SAM Admin role ignores account limitations

I attempted to leverage the new SAM Admin role in order to allow some app team members to create/modify their own application component monitors. However, in researching the capabilities of the role, I found that it went beyond the account limitations I set up on it. Details outlined below.

  • I created an Orion-local account, made it a SAM Admin and limited it to a single node.
    • Node = Server A
  • I created a generic Windows SNMP service check
    • I assigned that check to two nodes
      • Server A
      • Server B
  • I confirmed that the SAM Admin account could only assign monitors to Server A
  • When I deleted the generic Windows SNMP service check template, it deleted it completely even from the node that the SAM Admin account should have been restricted from modifying

Since I cannot protect the existing production templates from potential inadvertent deletion, I cannot use this role. Is there any way to avoid the above scenario or will I have to forego using the SAM Admin role entirely?

  • The SAM Admin role fully adheres to account limitations by limiting users based on node or application. It doesn't, however, prevent users from viewing, accessing or modifying the list of available templates. This is because account limitations can't be made to templates, only to assigned applications, nodes, etc. I recommend posting this to the SAM Ideas/Feature Request section of Thwack.

    If your overarching concern is that Orion Admin users may make changes to a template they're not supposed to and possibly break how that application is monitored, you can block all inheritance of the application from its original template, which should help mitigate this condition.