Role-Based Access Controls
Introduction
Role-Based Access Control (RBAC) is a collection of features to restrict the operations a user can perform on specific devices within OpsRamp. Features that enable RBAC are:
Users and user groups
Devices and device groups
Credentials
Permissions and permissions sets
Roles

Scenarios
Device Level Permissions
Scenario: An organization has separate administration teams: one team manages servers and another manages network devices. The server administrator group wants users in the server team to be able to view all devices but manage and administer only server devices. Similarly, the network administrator wants users in the network team to be able to view all devices but manage and administer only network devices.
Solution: Assign the manage role to the server administrator and network administrator groups on all devices within their own groups. Similarly, assign the view role to the server administrator and network administrator groups on all devices belonging to the other group.

Credential Level Permissions
Scenario: An organization has regular users and administrators who each need to log in to a server and launch consoles within OpsRamp using different credentials, with the regular users' credentials carrying lower privilege than the administrator credentials.
Solution: Assign the two kinds of users different credential sets, such as administrator and regular user, so that the administrator can perform administrative activities and the regular user has fewer privileges than the administrator.

Core Concepts
User And User Group
User
Anybody with an account to access OpsRamp is a user.
A user can be of two types – partner or client level.
A user can be granted different levels of permission on different devices for different activities in OpsRamp.
User group
A user group is a set of users.
A user group can be granted different permissions on different device groups.
A user group can be at partner or client level.
A user inherits roles from its parent user group(s).
Instructions for creating a user
Log in to OpsRamp.
Click All Clients and select the Client.
On the drop-down menu, click Setup. The Account Management panel appears.
On the Account Management panel, click Users.
Click the Add button.
Provide User Details, by selecting the option Partner User or Client User.
Assign Roles to user.
Assign Groups to the user.
Instructions for creating a user group
On the Account Management panel, click User Groups.
Click the Add button.
Provide User Group Details, by selecting the option Partner User Group or Client User Group.
Note: The Email field is mandatory if the user group is to be used as a distribution list. This distribution list can be viewed when selecting the users for escalating alerts.
Select users to add to the user group from the available user list and click Save.
Device And Device Group
Device
Any element managed by OpsRamp is a device, like a Windows server or a network device.
A user can be granted a role on a device.
Device group
A device group is a set of devices.
A user can be granted a role on a device group.
Credential
A credential is the username and password used to log in to a device.
Permission Set
A permission set is a set of permissions that allows a user or user group(s) to perform a specific operation, or a set of operations, on specific devices or on all devices. Examples of permissions:
View devices
Manage devices
Create credential sets
Launch consoles

Instructions for creating permission sets
Log in to OpsRamp.
On the drop-down menu, click Setup.
On the Account Management panel, click Permission Sets.
Click Create.
Create a new permission set by selecting the option Partner or Client and then provide permission set description and the values.
For permission values, see Permission Values.
Role
A role defines the permission sets that a user or user group has on devices and device groups.
A user or a user group can be assigned to more than one role.
Instructions for creating a role
Log in to OpsRamp.
On the drop-down menu, click Setup.
On the Account Management panel, click Roles.
Click the Add button and create a new role by selecting the option Partner or Client.
Provide Role Details.
Provide User Group Details.
Provide Device Group Details.
Assign Credential Sets.
Assign Permission Sets.
Role Inheritance From User Group
A user inherits roles from user groups to which the user belongs.
If a user belongs to multiple user groups, the user is automatically assigned the union of roles assigned to each parent user group. For example, in scenario 1: if a user belongs to both user groups server administrator and network administrator, then the user can manage both server and network devices.
Role Propagation From Device Group To Devices
A user assigned a role on a device group is automatically assigned the same role on all devices within the device group. For example, in scenario 1: if a new server is added to the server devices group, users in the server administrator user group will automatically have manage permission on the new server.
If a device belongs to multiple device groups, then a user is automatically assigned the union of the roles that the user holds on each device group to which the device belongs. For example, in scenario 1: if a new device is added to both the server group and the network group, then server administrators can view and manage the new device. This is because server administrators can manage devices in the server group. Likewise, network administrators can also manage the new device because the new device is also part of the network group.
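The two union rules above (inheritance from user groups and propagation from device groups) can be checked with a small model of scenario 1. This is an added example, not OpsRamp code or its API: it assumes each role can be represented as a (user group, device group, permissions) triple, and all user, group and device names are constructed.

```python
# Illustrative model only: names and data below are constructed, not OpsRamp objects.
from dataclasses import dataclass, field

@dataclass
class RbacModel:
    user_groups: dict = field(default_factory=dict)    # user group -> set of users
    device_groups: dict = field(default_factory=dict)  # device group -> set of devices
    grants: list = field(default_factory=list)         # (user group, device group, permissions)

    def grant(self, user_group, device_group, *permissions):
        self.grants.append((user_group, device_group, frozenset(permissions)))

    def effective_permissions(self, user, device):
        """Union over every grant whose user group holds the user and
        whose device group holds the device."""
        perms = set()
        for user_group, device_group, permissions in self.grants:
            if (user in self.user_groups.get(user_group, ())
                    and device in self.device_groups.get(device_group, ())):
                perms |= permissions
        return perms

    def who_can(self, permission, device):
        """Access-review helper: every user holding `permission` on `device`."""
        users = set().union(*self.user_groups.values())
        return {u for u in users if permission in self.effective_permissions(u, device)}

def scenario_1():
    m = RbacModel()
    m.user_groups = {"server-admins": {"alice", "carol"}, "network-admins": {"bob", "carol"}}
    m.device_groups = {"servers": {"srv-01"}, "network": {"sw-01"}}
    m.grant("server-admins", "servers", "view", "manage")
    m.grant("server-admins", "network", "view")
    m.grant("network-admins", "network", "view", "manage")
    m.grant("network-admins", "servers", "view")
    return m

if __name__ == "__main__":
    m = scenario_1()
    print(m.effective_permissions("alice", "sw-01"))   # server admin on a network device
    print(m.effective_permissions("carol", "sw-01"))   # member of both user groups
    m.device_groups["servers"].add("srv-02")           # new server added to the group
    print(m.effective_permissions("alice", "srv-02"))  # role propagated, no new grant
    m.device_groups["network"].add("srv-02")           # device now in both device groups
    print(sorted(m.who_can("manage", "srv-02")))       # review who can manage it now
```

Because the result is a union, placing a device in an additional device group can only widen the set of users holding a permission on it, which is what the who_can review shows for srv-02.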
Super Administrator Role
OpsRamp allows a special role to be created for a partner or client user to have all permissions to all devices – this role automatically encompasses all current devices and any new devices that are added.
Any user assigned to this role can perform any operation on any device.
A partner user with the super administrator role has all permissions to all devices across all clients within the partner.
A client user with the super administrator role has all permissions to all devices within the client only.
Default Partner Super Administrator Role
By default, when a new partner is created, a designated partner user is assigned the super administrator role. This role is called the ITOP VAR Administrator. This role is not editable by any partner users.
The partner super administrator can, in turn, assign the super administrator role to other partner users.
Partner Defined Client Roles
A partner can define roles for use by clients. Client users can see such partner defined roles, but these roles are not editable by client users.
As a best practice, a partner can define a client super administrator role and assign this role to a designated client user.
A client super administrator can, in turn, define client-specific roles. Such client-defined roles are visible only within the client.