This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

Granular account permissions?..

Hey Thwack folks,

Is it possible to provide a user group and/or user with access to edit / manage their team's nodes, however still be able to see (but not edit) nodes that are not theirs?

Not sure if that fine-grained access is possible within SolarWinds Orion. I'm sure I can set up the restrictions but have always wondered if there's perhaps some unique / interesting way to do this that I'm missing? Perhaps using account limitations? Not sure at all...

Thanks all!

  • The way I've done it is by using Account Limitations, especially if you use AD groups or usergroups:

    - Create a Group with the nodes/queries necessary

    - Create/add the user or usergroups

    - Use the "Account Limitations" section under the Edit Account page for the user or group

    This was effective for me by saying "Hey, anything that begins with this name or has this machine type is a radio setup that the IT team doesn't need to worry about, but the (insert medical services group) folks need to see and manage this." We would also build views around those groups and change the default views of the group to help.

  • The problem is that this means the Nodes are not viewable to those accounts with the account restriction. I have a similar issue in my environment in that the users want to be able to view the entire environment, but I don't want to give any of them Edit Nodes rights to Nodes they don't look after. The way I got around this is that everyone has a Read-Only account by default, and we use AD Account Elevation. So there is a RW Account higher in the AD Group roles which has Account Limitations and Edit Node access. The users have an online portal where they can request access to the elevated AD Role (for a set amount of time and with an approved change request), which means the account will then change to only be able to View their devices but they will have edit access. When they are done with the change the elevated role is removed and they go back to having View access to everything.
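
An added example, not part of the original posts: a time-boxed elevation scheme like the one described above is only as good as its cleanup, so this sketch audits elevated-role membership against grant records. The record layout, the `MAX_WINDOW` policy limit, and all user names and change IDs are constructed assumptions, not SolarWinds or Active Directory data.

```python
from datetime import datetime, timedelta

MAX_WINDOW = timedelta(hours=8)  # assumed policy limit, not from the thread

# Constructed sample data: grants issued by the (hypothetical) request portal.
GRANTS = [
    {"user": "alice", "change": "CHG-1001", "start": "2024-05-01T09:00", "end": "2024-05-01T13:00"},
    {"user": "bob", "change": None, "start": "2024-05-01T10:00", "end": "2024-05-01T11:00"},
    {"user": "carol", "change": "CHG-1002", "start": "2024-05-01T08:00", "end": "2024-05-02T08:00"},
    {"user": "dave", "change": "CHG-1003", "start": "2024-04-30T09:00", "end": "2024-04-30T12:00"},
]
APPROVED_CHANGES = {"CHG-1001", "CHG-1002", "CHG-1003"}  # constructed
# Constructed snapshot of who is in the elevated (read-write) AD group right now.
CURRENT_MEMBERS = {"alice", "dave", "erin"}


def audit(grants, approved, members, now, max_window=MAX_WINDOW):
    """Return (user, reason) findings for grants and memberships that break policy."""
    findings = []
    active = set()
    for g in grants:
        start = datetime.fromisoformat(g["start"])
        end = datetime.fromisoformat(g["end"])
        if g["change"] not in approved:
            findings.append((g["user"], "no approved change request"))
        if end - start > max_window:
            findings.append((g["user"], "window exceeds policy"))
        if start <= now < end:
            active.add(g["user"])
    # Anyone still in the elevated group without a live grant was never
    # de-elevated, or was added outside the portal.
    for user in sorted(members - active):
        findings.append((user, "elevated without an active grant"))
    return findings


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-01T12:00")
    for user, reason in audit(GRANTS, APPROVED_CHANGES, CURRENT_MEMBERS, now):
        print(f"{user}: {reason}")
```

In practice the membership snapshot would come from a scheduled export of the elevated group, compared against the portal's grant log.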
