I attempted to leverage the new SAM Admin role in order to allow some app team members to create/modify their own application component monitors. However, in researching the capabilities of the role, I found that it went beyond what the account limitations I set up on it. Details outlined below.
- I created an Orion-local account, made it a SAM Admin and limited it to a single node.
- Node = Server A
- I created a generic Windows SNMP service check
- I assigned that check to two nodes
- Server A
- Server B
- I assigned that check to two nodes
- I confirmed that the SAM Admin account could only assign monitors to Server A
- When I deleted the generic Windows SNMP service check template, it deleted it completely even from the node that the SAM Admin account should have been restricted from modifying
Since i cannot protect the existing production templates from potential inadvertent deletion, i cannot use this role. Is there any way to avoid the above scenario or will I have to forego using the SAM Admin role entirely?