Users, Roles and Permissions

Role Based Access Control

This page reviews the GroundWork Monitor default system users, roles and permissions managed from the Administration menu option.

A users menu options and inventory access is based on their role.

  • GROUPS: Roles are assigned access to the inventory for the entities host groups, service groups, and custom groups. This controls what users can see.
  • MENU ITEMS: Roles are assigned access to applications via the Menu Editor. This controls which menu items are available to roles.
  • USERS: Roles are assigned to users. This determines users access.
    role based access control

Default system users and roles

By default, the GroundWork Monitor system users include admin, operator, and user,

default system users

and system roles include Admin, BSM-Admin, BSM-UserOperator, and User. The default system users and roles cannot be deleted.

default system roles

Groups and roles

Roles can be assigned specific host groups, service groups, and or custom groups. This ability controls which users are able to view which monitors. 

Assigning any group type sets a restriction for a role. If a role is left with unrestricted access to any group type, the role gets full access.

This this example, the East Region role and any users assigned this role will be restricted to the host groups DOCK-M:cadvisor and HG2, the service group SG1, and the custom group Docker

edit role

Roles are assigned to users. In the image below you can see the user operator is assigned the role Operator.

edit user

Menu items and roles

To control what a user can access, Roles are assigned to menu items. 

The Menu Editor feature allows administrators to customize the GroundWork menu by modifying top-level and sub-menu items, and assigning secure access by role. See How to manage menu items for details.

For example, in Administration > Menu Editor, each menu item shows its associated Role(s) which determines access. Access by all roles are indicated by the * symbol.

menu items and roles

Clicking the Dashboards folder (from above) displays its sub-level menu options.

The menu options Graphs and Log Analysis have the assigned role of Admin, where the other dashboards are accessible by all roles.

This means all Roles can access the top level Dashboards menu option, however only the Admin role can access the sub-menu options Graphs and Log Analysis.

menu item role default

The table below outlines the GroundWork menu structure listing the top-level options, sub-level components, and the default roles assigned.

For example, the menu folder Administration, has several underlying Components, each with their role AssignmentUsers assigned the Admin role can access all Administration menu items, all other roles can only access My Account.

FolderUnderlying ComponentsAssignments
AdministrationMy Account, Users, Roles, LDAY, Security, License, Plugins, Audit Log, and Menu Editor.Admin role is assigned to all components, except My Account is assigned all * roles.
ConfigurationNagios Monitoring, Downtime, BSM and SLAs, Auto Discovery, Cloud Hub, Network Discovery, Notifications, Devices, Custom Groups.Admin role is assigned to all components, except Nagios Monitoring is assigned all * roles, and BSM and SLAs is assigned Admin, BSM-Admin roles.

Note: All Nagios Monitoring underlying components are assigned Admin role, except Hosts is assigned all * roles.
DashboardsStatus, Insight, Hit List, NOC Board, Events, SLA Carousel, Graphs, Log Analysis, VMware, NagiosAll * roles are assigned to all components, except GraphsLog Analysis, and Nagios are assigned Admin role.
ReportsSLA Reports, Custom ReportsAll * roles are assigned to all components, except SLA Reports is assigned AdminBSM-Admin roles.

my account all role access

Related articles