5.12.8.8 Secure Menus

 



 

The Need for Secure Menus

 

Access to certain NMS operations may need to be restricted based on user-level permissions. Most of these operations are accessed through menus, and a menu operation is triggered only when a particular menu item is clicked. Using the secure menus functionality, you can disable or hide certain menu items by configuring the corresponding menu configuration file, thereby preventing users from accessing specific operations. The secure menu functionality is applicable to all types of menus such as Frame menus, Panel-Specific, Object-Specific, etc. The functionality of Secure Menus is based on the permissions model provided by the Security Management module of Web NMS.

 

Defining the Menu Securing Options

 

The following are the requisites for securing a menu or a menu-item.

  1. An <OPERATION> </OPERATION> tag must be defined inside a <MENU-ITEM></MENU-ITEM> tag for the menu-item that is to be secured in the respective menu configuration file. The operation defined inside the <OPERATION> tag must be one among those listed in the "Permission Tree" of the Security Administration wizard (accessed through Tools -> Security Administration menu).

  2. The operation that is defined in step 1 must be disallowed in the Permission Tree of the Security Administration wizard (i.e. it must be crossed in the checkbox) for securing a menu-item. This is because the framework secures a menu (i.e. disables or hides it) only after verifying that the operation specified in the permission tree (of the Security Administration wizard) is disallowed.

  3. The menu-item to be secured must contain the attribute ACTION-ON-NO-PRIVILEGE inside the respective <MENU-ITEM> tag as shown in the snippets below.

  4. Based on the value of the ACTION-ON-NO-PRIVILEGE attribute, the menu-item is either hidden or disabled.

The menu configuration files can be present in <Web NMS Home>/html/defaultsToAllUsers directory or in any specific user directory, namely <Web NMS Home>/users/<username>. Web NMS searches for the menus in <Web NMS Home>/users/<username> directory first, and if not found it searches in <Web NMS Home>/html/defaultsToAllUsers directory. The defaultsToAllUsers directory is used to provide a one place configuration of permissions for all the users, instead of doing the configuration in each user-specific directory.

 

The Object-Specific menu configuration files which cater to Maps and Network Database panels are searched first in the user-specific directory, and if not found, then searched in either <Web NMS Home>/mapdatas/menus directory or <Web NMS Home>/listmenus directory based on whether they are specific for the Maps or the Network Database panels, respectively.

 

Entries in Menu Configuration Files for Securing Menus

 

To associate an operation configured in the security permission tree with a menu or a menu item, the operation must be specified in the corresponding menu configuration file. The menu configuration files (i.e., .xml files) contain the entries of the menus and their menu items in XML format. The operation that is to be used for authorizing a menu item or menu must be defined within the <OPERATION></OPERATION> tag for the particular menu or menu item. The following snippet illustrates this:

 

<MENU-ITEM name="Delete Map"
    ACTION-ON-NO-PRIVILEGE="DISABLE"
    action_command="Delete Map"
    shortcut_key="D"
    accelerator_modifier="CNTRL"
    accelerator_key="D">
    <OPERATION name="Map Editing Operations"/>
</MENU-ITEM>

 

In the above snippet, the security permission or operation named "Map Editing Operations" is associated with the menu item "Delete Map". For any user who connects to the client, this menu-item will be disabled or enabled based on whether that user is authorized for the permission "Map Editing Operations" or not. The snippet also defines the attribute ACTION-ON-NO-PRIVILEGE. This attribute determines the action to be taken on authorization failure, i.e., whether to hide a menu item or to disable it when authorization is denied. In this case, it is set to "DISABLE"; hence on authorization failure, the menu item will be disabled.

 

Securing Menus through clientparameters.conf

 

The default action value for the attribute ACTION-ON-NO-PRIVILEGE to be applied for all the menus configured (i.e., OPERATION tag included for the menu in the configuration file) can also be specified in the clientparameters.conf file present in <Web NMS Home>/conf directory. This file will be read by the Web NMS client during startup and this setting will be applied globally for all the menus. The default value specified for this action type is 'HIDE'.

 

You can specify a value for the ACTION-ON-NO-PRIVILEGE attribute at the level of each particular menu item in the respective menu configuration file. The value specified in the menu configuration file overrides the default value specified in the clientparameters.conf file. This means that the menu item 'Delete Map' (as in the above snippet) gets disabled and not hidden (as per the default value) when an unauthorized person logs into the Client.

 

The entry for the attribute in the clientparameters.conf file is as shown below:

 

ACTION-ON-NO-PRIVILEGE="DISABLE,"

 

It is seen here that a 'comma' appears after the value specified for the attribute. This is so because the same attribute is used for securing the Client tree nodes. Therefore, the value after the 'comma' is interpreted as that for securing tree nodes.

 

You can secure the menus or menu items by associating the appropriate permissions using <OPERATION> tag for the desired menu or menu item and specifying a desired value for the action type ACTION-ON-NO-PRIVILEGE in the corresponding menu configuration file.
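The resolution rules described above can be checked offline with a short audit script. This is an added example, not Web NMS code: the <MENU> wrapper element, the "Map Properties" and "Refresh" items, the function names, and the fallback to HIDE when clientparameters.conf carries no entry are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Only "Delete Map" comes from the page; the <MENU>
# wrapper and the other two items are assumptions for illustration.
SAMPLE_MENU_XML = """
<MENU name="Edit">
  <MENU-ITEM name="Delete Map" ACTION-ON-NO-PRIVILEGE="DISABLE"
             action_command="Delete Map">
    <OPERATION name="Map Editing Operations"/>
  </MENU-ITEM>
  <MENU-ITEM name="Map Properties" action_command="Map Properties">
    <OPERATION name="Map Editing Operations"/>
  </MENU-ITEM>
  <MENU-ITEM name="Refresh" action_command="Refresh"/>
</MENU>
"""

# Constructed clientparameters.conf entry, in the form shown on the page.
SAMPLE_CONF = 'ACTION-ON-NO-PRIVILEGE="HIDE,"'


def menu_default_action(conf_text):
    """Return the menu default: the text before the comma in the entry.

    The text after the comma applies to tree nodes and is ignored here.
    Falling back to HIDE when no entry exists is an assumption.
    """
    m = re.search(r'ACTION-ON-NO-PRIVILEGE\s*=\s*"([^",]*),?([^"]*)"', conf_text)
    if not m or not m.group(1).strip():
        return "HIDE"
    return m.group(1).strip().upper()


def audit_menu(xml_text, conf_text, disallowed_ops):
    """Map each menu item to VISIBLE, HIDE, DISABLE or UNSECURED."""
    default = menu_default_action(conf_text)
    result = {}
    for item in ET.fromstring(xml_text).iter("MENU-ITEM"):
        name = item.get("name")
        op = item.find("OPERATION")
        if op is None:
            # No <OPERATION>: no permission is bound to this item.
            result[name] = "UNSECURED"
        elif op.get("name") in disallowed_ops:
            # The per-item attribute overrides the client-wide default.
            result[name] = item.get("ACTION-ON-NO-PRIVILEGE", default).upper()
        else:
            result[name] = "VISIBLE"
    return result
```

Items reported as UNSECURED are the ones to review: they carry no <OPERATION> tag, so disallowing an operation in the Permission Tree has no effect on them.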

 

Configuring Menus Manually (Enable/Disable)

 

If you only want to disable a menu-item manually, for example to deactivate it for a particular user, you can use the attribute "isEnabled" inside the <MENU-ITEM></MENU-ITEM> tag. The values taken by this attribute are "TRUE" or "FALSE". Disabling a menu-item in this manner depends on whether the attribute "ACTION-ON-NO-PRIVILEGE" is specified in the clientparameters.conf file. If it is specified, then the value specified for the ACTION-ON-NO-PRIVILEGE attribute takes precedence over the value specified for the attribute "isEnabled". The declaration of this attribute is as given below:

 

<MENU-ITEM name="Example" isEnabled="FALSE">
</MENU-ITEM>

 

Unlike the ACTION-ON-NO-PRIVILEGE attribute, the "isEnabled" attribute does not depend on the <OPERATION> tag.

 

Securing the Client Tree

 

The same security mechanism used for menus can also be used to secure the client tree. Using the same <OPERATION> tag mechanism described above, it is possible to authorize the presence of each tree node shown to the user in the client tree. The configuration is done in the file named Tree.xml present under the <Web NMS Home>/users/<username> directory. The detailed description is available in the topic titled Authorizing Tree Nodes.



Copyright © 2011, ZOHO Corp. All Rights Reserved.