Have a question about how permissions applied to AD groups are interpreted.
For example:
- Group A Admins (Admins of Group A Nodes/Applications/etc.)
- Group B Admins (Admins of Group B Nodes/Applications/etc.)
I want to limit the nodes that a user can view/manage based on the AD group that they are a member of. This includes when a user is a member of multiple groups.
I have tried using account limitations.
- Limiting Group A Admins to a single group, Group A.
- Limiting Group B Admins to a single group, Group B.
I was hoping this would be cumulative, allowing a user that is a member of both the Group A Admins and Group B Admins Active Directory groups to view/manage both groups in Orion. But this does not seem to be the effect. When a user that is a member of multiple groups logs in, they are treated as a member of one of the groups instead of all.
- Is it possible to accumulate permissions based on membership of multiple AD groups?
- If not, how have others implemented this approach to granting access in an environment where some users manage one system, while other users manage several, and there is overlap in the nodes users manage?