Adding New User Roles
In large enterprises, the IT staff have clearly demarcated roles and responsibilities. The help desk staff are responsible for handling user complaints, and their main concern when a user calls about a problem is to determine whether the call pertains to a problem that the other operations staff are already working on. The domain experts and service managers are responsible for the early detection, diagnosis and fixing of problems with the networks, servers, applications, and services they control. While the domain experts are interested in the detailed performance metrics relating to the IT infrastructure, the executive managers are interested in high-level service level reports that detail whether the IT infrastructure is meeting the service expectations of their users. To support these varying requirements of the IT operations staff, eG Enterprise supports different user roles. The user roles define the rights and responsibilities that any user of the eG Enterprise system has. Each user in the eG Enterprise system is assigned a user role.
By default, the Enterprise deployment of eG embeds two users namely, admin and supermonitor. The admin user reserves the administrative rights to the monitored environment, and also receives an unrestricted view of the monitored environment. Only users with the privileges of the admin user can add new users or new roles to the eG Enterprise system. The supermonitor user cannot perform administrative tasks, but is authorized to monitor the performance of the entire environment.
Similar to the default users, a set of default roles is also available for use in the eG Enterprise system. These default roles are different for different deployments of eG Enterprise - i.e., by default, a few additional roles are available only for the Enterprise deployment of eG, as compared to the SaaS deployment.
Roles also vary with entity type. By default, the SaaS deployment of eG Enterprise system supports the following entity types:
- Organization: An MSP, for instance, can configure each of their customers as tenant Organizations in the eG Enterprise system. Likewise, a Cloud Service Provider can configure every cloud consumer as a tenant Organization. In the case of our example, we will be configuring a banking customer of an MSP as a tenant Organization.
- Organizational Unit: Smaller user groups within an organization can be created as Organizational Units - e.g., departments within an organization, support groups within a technical support cell, the different branches of an enterprise. In the case of our example, we will be configuring the Retail Banking department within the banking organization as an Organizational Unit. An Organizational Unit can contain more Organizational Units or individual Users.
- User: These are individual users who can belong to an Organization or an Organizational Unit. In the case of our example, we will be configuring one member of the Retail Banking Organizational Unit of the banking Organization as a User.
In contrast, the Enterprise deployment supports only the Organizational Unit and User entities. By default, a Default Organization pre-exists to which new organizational units and/or users can be added.
Let us first look at the default user roles. To view the default roles, do the following:
From the User Management tile, select the Roles menu option. Figure 1 will then appear.
As can be inferred from Figure 1, the pre-defined roles tab page of the user roles page opens by default. This tab page displays the default roles pre-defined by the eG Enterprise system. These are as follows:
- OrgAdmin: This role allows an entity to administer and monitor a limited set of infrastructure elements alone. In other words, any entity who is assigned this role will be allowed access to the eG admin interface, so they can download and install agents for monitoring those components that have been explicitly assigned to them by the administrator, discover and manage such components, and configure tests, thresholds, and alarm policies for these components. The role also enables the entity to build new segments, services, groups, and zones for monitoring using the assigned components. The entity can also log in to the eG monitoring console to understand the performance and problems pertaining to the components, services, segments, and zones that are part of their specific monitoring scope. The role also allows the entity access to the Configuration Management interface, but does not authorize them to create, modify, or delete additional users/entities/roles.
- OrgAdminNoConfig: This role enables an entity to perform all activities that an OrgAdmin can, but does not allow the entity access to the Configuration Management interface.
- OrgAdminWithUserMgmt: In addition to OrgAdmin privileges, this role also enables the entity to perform user management by adding, modifying, and deleting users/roles/entities.
- OrgAdminWithUserMgmtNoConfig: An entity who is assigned this role is allowed all privileges of an OrgAdminWithUserMgmt, except the right to access the Configuration Management interface.
- Admin: This role can only be assigned to the Entity type, User. Users who are assigned administrative rights become the super-users of the system. Such users can choose what hardware and application servers are to be monitored by the system, where the agents should be executed to monitor the hosted environment, what tests these agents should run, how often these tests should be executed, and can view the status of the entire monitored infrastructure. The administrative user also has the rights to add, delete, and modify user roles and individual user profiles. The default admin user is assigned the Admin role only.
- Monitor: This role can only be assigned to the Entity type, User. If the eG license enables the eG Reporter and Configuration Management capabilities, then Monitor users will have access to the monitoring, reporting, and configuration management consoles of eG Enterprise. In these consoles, the monitor user can view the details pertaining to only those components/segments/services/zones/service groups that have been explicitly assigned to him/her. Each monitor user is associated with an email address to which alarms pertaining to the assigned elements will be forwarded. The user’s profile also includes information regarding his/her alarm preferences - whether alarms have to be forwarded in text or HTML mode, whether a complete list of alarms has to be generated each time a new alarm is added, or whether the new alarm alone should be sent via email, etc. Each monitor user is associated with a subscription period. eG Enterprise allows the monitor users to access the system until this period only.
- Supermonitor: This role can only be assigned to the Entity type, User. A Supermonitor user has an unrestricted view of the monitored infrastructure. He/she can receive alarms pertaining to the whole infrastructure that has been configured by the administrative user. The default supermonitor user is assigned the Supermonitor role only. A Supermonitor user is allowed access to the reporting and configuration management modules as well, provided the eG license enables the eG Reporter and Configuration Management capabilities.
- SupermonitorNoConfig: This role can only be assigned to the Entity type, User. Users with SupermonitorNoConfig privileges will have unrestricted access to the monitoring and reporting consoles only - such users will not be able to access the configuration management console, even if the eG license enables this capability.
- AlarmViewer: This role can only be assigned to the Entity type, User. This role is ideal for help desk personnel. The users vested with AlarmViewer permissions can log in to the monitor interface, and perform the following functions:
- View the details of alarms associated with the specific components and services assigned to them
- Provide feedback on fixes for the alarms
- View feedback history
Like Monitor users, users with this role can only monitor the components assigned to them.
- SuperAlarmViewer: This role can only be assigned to the Entity type, User. Users with the SuperAlarmViewer role have all the privileges of the AlarmViewer role. In addition, users with the SuperAlarmViewer role have access to all the components being monitored.
- ServerAdmin: This role can only be assigned to the Entity type, User. The users who have been assigned the ServerAdmin role have all the administrative rights of an Admin user, except the right to user management. Similarly, like a Supermonitor user, a ServerAdmin user can monitor the complete environment, and even change his/her profile.
- MonitorNoConfig: This role can only be assigned to the Entity type, User. The users who have been assigned the MonitorNoConfig role will have access to the eG monitoring and reporting interfaces only, and not the eG Configuration Management interface.
- MonitorWithLimitedAdmin: This role can only be assigned to the Entity type, User. Administrators can create additional users with administrative privileges to configure the monitoring for the components that are assigned to them. These users can configure tests, thresholds, alarm policies and maintenance policies for the components in their purview. The MonitorWithLimitedAdmin role included in eG Enterprise can be used to create such users. This capability allows delegated administration, which is a key requirement for many enterprises and service providers.
- MonitorWithLimitedAdminNoConfig: This role can only be assigned to the Entity type, User. Users with MonitorWithLimitedAdminNoConfig privileges will have unrestricted access to the components assigned to them. This includes administrative access to configure tests, thresholds, alarm policies and maintenance policies for the components assigned to them. Though these users are provided with access to the monitoring and reporting consoles, they are denied access to the configuration management console, even if the eG license enables this capability.
If too many roles are listed in this page, you can quickly search for a particular role using the Search text box in this page. Specify the whole/part of the role name to search for in the Search text box. All role names that embed the specified string will then appear in this page (see Figure 2).
To view the details of a default role, click on the button corresponding to that role. Figure 3 will then appear displaying the rights and privileges of that role.
Figure 3 : Viewing the details of a role
Roles that have already been assigned to specific users are highlighted by a ‘+’ symbol preceding the role names. If you want to view the users who have been assigned a role, click on the ‘+’ button that prefixes the role. This will expand the role to reveal the users (see Figure 4).
- Clicking on a user name in Figure 4 will lead you to the modify user page, using which you can modify the profile of that user.
To see at a glance which users have been assigned which roles, click the Show all users button next to the Search text box in Figure 4. To hide the users list that accompanies all roles, click on the Hide all users button next to the Search text box in Figure 5.
To add a new user for a role, just click the Add User icon corresponding to that role in Figure 5. This will lead you to the add user page, where you will find the chosen role automatically displayed against the User role list. You can then proceed to create a new user who is assigned that role.
To add a new role, on the other hand, follow the steps below:
First, switch to the user defined roles tab page by clicking on it. If any custom roles pre-exist, they will be listed in the tab page that appears. If no custom roles exist, then a message to that effect will be displayed here. To create a new role, click the Add New Role button in Figure 6.
Figure 6 : The User Defined Roles tab page indicating that no custom roles pre-exist
Figure 7 will then appear.
- In Figure 7, provide a name for the role against Role name.
- Next, indicate whether Limited or Complete Components access is to be granted to the new role. Selecting the Limited option restricts the new role's access to specific components/segments/services/zones that have been configured in the infrastructure. This is ideal for MSP environments, which cater to the hosting requirements of multiple customers. By assigning a role that allows only Limited component access to each of its customers, the MSP can ensure that every customer has access to only those infrastructure elements that are specific to his/her hosted environment.
- Typically, if a user has access to the Admin and Monitor modules, by default, when the user logs in he/she would have access to the Admin module. Likewise, if a user has access to the Monitor and Reporter modules, the Monitor module would be the default module when the user logs in. This default behavior can be altered by selecting an option from the Module to be viewed on login list. For instance, in Figure 7 above, the user role Executive has been granted both monitoring and reporting rights - i.e., a user who is assigned the Executive role will be able to access both the Monitor and the Reporter modules. By default, the Module to be viewed on login for this role is set to Default; this implies that the Monitor module will be the default module for the Executive user upon login. However, you might have granted extensive report-generation rights to the Executive role and limited monitoring rights, and hence, might prefer to set Reporter as the default module. In such a case, to grant the Executive role primary access to the Reporter module and not the Monitor module, select the Reporter option from the Module to be viewed on login list.
Typically, in any monitored environment, administrators alone have the right to make configuration changes using the eG administrative interface. Monitor users, on the other hand, have no access to the administration console. In SaaS deployments such as MSP environments particularly, multiple MSP customers - i.e., tenants - may use the same eG Enterprise manager for their monitoring. These customers would require 'self-service' capabilities - i.e., they will need the ability to install and configure the eG agents their environment requires, track agent status as and when needed, manage the components in their environment, group components based on the needs of their infrastructure, and configure the monitoring of these components by way of configuring tests, defining thresholds, and setting maintenance policies. Additionally, some customers may also need the ability to create additional tenants for their environment and audit the activities of these tenants. To address such requirements, eG Enterprise includes the capability to configure users with limited administration rights. For instance, a separate role can be created to allow monitor users just the permissions to configure tests that should be executed on their servers, or to change the thresholds that can be applied for monitoring their servers. This is why, as soon as the Limited option is chosen, all the check boxes except the User Management, Component Management, Segment Configuration, Service Configuration, Zone Configuration, Group Configuration, Agent Test Configuration, Agent Threshold Configuration, Maintenance Policy Configuration, External/Remote Agent Configuration, and Audits check boxes are grayed out in the Admin section of Figure 7. This implies that you can only assign the following administrative rights to that user role:
- Managing the limited set of components that is explicitly assigned to them
- Configuring segments, services, groups and zones (as needed) using only the components in their monitoring scope
- Configuring tests pertaining to the components assigned to them
- Configuring the thresholds related to the components under their monitoring purview
- Suppressing the alerts related to the components assigned to them by configuring maintenance policies
- Configuring additional external/remote agents for the components in their environment
- Configuring additional users/roles for their monitoring needs
- Auditing the activities of these users
On the other hand, if the Complete option is chosen, it implies that the user role has access to all the monitored elements in the infrastructure, and can be granted any administrative/monitoring privilege as the administrator deems fit.
- If administrative privileges need to be assigned to the new role, then select the privileges from the admin section. To assign all the admin privileges to a role, select Select All. As stated earlier, if the Limited Components access option is chosen, then except the Agent Test Config, Agent Threshold Config, and Maintenance Policy Config check boxes in this section, all other check boxes will be disabled.
- To provide the new role with access to all the features of the eG monitor interface, select the Select All check box in the Monitor section. To grant specific monitoring rights to the role, select the individual monitor modules from the monitor section.
- If the eG license enables the eG Reporter, then a Reporter section will appear in Figure 7. If the new role has access rights to all the Reporter modules, then click on the Select All check box in the Reporter section. To restrict access to specific reporter modules, select the required modules from the Reporter section.
- Similarly, if the eG license enables Configuration Management, then a Configuration section will appear in Figure 8. If the new role has access rights to all the Configuration Management modules, then click on the Select All checkbox in the Configuration section. To restrict access to specific modules, select the required modules from the Configuration section.
Finally, click the Update button. Figure 1 will then appear, displaying the newly added role.
Figure 8 : The newly created role being displayed in the list of roles
Note that while the PRE-DEFINED ROLES can neither be deleted nor modified, the user-defined role that was newly added can be modified by clicking on the Modify icon (i.e., the ‘pencil’ icon) corresponding to that role in Figure 1. To delete a particular role, use the Delete icon (i.e., the ‘trash can’ icon) against that role in Figure 8. However, note that if any of the user-configured roles has been assigned to any new user registered with the eG Enterprise system, then such roles cannot be deleted; therefore the Delete icon corresponding to such roles will be disabled. You can even create a new user for a role instantly, by clicking on the Add User icon corresponding to that role. This will lead you to the add user page, where you will find the chosen role automatically displayed against the User role list. You can then proceed to create a new user who is assigned that role.
User-defined roles can only be associated with the entity type, User. In other words, these custom roles will not be available to the Organization or Organizational Unit entities.
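The rules this page gives for custom roles (entity type User only, the admin check boxes that stay enabled under Limited access, and the default login module) can be checked against a planned role before it is entered in the Add New Role page. The Python below is an added example, not eG Enterprise code or its API: `RoleDraft`, `review_role` and `effective_login_module` are hypothetical names, the module precedence is inferred from the two login cases described above, and the User Management/Audits check is a reviewer policy assumed here.

```python
from dataclasses import dataclass, field

# Admin check boxes that stay enabled under Limited component access (list taken from the page).
LIMITED_ADMIN_RIGHTS = frozenset({
    "User Management", "Component Management", "Segment Configuration",
    "Service Configuration", "Zone Configuration", "Group Configuration",
    "Agent Test Configuration", "Agent Threshold Configuration",
    "Maintenance Policy Configuration", "External/Remote Agent Configuration",
    "Audits",
})
# Assumption: precedence inferred from the two cases the page gives
# (Admin before Monitor, Monitor before Reporter).
MODULE_PRECEDENCE = ("Admin", "Monitor", "Reporter")


@dataclass
class RoleDraft:
    """Hypothetical record of a planned custom role; not an eG Enterprise object."""
    name: str
    component_access: str                      # "Limited" or "Complete"
    entity_type: str = "User"
    admin_rights: set = field(default_factory=set)
    monitor: bool = False
    reporter: bool = False
    login_module: str = "Default"              # "Module to be viewed on login"

    def modules(self):
        granted = {"Admin": bool(self.admin_rights),
                   "Monitor": self.monitor, "Reporter": self.reporter}
        return [m for m in MODULE_PRECEDENCE if granted[m]]


def effective_login_module(role):
    """Module shown at login, or None if the choice is not a granted module."""
    mods = role.modules()
    if role.login_module == "Default":
        return mods[0] if mods else None
    return role.login_module if role.login_module in mods else None


def review_role(role):
    """Return a list of findings; an empty list means the draft is consistent."""
    findings = []
    if role.entity_type != "User":
        findings.append("user-defined roles apply only to entity type User")
    if role.component_access not in ("Limited", "Complete"):
        findings.append("component access must be Limited or Complete")
    elif role.component_access == "Limited":
        blocked = sorted(role.admin_rights - LIMITED_ADMIN_RIGHTS)
        if blocked:
            findings.append("not grantable with Limited access: " + ", ".join(blocked))
    if not role.modules():
        findings.append("role grants no module access")
    elif effective_login_module(role) is None:
        findings.append("login module is not one the role can access")
    # Added least-privilege check (reviewer policy, not a product rule).
    if "User Management" in role.admin_rights and "Audits" not in role.admin_rights:
        findings.append("REVIEW: delegated user management without Audits")
    return findings
```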