This article is applicable to Entuity v21.0 upwards.
- For ENA v18.0, please see this article.
- For Entuity 19.0, please see this article.
- For Entuity v20.0, please see this article.
System user groups and user profiles
To edit the members of a user group
To edit the groups to which a user belongs
To specify the user settings of members of a user group
User group tool permissions, report permissions and task permissions
List of available permissions
To set report permissions
To set task permissions
To specify which servers a user group can see (grant server access)
Recommended best practices for setting up user groups and user permissions across multiple servers
Introduction:
User groups are a means to determine the permission level of individual user accounts. You can associate individual user accounts with one or more user groups, and in doing so can meet the varied requirements of different types of users.
User groups need to be set up for all authentication types (internal and external) on all servers:
- in LDAP authentication, user groups are required for mapping LDAP groups to Entuity groups.
- in RSSO and SAMLv2 authentication, a matching Entuity user group name must exist on RSSO and SAMLv2.
System user groups and user profiles:
There are two predefined system user groups:
- Administrators.
  - this group allows users full access to Entuity's functionality.
  - you cannot delete the Administrators group, and it must always have at least one member.
- All Users.
  - all user profiles belong to the All Users group.
There are two predefined user profiles:
- admin - a member of both Administrators and All Users.
- user - a member of All Users.
To create a user group:
By default, all users are excluded from a group when it is first created. You will need to add users to a group to populate it via either Edit Members (below) or Edit Groups (under the Users tab).
- From the Main Menu, click Administration.
- Click Account Management.
- In multi-server environments, select the server or server configuration set for which you want to create the user group via the dropdown selection box in the top left. Note, it is possible, from a central server, to add a user group to a remote server that is running a pre-v21.0 version of Entuity.
- Under the Groups tab, click Add Group at the top of the page (or via the Overflow Menu or right-click Context Menu).
- The Add Group form will open on the right, in which you need only enter a Group Name.
- Click Done in the top right to save the group, otherwise click Cancel. Once saved, the group is then created.
To edit the members of a user group:
- Select the server or configuration set that has the user group, and navigate to the Groups tab of the Account Management page.
- Select the group that you wish to edit and click Edit Members at the top of the page (or via the Overflow Menu or right-click Context Menu).
- The Edit Members form will open on the right.
- Tick the users who you want to belong to this group. Click Done in the top right to save your changes, otherwise click Cancel.
To edit the groups to which a user belongs:
Please see this section for help on editing the groups to which a user belongs.
To specify the user settings of members of a user group:
You can specify the user settings for all users within a selected user group or groups, which is the group-level equivalent of specifying individual user settings.
- Select the server or configuration set that has the user group, and navigate to the Groups tab of the Account Management page.
- Select the group for which you wish to specify or edit user settings, and click User Settings via the Overflow Menu or right-click Context Menu.
- The User Settings form will open on the right of the page.
- For the Timeout, Account locking and Password Expiry Days fields, you can choose from the following:
  - Use Global - use the global settings as specified above.
  - Override - override the global settings and specify your own.
  - Disabled - disable this option.
- Expire account on - if desired, specify a date and time at which the users' accounts will be locked.
- Force password change on next login - specify whether to force the users to change their passwords the next time they log in.
- Unlock a locked account now - specify whether to unlock the users' accounts now, if the accounts are locked.
- Click Done to save your changes, otherwise click Cancel.
User group tool permissions, report permissions and task permissions:
You can assign permissions to individual users by giving permissions to the user groups that they are members of, i.e. it is through membership of user groups that users gain their permissions. This is done by taking the union of the permissions for all groups of which the user is a member. For example, if a user belongs to two user groups, with one permitting access to a function and the other denying access, the user will have access to that function.
Note, members of the Administrators user group have full access to all Entuity tools, reports and tasks. They also have access to all objects managed by Entuity.
User permissions in Entuity are divided into three categories:
- Tool permissions
- Report permissions
- Task permissions
To set tool permissions:
- Select the server or configuration set that has the user group, and navigate to the Groups tab of the Account Management page.
- Select the group for which you wish to edit tool permissions and click Tool Permissions at the top of the page (or via the Overflow Menu or right-click Context Menu).
- The Edit Tool Permissions form will open on the right of the page. Tick the boxes for each tool to which you want the user group's members to have access, and click Done in the top right to save your changes, otherwise click Cancel.
List of available permissions:
The available tool permissions are as follows:
Administrator tools - permissions allowing access to functionality available through the UI.
Tool | Description |
---|---|
Credential Administration | allows users to see and access the Asset Credential Management page, and create and edit credential sets. |
Dashboard Management | access to dashboard management functionality, including duplicating and editing dashboards and creating custom dashboards. |
Data Export | access to data export functionality. |
Entuity Health | access to the system information functionality: |
Event Administration | access to Event Administration functionality. |
Event Notification Administration | access to event notification administration functionality. |
Event Suppression | allows users to manage event suppressions (this is a different mechanism to suppressions defined through Event Administration). |
ICMP Monitor | access to ICMP Monitor functionality. |
IP SLA Administration | access to Cisco IP SLA functionality. |
Incident Editing | access to incident edit functionality. |
License Administration | allows users to add new licenses via the Install New License functionality on the License Health page. |
Maintenance | allows users to view and edit maintenance schedules. |
Multi-Server Administration | access to multi-server configuration functionality. |
Object Editing | access to object edit functionality. |
SurePath Administration | allows users to see and access SurePath administration pages, and create, edit and delete paths. |
Topology Group Administration | allows access to the Topology Group Management page and multi-server topology functionality. |
User Defined Polling | access to User Defined Polling functionality. |
View Audit Log | access to the Entuity Audit Log. |
Webhook Administration | allows users to manage (create, edit and delete) custom webhooks. |
Inventory - permissions allowing access to the Asset Management page, Auto Discovery, and Inventory snapshots.
Tool | Description |
---|---|
Auto Discovery Administration | allows users to run Auto Discovery (also requires Inventory Administration permission). |
Inventory Administration | access to functionality available through Managed Assets. |
Inventory Snapshots Administration | allows users to take snapshots of the selected View's inventory, which are used with the Inventory Change report. |
Managed Port Administration | allows users to unmanage ports on a device, and to manage previously unmanaged ports. |
- permissions allowing access to functionality that is enabled via right-click context menus and user preferences. These options will depend upon the integrations and modules that are activated.
Tool | Description |
---|---|
Hide Configuration Tasks | enable to hide the top-level 'Configuration Management' option from the context menu. This is useful if you have not enabled any other configuration management permissions for the user group, which would result in the 'Configuration Management' context menu option opening to an empty list. |
Hide Preferences | enable to hide the user's Preferences option in the Main Menu. This is useful to ensure user preferences remain as specified by administrators. |
Show Remedy | access to custom menus that are available with the Entuity Remedy AR System Integration. |
Show User Menus | access to customized context menus. |
Reports - permissions allowing access to reporting functionality.
Tool | Description |
---|---|
Flex Reports | allows users to build Flex Reports. |
Report Builder (Requires Reports) | allows users to build new reports via the Report Builder (this also requires the Reports permission). |
Reports | allows access to Reports. |
Style Management | allows access to reporting style templates. |
Tools - permissions allowing access to Entuity tools.
Tool | Description |
---|---|
Annotation Manager | access to annotating managed objects. |
Application Monitor | access to application monitor functionality. |
Configuration Management Administration | access to configuration management functionality. |
Configuration Management Firmware | access to adding firmware to repository, starting and stopping firmware updates, and editing firmware update schedules. |
Configuration Monitor Administration | access to editing configuration monitor settings, and annotating and favoriting device configurations. This allows you to: A user with this permission also automatically has access to the functionality enabled by the Configuration Monitor View Config, Configuration Monitor Check Config, and Configuration Monitor Download Config permissions (see below). Retrieved configuration details are associated with their device, so access permissions are granted based on that View membership. |
Configuration Monitor Check Config | access to checking and retrieving configuration files for a device. |
Configuration Monitor Download Config | access to downloading either the running or startup configuration for a device. |
Configuration Monitor View Config | access to viewing and comparing configuration file changes for a device. |
Flow Management | access to IFA and configuration. |
Flow Viewing | access to dashboards to view flow contents. |
IP Address Management | access to the IP Address Management page and adding, modifying, and deleting IP networks and DHCP servers, and running scans. |
Log Files | access to the Log Files page and the ability to download logs. |
MIB Browser | access to the MIB Browser. |
Remote Terminal | access to remote terminal. |
Ticker | access to the ticker functionality. |
Trace Route | access to trace route from the Entuity server. |
View Administration - permissions to manage Views.
Tool | Description |
---|---|
Create Views | allows users to create Views. |
Edit View Filters | access to create, edit and delete View filters. |
Geographical Map | allows users to use Geographical Map functionality. |
Service Administration | access to services functionality. |
Share Views | allows users to share Views they own with members of selected user groups. |
To set report permissions:
You can specify the default permission setting for each individual report in each report category, and provide permission settings for individual categories and/or reports. All report categories and reports will take the default value unless you specify otherwise.
If you want to grant members of a user group access to a report, you must also grant them the Reports Tool Permission (and if you want members to be able to create their own reports, you must grant them the Report Builder Tool permission). Flex Report permissions are also handled through Tool Permissions.
Important note - if you have multiple users with different requirements (e.g. if you are an MSP with multiple customers), it is important that you create user groups on a per-user basis. This will ensure that different users/customers do not have access to reports that they should not be able to access. Please see the Example workflow section below for further help on this.
- Select the server or configuration set that has the user group, and navigate to the Groups tab of the Account Management page.
- Select the group for which you wish to edit report permissions and click Report Permissions via the Overflow Menu or the right-click Context Menu.
- The Edit Report Permission form will open on the right of the page.
- Permission for 'Default' - specify the default permission level across all reports, selecting from one of the following:
  - No Access - prevents members of the user group accessing the report (unless they are members of another group with this permission).
  - View Only - members of the user group can view generated reports.
  - View and Run - members of the user group can run and view generated reports.
  - View, Run and Schedule - members of the user group can schedule, run and view generated reports.
  - View, Run, Schedule and Edit - members of the user group can schedule, run, view and edit generated reports.
- All reports are set to the default value. You can drill down into each report category and specify the permission levels at a category or report level. From Entuity v21.0 P03 upwards, you can use the filter to narrow down the list and more easily select the report category or reports you are looking for. For example:
- for Inventory Reports:
- for the IP Phone Lookup report:
- for Inventory Reports:
- Click Done in the top right to save your changes, otherwise click Cancel.
Example workflow:
- You are the Entuity admin for an MSP, and you want to set up appropriate user accounts for three customers: Potter, Weasley and Malfoy.
- Create three user groups: 'Potters', 'Weasleys' and 'Malfoys'. Create appropriate users for each group.
- Create top-level Views relevant for each group, called 'Potter', 'Weasley' and 'Malfoy', and grant read access to the appropriate user groups, and ensure they are populated with the devices visible to the appropriate customers.
- Create three new custom report folders for each customer, called 'Potter's Reports', 'Weasley's Reports' and 'Malfoy's Reports'. Give each folder the report permission View, Run and Schedule for the appropriate user group. Create a number of custom reports in each folder that are specific to that customer (e.g. Potter Report 1, Potter Report 2, Potter Report 3, etc). Each customer does not have access to any other report folder (system folder or custom folder).
- At this point, each customer will only be able to see one report folder on their Reports page:
  - Potters will only see Potter's Reports, which contains Potter Report 1, Potter Report 2, Potter Report 3.
  - Weasleys will only see Weasley's Reports, which contains Weasley Report 1, Weasley Report 2, Weasley Report 3.
  - Malfoys will only see Malfoy's Reports, which contains Malfoy Report 1, Malfoy Report 2, Malfoy Report 3.
- If you grant each user group the Report Builder Tool Permission, then they will be able to create their own custom reports within that folder. However, because they only have the View, Run and Schedule report permission on that folder, they cannot edit any of the custom reports (Potter Report 1, etc) within that folder.
- You then want to grant access to all system reports to the Potter customer, but only some system reports to Weasley and Malfoy:
  - Select the Potters user group, and go through each system report folder and grant the View, Run and Schedule permission. Members of the Potters user group will then see all these report folders, and will be able to view, run and schedule every report in these folders (including any new reports that might be added to those folders in future patches and upgrades).
  - Select the Weasleys user group, and go through individual system report folders and grant the View, Run and Schedule permissions on the appropriate folders or individual reports. Do the same for appropriate folders/reports for the Malfoys user group. Members of the Weasleys and Malfoys will only be able to see the folders in which they have permission to at least one report. They will not automatically get access to any new reports added in future patches and upgrades.
- Important note - it is crucial that you do not grant global default report permissions to any of the user groups, because this would then allow them access to all system reports and the other customers' report folders. E.g., if you granted global default report permissions to the Malfoys user group, then Malfoy will have access to all system reports, Potter reports and Weasley reports.
- When Harry (a member of the Potters user group) logs in and navigates to the Reports page, he will see any system report folders the Potters user group was granted access to, along with the Potter's Reports folder.
- If Harry goes to the report options for any of these reports to which he has access, and then saves the report options, they will only be visible to him. He can share these options with other users in the Potters user group or another user group to which he belongs, via the Share button when editing the report.
Important note regarding adding multiple customers to the same user group:
The Entuity admin must not use the same user groups containing users from more than one customer to grant different levels of access to Entuity features.
For example, if you create an 'Event Admin' user group with access to other functionality (such as Event Notification Administration and Event Suppression), and make some users from the Potters user group and the Malfoy user group members of it, then any of those users in the Event Admin user group would be able to grant access to the reports and folders they have created to the Event Admin user group. This would inadvertently give users from one customer access to another customer's reports.
e.g.:
- You create the Event Admin user group for other functionality.
- You add users from Potters and Malfoys.
- Harry, a Potter user, would be able to grant access to Potter's Reports to the Event Admin user group.
- This means that Draco, a Malfoy user who is also in the Event Admin user group, will then have access to Potter's Reports.
Therefore, to avoid customers inadvertently accessing other customers' reports, Entuity recommends that user groups such as 'Event Admin' be created on a per-customer basis.
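The union rule and the two isolation failures described above (a non-restrictive default report permission, and a user group shared between customers) can be checked offline against an inventory of groups. The following is an added example, not Entuity code or an Entuity export format: the data layout, function names and sample values are constructed, and it assumes that the union of the cumulative report levels resolves to the highest level granted by any group.

```python
# Added example with constructed data; not an Entuity API or export format.
# Report permission levels as listed on this page, lowest to highest.
LEVELS = ["No Access", "View Only", "View and Run",
          "View, Run and Schedule", "View, Run, Schedule and Edit"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed inventory: which customer each user and custom folder belongs to.
USER_CUSTOMER = {"harry": "Potter", "ron": "Weasley", "draco": "Malfoy"}
FOLDER_OWNER = {"Potter's Reports": "Potter", "Weasley's Reports": "Weasley",
                "Malfoy's Reports": "Malfoy"}

# Constructed groups: members, default report permission, per-folder overrides.
GROUPS = {
    "Potters": {"members": {"harry"}, "default": "No Access",
                "folders": {"Potter's Reports": "View, Run and Schedule"}},
    "Weasleys": {"members": {"ron"}, "default": "No Access",
                 "folders": {"Weasley's Reports": "View, Run and Schedule"}},
    # Misconfiguration 1: a default other than No Access.
    "Malfoys": {"members": {"draco"}, "default": "View Only",
                "folders": {"Malfoy's Reports": "View, Run and Schedule"}},
    # Misconfiguration 2: one group holding users of two customers, to which
    # a Potter user has granted access to Potter's Reports.
    "Event Admin": {"members": {"harry", "draco"}, "default": "No Access",
                    "folders": {"Potter's Reports": "View and Run"}},
}

def group_level(group, folder):
    """Folder override if set, otherwise the group's default permission."""
    g = GROUPS[group]
    return g["folders"].get(folder, g["default"])

def effective_level(user, folder):
    """Union across groups (assumed: the highest level any group grants)."""
    levels = [group_level(name, folder)
              for name, g in GROUPS.items() if user in g["members"]]
    return max(levels, key=RANK.__getitem__, default="No Access")

def mixed_customer_groups():
    """Groups whose members belong to more than one customer."""
    found = {}
    for name, g in GROUPS.items():
        customers = {USER_CUSTOMER[u] for u in g["members"]}
        if len(customers) > 1:
            found[name] = sorted(customers)
    return found

def open_default_groups():
    """Groups whose default report permission is not No Access."""
    return sorted(n for n, g in GROUPS.items() if g["default"] != "No Access")

def cross_customer_access():
    """(user, folder, level) wherever a user can reach another customer's folder."""
    findings = []
    for user, customer in sorted(USER_CUSTOMER.items()):
        for folder, owner in sorted(FOLDER_OWNER.items()):
            level = effective_level(user, folder)
            if owner != customer and level != "No Access":
                findings.append((user, folder, level))
    return findings

if __name__ == "__main__":
    print("Mixed-customer groups:", mixed_customer_groups())
    print("Groups with an open default:", open_default_groups())
    for finding in cross_customer_access():
        print("Cross-customer access:", finding)
```
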
To set task permissions:
Task permissions enable you to control access to Configuration Management tasks, on a per-task basis. By default, all tasks are set to the default permission, which can be edited.
Note, users without the Configuration Management or Configuration Monitor Tool Permissions can be given specific tasks they are allowed to run, and those tasks will show in context menus.
- Select the server or configuration set that has the user group, and navigate to the Groups tab of the Account Management page.
- Select the group for which you wish to edit task permissions and click Task Permissions via the Overflow Menu or the right-click Context Menu.
- The Edit Task Permission form will open on the right of the page.
- Permission for 'Default' - specify the default permission level across all tasks, selecting from one of the following:
  - No Access - prevents members of the user group accessing the task (unless they are members of another group with this permission).
  - Run - members of the user group can run and view tasks.
  - Run and Schedule - members of the user group can schedule, run and view tasks.
- All tasks are set to the default value. You can specify values for each individual task, and (from Entuity v21.0 P03 upwards) you can use the filter to more easily find the task(s) you are searching for. For example:
- for Add SNMP community string:
- for Port down:
- for Add SNMP community string:
To remove a user group:
You can only delete custom user groups. You cannot delete the predefined system user groups, which are Administrators and All Users.
When deleting a user group, Entuity also deletes the membership of user accounts to that group, but does not delete the individual user accounts themselves.
- Select the server or configuration set that has the user group you want to remove, and navigate to the Groups tab of the Account Management page.
- Select the user group you wish to remove and click Remove Group at the top of the page (or via the Overflow Menu or the right-click Context Menu).
- A removal confirmation window will open. Click Yes to confirm the removal, otherwise click No.
Whilst you cannot remove your own account, you can remove yourself from the Administrators Group. If you do so, be aware that you cannot re-add yourself to that group.
To specify which servers a user group can see (grant server access):
You can specify the servers that the members of a user group can see. When specified, members of the user group will be restricted to seeing data only from the specified servers.
Important note regarding access to data on consolidation servers:
In order to grant user groups access to specific servers via the Grant Server Access functionality, you will also need to grant those user groups access to the consolidation server. Note that data on the consolidation server will therefore become available to those user groups.
To specify which servers a user group can see:
- Navigate to the Groups tab on the Account Management page and select a server on which the user group can be found. Note that this functionality is only available when a server is selected, not a configuration set.
- Select the user group that you wish to edit, and then click Grant Server Access via the Overflow Menu or right-click Context Menu.
- The Grant Server Access form will open on the right of the page.
- Specify whether to grant access to all servers using the Include All Servers switch. If set to No, you can tick the Allowed Servers below.
Recommended best practices for setting up user groups and user permissions across multiple servers:
Entuity recommends mirroring configuration across all servers as far as possible. This would require you to create the same user groups on each server, and then add the same permissions to each group on each server. Account Administration can be undertaken through the UI via the steps above, or via Entuity's RESTful API functionality.
However, there are circumstances where you might want to have different permissions per server, for example in the case of MSPs who might want to keep access between customer servers separate. In this case, you will need to go to the individual server and change the permissions there, e.g. turning off permissions for Customer B on Customer A’s server.
RESTful API:
Please see the following for help and information on managing user groups via Entuity RESTful API:
- List general information about user groups.
- Delete a specified user group.
- List and modify the set of tools accessible to a user group.
- Config sets - user group membership:
- Modify user membership of a specified user group on a specified config set.
- Add users to a specified user group on a specified config set.
- Delete a user from a specified user group on a specified config set.