In this release we are very pleased to present a new workflow designed to simplify the process of adding and managing user accounts within the product. We understand that EOC can play a critical role in a distributed deployment of Orion. With the addition of proper pass-through authentication, it can dramatically reduce the administrative overhead of managing accounts and can prevent users from receiving inappropriate privileges when they are directed to a remote instance.
Proper pass-through authentication has been a highly requested feature, and the problems its absence presented are clearly evident in some of the example threads:
We feel confident this latest release can address those concerns while providing a better overall experience.
Manage Site Wizard
The major changes implemented in this release are really a part of the Manage Site workflow. This wizard is available either through Discovery Central, the Orion Site Status Widget, or through Settings > All Settings > Manage SolarWinds Sites.
Select Add SolarWinds Site and walk through the wizard. Noticeable differences will be minimal until you get to the final stage of the wizard, so we will skip to that part. The image below illustrates the final step in the add site wizard prior to the 2019.4 release, which limited you to adding a Default Site Account for authentication purposes. This part of the process was typically the catalyst for a number of the issues raised in the aforementioned Thwack posts, as well as a source of added confusion.
To provide a bit of clarity around the intent of this final step, we have made some changes. Rather than specifying a default SolarWinds Account, you are now presented with options to choose your preferred method of authenticating from EOC to the remote sites. What this means is that when a user interacts with or drills down to a certain entity within EOC, they are automatically redirected to the remote instance responsible for monitoring that node. This step specifies the authentication mechanism for your users from EOC to each site.
If we quickly review your options from bottom to top, the option to use custom credentials for each individual user means that when adding a user to EOC, you specify credentials for each and every site that user has access to, through the Manage Accounts menu under Settings. This may be the preferred option for those of you wanting the ultimate control over how an EOC user accesses multiple separate sites. Remember that permissions and limitations are applied to each EOC user based on the account settings at each remote instance. Many of you have password expirations in your organization, and if that occurs at a regular cadence this could lead to an administrative nightmare, forcing the EOC admin to either grant users access to manage accounts or know everyone's password.
Let's say the majority of your users accessing remote sites from EOC would have similar privileges. The Use a default EOC user Account option is a way to create one account for a large group of users. This is again fairly limiting and could leave you running into the issues mentioned above.
Pass-through Authentication, on the other hand, can simplify this process immensely. The Enterprise Operations Console will now work as you would expect with any Orion, Active Directory, Active Directory Group, or even SAML account. As an EOC administrator, the most important step is to ensure that the corresponding Windows Group, SAML Group, or individual accounts are set up at the remote instance. Then, add that user or group account to EOC and you are off and running. It's that simple!
In prior versions of EOC, group-based permissions were not synced with the remote instance, which forced administrators to add individual users. This can of course be time consuming, and group support is something you expect in an enterprise-level product. Fortunately, this has been taken care of, so you no longer have to work with individual users to grant them access to a settings page so that they can constantly set up or reset their passwords. For those of you leveraging 2FA through CAC, this will function similarly to how you currently access remote sites, and when a user selects an event or object in EOC, the appropriate username will follow along with the relevant permissions and limitations.
It is highly recommended that any remote sites connected to EOC are also running 2019.4 so this works as seamlessly as possible.
Status Summary Widget
As a small bonus, we have also made a few adjustments to the Custom Tile Widget. As minor as they may seem, sometimes these small changes can make a world of difference. The widget has now been properly renamed to the Status Summary Widget. This should clearly indicate the purpose of the widget and remove any confusion about why it was called Custom Tile from the days of EOC 2.0. Within the Advanced Entity Filter, things have been properly alphabetized to ensure you are able to quickly and easily find the property you are looking for. Finally, sometimes you want to be able to leverage as much screen real estate as possible, and in order to do so, we decided to provide an option where you could hide the Active Alerts section of the widget. Some have found it quite beneficial to create a condensed scoreboard of status in their environments.
We hope you find these changes helpful and share your feedback. If there are any questions or thoughts on what you would like to see in a future release, please be sure to add them in the comments below!