Investigate Menu Permission
While applying permissions to groups in Active Directory is generally considered a best practice, there are issues that may arise due to group nesting and lack of granularity.
Cadebill interacts with Active Directory by leveraging group membership. Active Directory allows nesting groups within other groups to create a hierarchical structure. While this can simplify permission management, it can also lead to complex permission inheritance scenarios for Cadebill.
Cadebill permissions are typically assigned at the group level, which means that all members of the group inherit the same permissions. However, there may be cases where fine-grained control is required at the individual user level. In such situations, additional measures, such as individual user permissions or nested groups, may need to be implemented to achieve the desired granularity.
The Investigate Menu Permissions page is a useful tool for troubleshooting these and other permission-related issues with Cadebill and Active Directory.
The page consists of three panels: User Menus Permission Filter (top), User Menus (middle), User Menus Permission (bottom).
An explanation of these panels and their interactions follows.
User Menus
This panel is the result of the criteria from the User Menus Permission Filter. The AD User Name and AD Group Name are displayed.
Note that an AD User may be a member of one or more AD Groups. These group memberships are a common source of contention when managing permissions.
For each AD User Name and AD Group Name, the Application, Module, Sub Module, and Menu are displayed where there is an explicit or implicit (i.e., via group membership) permission.
The Allow checkbox is checked when the user/group is permitted access to that menu. When unchecked, the permission is an explicit Deny.
Note: The order of precedence is that Deny overrides Allow.
Field | Description
Permissions How Id | Internal, Identity field.
AD User Name | Displays the name of the user as defined in Active Directory. Not used when User Type is G.
AD Group Name | Displays the name of the group as defined in Active Directory. If blank, application permission was granted to the user explicitly (i.e., not inherited via group membership).
User ID | System-generated integer to uniquely identify a user instance in the system. Read-only.
Application | Displays the name of the application as defined in Nebula Framework.
Module | Displays the name of the module as defined in Nebula Framework.
Sub Module | Displays the name of the sub module as defined in Nebula Framework.
Menu | Displays the name of the menu as defined in Nebula Framework.
Permission IDs | Unique identifier for a record in Application Permissions.
User Type | Displays U when the security principal is a user and G when the security principal is a group.
Allow | When checked, the Nebula Framework path (i.e., application, module, sub module, menu) is accessible for the AD user via membership in the AD group, if applicable. When unchecked, the Nebula Framework path is inaccessible.
User Menus Permission
This panel displays the sequence of inherited permissions for the user/group selected in the User Menus grid. Based on the selected user (and group membership), the inherited permissions to the selected menu are displayed.
Refer to the figure above. Assume the following permissions:
While Menu 1.1.1 has an explicit Permit (ID 45), the menu is not accessible because of the explicit Deny on Sub Module 1.1 (ID 21), which is inherited by all menus contained therein.
Therefore, this grid would display the permissions in order of precedence whether they are explicit or implicit due to inheritance. Thus, the Deny would be the first record in the grid.
Field | Description
Permission ID | Unique identifier for a record in Application Permissions.
Application User | Displays the name of the user as defined in Application Users.
Application | Displays the name of the application as defined in Application Permissions.
Module | Displays the name of the module as defined in Application Permissions.
Sub Module | Displays the name of the sub module as defined in Application Permissions.
Menu | Displays the name of the menu as defined in Application Permissions.
Include All Child Menus | When checked, menu level permissions are inherited to child menus as defined in Application Permissions.
Permission | Displays the permission as defined in Application Permissions. May be Permit, Permit and grant, or Deny.
Permission Precedence | The order of the Application Permissions record when evaluating if a path is allowed.
Comments | Provides an explanation of the effect of the Application Permissions record.
Restriction | For internal use only.
Mode ID | Reserved for future use.
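The precedence behaviour described for this panel (an explicit Deny on a sub module overriding an explicit Permit on a menu beneath it) can be modelled as follows. This is an added example, not Cadebill code: the user, group names, nesting, application and module names are constructed, and both treating "no matching record" as inaccessible and placing the Deny on a nested group are assumptions.

```python
from dataclasses import dataclass

# Constructed AD data: principal -> groups it is a direct member of.
MEMBER_OF = {
    "jdoe": {"Billing-Clerks"},
    "Billing-Clerks": {"Finance-All"},   # nested group
    "Finance-All": set(),
}

@dataclass(frozen=True)
class Perm:
    perm_id: int
    principal: str    # AD user or AD group name
    path: tuple       # (application, module, sub module, menu), cut at the level granted
    permission: str   # "Permit", "Permit and grant", or "Deny"

# Constructed records; IDs 45 and 21 mirror the example in the text.
PERMS = [
    Perm(45, "Billing-Clerks",
         ("App 1", "Module 1", "Sub Module 1.1", "Menu 1.1.1"), "Permit"),
    Perm(21, "Finance-All",
         ("App 1", "Module 1", "Sub Module 1.1"), "Deny"),
]

def principals_for(user):
    """Return the user plus every group reached through nested membership."""
    seen, stack = set(), [user]
    while stack:
        p = stack.pop()
        if p not in seen:              # guards against circular nesting
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def investigate(user, menu_path, perms=PERMS):
    """Return (allowed, records); records are ordered with Deny first."""
    who = principals_for(user)
    # A record applies when its path is the menu itself or one of its ancestors.
    hits = [r for r in perms
            if r.principal in who and menu_path[:len(r.path)] == r.path]
    hits.sort(key=lambda r: r.permission != "Deny")   # stable: Deny records first
    # Assumption: a path with no matching record is treated as inaccessible.
    allowed = bool(hits) and all(r.permission != "Deny" for r in hits)
    return allowed, hits

if __name__ == "__main__":
    menu = ("App 1", "Module 1", "Sub Module 1.1", "Menu 1.1.1")
    print(investigate("jdoe", menu))
```

Here the Deny reaches the user only through a group nested inside the group that holds the Permit, which is the kind of case the grid's precedence ordering makes visible.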
User Menus Permission Filter
This panel creates the request for information that gets processed by the system.
Once the selection criteria are complete, click the Apply Filter button to begin the analysis. Use the Clear Filter button to remove all previously selected values.
Note: If there have been changes to Active Directory, use Refresh AD Data to obtain the latest updates. In large organizations, this may take a few minutes.
Field | Description
Effective Date | Since Application Users has the option to set a start and end date, an effective date may be used to limit the results to only users that were active on the specified effective date. Defaults to the current date and time.
User Type | Select either User or Group to perform the analysis. Defaults to User.
User Name | Displays the list of all users or groups (depending on the User Type selected) from the Active Directory. If left blank, all users or groups will be analyzed.
Module ID | Select from the list of available modules. If selected, all menus under that module will be analyzed. If blank, all modules will be analyzed.
Menu ID | Select from the list of available menus. If selected, only that menu and any child menus under the menu will be analyzed. If blank, all menus will be analyzed.
Permission | Select from either Allow, Deny, or Allow and Deny to perform the analysis. Defaults to Allow and Deny.
Allow | When checked, the Nebula Framework path (i.e., application, module, sub module, menu) is accessible for the AD user via membership in the AD group, if applicable. When unchecked, the Nebula Framework path is inaccessible.