9 Replies Latest reply on Oct 30, 2018 4:18 AM by bleearg13

    Orion NPM 12.2 Search - any way to disable it?

    bleearg13

      So, true to Solarwinds fashion, security took a back seat to flashiness. While the new search feature is great for our staff, we have dozens of Solarwinds accounts that have incredibly limited permissions that should only be able to see specific things. When these accounts use the new search feature to search for something generic like 'cisco', guess what? Every single one of our Cisco devices and basic information about them appears in the results. While they don't have access to view these nodes if they click on them, it's infuriating that they show up at all and that view/account limitations aren't taken into consideration when designing things like this.

       

      I've taken to simply deleting the entire ui/search directory on my additional web server installation, which of course causes errors when trying to search, which in turn I am sure is going to generate tickets from our customers insinuating that society is on the brink of collapse because this one feature doesn't work and how do we fix it and their company pays us absolutely 0 dollars for this courtesy login we provide them and therefore are entitled to some sort of compensation.

        • Re: Orion NPM 12.2 Search - any way to disable it?
          dbriden

          Did you ever get a solution to this as we are in the same situation as you found yourself in?

           

          Deleting the search directory is not an option.

           

          Thanks

          • Re: Orion NPM 12.2 Search - any way to disable it?
            rschroeder

            I'm in favor of this. Have you created a Feature Request for it?  I'd vote for it.

              • Re: Orion NPM 12.2 Search - any way to disable it?
                bleearg13

                I honestly don't think that honoring basic information security principles should be a Feature Request. This is a bug and needs to be fixed. I have not opened a ticket on it because frankly, the SW support is still, after several years, incredibly frustrating to deal with, assuming you can get an initial response from them within a week. We just stopped using Orion for customer-facing NMS functionality. Still use it internally, but we don't allow customers access.

              • Re: Orion NPM 12.2 Search - any way to disable it?
                David Smith

                Not sure if that was a bug, but checking on NPM12.3 and account limitations are honoured in the search.

                  • Re: Orion NPM 12.2 Search - any way to disable it?
                    bleearg13

                    I'm sorry to say that this is not at all true, at least not with my installation of 12.3. I have an account limitation that is set up to only be able to see a single interface. They have no access to any other views or any devices.

                     

                    If I use the search function to search for anything, let's say something vague like "Juniper" or "Cisco", the search returns the results of dozens of devices that the account does NOT have access to. In these results, I can see the device name, the IP, the type of device it is and its status. I can hover over top of a device and see even more information: response time, cpu, percent memory and the first 5 custom properties on the device. I admit that I cannot click on anything because I don't have access to the devices themselves, which, yay? I guess?

                     

                    This kind of disregard for the security of a network is just ridiculous. If a function like this can provide all this information to a non-privileged user, an admin should be able to disable it on a per-account basis.

                     

                    We stopped using Orion for customer-facing NMS purposes for this reason alone.

                      • Re: Orion NPM 12.2 Search - any way to disable it?
                        David Smith

                        I think this sounds more like a flaw in the interface-only account limitation. I've seen this before where, because you're not restricting to any particular Node, then by default the account can view any Node, but if you don't mind I'll test it in my lab tomorrow and come back to you.

                          • Re: Orion NPM 12.2 Search - any way to disable it?
                            bleearg13

                            Thanks, but it is not limited to just interface-only type views (see @dbriden's response below, for example). Again, this "feature" should be allowed to be disabled entirely on a per-account basis. Not everyone in the Orion system needs to be able to search the entire system.

                             

                            As an aside, this is far from the only thing that SW fails at in keeping information in the system secure. The mouseover pop-ups are another issue - they're incredibly handy for full users of the system to get quick info, but in a view that restricts someone to just a single interface, the pop-up still occurs when hovering over a node and cannot be disabled. Maps are another thing - any user with any level of access is able to just browse to the 'All Maps' page and view every map you have on the system! I've been complaining about this for probably a decade now and SW has yet to fix it.

                      • Re: Orion NPM 12.2 Search - any way to disable it?
                        dbriden

                        My issue with NPM 12.3 is the global search is displaying information regarding virtual machines, clusters and datastores even though the account is limited to a single Cisco Node. Again, clicking on them (or hovering over) displays more information than I care to disclose, and again clicking on them gives a restricted page error which doesn't look good to customers. It doesn't show any physical nodes, so it looks like Virtualisation Manager is not honouring the account limitation in my case. As a workaround I have disabled the global search under https://<orion-server>/Orion/Admin/AdvancedConfiguration/Global.aspx by disabling SwSearch. This just hides the global search. For the accounts that need to search I have added a custom menu item that points to /ui/search in the URL. For the accounts that have the limitations set and don't need to search I have not added this to their menu. This doesn't solve the issue but hides it. Strongly agreed that the global search needs to honour account limitations or be disabled on an account-by-account basis.
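Added example, not part of the thread and not SolarWinds code: a small model of the behaviour the posters describe, where search lists every match and access is only checked on click, next to a search that applies the account limitation at query time and fails closed for entity kinds the limitation does not mention (the virtual machine and datastore case above). The inventory, the limitation format and all function names are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entity:
    kind: str                          # "node", "interface", "vm", "datastore"
    name: str
    description: str
    parent_node: Optional[str] = None  # set for interfaces

# Constructed inventory; every name here is made up for the example.
INVENTORY = [
    Entity("node", "core-sw1", "Cisco Catalyst switch"),
    Entity("node", "edge-rtr1", "Cisco ISR router"),
    Entity("node", "fw1", "Juniper SRX firewall"),
    Entity("interface", "edge-rtr1:Gi0/1", "Cisco uplink", "edge-rtr1"),
    Entity("interface", "core-sw1:Te1/1", "Cisco trunk", "core-sw1"),
    Entity("vm", "cisco-ise-vm", "virtual machine"),
    Entity("datastore", "ds-cisco-backups", "datastore"),
]

# Hypothetical limitation format: entity kind -> names the account may see.
INTERFACE_ONLY = {"interface": {"edge-rtr1:Gi0/1"}}
SINGLE_NODE = {"node": {"core-sw1"}}

def can_view(limits, entity):
    """Fail closed: a kind the limitation does not mention is hidden."""
    if entity.name in limits.get(entity.kind, ()):
        return True
    # Children of an explicitly permitted node inherit its visibility.
    return entity.parent_node is not None and entity.parent_node in limits.get("node", ())

def matches(entity, term):
    term = term.lower()
    return term in entity.name.lower() or term in entity.description.lower()

def search_unfiltered(term):
    """Behaviour reported in the thread: every match is listed."""
    return [e.name for e in INVENTORY if matches(e, term)]

def search_limited(limits, term):
    """Same predicate a detail page would use, applied before results are returned."""
    return [e.name for e in INVENTORY if matches(e, term) and can_view(limits, e)]
```

Comparing `search_unfiltered("cisco")` with `search_limited(INTERFACE_ONLY, "cisco")` shows the gap between what the restricted account is shown and what its limitation permits.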