Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

AD Integration shortcoming

What rights does Deltona have when he logs onto the Orion Web Console using passthrough auth?

Is there any privilege fallback built in to Orion in this case? What if the user is accidentally added to the other group as well.

Say Deltona should only have read only rights, what should be done in Orion, not on the AD. This scenario should be considered as is. In other words, as designed.

No errors have been made when creating the user in the group(s).

The way i see it is you wouldn't be able to control or hinder Deltona from logging in even if you create his account as a standalone Windows AD account in Orion and change his access rights.

AD_Integration_Groups_And_User_Rights.png

Find more posts tagged with

Accepted answers

All comments

Deltona

Bump!

netlogix

From what I have seen it is an ordered operation, like a network access list. As soon as a match occurs, it gets that access. So if a user is part of the first group then he gets all the right given to the first group. But it first checks if a specific user is added directly, then orion never checks any group membership. (Though I have seen something like group caching, but if you click the top right "log out", your bread crumbs go away and you are re-evaluated).

if you created deltona as a direct user set it as read only, he should be read-only (you might need to run this sql "delete FROM [WebUserSettings] where AccountID = 'deltona' " or log out to clear up bread crumbs).

I am not sure what happens if you disable the user, but I suspect he would have no access.

Deltona

Hi there,

Meh, this makes it more complex, especially considering there are no individual AD users but only AD groups. There should be a built in fallback feature that controls this behaviour automatically without the need to intervene. Whether console admin or read only user, it should just work. I can't ask someone who is supposed to have read only rights to log out and log in again manually.

It would be best if the user privileges fall back to read only if something like this happens.

Can we get some PM/Dev involvement in this please?

netlogix

you can add individual users, you do it in the individual users tab instead of the groups tab.

Deltona

Hi again,

Sure you can add individual users but what if AD integration is enabled and the AD group in which the user is found has been added to Orion. Once the user logs on to the domain and opens Orion's URL in the browser, he'll log in directly.

I canot remove the AD group as there are tons of other users in that group that need to login to Orion.

I canot remove the user in question from one of either groups.

Lastly, I canot tell that single user to log out every time he logs in directly to the console, then log in again with his individual account.

I can't see this working. Am I missing something?

netlogix

If you add the users individual AD user, it takes preference over and AD group and still does the auto logon.

As I stated above, you can also run "delete FROM [WebUserSettings] where AccountID = '<USERNAME>'" to force them to log off. Heck, you could truncate the entire table and all user preferences will be reset to default - you could do that every night.

It's no different than many other implementations, if a user logged on to a PC while in an administrator group, then you remove them from the admin group, that user would still have admin rights until he logged off and back on.

Deltona

Go it,

Thanks!