====== ACL Enterprise System ======

===== Introduction =====

The **Open Source** ACL model is Unix-style: ''role/action/group/user'' (4 items).

{{:wiki:icono-modulo-enterprise.png?23x23 |Enterprise Version}}The **Enterprise** ACL system allows defining, per profile, which pages (defined one by one or by "groups") users have access to. This lets you redefine which sections of the interface a user can see. For example, a user can be allowed to view only the **Group** view and the **Detailed** agent view, skipping pages such as **Alert view** or **Monitor view**, which the classic Pandora FMS ACL already groups under ''AR'' (Agent Read privileges).

[[:es:documentation:pandorafms:introduction:03_glossary#superadmin|Superadmin]] users are exempt from ACL control; all other users are bound by the ACL, even if they have the **Pandora Administrator** profile (**Pandora FMS Administrator**) assigned. This functionality allows you to restrict administration page by page, which is very useful for allowing some specific low-level operations.

Both models run in parallel and are compatible. The classic ACL system is complementary to, and is evaluated before, the ACL Enterprise system.

===== Settings =====

{{:wiki:icono-modulo-enterprise.png?23x23 |Enterprise Version}}In order to use the **ACL Enterprise** system, the first thing to do is to activate it in the configuration tab. This option is only visible in the Enterprise version: **Management** menu → **Setup** → **Setup** → **Enterprise**, enable **Use Enterprise ACL System** and click the **Update** button.

To configure the Enterprise ACL system go to **Management** → **Profiles** → **Enterprise ACL Setup**. In this screen you can add new items to the ACL system and see the items defined per profile. You can also delete items from the ACL Enterprise system.
If the **ACL Enterprise system** is activated, ALL users of ALL profiles (Administrator included) are restricted to the pages explicitly defined (allowed) in the ACL Enterprise system. If a user with the **Administrator** profile has no pages included in the ACL Enterprise system, they will not be able to see anything. **Please be careful with this, because you may lose access to the console if you activate a wrong ACL Enterprise configuration for your own user.**

If you have inadvertently lost access to the Console, you can deactivate the ACL Enterprise system from the command line:

<code>
/usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
</code>

==== Operation ====

There are two ways to add pages to a profile: with the **wizard** (default) or with the **custom edition**. A button next to the **Add** button toggles between **Wizard** and **Custom**.

=== Wizard ===

With the wizard you choose the sections and pages from drop-down list controls.

  * The pages that appear in these drop-down lists are only those accessible from the menu. To give access to pages reached in other ways (for example, the main agent view) you must use the custom editor.
  * All menu options are displayed, regardless of whether the selected profile has access to them. Adding a menu option to which a profile does not have access will not make that item appear in the menu.
  * The default profile in the **User profile** drop-down list is always ''Chief Operator''; change it before adding permissions for another profile.

To include a Pandora FMS page in the "allowed pages", select the profile to which the rule will be applied, then select in the **Section** control the section that contains the desired page. You will then be able to select any of its pages in the **Section 2** control, and **Section 3** works the same way.
{{ :wiki:acl_setup4.png }}

Another option is to select a section in the **Section** control and the value **All** in **Section 2**. This allows the chosen profile to see "everything" in the chosen section. Selecting **All** in both controls allows users of that profile to see "all" of "all" sections, just as they would without the ACL Enterprise system for that profile.

Moving the pointer over any of the items displays the corresponding delete button.

For a section to be displayed in the menu, the user must have access to at least the first page of the section.

=== Custom Edition ===

To add single pages that are not accessible from the menu you can manually enter the corresponding **sec2**. To do this, open the page to be added and copy the parameter into **Section 2**. For example, to add the main view of the agents, open the view of any agent; you will find a URL similar to this:

<code>
http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
</code>

Enter the content of the **sec2** parameter (''operation/agentes/ver_agente'') in the **Section 2** text box.

{{ :wiki:acl_setup5.png }}

For a standalone ("loose") page the user will need the URL; otherwise permission must be granted to the corresponding menu entry. In the image of the previous example, the **Operator (read)** profile was granted access to **Monitoring** (**Section**), **Views** (**Section 2**), **Agent detail** (**Section 3**).

===== Security =====

Any restricted page is not displayed in the menu and cannot be used, even when the user enters the URL "manually". Any page not allowed by the classic Pandora FMS ACL system is not allowed by the ACL Enterprise system either (the classic ACL system is evaluated first). In addition, there is a control that checks whether a page belongs to a section, which reinforces security against manual modifications of the URL.
This check is skipped for pages added with the custom editor, and for pages in a section to which full access has been granted, which speeds up loading.

You can check at any time the pages allowed for each profile using **Filter by profile** and then clicking the **Filter** button:

{{ :wiki:acl_example.png }}

In order for users to be able to change their own user data, they must be granted access to **Profile | Configure user | All**.
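As an added illustration (not Pandora FMS code), the following Python model shows how the checks described in the Security section combine when a page is requested: the classic ACL first, then the Enterprise rules with the **All** wildcard, the custom-editor exemption from the section-membership check, and the first-page rule for menu visibility. The profile flag sets and every page name except ''operation/agentes/ver_agente'' are constructed sample values.

```python
from dataclasses import dataclass

ALL = "All"  # wildcard offered by the Section / Section 2 controls

@dataclass(frozen=True)
class Rule:
    profile: str
    section: str          # value of the "sec" URL parameter, or ALL
    section2: str = ALL   # value of the "sec2" URL parameter, or ALL
    custom: bool = False  # entered through the custom editor

class Console:
    def __init__(self, eacl_enabled, classic_acl, page_flags, menu_sections, rules):
        self.eacl_enabled = eacl_enabled
        self.classic_acl = classic_acl      # profile -> set of classic flags, e.g. {"AR"}
        self.page_flags = page_flags        # sec2 -> classic flag the page requires
        self.menu_sections = menu_sections  # sec -> sec2 pages reachable from the menu, in order
        self.rules = rules

    def page_allowed(self, profile, sec, sec2, superadmin=False):
        if superadmin:  # superadmins are exempt from both ACL systems
            return True
        # Classic ACL is evaluated first and must grant the page's flag.
        if self.page_flags.get(sec2) not in self.classic_acl.get(profile, set()):
            return False
        if not self.eacl_enabled:
            return True
        # Enterprise ACL: no matching rule means no access, Administrator included.
        menu_pages = self.menu_sections.get(sec, [])
        for r in self.rules:
            if r.profile != profile or r.section not in (ALL, sec):
                continue
            if r.section2 not in (ALL, sec2):
                continue
            # Membership check against edited URLs; skipped for custom entries and All grants.
            if not r.custom and r.section2 != ALL and sec2 not in menu_pages:
                continue
            return True
        return False

    def section_in_menu(self, profile, sec):
        pages = self.menu_sections.get(sec, [])  # listed only if the first page is allowed
        return bool(pages) and self.page_allowed(profile, sec, pages[0])

# Constructed sample: group_view is made up; ver_agente is the agent detail page from the example URL (not in the menu).
MENU = {"estado": ["operation/agentes/group_view"]}
FLAGS = {"operation/agentes/group_view": "AR", "operation/agentes/ver_agente": "AR"}
CLASSIC = {"Operator (read)": {"AR"}, "Administrator": {"AR"}}
RULES = [Rule("Operator (read)", "estado", "operation/agentes/ver_agente", custom=True)]
console = Console(True, CLASSIC, FLAGS, MENU, RULES)
```

With only the custom rule, the Operator profile reaches the agent detail page but not the menu section; an Administrator with no rules sees nothing until the system is disabled or a rule is added.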