Read only JSS access - Casper 8 versus Casper 9

althea
Contributor

Hi folks,

We're testing Casper 9 while we maintain Casper 8 in production and have come across a puzzling discrepancy between the two when looking at setting up JSS accounts for folks whom we want to grant limited JSS access. I'm hoping we've just missed a checkbox somewhere, and/or someone has already encountered and resolved this.

In Casper 8, I can set up an account in the JSS for a user (JSS > Settings > Accounts) and simply check the "View Inventory Tab" box (listed under "JSS - Inventory Tab Privileges") to allow a user to log in, click inventory and do searches and NOT view entire records. An equivalent item does not appear to exist in Casper 9 (JSS > Settings > JSS User Accounts and Groups), and the closest I can find is "Computers". Unfortunately, choosing to allow "Read" for the "Computers" option allows the account to search for records and then also view their entire contents (including a system's installed Applications, uptime, DOP, etc.), which is far more information than we want exposed by default.

It seems weird that the only way to allow an account the simple means to see if a record exists in the JSS is to let them view the entire contents of any record in the JSS.

I'm hoping there's a way in Casper 9 to replicate the limited access we have been able to grant users in Casper 8.

TIA for any insights!

pblake
Contributor III

I use Auditor.

talkingmoose
Moderator

Casper 9 introduced the concept of most everything in the JSS, and the Casper applications too, as being objects and then objects having permissions for create, read, modify and delete. Each JSS user can have its own level of permissions to access these objects.

I'm not sure if there's a way to allow a user to see the existence of an object without seeing its properties too. What are you trying to accomplish by allowing someone to only know a computer exists in the JSS? What's the concern with allowing access to see the properties of computers? Have you considered using Sites to limit the scope of machines a user can see?

althea
Contributor

@talkingmoose, you raise a good point about the object paradigm in Casper 9, and just looking at the way the account access settings are laid out in Casper 9 it is very clear that there have been big changes.

It's really the depth of info about systems that it would be nice to have some granular control over. We have one staff member that needs to be able to look up systems by MAC and see who related users are to do their job, but certainly doesn't need to have visibility into the specs of the system the president of the company uses, the configuration profiles in place on employee X's system, or who in department Y has or hasn't run the updates that they were instructed to run last week. None of that is the staff member's concern, and we just want to grant access to the limited amount of info they need to get their job done.

It could be argued that we're trying to use Casper to prevent issues with humans here (call it nosiness, busybody behavior, whatever). But it was possible in Casper 8 and it's disappointing that we can't seem to replicate the same in Casper 9. Using Sites won't help because we can't limit the user's access to ranges of machines -- we want to limit access to the depth of information available about all machines.