A couple things worth checking.
- Do they have an individual account in Orion in addition to the group membership? Individual accounts will override the group permissions.
- Do they belong to multiple groups? If they do, the one with the higher order ranking will take precedence over any lower groups.
When the user is logged in, it should show the group that it is pulling the permissions from on the top right of the screen next to their username.
How is the user logging in? I've noticed when users use FQDN\USERNAME instead of SHORT-DOMAIN\USERNAME that they don't necessarily get the right permissions. I think this is a bug.
Loop1 Systems: SolarWinds Training and Professional Services
The employee in question is only in one group, no individual account in Orion.
I'll have to verify which format (FQDN\USERNAME or SHORT-DOMAIN\USERNAME) they are using, but for what it's worth, you can also log in using USERNAME@SHORT-DOMAIN.
Had a call from support and wasn't thrilled with what the tech told me. His understanding was that AD groups were not "dynamic", meaning that when you first create a group some process pulls in all the members of the AD group once. His suggestion was to delete the group and recreate it.
We have multiple modules and we assign different permissions for those modules, so I explained that wasn't a very practical option and that the perception isn't that users were just imported once. We would expect this to be dynamic in that as someone logs in, SolarWinds checks to see what group a member is in and applies the appropriate permissions. As I've been researching this, I found multiple users that no longer exist when I look at permissions in certain areas. These users are not in any security groups.
They had me send some diagnostic information and said they would get back to me. Haven't heard anything back yet.
The permissions are not additive (I do think this is a shame).
The order of the groups within SolarWinds is important. To work out the 'home' group of the user, SolarWinds will work its way down from the top through the available groups in SolarWinds. The first group it finds that the user is a member of will be its group for permissions' sake. Also, this group will appear at the top of the user's screen.
Got more information from support yesterday.
When a user logs in, SolarWinds checks to see if the user is defined as a local user or is in any AD group you have defined. If it finds a match, the userid gets added to the database with the permissions found.
There is not an automated method for removing users who no longer exist as a local user or in your AD groups.
You can delete them (manually) by using the Database Manager on your Orion Server.
We found multiple users listed in our database that haven't worked here for years. In my opinion, that's a poor design; there should be some kind of automated clean-up tool (or at least a report you could run that would list "orphaned" users, those who aren't defined as a local user or in an AD group), so you aren't having to look up every user listed in the database.
We still have to talk to the IPAM group; the problem with read-only for the one user still isn't resolved.
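The following is an added example, not part of any post in this thread and not SolarWinds code: a sketch of the "orphaned users" report asked for above, combined with the first-matching-group rule described earlier. It assumes you have exported the account names from the Orion database and the current AD group membership yourself; every name, group and data value here is constructed, and dropping the domain part assumes a single domain.

```python
# Added example. All names and data below are constructed; nothing here
# queries Orion or Active Directory.

def norm(name):
    """Reduce DOMAIN\\user, FQDN\\user or user@DOMAIN to a lower-case user
    name. Assumes a single domain, so the domain part can be dropped."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def effective_source(user, individual, group_order, ad_members):
    """Where a login gets its permissions, per the thread: an individual
    account overrides groups; otherwise the first group, top to bottom,
    that contains the user. None means no current source."""
    u = norm(user)
    if u in {norm(n) for n in individual}:
        return ("individual", None)
    for group in group_order:
        if u in {norm(m) for m in ad_members.get(group, ())}:
            return ("group", group)
    return None

def find_orphans(db_accounts, individual, group_order, ad_members):
    """Accounts still in the database with no individual definition and
    no membership in any configured AD group."""
    return [a for a in db_accounts
            if effective_source(a, individual, group_order, ad_members) is None]

# Constructed inputs: group order as configured (top first), current AD
# membership, individually defined accounts, names found in the database.
GROUP_ORDER = ["NPM-Admins", "IPAM-ReadOnly", "NetOps-View"]
AD_MEMBERS = {
    "NPM-Admins": {"CORP\\alice"},
    "IPAM-ReadOnly": {"CORP\\bob", "corp\\alice"},
    "NetOps-View": {"CORP\\bob"},
}
INDIVIDUAL = {"CORP\\carol"}
DB_ACCOUNTS = ["corp.example.com\\alice", "bob@CORP", "CORP\\carol",
               "CORP\\dave", "CORP\\erin"]

if __name__ == "__main__":
    for acct in DB_ACCOUNTS:
        print(acct, "->",
              effective_source(acct, INDIVIDUAL, GROUP_ORDER, AD_MEMBERS))
    print("orphaned:",
          find_orphans(DB_ACCOUNTS, INDIVIDUAL, GROUP_ORDER, AD_MEMBERS))
```

Accounts reported as orphaned are candidates for review before manual deletion, since they match neither an individual definition nor any configured group.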