I've just completed upgrading our Orion system to NPM 12.1 and NCM 7.6, along with other related modules to their latest versions (SAM 6.4, IPAM, etc.). One of the new enhancements the Network Engineers were looking forward to is the ability to push out Cisco IOS images/firmware to devices... something that has been lacking for years in terms of automated assistance and a welcome addition.
However, I see in order to allow this capability the Network Engineers, who are Administrators under NCM but not NPM/Orion as a whole, must be now?! - This is a HUGE operational security flaw!! There should be no reason in order to do a task like this that they now get full administrative access to the overall system - e.g. Just need to push firmware files? Well, now you can also change the admin password for the entire system, create/modify accounts, and modify everything else unrelated to what your privileges really should be too.
It's disappointing to still see that in the latest versions of SolarWinds' products, granularity in security settings, when it comes to overall administration of the various products comprising the Orion system which have become more platform integrated, continues to be lacking and the mindset remains "that every IT person must be a full admin to everything in their company - servers, network gear, applications, security devices, etc.; so they can just be full admins of Orion too". This is not the case in medium/larger environments where there is a division in responsibility & span of control, i.e. a server person shouldn't necessarily be able to affect a router, and a network person shouldn't necessarily be able to affect a server. While limitations in Orion can help with that, as a full admin, you can remove such limitations.
As a result, I'm looking for a workaround or fix, so that a group and/or individuals who need full NCM capability including firmware operations can do that while not needing to be full administrators of Orion itself; whereby they could potentially affect the rest of the system, the account security/privileges of others, or other devices outside of their authorization.
If you know of some workaround or fix, I'd appreciate hearing from you.
To SolarWinds specifically and respectfully - Please consider the implications on overall security that something like this change has and work towards a better security/privilege design holistically, that doesn't effectively require "everyone" to be full admins in order to perform a function in one area/product.