I'm new to the NPM product, so apologies if I'm over looking how to properly lock a view limitation down. I'm getting highly concerned about my decision to purchase this product after my own problems with security loop holes, and similar posts on the forum.... But anyway, hopefully someone can steer me in the right direction here, as I haven't had any luck with sales and engineering folks.
I'm using this product in a multi-tenant environment, and want clients to log in and view their interface utilization basically and nothing else. Sounds easy, but I've spent the better part of a week scratching my head wondering what the heck I'm doing wrong.
So in my journey this is the progress and observations I've made:
After a lot of searching I figured out how to remove the bread crumb feature all together, which was a headache in itself. I found a post that said to do this finally:
"There is a setting called "DisableBreadCrumbs" in the inetpub\SolarWinds\web.config file. Just set the value to true."
Oh wait... Then I realized that as a limited user with view limitation set to a single interface, I can copy and paste any URL into the title bar and see everything an admin can!! Granted I can't click on nodes or other interfaces and get specific details, I can however still see a ton of data from top tens, alerts, group views, etc that to me is a deal breaker. I can't have clients be able to see other client names, and details about our network topology, firewalls, and maps, etc...
So even if I go and figure out how to disable the mouse-over feature (I have to edit some .js file?), any knowledgeable, and nosy, client can basically copy and paste:
.... etc. But you get the idea, any of those pages happily shows the locked down user all the data!
I just tried to paste the URL for IPAM:
I can now browse every subnet I have configured (over 300 IPs) with the locked down user.... Great!
I have unchecked all the settings in the account limitation to "none" ...