We’re on v16.3. Is it possible to have an MMM role which has:
- read metadata access
- run profiling jobs
- run lkp builder jobs
- run monitoring project jobs
But without the ability for example to edit the contents? e.g. just run a lkp builder job but not be able to amend the configurations of the lkp, or run the monitoring project without ability to change anything.
I tried looking at the documentation; it seems that for Monitoring Project, the levels of view metadata access and view data access don’t allow running the project, while full access does. However, full access also gives editing rights to monitoring projects, which we don’t want to allow.
Has anyone else run into the same scenario? How have you solved it?
Best answer by may_kwok
Amazing @anna.spakova thank you for your hint! Here are the exact steps I did:
1. Ensure the Keycloak role that I want to grant to the users exists (create in Keycloak, I called it MMM_poweruser) and is synced over to ONE (users → update users)
2. Take a db backup of ONE before making the change
3. Go to Metadata model, monitoringProject node, Access Levels tab, and define something for Operate Access (Anna’s screenshots above). I set it so that the Operate access can:
   - Access asset
   - View sharing
   - View properties
   - View comments
   - Read comments metadata
   - Read comment thread metadata
   - Run data processing
4. Go to governance roles, find my Governance role (I’m choosing ONE Operator), and set the Monitoring Project to have Operate Access
5. Then I need to go to each Group that I have, and add the Group role and allocate my MMM_poweruser role into it:

I have created a test user that belongs to MMM_poweruser and I am able to run the project but not do anything else in the project.
You can create a new Access level and set it up for each metadata model node where you need this specific access. For example, on the monitoringProject entity in the metadata model, there is a tab Access levels:
Under the Access levels are operations you can edit:
So you could take access level settings similar to View Metadata Access (so allow just viewing), and just enable the Run processing operation.
Please let me know if this helps, or if this is also something you considered and it didn’t help.
In case anyone is interested, I managed to work around this by tracking down the component of the nested VCI, and sharing that component to the target group. (Thanks to @Antonio DeChausay !)
I’ve raised it with the product team that I believe setting stewardship on the nested VCI should be enough. Hopefully this gets accepted to be worked on 🤞