Users roles permissions
Click the link above if you are not automatically redirected in 10 seconds.
Role Based Access Control
GroundWork Monitor incorporates Role Based Access Control (RBAC) to enable Administrators to restrict specific system access to authorized users. This includes access control at the role level to menu navigation, inventory visibility and configuration of inventory entities including hosts, services, host groups, service groups, and custom groups.
Users
User access to GroundWork Monitor menu options and inventory is based on associated roles.
ROLES are assigned to USERS. This determines user access.
- The default system users include admin, operator, and user.
- The default system roles include Admin, Operator, User, BSM-Admin, and BSM-User.
- The default user/role assignments are admin/Admin and admin/BSM-Admin, operator/Operator, user/User and user/BSM-User.
- These system defaults cannot be deleted.
Groups
ROLES are assigned access to inventory through GROUPS, including host groups, service groups, and custom groups. This controls which users can see which monitored resources in inventory, i.e., which groups of hosts and/or services.
- Assigning any of the group types to a role sets an access control allowing users with that role to access resources in the group.
- If a role is left without specific access to any group of any type, the role gets full access to all inventory.
- If a role has access to more than one group, or a user is a member of more than one role, the user can access the union of all resources in all groups assigned to their roles.
- An example:
- An East Region role is restricted to host groups host-group-a and host-group-b, the service group service-group-a, and the custom group custom-group-a.
- Roles are assigned to users, therefore any users assigned the East Region role will be restricted to host-group-a, host-group-b, service-group-a, custom-group-a inventory.
- Roles are assigned to menu items, therefore any menu items assigned the East Region role will be accessible to users with that role. In addition, inventory accessed through applications on those menu items will generally be restricted to host-group-a, host-group-b, service-group-a, custom-group-a inventory.
Inventory role restrictions
Inventory role restrictions have not been ported to all the applications in GroundWork Monitor. Some menu items (e.g., Dashboards > Log Analysis) allow access to the full range of application functionality to users who have access to the menu item. Care should be taken when allowing access to menu items to ensure no users who do not have clearance, training or experience can use them.
Menu Items
ROLES are assigned access to applications through MENU ITEMS. This controls which users can access which menu items.
- The Menu Editor application allows administrators to customize the GroundWork menu, by modifying top-level and sub-menu items and permitting secure access by role.
- An example: The user user has access to the Configuration > Nagios Monitoring > Hosts menu item, however no other Nagios Monitoring menu items.
- Why? Because, by default, the menu item Configuration permits All Roles*, the menu item Nagios Monitoring permits All Roles*, and the menu item Hosts permits All Roles*. However, all other Nagios Monitoring sub-menu options are assigned to only the role Admin. Therefore, the user user which is assigned the role User will have restricted access to only the Hosts menu item.
- Similarly, the user admin has access to all Dashboards, where, again by default, the user user has access to a sub-set of Dashboards.
Default roles assigned to menu items
The table below outlines the GroundWork menu structure listing the top-level options, sub-level components, and the default roles assigned. For example, the menu folder Administration, has several underlying Menu Items, each with their assigned role. Users assigned the Admin role can access all Administration menu items, all other roles can only access My Account.
** includes underlying items
Users > | admin | operator | user | ||||
Roles > | Admin | Operator | User | BSM- Admin | BSM-User | ||
Administration > |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
My Account |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Users |
fas fa-check
| ||||||
Roles |
fas fa-check
| ||||||
LDAP |
fas fa-check
| ||||||
Security |
fas fa-check
| ||||||
License |
fas fa-check
| ||||||
Plugins |
fas fa-check
| ||||||
Audit Log |
fas fa-check
| ||||||
Menu Editor |
fas fa-check
| ||||||
Configuration > |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Nagios Monitoring > |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Control |
fas fa-check
| ||||||
Groups |
fas fa-check
| ||||||
Hosts |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Services |
fas fa-check
| ||||||
Profiles |
fas fa-check
| ||||||
Commands |
fas fa-check
| ||||||
Time Periods |
fas fa-check
| ||||||
Contacts |
fas fa-check
| ||||||
Escalations |
fas fa-check
| ||||||
Maintenance ** | fas fa-check | ||||||
Downtime > |
fas fa-check
| ||||||
List |
fas fa-check
| ||||||
Host |
fas fa-check
| ||||||
Host Group |
fas fa-check
| ||||||
Service Group |
fas fa-check
| ||||||
BSM and SLAs > |
fas fa-check
|
fas fa-check
| |||||
BSM |
fas fa-check
| ||||||
SLAs |
fas fa-check
| ||||||
SLA Dashboards |
fas fa-check
| ||||||
Auto Discovery > |
fas fa-check
| ||||||
Discovery |
fas fa-check
| ||||||
Automation |
fas fa-check
| ||||||
Cloud Hub |
fas fa-check
| ||||||
Network Discovery |
fas fa-check
| ||||||
Notifications |
fas fa-check
| ||||||
Devices ** |
fas fa-check
| ||||||
Custom Groups |
fas fa-check
| ||||||
Dashboards > |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Status |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Insight |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
His List |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
NOC Board |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Events |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
SLA Carousel |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Graphs |
fas fa-check
| ||||||
Log Analysis |
fas fa-check
| ||||||
Virtualization |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
Nagios ** |
fas fa-check
| ||||||
Reports > |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
| ||
SLA Reports |
fas fa-check
|
fas fa-check
| |||||
Custom Reports |
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
fas fa-asterisk
|
Related articles
-
How to configure LDAP (Knowledge Base)
-
How to create a new role (Knowledge Base)
-
How to create a new user (Knowledge Base)
-
How to create Custom Groups (GroundWork Support 8)
-
How to manage menu items (Knowledge Base)
-
LDAP Mapping (GroundWork Support 8)
-
Menu Editor (GroundWork Support 8)
-
Users Roles and Permissions (GroundWork Support 8)