
About RBAC

GroundWork Monitor incorporates Role Based Access Control (RBAC) to enable Administrators to restrict specific system access to authorized users. This includes access control at the role level for menu navigation, inventory visibility and configuration of inventory entities including host groups, service groups, and custom groups. 

Groups, Roles, Users

A user's access to GroundWork Monitor menu options and inventory is based on the associated roles. Roles are assigned to users to determine a user's access. The GroundWork default system users and roles and their assignments are admin/Admin and admin/BSM-Admin, operator/Operator, user/User and user/BSM-User. These system defaults cannot be deleted.

TIP

  • If a user is given a role that is a restricted role (e.g., access to a single host group), and also given the BSM-User role or the BSM-Admin role, the user will have some elevated permissions, such as capability to view all hosts and hostgroups.
  • Inventory role restrictions have not been ported to all the applications in GroundWork Monitor. Some menu items (e.g., Dashboards > Log Analysis) allow access to the full range of application functionality to users who have access to the menu item. Care should be taken when allowing access to menu items to ensure no users who do not have clearance, training or experience can use them. 

Roles are assigned access to inventory through Groups, including host groups, service groups, and custom groups. This controls which users can see which monitored resources in inventory, i.e., which groups of hosts and/or services. Assigning any of the group types to a role sets an access control allowing users with that role to access resources in the group.

If a role is left without specific access to any group of any type, the role gets full access to all inventory. If a role has access to more than one group, or a user is a member of more than one role, the user can access the union of all resources in all groups assigned to their roles. 

As an example, an East Region role is restricted to host groups host-group-a and host-group-b, the service group service-group-a, and the custom group custom-group-a. Roles are assigned to users, therefore any users assigned the East Region role will be restricted to host-group-a, host-group-b, service-group-a, custom-group-a inventory. Additionally, roles are assigned to menu items, therefore any menu items assigned the East Region role will be accessible to users with that role. In addition, inventory accessed through applications on those menu items will generally be restricted to host-group-a, host-group-b, service-group-a, custom-group-a inventory.
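
The access rules above (no groups means full inventory, several groups or roles mean the union, BSM roles add visibility) can be checked with a small model. This is an added example, not GroundWork code: the `Role` class, the finding names, and the West Region and Audit roles are hypothetical.

```python
from dataclasses import dataclass, field

FULL = "ALL INVENTORY"                  # marker: no inventory restriction applies
BSM_ROLES = {"BSM-Admin", "BSM-User"}   # roles the TIP says add elevated visibility


@dataclass
class Role:
    name: str
    host_groups: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)
    custom_groups: set = field(default_factory=set)

    def groups(self):
        return self.host_groups | self.service_groups | self.custom_groups


def effective_access(roles):
    """Return (scope, findings) for the roles held by one user."""
    # Assumption: BSM roles are modelled only through the TIP's elevation,
    # not through the "no groups means full access" rule.
    plain = [r for r in roles if r.name not in BSM_ROLES]
    restricted = [r for r in plain if r.groups()]
    unrestricted = sorted(r.name for r in plain if not r.groups())
    bsm = sorted(r.name for r in roles if r.name in BSM_ROLES)

    findings = []
    if restricted and unrestricted:
        # A role with no groups grants everything, so the union is everything.
        findings.append(("restriction-nullified", unrestricted))
    if restricted and bsm:
        findings.append(("bsm-elevation", bsm))

    if unrestricted:
        return FULL, findings
    # Otherwise the user sees the union of every group on every role.
    return sorted(set().union(*(r.groups() for r in restricted))), findings


# Constructed sample roles; "East Region" mirrors the example in the text.
EAST = Role("East Region", {"host-group-a", "host-group-b"},
            {"service-group-a"}, {"custom-group-a"})
WEST = Role("West Region", {"host-group-c"})   # hypothetical second role
AUDIT = Role("Audit")                          # hypothetical role, no groups
BSM_USER = Role("BSM-User")

if __name__ == "__main__":
    for held in ([EAST], [EAST, WEST], [EAST, AUDIT], [EAST, BSM_USER]):
        print([r.name for r in held], "->", effective_access(held))
```

A non-empty findings list marks a user whose restricted role does not actually limit what they can see.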

Menu Items

Roles are also assigned access to applications through Menu items. This controls which users can access which menu items. The Administration > Menu Editor feature allows administrators to customize the GroundWork menu by modifying top-level and sub-menu items and permitting secure access by role.

For example, the user user has access to the Configuration > Nagios Monitoring > Hosts menu item, but to no other Nagios Monitoring menu items. Why? Because, by default, the menu item Configuration permits All Roles*, the menu item Nagios Monitoring permits All Roles*, and the menu item Hosts permits All Roles*. However, all other Nagios Monitoring sub-menu options are assigned to only the role Admin. Therefore, the user user, which is assigned the role User, will have restricted access to only the Hosts menu item.

Similarly, the user admin has access to all Dashboards, whereas, again by default, the user user has access to a subset of Dashboards.
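
The menu rule above, together with the earlier TIP about menu items that do not enforce inventory restrictions, can be audited as follows. This is an added example, not GroundWork code: the menu assignments are constructed, and it assumes a menu item is reachable only when every level of its path permits one of the user's roles.

```python
ALL = "All Roles"

# Constructed menu ACL: path -> roles permitted on that item (not a real export).
MENU = {
    ("Configuration",): {ALL},
    ("Configuration", "Nagios Monitoring"): {ALL},
    ("Configuration", "Nagios Monitoring", "Hosts"): {ALL},
    ("Configuration", "Nagios Monitoring", "Services"): {"Admin"},
    ("Dashboards",): {ALL},
    ("Dashboards", "Status"): {ALL},
    ("Dashboards", "Log Analysis"): {"Admin", "East Region"},
}

# Items the page names as not enforcing inventory role restrictions.
UNSCOPED = {("Dashboards", "Log Analysis")}


def permitted(path, roles, menu=MENU):
    """True when every level of the path permits one of the given roles."""
    for depth in range(1, len(path) + 1):
        allowed = menu.get(path[:depth])
        if allowed is None:
            return False                      # unknown item: deny
        if ALL not in allowed and not (allowed & set(roles)):
            return False
    return True


def reachable(roles, menu=MENU):
    """Sorted list of menu paths the given roles can open."""
    return sorted(" > ".join(p) for p in menu if permitted(p, roles, menu))


def unscoped_exposure(restricted_roles, menu=MENU):
    """Map each inventory-restricted role to unscoped items it can open."""
    report = {}
    for role in restricted_roles:
        hits = sorted(" > ".join(p) for p in UNSCOPED
                      if permitted(p, [role], menu))
        if hits:
            report[role] = hits
    return report


if __name__ == "__main__":
    print(reachable(["User"]))
    print(unscoped_exposure(["East Region", "West Region"]))
```

Any role reported by `unscoped_exposure` can see the full range of that application despite its group restrictions.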

Default roles and menu items

The table below outlines the default GroundWork menu structure and the default user and role access. The top-level and sub-level options are listed in the leftmost column, and the default users and roles along the top two rows.

For each menu option the   symbol indicates it is accessible by all roles. The  symbol indicates the menu option is accessible by only the checked role. For example, the menu folder Administration has several underlying Menu Items, including My Account, Users, Roles and so on. Administration is accessible by all roles and so is My Account, however the Users menu option is only accessible by the Admin role and the admin user.

User: admin, operator, user

Role: All, Admin, Operator, User, BSM-Admin, BSM-User

Administration >
   My Account
   Users
   Roles
   LDAP
   Security
   License
   Plugins
   Audit Log
   Menu Editor
   Branding
Configuration >
Nagios Monitoring >
   Control
   Groups
   Hosts
   Services
   Profiles
   Commands
   Time Periods
   Contacts
   Escalations
   Maintenance (+ sub items)
Downtime >
   List
   Host
   Host Group
   Service Group
BSM and SLAs >
   BSM
   SLAs
   SLA Dashboards
Auto Discovery >
   Discovery
   Automation
Cloud Hub
Connectors
Network Discovery
Notifications
   Notification Methods
   Configuration
Devices
   Black List
   Alias
Custom Groups
Dashboards >
   Status
   Insight
   His List
   NOC Board
   Events
   SLA Carousel
   Graphs
   Log Analysis
   Virtualization
Nagios (+ sub items)
Reports >
   SLA Reports
   Custom Reports

Resetting a Password from Docker Host CLI

In cases where users cannot access the GroundWork Monitor user management within the UI, you can reset a password for a known local user from the Docker host CLI.

  1. From the command line, navigate to the /gw8 directory.
  2. Run the following command to reset the default local admin account. This will reset the admin password to the installation default password admin.

    [gwos@gw8-server gw8]# docker-compose exec pg psql -c "update gwuser set passwordhash ='#admin' where name ='admin';"
    UPDATE 1

RBAC Tutorial

GroundWork Monitor incorporates Role Based Access Control (RBAC) to enable Administrators to restrict specific system access to authorized users.

WHAT YOU WILL LEARN

  • How to add Groups used to control monitoring inventory access.
  • How to add Roles and assign Groups.
  • How to add Users and assign Roles. 

GETTING STARTED

  • Log in to GroundWork Monitor as a user with an Administrator role (e.g., admin/admin), then expand and follow each section below.


  1. Navigate to Configuration > Custom Groups. Host groups and service groups are used to create custom groups.
  2. To create a host group, click the Host Groups tab.
    • Click the icon.
    • Fill in the fields for Name (must be unique), Alias, and Description.
    • For Group Membership, in the corresponding box start typing a host name to search for hosts. Check the boxes next to the hosts to be added to the host group, or select Add All to add all of the filtered hosts to the Selected Hosts list; each can then be unchecked to remove it. Selecting Clear will clear the list of filtered hosts.
    • Click Add to create the new host group.
  3. To create a service group, click the Service Groups tab.
    • Click the icon.
    • Fill in the fields for Name (must be unique), and Description for the new service group.
    • For Select Services, in the box for Search for services enter a specific service name or a partial service name, then select a service and the associated hosts will be populated based.
    • Use the Search for hosts entry to filter hosts for the selected service, and select from the filtered list, or click add all to select all services and hosts based on filtered criteria. Clicking the orange All button will remove the filter for host and list all hosts based on the selected services.
    • Selections are marked in grey, and each can be eliminated by clicking the corresponding X. Selecting Clear Existing will undo the current selections, and selecting Clear Selection will clear the current filters.
    • Click Create to add selections to the new service group.
  4. To create a custom group, click the Custom Groups tab.
    • Click the CG+ icon.
    • Fill in the fields for Name (must be unique), and Description for the new custom group.
    • For Group Membership, in the box for Type to search for groups enter a specific group name or a partial group name, then select (check) each available group to be added as a custom group member.
    • Click Add to save the custom group.

TIPS

  • Host groups created using Configuration > Nagios Monitoring > Hosts > Host Groups are also available to add to a Custom Group. These will be automatically listed under Available Groups.
  • A custom group can be edited by right clicking the title and selecting Edit, Delete or Other, each described below:
    • Edit: Remove or add group members.
    • Delete: Group, or Group and make children root nodes. Group removes a custom group and all of its members; Group and make children root nodes removes the custom group and makes any associated children become root nodes.
    • Other: Detach and make root detaches the custom group and moves it with any children to the root level.

  1. Navigate to Administration > Roles.
  2. Click the  icon at the top right of the screen.
  3. Enter a Role Name:
    • If the role should have access to all monitored inventory, proceed to Save without assigning host groups.
    • If the role should have access to a subset of monitors, click in the areas for Host Groups, Service Groups, and/or Custom Groups and select groups, then Save.
  4. The new role can now be assigned to a user(s).

TIPS

  • Default system roles include Admin, Operator, User, BSM-Admin and BSM-User; these cannot be removed.
  • By default, the user account admin is assigned the system roles Admin and BSM-Admin, the user account operator is assigned the system role Operator, and the user account user is assigned the system roles User and BSM-User.

  1. Navigate to Administration > Users.
  2. Click the icon at the top right of the screen.
  3. Enter the fields for User Name (e.g., first initial last name) and First Name, Last Name, and Email Address.
    • Continue by clicking No Roles Assigned to assign appropriate role(s) for the user. 
    • If LDAP is enabled you can enter the LDAP User Name.
    • Optionally, click the user image to add a new image.
  4. Click Save.
  5. Enter and confirm a user password, click Set password.

TIPS

  • Default system users include admin, operator, and user.
  • If you are creating a new user with the Admin role you may want to consider also adding the BSM-Admin role, which will enable the user to fully utilize the BSM application and create contacts for notifications.
  • LDAP user passwords cannot be changed in this UI.
  • Existing user configurations can be edited using the action icons at the top of the Administration > Users page, where you can add users, and modify roles, deactivate/activate, and remove selected (checked) users.
  • To change a user's password as an Administrator, from the Administration > Users page click into a user's name and select Change Password. Non-administrative users may change their own passwords.

    In cases where users cannot access the GroundWork Monitor user management within the UI, a password can be reset for a known local user from the Docker host CLI. Navigate to the /gw8 directory and run the following command to reset the default local admin account, which will reset the admin password to the installation default password admin.

    [gwos@gw8-server gw8]# docker-compose exec pg psql -c "update gwuser set passwordhash ='#admin' where name ='admin';"
    UPDATE
