

Admin Assignment of user permissions and tags to users

The Admin assigns tags to users as follows:

  1. In AppViz, click on Administration under your user name. (You must have Admin permission).

  2. On the General tab presented, click the Manage button next to Manage User Settings and Permissions.

    The User Settings and Permissions page is displayed:

  3. Click on a user on the left side of the screen.

  4. In the Authorized Views and Actions section, selectable user permissions are divided into categories of:

    • General

    • Network and Service Objects

    • Applications

    • Tags

  5. Click inside the Object Tags area near the bottom of the screen. Object tags may already be listed there.

    1. You can remove object tags from the selected user by clicking the x at the right of the tag

    2. You can associate tags with the selected user by typing inside the tags area. Add existing tags or add new tags with any name you choose.

      Note: The tags that you add may already be associated with users, applications and objects and can include system tags.

      However, in version A32.20, applications must be added to the user using the Add Application button above the Object Tags area.

  6. Configure (Select or Deselect) the Edit all objects checkbox as required:

    1. If the Edit all objects checkbox is not selected, the user can view network objects that have no tags, or that have tags also assigned to the user, but cannot edit them. For example, the user cannot add tags to or remove tags from the object.

    2. If the Edit all objects checkbox is selected, the user can view and edit all network objects that have no tags assigned to them or have tags assigned to them that are also assigned to the user. For example, the user will be able to add and remove tags from the object.

Applying tags to network objects

There are several ways to apply and remove tags from network objects:

From Network Objects

An Admin, or a user with read-write privileges for the Network Object, can apply tags to that object.

  1. Open Network Objects

  2. Click the required object.
    The object's dashboard is displayed.

  3. Enter the new tag name in the Tags area and then click Save Changes.

From Edit Object Details

From Edit Object Details you can add a new tag while making other edits to the object.

  1. Open Network Objects

  2. Click the required object.
    The object's dashboard is displayed.

  3. Click on Edit Object button at the top right of the dashboard.


    The Network object details are displayed.

  4. Add the required tags to the tag area.

  5. Click on the Add New Tags message under the tag area:

  6. Click the Apply button (upper right).

  7. Acknowledge the message confirming the tag creation.
    The network object's dashboard is displayed, showing the added tag.

From Administration, Customization

See the next two sections: Associating applications with tags via Administration/Customization, and Associating objects with tags via Administration/Customization.

Associating applications with tags via Administration/Customization

To add tags to applications:

  1. In AppViz, click on Administration under your user name. (You must have Admin permission).

  2. Click on the Customization tab and then click Manage next to Tags - Manage Tags.


    The Tags management page is displayed:

  3. Click on a tag name in the tag list to edit it.

    Note: You can also search for a tag or click the Add a new tag button.

  4. Click Add Application. A list of available applications is displayed; select the applications to add to the tag that is in focus in the list at the left. (Use <ctrl> to select several applications one by one, or <shift> to select several contiguously-listed applications.)

  5. Click Add.
    The applications are added to the Assigned Applications list.

Associating objects with tags via Administration/Customization

  1. In AppViz, click on Administration under your user name. (You must have Admin permission).

  2. Click on the Customization tab and then click Manage next to Tags - Manage Tags.


    The Tags management page is displayed.

  3. You can select the Show system tags checkbox.

    Note:

    1. System tags are created automatically and retrieved through the AFA-AppViz sync process. They provide a way of tagging large numbers of endpoints automatically.

    2. Critical Processes tags are defined in AppViz on the Customization page to associate applications with a critical process. A new label is automatically created with the critical process name.

    3. Dynamic tags are associated with Dynamic Objects (Dynamic Endpoints) in AFA. AFA determines whether an endpoint is dynamic.

    4. PCI tags, defined in AFA Administration, define PCI zones.

  4. Associate the tag with the user (see Admin Assignment of user permissions and tags to users, above).


  5. Click on a tag name in the tag list to edit it.

    Note: You can also search for a tag or click the Add a new tag button.

  6. Click Add Object. A list of available objects is displayed; select the objects to add to the tag that is in focus in the list at the left. (Use <ctrl> to select several objects one by one, or <shift> to select several contiguously-listed objects.)

  7. Click Add.
    The selected objects are added to the tag.

Creating objects with tags through CSV import

By importing a CSV file with the correct configuration, you can create objects with tags (and custom fields) configured:

  1. Click the down arrow under your user name and then go to Administration > Objects Update tab.
    Note: Under Update Objects from file, you can download and examine an example file:

  2. When your .csv file is prepared, click Update Now.

  3. The Update Network Objects dialog is displayed:


  4. Click Select a File and select the required .csv file.

  5. Click Update Now.

Behavior of Object-related APIs

  1. API behavior is as follows:
    Object-related APIs return objects and their tags to the requestor only if the requestor has permission for those objects (the object has no tag, or has a tag in common with the requestor).

  2. Requestors can edit objects using APIs only if:

    1. the requestor has edit permission for all objects, and

    2. the object to be edited has no tag or has a tag in common with the requestor

  3. Object Tags are part of AppViz network-object-api return values.

View and Edit access to network objects

A non-admin user's ability to edit and view network objects is defined by the Edit all network objects checkbox and the tags that are assigned to the network objects.

If the Edit all network objects checkbox is not selected for the user, the user can view network objects as follows:

  • All network objects that have no tags

  • All network objects assigned the same tags that are assigned to the user

  • No network objects assigned tags that are not assigned to the user

If the Edit all network objects checkbox is selected for a user, the user can view and edit all network objects as follows:

  • All network objects that have no tags

  • All network objects assigned the same tags that are assigned to the user

  • No network objects assigned tags that are not assigned to the user

Disassociate Objects and Applications from Tags

You can use the remove all buttons to disassociate all objects or all applications from the selected tag or you can use the delete icon next to any listed application and object to disassociate that entity individually from its tag.

Tags and Permission from the Roles

It is important to remember that users inherit all the tags and permissions of any role that is assigned to them.
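The view and edit rules from the sections above (Behavior of Object-related APIs, View and Edit access to network objects, and role inheritance) can be modelled in a few lines. The following is an added, illustrative model written for this page; it is not AppViz code and does not call the AppViz API. The class and function names (`Role`, `User`, `NetworkObject`, `can_view`, `can_edit`, `api_list_objects`, `api_set_tags`, `render_flow`) and the sample users, objects and tags are all constructed assumptions.

```python
"""Illustrative model of tag-based object permissions (not AppViz code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    """A role grants its tags and its Edit-all-objects right to every user holding it."""
    name: str
    tags: frozenset = frozenset()
    edit_all_objects: bool = False


@dataclass
class User:
    name: str
    is_admin: bool = False
    tags: set = field(default_factory=set)
    edit_all_objects: bool = False
    roles: list = field(default_factory=list)

    def effective_tags(self) -> set:
        """Directly assigned tags plus every tag inherited from assigned roles."""
        tags = set(self.tags)
        for role in self.roles:
            tags |= role.tags
        return tags

    def effective_edit_all(self) -> bool:
        """Edit-all-objects set directly or inherited from any role."""
        return self.edit_all_objects or any(r.edit_all_objects for r in self.roles)


@dataclass
class NetworkObject:
    name: str
    tags: set = field(default_factory=set)


def can_view(user: User, obj: NetworkObject) -> bool:
    """Admin sees everything; others see untagged objects and objects sharing a tag."""
    if user.is_admin:
        return True
    return not obj.tags or bool(obj.tags & user.effective_tags())


def can_edit(user: User, obj: NetworkObject) -> bool:
    """Editing needs the Edit-all-objects right AND visibility under the tag rule."""
    if user.is_admin:
        return True
    return user.effective_edit_all() and can_view(user, obj)


def api_list_objects(user: User, objects: list) -> list:
    """Object-related API rule: return only viewable objects, tags included."""
    return [{"name": o.name, "tags": sorted(o.tags)} for o in objects if can_view(user, o)]


def api_set_tags(user: User, obj: NetworkObject, new_tags: set) -> NetworkObject:
    """Object-related API rule: the edit is refused unless can_edit() holds."""
    if not can_edit(user, obj):
        raise PermissionError(f"{user.name} may not edit {obj.name}")
    obj.tags = set(new_tags)
    return obj


def render_flow(user: User, flow: list) -> list:
    """Application-flow rendering: objects the user cannot view become a lock placeholder."""
    return [o.name if can_view(user, o) else "[locked]" for o in flow]


def sample_data() -> dict:
    """Constructed sample data for the demonstration (assumed, not from the product)."""
    objects = [
        NetworkObject("web-srv", {"finance"}),
        NetworkObject("db-srv", {"hr", "pci"}),
        NetworkObject("dns-srv"),  # untagged: visible to every user
    ]
    finance_role = Role("finance-ops", frozenset({"finance"}))
    users = {
        "admin": User("admin", is_admin=True),
        "viewer": User("viewer", tags={"finance"}),
        "editor": User("editor", tags={"finance"}, edit_all_objects=True),
        "by_role": User("by_role", roles=[finance_role]),  # tag inherited from the role
    }
    return {"objects": objects, "users": users}


if __name__ == "__main__":
    data = sample_data()
    for name, user in data["users"].items():
        print(name, [o["name"] for o in api_list_objects(user, data["objects"])])
        print("  flow:", render_flow(user, data["objects"]))
```

Two points worth checking in your own deployment follow directly from the rules: an Edit-all user still cannot touch an object whose only tags belong to someone else, and an Edit-all user who removes the one tag they share with an object loses visibility of it on the next request, so tag edits through the API deserve the same review as any other permission change.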
