Administrator group default group level

Solved257 viewsAdministrator Group Level param level
6
0 Comments

Hi Dojo,

While following Kata #36: Manage and monitor your Service Level Agreements I noticed I can't edit certain parameters. After investigating I realised that those parameters had level attribute on them and it was set to 3(note that figuring this out took a while and I had to try out few different things and was frustrated by the experience). Since my account is administrator I found it weird that anything can be off limits for my account. I soon figured out what was causing the issue, Administrator(installer) group has default Group level set to 5, which again seems weird.

Out of this, few question came to mind:

  1. Why is default Group level for Administrator(installer) set to 5? Wouldn't it make more sense for it to be 1(or 0 based on question 2)? What is the reasoning behind this behaviour?
  2. Documentation for level attribute indicates level 0 for administrator account, however it is not possible to set level 0 in System Center -> Users/Groups -> Groups. Is there different way to configure it to be 0?
  3. Could I have figured out in some easier way that my Group level is too low to access write param? If I wasn't watching Kata I wouldn't have even known that there is a write param.
  4. When writing connectors how exactly is level attribute to be used? It seems to me that every developer can create arbitrary permission levels that end user has to be familiar with and set group levels specifically with that connector in mind. I feel like this can get out of hand quickly if user has multiple connectors that use level attribute.

Cheers

Edib Šupić [SLC] [DevOps Catalyst] Selected answer as best 15th July 2024

1 Answer

2
5.44K 1 Comment

Hi Edib,

As far as I know there's no real guidance on how to use the level attribute, which is probably one of the reasons why the level attribute is not used that often in connectors.

That then probably explains what the "Administrator (installer)" group has the same level 5 as what any new group gets by default. The "Administrators (installer)" group is a group created by the installer but does not have special powers because of its name.

The "Administrator" user being mentioned is one with an actual name "Administrator". That account gets a special treatment and does get level 0 assigned. Other users that are part of groups like "Administrator (installer)" get their levels from there. Not allowing to set this level 0 on groups is probably a choice that was made, but my feeling says that it is something that should be allowed.

As far as I know, there's no indication given that parameters got hidden because of level settings. The only way to know is by knowing the driver or by seeing the parameters popup for a different user.

Alberto De Luca [DevOps Enabler] Edited comment 1st August 2024
Alberto De Luca [DevOps Enabler] commented

I experienced this in the past as well: indeed it can take some time to dig this and address by defining a newer group. Logging this feature suggestion to possibly add new behaviour that can either highlight when level attributes are in use &/or make 0 the default access for some sort of super-admin group:

https://community.dataminer.services/new-feature-suggestions/level-attribute-info-available-at-group-access-layer/

PS: unrelated to the level, but is it possible to restore the “duplicate group” function that was available in System Display before CUBE was introduced?

The feature seems to have collected some consensus over the years:
https://community.dataminer.services/new-feature-suggestions/system-centre-users-groups-right-click-duplicate-group/
Features in this functional area of CUBE for access & groups may be helpful for several admins