1 Reply Latest reply on Jan 23, 2015 2:07 PM by aLTeReGo

    SAM 6.2 RC - Clarify User Account Permissions

    deny

      I want to know more about what the following user permissions actually mean because it's not completely clear.  It seems like permissions and user/group customization are all in the same screen (Orion/Admin/Accounts/EditAccount.aspx).  Maybe User Account Management can be separated into User/Group Permissions and User/Group Settings?


      It is very important that the right amount of access is delegated within the application since the SAM service account is effectively an Administrator on the Servers that are being added.  At the moment it is difficult to easily distinguish whether SAM users have access to make changes to the Server versus only the ability to monitor the server.  Some pre-configured templates would make this out-the-box-even-more-awesome.

       

      QUESTIONS

       

      1. Allow Administrator Rights

      • Question - Does this effectively override all permissions below this option because you are now the highest level admin within SAM?  For example, I can grant Administrator Rights to Fred, and now Fred can go in and elevate all of his permissions that were not previously granted by default - e.g.: Allow Node Management Rights, Enable Virtual Machine Power Management.  If this is the case, then perhaps all of the permissions below should be enabled and greyed out.  If I assign Admin rights at the top, then I shouldn't have to configure every sub feature...


      2. SAM User Role

      • Bug - When I set this to Admin the Allow IIS Action Rights value goes blank.
      • Question - Can you provide an example of how this might be used and what the effect is?

       

      3. Allow Account to Clear Events, Acknowledge Alerts and Syslogs

      • Question - Is this the SAM event log?  Or is this the Windows Event Log?
        • Re: SAM 6.2 RC - Clarify User Account Permissions
          aLTeReGo

          deny wrote:

           

           

          1. Allow Administrator Rights

          • Question - Does this effectively override all permissions below this option because you are now the highest level admin within SAM?  For example, I can grant Administrator Rights to Fred, and now Fred can go in and elevate all of his permissions that were not previously granted by default - e.g.: Allow Node Management Rights, Enable Virtual Machine Power Management.  If this is the case, then perhaps all of the permissions below should be enabled and greyed out.  If I assign Admin rights at the top, then I shouldn't have to configure every sub feature...

          Orion Admins have the ability to Add/Delete/Modify user accounts. That's essentially the primary permission here. You can of course create an Orion "Admin" account that's not allowed to, say, customize views or unmanage objects. That user could however edit their own user account and grant themselves those permissions.

          2. SAM User Role

          • Bug - When I set this to Admin the Allow IIS Action Rights value goes blank.
          • Question - Can you provide an example of how this might be used and what the effect is?

           

           

          The "SAM" Admin role allows users to create new application templates, edit existing application templates, assign/remove templates to nodes etc. This role is commonly given to the systems administrators who do not have account/node creation/modification rights. They are simply allowed to configure the monitoring of their applications.

           

          3. Allow Account to Clear Events, Acknowledge Alerts and Syslogs

          • Question - Is this the SAM event log?  Or is this the Windows Event Log?

          This is related to Events, Alerts and Syslog messages in Orion. This is unrelated to the Windows Event Log, unless you have alerts related to the Windows Event Log. This permission is for clearing events [Home -> Events], acknowledging alerts [Home -> Alerts] or clearing Syslog Messages [Home -> Syslog].