Delegation and control over probes/probe access control

Document ID : KB000034021
Last Modified Date : 14/02/2018
Probes and Access Control (ACLs and permissions)

The first thing to understand is user 'type':
1- User Administration->'Real NimBUS users': can log in to IM and do Infrastructure Management.

2- 'LDAP-linked users': same as real NimBUS users but they are authenticated against LDAP.

3- 'Account-Contact' users: cannot manage Nimsoft infrastructure and cannot log in to IM. These users belong to an Account and can only view data for that account, based on the Origin of the data selected.

When you need a finer level of filtering for users, you must associate ACLs, along with the desired filters, with NMS/NimBUS users, not with NMS Account->Contact users.

ACLs are like 'roles,' e.g., Administrator, Operator, Guest, CustomerAdmin, etc., that are associated with specific permissions. Nimsoft provides out-of-the-box ACLs/roles such as Administrator, Operator, Superuser, etc., and you can also define your own and associate specific permissions with them. User-defined ACLs contain a set of permissions that can be enabled or disabled to suit the given role and the access control required.

Here are a few permissions that relate to controlling access to probes in particular:

'Basic Management' permission
Enables the user to configure, restart, and move probes in the Infrastructure Manager. These options are made available by right-clicking a probe.

Removing the 'Basic Management' permission takes away the right to stop and restart probes.

'Probe Configuration' permission

This permission applies to users of the Infrastructure Manager (IM). It dictates whether or not a user can launch the probe configuration tool (GUI/Raw Configure) to make configuration changes.

For instance, if the 'Probe Configuration' permission is deselected and the user logs in, the user cannot configure any probes. They can only perform a few very limited actions, such as right-clicking a probe and selecting 'View log.' This is similar to read access in general.

Note that deselecting the 'Probe Configuration' permission does NOT limit who can add, edit, or delete hosts from a probe.

Execution levels 1, 2 and 3 only apply to the nexec probe, so they are not useful for controlling probe access.

Note overall that the Nimsoft Security Model is oriented toward product-specific security and is somewhat limited, not that granular, in terms of control over probes, e.g., who can read, write, and configure. Controlling access to probes in IM, UMP, or the web-based Admin Console is handled differently in each at this point in time, and therefore the security policy/principles are not exactly the same across those modules.

For details on what you can control, refer to the ACL permission descriptions. The link below explains the pre-defined Access Control List (ACL) templates and their permissions:

http://docs.nimsoft.com/prodhelp/en_US/Monitor/7.5/NimsoftMonitorGettingStartedGuide/index.htm?toc.htm?2223365.html?zoom_highlight=security+permissions+acl

See also:

http://docs.nimsoft.com/prodhelp/en_US/Monitor/InfrastructureManager/index.htm?toc.htm?1987125.html?zoom_highlight=setting+permissions+acl

You cannot limit specific access to a probe or probes for one or more users, and you cannot prevent specific users from configuring individual probes. In Infrastructure Manager it is possible to limit this on a per-ACL basis to some degree using Infrastructure 'filters,' but note that these do not apply to UMP or the web-based Admin Console.

Note also that many Ideas (Feature Requests) have been entered for read-only access to probes and for more granular control of probe permissions in general. Please do not hesitate to enter one as well, with all of the requirements you need or think would be an improvement and helpful to you as an Administrator. Log in to the Customer Portal and click on the Ideas tab to enter it. The more Ideas logged and promoted for a particular feature request, the better chance it has to make it into the product.