Hello @Marnix Wisselaar , can you please tell me, what is your version of Ataccama? Permissions work quite differently in v13 and v14.

In general, the Global settings section cannot be hidden completely, but you should be able to configure permissions to several sections there, including the Users section. To provide more information, we need to know the version.

Thank you.

Kind regards,

Anna

V13.9.4

Hello @Marnix Wisselaar , in that case, you can change the access using the the Manage default access button. When you open the Users screen and click on the three dots in the upper right corner → Manage default access. There, you can remove all roles that shouldn’t have the ability to see the users. Please do NOT remove the MMM_admin role. Also, it can take some time to remove the roles as on the backend it is recomputing the permissions in the database. This behaviour is expected.

Please let me know if this helps. You can do the same on the Roles screen.

Kind regards,

Anna

Hi @anna.spakova , I've tried this in our test environment (I work in the same team as @Marnix Wisselaar ). In default access I removed viewer rights for MMM_read-only (Application User). Then I tested it with a test user with very few permissions. That user only has default-roles-ataccamaone and an AD group that maps to a role with no permissions).

I logged in with that test user and I still was able to view all users.

The reason why that is, I think, is because the MMM_user role also has viewer rights on users by default. And every user is in that role by default (via the default-roles-ataccamaone, which has the default role, which has the MMM_user role).

I tried removing MMM_user from the default access of users, but you don't want to go there. After that the test user wasn't even able to log in again.

Hello @Marcel-Jan ,

yes, MMM_user is a mandatory role that allows the access itself into the platform. Simply put, you need to remove from the Default access all the roles that you don’t want to give view access on Users and Roles, so including this one. But in Keycloak, the MMM_user needs to be kept for every user that should access Ataccama.

It should be fine to remove all roles, I just recommend to keep the MMM_admin there so at least someone has permissions to see and edit.

Kind regards,

Anna

Hi @anna.spakova 

I did not remove the MMM_user role. 

Let me reproduce exactly what I've done. So this is the default access to users:

I have a test user logged in, in a different browser on the same system, and this user can still view all users. (I'm not going to share a screenshot with the user list, so that part you have to assume is true). The user can use the web application without errors. But it can see very little, because of the lack of other permissions.

Now I will remove MMM_user from the User default access.

And now I go over to my test user. And immediately the user gets this screen:

So removing MMM_user from the User default access is not the way to go.

Hello @Marcel-Jan ,

thanks for sharing that. I guess the Application user capability has more functions here so it might be tight to the access itself.

In that case, let me ask our engineering, if there is a way how to do this.

Anna

Yes, I see no way around this. Definitely dont remove MMM_user from the User default access. Removing MMM_user from the test user itself is not going to work because it's in the default role. And probably the user will get the same issues if you remove it that way too.

If you want, we can also raise a ticket.

Hello @Marcel-Jan , the ticket will be probably the best, so that we have it tracked.

Thank you very much!

Anna