Displaying SolarWinds dashboards securely for non-SolarWinds users

I work for one of the largest retailers in the US. We have thousands of stores in 3 countries, and cover timezones from the east coast of the US to the shores of Hawaii.

We have developed a cross-department opening team that includes senior staff from ALL departments, and they have the job of conducting readiness evaluations for each time zone, where they do one in advance of the open hour, and one just after the opening hour. The idea is to reduce MTR as it impacts the retail environment. Hundreds of thousands of dollars are saved each time we solve a problem before the retail environment is impacted. As the time zones sweep by, the load on our systems is gradually increased, and this effort increases visibility of a part of day where a problem is most likely to occur, shaving MUCH time off the gap between an alarm, and a full engagement of all the teams needed to resolve a problem. Each problem becoming a half million dollars cheaper, as a general theory.

With overnight change windows, with changes coming in from multiple application teams, network teams, cybersecurity teams, this effort is effective at reducing the impact of incidents impacting the retail operation.

We are so large, we are too large for a single SolarWinds NPM deployment. AND not all of the teams are networking teams, so most of them do not have access to SolarWinds, and duty rotates across their senior engineers, so a non-network-engineer might only need access to solarwinds for a brief period of time. This results in a requirement to present SolarWinds dashboards, to users that are not solarWinds users.

I'm in the Cybersecurity side of the house, so turning security off with the DirectLink user is a non-starter. That feature is desirable for specific dashboards, but when I tested it I was able to find multiple security exposures it creates, including the ability to change the password of the account, breaking everything that uses it. My direct link user has every permission turned off, every tab turned off... Yet it has access to everything, and has tabs that have buttons that can cause damage. So this is just not a solution.

There is the option to hand out access to SolarWinds, but the approval process, and the need to tear it back down later creates a maintenance cost. AND when a non-network engineer tries to find his way around inside of SolarWinds, he can quickly stumble into red alarms that do not really exist, and create emergency escalations solving problems he created by not being experienced with SolarWinds.

I have perfected the dashboard for these teams using Orion Maps, giving them almost intuitive drill-down all the way to the fan and power supply level. But only SolarWinds accounts can see it. So I am looking for a way to share that Orion Map structure with a wider audience.

We tried to display it in a frame, but that quickly dropped us into re-creating the cross-sight scripting vulnerability that we spent half of last year fixing with the Log4j fiasco. So we aren't going to be displaying this in a frame. My head programmer even tried to do some tricks to get around this, and quickly found that easier said than done.

So this is the problem, and by reading the forums I see that other people over the years have had similar requirements to share SolarWinds dashboards with non-SolarWinds users. So the first question is, has your company solved this problem? If so, what did they do?

Use the API Luke!

So yeah, this is a job for SWQL.

Using SWQL, can I directly query the Orion Maps data? For example, I have a node and drop it on a map, the node is green. If I drop that pam on another map, it bubbles up with green. BUT if I create a resource map of a node, I might see memory is yellow, and a disk is red. So when I drop a node on a map, I drop the node's resource map (basement map?) right next to the node, and now the yellow or red are available to bubble up into the higher levels of the map. The top level map only has a small number of objects, and the network status can be read in a 100ms glance. And detail is available by drilling in. (drilling in on Orion Maps is non-intuitive and REQUIRES training to be successful, a weakness in the solution) My leadership LOVE Orion maps. With Orion Maps they get exactly what they need, at a speed they appreciate. Yay Orion Maps!

Second question. Is there a way to get the data in a specific Orion Map, and it's drillable child maps, in a single SWQL query? If not, what query should I use to pull all of the monitored objects states? Is there a query you can use to tell you everything about a node's state and the state of all it's monitored components? Obviously I don't want to pull is data for system I do not monitor, so if Cisco ISE always has cache and shared memory exceeding threshold, if I don't select it in the "List Resources" page for a node, I do not need to be pulling that into the report (these are the red alarms a non-network engineer will attempt to escalate because they are too easy to accidently find with the search tool an inexperienced user tends to use, leaving me to explain how computers work to an executive misinformed about a non-problem over and over.

Does anyone have a suggestion on the right approach to pulling all monitored data on a single node? Or perhaps a list of nodes belonging to a group defined in a Custom Property?

Obviously getting the data out id only half of the battle, but once the data is extracted, it will need to be presented on a web page that ultimately resembles my Orion Maps dashboard (with simpler point-and-click navigation).

We have a application we are developing for the operations teams where this web page will live, and we already have the users using that application, so dropping a new page on that will not be creating any new work for entitlement management because that work is already done, we are just adding one more web page.

I see people asking the same questions I do for over a decade, so I'm hoping we have some people with good examples of how they solved the problem. With any luck, I will be able to pull dashboard data from both of my SolarWinds installations, and combine the data into a single dashboard.

Thanks!

Find more posts tagged with

external dashboard

iframes

SWQL

orion maps

external users

Dashboards

directlink

Accepted answers

All comments

adam.beedell

The Not-Quite-The-Answer to the red questions is

1) Not with great satisfaction, saw someone on here recently taking the line of not-quite-directlink-but-something-simmilar. Got some code around pulling data out from behind the creds wall for images. Havnt worked quite the same problem as you though.

2) The single query part is the hard part. Maps are a container, so you can pull map objects via a [select from orion.containers where ID = x] query. Doing it recursively for submaps I dont know a good method for. Could be scripted fairly easily by adding a loop though. There's some extensive documentation on SQL recursion but it hurts my brain.

3) I think this is a recursive thing again unless you like join everything which seems like a performance issue waiting to happen. "All" is the hard bit, like you could select from a large list, but all requires some weird solutions.

Someone on here YEARS back had a very clever "what's causing my bad status" code, which is along these lines. I dont have it to hand

bobmarley

Is there any reason you are not using the alerting engine to simply send alerts to those responsible for each region? We assign each device an 'owner' which is the team that supports that specific device for that geographical area and the alerts go directly to the ticketing system and routed to the appropriate team.

mesverrum

So getting into real web dev best practices there is no actual secure, legit way to siphon pages or UI elements out of one website and present it cleanly in another website. That whole scene is riddled with buggy behavior and security loopholes to where anyone who designs websites for at least the last 10 years has known it's just not to be done.

The real solution for taking data from one website and displaying it in another without introducing all these bad practices is to have a front end dev write a website that uses server side scripts to reach out to the Orion API and requests whatever data is pre determined to be needed and then create your own presentation layer, probably in javascript. It sucks to do it because it sounds like Orion maps is probably like 90% of what you need, but unfortunately it is only going to be available to users of the Orion web console and makes you dependent on the security practices that are, or are not, implemented by the SW devs. Taking that info and exposing it to non users and having a different security model basically forces you to reinvent almost all of the UI functionality that the SW devs already created. Thats the reason why you see people wishing they had something like that going back through the entire history of the product but nobody actually coming through on it, because it is a serious dev effort with ongoing costs to keep it in sync with all the tools people want to tie it to.

It's not just going to be one easy query, it's going to be a lot of small queries as you load things into the UI you want to build and ends up requiring someone to get a pretty encyclopedic understanding of SWQL. I've actually seen a few MSP's around the world who do have their own presentation layer that they present between their customers and the underlying Orion instance. They needed it because their multi tenant relationships with their clients obviously require way more control about user permissions and visibility than what SW devs would be thinking about since they don't generally focus on multi tenancy as a core feature to most of their customers.

The best abstraction layer I have seen for data viz that isn't entirely rolling your own would be to use Grafana, but it's probably still a fair bit more clunky than what you are imagining.