Basic Concepts
Roles
A role defines a set of privileges. A user can be assigned to one or multiple roles, and the effective privileges are the combination of privileges of all assigned roles.
For example, given two roles:
- Role A - can create dashboards
- Role B - can view all hosts
If the user John is assigned both Role A and Role B, then John can create dashboards and view all hosts.
Privileges
A privilege specifies a resource and the operations allowed upon it (e.g. viewing datasources). The following table lists all resources and operations:
| Resource | Operations | Notes |
|---|---|---|
| Dashboards | Manage - can add/view/delete/edit all dashboards and widgets. View - can view specific dashboards. | A user can always view all of their own private dashboards. Privileges only affect the visibility of public dashboards to the user. |
| Datasources | Manage - can add/view/delete/edit the definition of all datasources, eventsources, batchjobs, OID mappings, and user-defined functions (everything under the Datasource Tab). View - can see objects on the Datasource Tab, but not edit them. | This resource controls access to all items on the Datasource Tab - it is not possible to allow access to specific datasources only. |
| Hosts | Manage - can add/view/delete/edit all groups and hosts. Ack - can view hosts and acknowledge alerts under specific first-level groups. These users can also create Scheduled Downtime for these hosts. View - can view hosts under specific first-level groups. | Host resources are granted at first-level groups only. It is not possible to grant View or Ack privileges to only hosts in a second-level group. |
| Remote Sessions | Users can be given the ability to run Remote Sessions (subject to the host's authentication controls) over SSH or RDP to all hosts, hosts in specific groups, or no hosts. | |
| Reports | Manage - can create/view/delete/edit all folders and reports. View - can view report definitions and generate reports under specific folders. | The controlled object for report view access is the folder. Access is granted/denied to report folders, which includes access to all contained reports. |
| Settings | Manage - can view/create/delete/edit all controls under the Settings Tab (such as accounts, alert rules, escalation chains, etc.). View - can view all controls under the Settings Tab. | The role can view/manage either all settings or none of them. There is no ability to control access to only some alert rules, for example. |
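The combination rule from the Roles section and the scoping limits in the table above can be modeled in a few lines of Python to audit what a set of role assignments really grants. This is an added example, not the product's own code; the role name noc-ack, the group names, the host paths and all function names are constructed for illustration, and the ordering of operations is an assumption drawn from the table.

```python
# Added example: role names (except Role A/B), groups and host paths are constructed.
# Assumption: operations are ordered, since the table says Ack and Manage include View.
LEVELS = {"view": 1, "ack": 2, "manage": 3}
# (resource, operation) pairs the table allows to be limited to a specific scope.
SCOPABLE = {("dashboards", "view"), ("hosts", "view"), ("hosts", "ack"), ("reports", "view")}

# A grant is (resource, operation, scope); "*" means all objects of that resource.
ROLES = {
    "Role A": [("dashboards", "manage", "*")],
    "Role B": [("hosts", "view", "*")],
    "noc-ack": [("hosts", "ack", "Production")],
}

def validate(grants):
    """Reject grants the privilege table says cannot be expressed."""
    for resource, op, scope in grants:
        if scope != "*" and (resource, op) not in SCOPABLE:
            raise ValueError(f"{resource}/{op} cannot be limited to {scope!r}")
        if resource == "hosts" and "/" in scope.strip("/"):
            raise ValueError(f"host grants apply to first-level groups only: {scope!r}")

def effective(role_names, roles=ROLES):
    """Union of all assigned roles, keeping the highest operation per (resource, scope)."""
    eff = {}
    for name in role_names:
        validate(roles[name])
        for resource, op, scope in roles[name]:
            key = (resource, scope)
            if LEVELS[op] > LEVELS.get(eff.get(key), 0):
                eff[key] = op
    return eff

def allowed(role_names, resource, op, target="*", roles=ROLES):
    """True if the combined roles permit `op` on `target` ("*" = every object)."""
    eff = effective(role_names, roles)
    # A host is covered by a grant on its first-level group, however deep it sits.
    scope = target.strip("/").split("/")[0] if resource == "hosts" else target
    best = max(LEVELS.get(eff.get((resource, s)), 0) for s in {scope, "*"})
    return best >= LEVELS[op]

if __name__ == "__main__":
    john = ["Role A", "Role B"]
    print(allowed(john, "dashboards", "manage"))
    print(allowed(["noc-ack"], "hosts", "ack", "Production/db/db01"))
    print(allowed(["noc-ack"], "hosts", "view", "Staging/db01"))
```

Running `effective()` over each user's assigned roles shows where a narrowly scoped role is made moot by a second role with a `*` grant on the same resource.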
View existing roles
To view existing roles, go to Settings Tab -> Accounts.
The Roles form lists all existing roles:

Default Roles
The default roles for new accounts, which may be edited/deleted to suit, are:
| Role | Privileges |
|---|---|
| administrator | Can manage dashboards Can manage hosts and groups Can manage datasources Can manage settings |
| ackonly | Can view datasources Can view all hosts and acknowledge alerts |
| readonly | Can view all public dashboards Can view all hosts Can view datasources Can view all reports Can view settings |
Add a Role
To add a role, go to Settings Tab -> Accounts, then click the "Add" button at the top of the Roles form. An "Add a role" dialog will pop up, which allows you to define the privileges for every resource class.
Edit a Role
To edit a role, go to Settings Tab -> Accounts, then click the edit icon alongside the role you wish to edit. An "Edit Role" dialog will pop up.
Delete a Role
To delete a role, go to Settings Tab -> Accounts, then click the delete icon alongside the role you wish to delete.
Note: you cannot delete a role that is currently assigned to users.

