Configurable Catalog Authorization (CCA): How to restrict access to service catalog items with custom settings

Contents

- What is Configurable Catalog Authorization (CCA)
- Navigating and creating custom configurations
- Configurations landing page
- Managing configurations for a catalog
- Editing existing configurations for a catalog
- Creating new configurations for a catalog
- Deleting configurations for a catalog
- What are authorization groups
- Creating new Authorization group
- Updating an Authorization group
- Deleting an Authorization group
- What does Reset button do
- When are configurations unique and can be saved
- Alert scenarios: Information and errors

Description

What is Configurable Catalog Authorization (CCA):

Self-service catalogs are available on the Now Support portal via Automation Store. To learn more about this feature, refer to KB0960324. Catalog items in the Instance Management category are currently accessible to users based on the roles assigned to them in Now Support. To enhance this availability, and also to ensure that the right users have access to make requests, Configurable Catalog Authorization (CCA) provides a customized solution for access configurations. With this feature, you can set custom rules on catalog items to further restrict access to certain user groups, roles or users. This is helpful if accounts require segregation of instance activities based on different criteria in the company.

Navigating and creating custom configurations:

Available to Customer and Partner account admins only, CCA can be used to set up custom configurations for catalog items from the Automation Store. Navigate to Service catalog -> Instance Management and use the Manage button on the top banner to access the configuration setup pages.

Configurations landing page:

On clicking the Manage button, the user is navigated to a catalog configuration summary page. Here the commonly used catalogs are listed with their current selections. A catalog can be configured to be applicable to instances, user groups, roles or users. Depending on the setup, a selection is highlighted in green if it exists for that catalog. Since all catalogs are, as of today, available for all customer instances and specific roles, "Instances" and "Roles" are shown in green. Each catalog is provided with a Manage icon to create custom configurations for further access restrictions.

Managing configurations for a catalog:

The “Manage” gear icon opens a page that displays a summary of the configurations set up for a catalog. A “Default” configuration of catalog access, applicable to All instances and user roles, is seeded to continue to allow existing access to and use of the catalog. Custom configurations appear below the “Default” and can be expanded to view further details. These custom configurations can be edited to make changes. However, the Default cannot be edited. A “Create new configuration” link helps to add new configurations. The “Review and Submit” button saves the custom configurations.

Default configuration:

All catalogs have pre-configured default settings. This is to ensure that current access still works and users can continue to use the catalogs even if custom configurations are not set up.

Behavior of default and custom configuration on a catalog’s settings:

When a catalog is set up with custom configurations, the custom and default configurations apply cumulatively to the catalog’s access. The custom configuration overrides the default completely when the two have the same instance and access settings.

Editing existing configurations for a catalog:

To edit an existing configuration, expand it and use the “Instance” and “Access” tabs to make appropriate selections. Update the configuration name to any user-friendly tag.

The Instance tab shows the options below:

- All instances: configuration applies to all instances owned by the customer/partner account.
- All prod instances: configuration applies to all production instances owned by the customer/partner account.
- All non-prod instances: configuration applies to all non-production instances owned by the customer/partner account.
- Selective instances: configuration applies to specifically selected instances owned by the customer/partner account.

The user can search for and add instances. All the selected instances are listed. To remove a selected instance, use the “x”. To undo all changes, use the Reset button. Once the Reset button is clicked, the newest changes will be erased. Removing instances disassociates them, and the configuration is no longer applicable to those instances. It does not remove the instances themselves.

The Access tab displays a form with information to edit. It shows the Authorization user groups for the configuration, the roles selected, and the users added. At least one Authorization group, user or role is mandatory. If an Authorization group or user is removed, or a role is deselected, then those selections are disassociated, and the configuration is no longer applicable to them. The groups, roles and users remain available for future selection.

Creating new configurations for a catalog:

To create a new configuration, click on the “Create new configuration” link and repeat the selections in the Instance and Access tabs. Add a user-friendly name to the configuration.

Once the selections in the configuration are completed, the user can click the “Review and Submit” button to navigate to a summary page. Here, a comprehensive list of all the configurations for the catalog, with the changes made, is presented for review. Any change (edit or new) is indicated by a dot. The user can review the selections and submit if satisfactory. A message is shown, informing the user of the successful save.

If the user chooses to make more edits, they can do so with the “Continue to edit” button. This takes the user back to the “Manage configurations” page to make further updates. If the user chooses to completely discard the changes, they can do so with the “Discard” button. This takes the user back to the authorization request page for all the catalogs.

If there are issues with saving a configuration, there is either a missing selection or a conflicting configuration. Please use the table below to review the error scenarios that can manifest.

Deleting configurations for a catalog:

Existing configurations for a catalog can be deleted using the delete button on each configuration. Once deleted, the configuration no longer applies to the catalog.

What are authorization groups:

New custom Authorization user groups can be created for use in the configurations. These groups are not available for functionality in other parts of the portal.

Creating new Authorization group:

Use the “Create new authorization group” link to create groups on the fly. Enter the minimal required information. Save the changes using the “Create New” button. This group is created for that account and can be used in any catalog configuration for that account.
If managing a hierarchy of accounts, the group should be available for any configuration.

Updating an Authorization group:

To edit an authorization group, navigate to the configurations landing page and choose the “Authorization Groups” tab. Please note: the user can also create new groups in this tab. Use the “Manage” icon to make updates to an existing Authorization group.

Deleting an Authorization group:

To delete an authorization group, navigate to the configurations landing page and choose the “Authorization Groups” tab. Click on the "Manage" icon and delete the group. Please note that in order to delete the group successfully, it should not already be associated with any configuration. Otherwise, the deletion results in an error and the group cannot be deleted. Disassociate the group from the configuration that it is attached to and then delete it.

What does Reset button do:

A “Reset” button is provided while creating or editing a configuration. Available for Instances and Users, this allows the user to undo any new changes started in the configuration. If it is a new configuration, then any instances or users added will be completely removed. If it is an existing configuration, then any newly added instances or users will be removed, and the previous state will appear.

When are configurations unique and can be saved:

It is not possible to have 2 or more configurations that have the same selections for a given catalog, as this doesn’t help functionally. The uniqueness check is conducted between the custom configurations that the user creates for a catalog.
For scenarios of duplicate configurations, check the table below.

Alert scenarios: Information and errors:

| Alert | Meaning | Resolution | Type of alert |
|---|---|---|---|
| Authorization group creation | For a catalog, user created a new authorization group to add to a configuration | No action | Information |
| Discard | For a catalog, user used the Discard button in the Review and Submit summary page | No action | Information |
| Authorization group name not unique | For a catalog, user created an authorization group that is already used for another configuration | Change new group name or reuse existing group | Error |
| No instances selected for 'Selective Instances' Instance Type | For a catalog, user chose “Selective Instances” in Instance tab of the configuration. Did not choose the instances to include. | Use Search and select to add the specific instances | Error |
| No Groups, no users & no roles for a configuration | For a catalog, user created a custom configuration but did not choose authorization group or role or user in the access tab | Edit the configuration to set at least one of Authorization group/Role/User | Error |
| Configuration for one or more non-prod instances are present in configuration <config name> Cannot have non-prod instance type conflicting configuration for any of the non-prod instance(s). | For a catalog, custom configuration for specific chosen non-prod Instance type already exists. User tries to create a different configuration to apply to “All non-prod” instances. This is a conflict. | Edit the existing configuration to apply only to All non-prod instances | Error |
| Configuration for one or more instances are present in configuration <config name>, Cannot have all instance type conflicting configuration for any of the instance(s). | For a catalog, custom configuration for specific chosen instances already exists. User tries to create a different configuration to apply to “All” instances. This is a conflict. | Edit the existing configuration to apply only to required instances | Error |
| Configuration for a catalog is existing for the sub prod instance type already in configuration {0}. Cannot have different configurations for a selected sub prod instance. | For a catalog, custom configuration for “All non-prod” Instance type exists. User tries to create a different configuration for selective non-prod instances | Edit the existing configuration to apply only to selective non-prod instances | Error |
| Configuration for a catalog is existing for one or more selected instance(s) already in configuration <config name>. Cannot have different configurations for instance(s). | For a catalog, custom configuration for selective instances already exists. User tries to create a different configuration for the same set of instances | Edit the custom configuration that exists for the selective instances | Error |
| Configuration for a catalog is existing for the all instance type already in configuration <config name>. Cannot have different configurations for selected instance. | For a catalog, custom configuration for “All” Instance type exists. User tries to create a different configuration for selective instances | Edit the existing configuration to apply to selective instances | Error |
| Configuration for the selected instance type is already present in configuration <config name>. Cannot have multiple configuration for same instance types. | For a catalog, custom configuration for an Instance type already exists. User tries to create a new configuration for the same type | Edit the existing configuration for the instance type | Error |
| Configuration for one or more prod instances are present in configuration <config name>, Cannot have prod instance type conflicting configuration for any of the prod instance(s). | For a catalog, custom configuration for specific prod Instance type exists. User tries to create a different configuration for a “All prod” instance | Edit the existing configuration to apply to All prod instances | Error |
| Configuration for a catalog is existing for the prod instance type already in configuration <config name>. Cannot have different configurations for a selected prod instance. | For a catalog, custom configuration for “All prod” Instance type exists. User tries to create a different configuration for a selective prod instances | Edit the existing configuration to apply only to selective non-prod instances | Error |
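
The missing-selection and instance-scope conflict rows in the alert table above can be checked on paper before a configuration is submitted. The following is an added illustration, not ServiceNow code: it models only the rows listed in the table, and the Config type, scope constants, instance names, group names and role names are all constructed for the example.

```python
from typing import NamedTuple

# Hypothetical labels for the four Instance tab options.
ALL, PROD, NONPROD, SELECTIVE = "all", "all_prod", "all_non_prod", "selective"

class Config(NamedTuple):
    name: str
    scope: str                           # one of the four options above
    instances: frozenset = frozenset()   # used only when scope is SELECTIVE
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    users: frozenset = frozenset()

def conflicts(a, b, is_prod):
    """True when the alert table lists a conflict between two custom configurations."""
    if SELECTIVE not in (a.scope, b.scope):
        # For two non-selective scopes the table only lists the same-type case.
        return a.scope == b.scope
    sel, other = (a, b) if a.scope == SELECTIVE else (b, a)
    if other.scope == SELECTIVE:
        return bool(sel.instances & other.instances)   # shared instance(s)
    if other.scope == ALL:
        return True                                    # "All" vs. any selective set
    want_prod = other.scope == PROD
    return any(is_prod[i] == want_prod for i in sel.instances)

def precheck(new, existing, is_prod):
    """Return the problems from the table that a proposed configuration would hit."""
    problems = []
    if new.scope == SELECTIVE and not new.instances:
        problems.append("no instances selected for Selective instances")
    if not (new.groups or new.roles or new.users):
        problems.append("no authorization group, role or user selected")
    problems += [f"conflicts with {e.name}" for e in existing
                 if conflicts(new, e, is_prod)]
    return problems

# Constructed sample data: instance name -> is it a production instance?
INVENTORY = {"acmeprod": True, "acmedev": False, "acmetest": False}
EXISTING = [Config("Dev team", SELECTIVE, frozenset({"acmedev"}),
                   groups=frozenset({"dev-admins"}))]

if __name__ == "__main__":
    proposal = Config("All non-prod", NONPROD, roles=frozenset({"example_role"}))
    print(precheck(proposal, EXISTING, INVENTORY))
```

Pairings the table does not mention, such as “All instances” alongside “All prod instances”, are deliberately reported as no conflict here because the page does not state how they are handled.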