We have a multi-company IT shop. One group manages the hardware/infrastructure (network, routers, etc.), another the servers (actually these are split up depending on the platform type - Windows vs non-Windows), another group maintains some applications/databases, a cyber security group, helpdesk group, desktop support group, and another company manages another group of applications & its services. We spend a lot of time setting up groups & permissions, etc. to give people the right access to the right machines. SolarWinds appears to disregard all of this security and allow this to be overridden fairly easily. We just installed SAM 5.5 and now users can start/stop services, reboot machines, monitor processes & terminate them, if the permissions are given at the user or group level. This is another level of security that I don't think the SW administrator should have to deal with nor be responsible for. Ideally, at our installation, some groups should only have view information for some nodes, and more permissions on other groups of nodes. I don't see how I can replicate this within the SAM setup options. Unless I'm missing something, permissions to start/stop services are at the user level, not at the node group level. Wouldn't it be more secure to use the permissions already set up? I understand some of them are specific to SolarWinds and would need to be maintained there, but others aren't. It's making me very leery of giving our entire IT staff access to SolarWinds in fear that they will gain permissions that they should not have.
Is there a white paper on how to best set up the software given this scenario to limit reworking it later and to minimize the workload?
Right now, I added two custom fields to the nodes, with the admin email address and the application admin email addresses. I've also created a couple node groups, let's call them 'Application group 1 production servers' and 'Application group 1 test servers' for this conversation. I set up a test user and gave them permission to the application group 1 production & test servers, which seems to be working OK. (I had to remove their IPAM access and the NetFlow screens because it appears to be giving them access to all nodes.) However, it is only showing them the apps for their nodes, which is great. Is this the preferred method for my situation? If there are links in alerts, will someone be able to gain access to a node they shouldn't?