Separate "Unmanage" rights from the rest of "Node Management"?

Hello,

As our usage of Orion has expanded we have begun to press up against some of its limitations. One that is increasingly becoming a sticking point is the inability to grant users just the ability to unmanage nodes without granting them full node management rights. Does anyone know of a means (via some sort of extension, hack, or otherwise) by which this can be achieved?

We really need the ability to not only grant certain users the ability to only unmanage/remanage nodes, but also the ability to restrict that right to specific nodes.  For example, we may want to have a SQL server admin only unmanage our SQL servers, and grant that to him/her without giving them full node management rights.

Is there any way that this can be accomplished?

  • There is currently no way to do this, unfortunately, but it has been requested by many users.  See this feature request, http://thwack.solarwinds.com/ideas/1246, and add your voice to it. 

    Thanks,

    Chrystal Taylor

    http://www.loop1systems.com

  • You could create your own web page that uses the Orion SDK to list nodes and then let users update JUST those fields.

    I haven't written it YET, but it's on my radar for my team in the next 3-6 months.

  • There is some potential there, thanks for the suggestion. In our usage case we have groups of people that need to see all nodes, but only unmanage/remanage particular subset(s). I was thinking along the lines of using two groups to give access, one group to have "read-only" access and a second to give node management rights, but then on it use account limitations to only see the nodes particular to that group. However, these permissions don't cascade in the web interface (it would seem deny always trumps allow), so I would assume they similarly do not when using SWIS.

    While the SDK would seem to address some of the issue, it would still seem that I would need to wrap it with a completely custom authorization layer separate from anything that is maintained via Orion, and that is something I really want to avoid.

  • What you are proposing certainly works for me. One thing to keep in mind:

    If you are using groups, and you have the same account in two groups, whichever group is higher (physically higher on the listing; you can move them up and down) determines the rights you will get. So it's not always "deny", it's just always "whatever I find you in first."

    Another way to look at it in terms of which account "wins" is:

    • An individual Windows AD account
    • An AD security group account that shows up as row 4 on the list
    • An AD security group account that shows up as row 10 on the list.

    Hope that helps.

  • Is there any way to still let more than one group apply? In my prodding with it this afternoon I set up a test group, OrionTest, that is account limited to a handful of nodes, but has node management access. Another group, OrionUsers, has no account limitations set up but also lacks node management. It was my hope that this would result in users who are members of both groups being able to see all nodes, but only have node management rights to the nodes listed under the account limitations of OrionTest. However, it appears that once a user is matched to any group the check stops there, so members of both groups only get whatever is set up with OrionTest.

  • Sorry for the delay in replying. The short answer is "no".

    SolarWinds rights as assigned to AD groups are mutually exclusive, not additive (or subtractive - whatever the real word is), i.e. the rights from groupA and groupB don't "combine" in some alchemical way to provide a new set of permissions that merge the two.
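
The custom-page idea raised in the replies above, as an added example (not code from any poster or from SolarWinds): a service account holds node management rights, and a wrapper checks a per-user node allowlist before invoking unmanage. The allowlist, account names, node IDs, the 24-hour cap and the `RecordingSwis` stand-in are constructed; the `invoke("Orion.Nodes", "Unmanage", ...)` call shape is an assumption based on the Orion SDK's Python client.

```python
import logging
from datetime import datetime, timedelta, timezone

log = logging.getLogger("unmanage-gateway")

# Constructed policy: which account may unmanage which NodeIDs (hypothetical values).
UNMANAGE_ALLOWLIST = {"sqladmin": {101, 102}}
MAX_HOURS = 24  # assumed upper bound so a node cannot be silenced indefinitely


class NotAuthorized(Exception):
    """Raised when a user asks to unmanage a node outside their allowlist."""


class RecordingSwis:
    """Offline stand-in for the SDK client; records calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def invoke(self, entity, verb, *args):
        self.calls.append((entity, verb) + args)


def unmanage_node(swis, user, node_id, hours, allowlist=UNMANAGE_ALLOWLIST, now=None):
    """Unmanage one node for `hours`, only if `user` is allowed to touch it.

    `swis` is any object with invoke(entity, verb, *args); in production it would
    be the SDK client logged in as the service account (assumption).
    """
    # Strict int check keeps the netObjectId string well-formed ("N:<id>").
    if type(node_id) is not int or node_id not in allowlist.get(user, set()):
        log.warning("DENY user=%s node=%r", user, node_id)
        raise NotAuthorized(f"{user} may not unmanage node {node_id!r}")
    if not 0 < hours <= MAX_HOURS:
        raise ValueError(f"hours must be in (0, {MAX_HOURS}]")
    start = now or datetime.now(timezone.utc)
    end = start + timedelta(hours=hours)
    # Absolute window (isRelative=False); the node is remanaged automatically at `end`.
    swis.invoke("Orion.Nodes", "Unmanage", f"N:{node_id}", start, end, False)
    log.info("ALLOW user=%s node=%d until=%s", user, node_id, end.isoformat())
    return start, end


if __name__ == "__main__":
    client = RecordingSwis()
    print(unmanage_node(client, "sqladmin", 101, 2))
    print(client.calls)
```

Read access to all nodes stays with the users' normal Orion accounts; only the unmanage action goes through the service account, so the allow and deny log lines are the audit trail for who silenced which node.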