GroundWork Monitor incorporates Role Based Access Control (RBAC) to enable Administrators to restrict specific system access to authorized users.

About Role Based Access Control

RBAC includes access control at the role level to menu navigation, inventory visibility and configuration of inventory entities including hosts, services, host groups, service groups, and custom groups. 



User access to GroundWork Monitor menu options and inventory is based on associated roles.

ROLES are assigned to USERS. This determines user access.

  • The default system users include admin, operator, and user.
  • The default system roles include Admin, Operator, UserBSM-Admin, and BSM-User.
  • The default user/role assignments are admin/Admin and admin/BSM-Admin, operator/Operator, user/User and user/BSM-User.
  • These system defaults cannot be deleted.


ROLES are assigned access to inventory through GROUPS, including host groups, service groups, and custom groups. This controls which users can see which monitored resources in inventory, i.e., which groups of hosts and/or services.

  • Assigning any of the group types to a role sets an access control allowing users with that role to access resources in the group.
  • If a role is left without specific access to any group of any type, the role gets full access to all inventory.
  • If a role has access to more than one group, or a user is a member of more than one role, the user can access the union of all resources in all groups assigned to their roles. 
  • An example:
    • An East Region role is restricted to host groups host-group-a and host-group-b, the service group service-group-a, and the custom group custom-group-a.
    • Roles are assigned to users, therefore any users assigned the East Region role will be restricted to host-group-a, host-group-b, service-group-a, custom-group-a inventory.
    • Roles are assigned to menu items, therefore any menu items assigned the East Region role will be accessible to users with that role. In addition, inventory accessed through applications on those menu items will generally be restricted to host-group-a, host-group-b, service-group-a, custom-group-a inventory.


      If a user is given a role that is a restricted role (e.g., access to a single host group), and also given the BSM-User role or the BSM-Admin role, the user will have some elevated permissions, such as capability to view all hosts and hostgroups.

      Inventory role restrictions have not been ported to all the applications in GroundWork Monitor. Some menu items (e.g., Dashboards > Log Analysis) allow access to the full range of application functionality to users who have access to the menu item. Care should be taken when allowing access to menu items to ensure no users who do not have clearance, training or experience can use them. 

Menu Items

ROLES are assigned access to applications through MENU ITEMS. This controls which users can access which menu items. 

  • The AdministrationMenu Editor feature allows administrators to customize the GroundWork menu, by modifying top-level and sub-menu items and permitting secure access by role.  
  • An example: The user user has access to the Configuration > Nagios Monitoring > Hosts menu item, however no other Nagios Monitoring menu items.
    • Why? Because, by default, the menu item Configuration permits All Roles*, the menu item Nagios Monitoring permits All Roles*, and the menu item Hosts permits All Roles*. However, all other Nagios Monitoring sub-menu options are assigned to only the role Admin. Therefore, the user user which is assigned the role User will have restricted access to only the Hosts menu item.
    • Similarly, the user admin has access to all Dashboards, where, again by default, the user user has access to a sub-set of Dashboards.

      menu items

Default Roles and Menu Items

The table below outlines the default GroundWork menu structure and the default user and role access. The top-level and sub-level options are listed in the left most column, and the default users and roles along the top two rows.

For each menu option the   symbol indicates it is accessible by all roles. The  symbol indicates the menu option is accessible by only the checked role. For example, the menu folder Administration has several underlying Menu Items, including My Account, Users, Roles and so on. Administration is accessible by all roles and so is My Account, however the Users menu option is only accessible by the Admin role and the admin user. Toggle expandable table below.

 Click here to expand table

RoleAllAdminOperatorUserBSM- AdminBSM-User
Administration >

   My Account







   Audit Log

   Menu Editor

Configuration >

Nagios Monitoring >







   Time Periods



   Maintenance (+ sub items)

Downtime >



   Host Group

   Service Group

BSM and SLAs >



   SLA Dashboards

Auto Discovery >



Cloud Hub

Network Discovery


Devices **

Custom Groups

Dashboards >



   His List

   NOC Board


   SLA Carousel


   Log Analysis


Nagios (+ sub items)

Reports >

   SLA Reports

   Custom Reports

Adding a New Role

System Roles, which cannot be removed, include AdminOperatorUserBSM-Admin, and BSM-User. By default, the user account admin is assigned the system roles Admin and BSM-Admin, the user account operator is assigned the system role Operator, and the user account user is assigned the system roles User and BSM-User

This section steps through adding a new role, and indicating inventory access (you may want to visit How to create Custom Groups before creating a role). After adding a new role you will want to add it to a user(s) as described in the next section, and also to specific Menu items.

  1. Login as an Administrator and navigate to Administration > Roles.
  2. Click the  icon at the top right of the screen.
  3. On the New Role screen enter a Role Name. If the role should have access to all monitored inventory, proceed to Save. If the role should have access to a subset of monitors click in the areas for Host Groups, Service Groups, and or Custom Groups and select groups, and Save. The latter will restrict the role to only those groups.

    new role and inventory

  4. The new role can now be assigned to a user(s).

Adding a New User

Default system users include admin, operator, and user. This page steps through adding a new user.

  1. Login as an Administrator and navigate to Administration > Users.
  2. Click the  icon at the top right of the screen.
    create a new user
  3. On the New User screen, enter the user information:
    • Enter the fields User Name (e.g., first initial last name), First Name, Last Name, and Email Address.
    • Continue by clicking No Roles Assigned and assign appropriate role(s) for the user, e.g., East Region. Roles map to application pages, actions, hostgroups, service groups and custom groups. 

      If you are creating a new user with the Admin role you may want to consider also adding the role BSM-Admin. This will enable the user to fully use the BSM application and create contacts for notifications.

    • If LDAP is enabled you can enter the LDAP User Name.
    • Optionally, click the user image to add a new image.
    • Click Save.
      new user
  4. Enter, confirm and set a user password.

    LDAP user passwords cannot be changed in this UI.

    set password

  5. Existing user configurations can be edited using the action icons at the top of the Users page. In addition to adding users, each user selected can be updated; roles can be modified, status can be set (active/inactive), and users can be removed. To change a user password, click the user name and select Change Password. Non administrative users may change their own passwords.

Resetting a Password from Docker Host CLI

In cases where users cannot access the GroundWork Monitor user management within the UI, you can reset a password for a known local user from the Docker host CLI.

  1. From the command line, navigate to the /gw8 directory.
  2. Run the following command to reset the default local admin account. This will reset the admin password to the installation default password admin.

    [gwos@gw8-server gw8]# docker-compose exec pg psql -c "update gwuser set passwordhash ='#admin' where name ='admin';"
    UPDATE 1

Related Resources