Restrict Node Management by custom property or group membership, while still allowing views?

ahbrook

First off, I need to apologize if this is a duplicate of another question that has been asked. I have tried searching for my use case, and I don't see anything that exactly matches it.... but I might just be bad at articulating what I'm looking for.

We are a mid-sized University, where our infrastructure IT is going to be eventually offering Orion access to our other units, departments, and IT staff on campus.

We want to empower our partners to do as much as possible in a self service fashion (with appropriate training and audit logs), but at the same time we want to protect the health of the overall IT network.

Is there a way to configure Orion so that everyone can see all elements of the network (IE no view limitations), but they are only able to manage their own servers/applications?

So, for example:

One of our units would be able to see the switch infrastructure (and statistics for it), but would not be able to use any of the node management options.

That same unit would be able to see some of our ERP servers (and the applications on it) but not be able to reboot or adjust the servers/applications.

But when it came to VMs that they requested and the apps on them, they WOULD have node management access, and the ability to modify the node or reboot it.

I've been through some of the beginner Solarwinds Academy courses (though alerting & reporting), but I'm not sure if what I'm looking for is possible. However, I am planning two controls that could help:

We're going to assign every node/application a "responsible party" custom property that will be set to a team or unit.

we're also going to leverage AD Groups for access, account limitations, and the like.

If push comes to shove, we can use account limitations to make sure certain groups can only see their own servers and applications. But I really, REALLY want the whole infrastructure to be visible, to help in reducing finger pointing and assist everyone in finding the root cause faster.

tony.johnson

Hello Tony,

1st off, Great Question and example of multi-tenancy use cases in Orion!  This is an area of particular interest to me and I am keen to understand your requirements in more detail to help improve the Multi-Tenant specific administration gaps in Orion.

Node administration rights are an All or Nothing user-level setting. If a user has Manage Nodes Rights they will have the ability to perform actions on all nodes for which they have visibility.

In a scenario whereby you have no user-level limitations defined, the user can remove Any and All nodes. If the node has an assigned application monitor, this will also be removed if the node is deleted.

If the user has Manage Nodes rights, and also have a view limitation defined, they will be able to add nodes and will only see those defined by the view limitation.

Server & Application Monitor specific features do allow for more granular control over Node Management Actions such as Real-Time Event Viewer, Process Explorer, Service Control Manager, and node reboot actions. Again this is a per-user level setting which prevents the ability to control it on a per device basis.

As Marc has suggested, a possible workaround may be to have a shared Read-Only account without any limitations, and secondary individual accounts that have the appropriate management rights and user limitations configured.