SLA checks and account limitations

njoylif

we have customers that we expose their map to them for monitoring (we own and manage the gear).  We use IPSLA pings to go across the WAN as most of our WAN has GRE tunnels across MPLS or VPN and those interfaces will show up even if no connectivity.

so, I can allow them to see their IPSLA if I include the view for their account, but a savvy user could change the URI from (i.e.):

http://orion.xxxxxx.int/Orion/Voip/IpSlaOperation.aspx?NetObject=ISOP:327

to

http://orion.xxxxxx.int/Orion/Voip/IpSlaOperation.aspx?NetObject=ISOP:435

and actually see another customer's IPSLA.

I think the same would go true for any other module that does not have ability to include in account limitations.

am I missing something or anyone have any ideas?

I've created a ticket and will keep thread updated:  383024

jiri.tomek

Hello njoylif,

group limitations does not limit to group content globally in this version. If you for example have a group with two operations and limit user to this group, user will see only this group on "groups" resources but will still see all operations on other resources.

As Robert mentioned, you should set the limitation to a node or group of nodes. Each IPSLA operation has a source and destination node. If you set account limitation for the user to "single node" or "group of nodes" and select nodes that are set as source for users' operations, it should limit user to see just those operations. However if same node is source for multiple operations for multiple users, it may allow these users to see others operations as well. Then you may try to use destination nodes instead of source nodes if possible.