Hello again,
We have Orion NPM and IPAM and are considering getting some additional modules (i.e. NTA, NCM, IPSLA). After several years of administering the Orion console, I was happy to see that the developers enhanced the account creation by allowing us to add Active Directory groups to Orion. This is very nice and I hope we can take advantage of it, so we no longer need individual accounts for each of our Orion users. However, there is something that puzzles me about this new feature, so I have questions as to how this is working for the rest of you.
Here is the deal. The way I see it, I may need to request for the AD group to create at least 9 groups in AD. The groups are something like:
Orion_NPM_IPAM_Full_Admin
Orion_NodeMgmt_IPAM_Admn
Orion_NodeMgmt_IPAM_PwrUsr
Orion_NodeMgmt_IPAM_Oper
Orion_NodeMgmt_IPAM_ReadOnly
Orion_No_NPMRights_IPAM_Admn
Orion_No_NPMRights_IPAM_PwrUsr
Orion_No_NPMRights_IPAM_Oper
Orion_No_NPMRights_IPAM_ReadOnly
Then, depending on what rights are needed by each of our users, I would add his/her respective AD account to the correct AD group. Here is my problem, though. I think the above is quite a bit of administration and will not really minimize my workload as much as I hoped. This is because, instead of creating individual accounts in Orion, I will be adding (or removing) accounts for each of the above listed AD groups. I can only think that the list of AD groups will increase as we purchase and deploy the other Orion modules and applications.
The problem, the way I see it, is that people in my firm need varying rights, even within the same teams. So, my original idea of granting rights on already present AD groups will not work. Or at least, I cannot see how it would work.
Do any of you have to deal with issues like these? If so, have you been able to identify a simpler yet efficient way when dealing with AD groups?