Setup User Specific Groups in USM

Document ID : KB000047850
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction

Setting up UMP / USM User Specific Groups
  1. Open Infrastructure Manager -> Security -> Manage Access Control List...
  2. Check the existing Access Control List entries for anything that matches your desired permissions for your users. You will most likely want to create several custom ACL?s for users of various responsibilities. The permissions associated with an ACL directly determine the abilities of users associated with that ACL. User-added image

NOTE:
You MUST DISABLE the permission ?Restrict View To User Assets? in all ACL?s that you plan to use! If it is enabled, it will prevent users from seeing their robots. Also make sure to select the checkbox next to ?Make ACL permissions available for Account/Contacts?.
  1. Groups are defined by the Origin field which can be assigned at the hub level (applied to all robots connected to that hub) or at the Controller level (overrides any hub origin?s) for specific robots. To set up the foundation for your Origin?s you?ll need to go through each hub and assign it an origin. You can also do this for any robots that need to override their hub defined origin.
?????????????? FOR HUBS AND ALL ATTACHED ROBOTS:
  1. Right click and configure the hub probe for each hub you want to set.
  2. Click Settings in the lower right hand corner of the General tab.
  3. Click over to the General tab of the Hub->Advanced Settings panel.
  4. Set the origin text field to what you would like that hub and all of its robots to be reflected as. You will use this origin ID when creating groups in USM. All robots with the same origin will be in the same USM group.
  5. Hit OK, then Apply, then OK.
FOR SPECIFIC ROBOTS (OVERRIDES HUB ORIGINS):
  1. Right click and configure the controller probe for the robot you want to set.
  2. Click over to the Advanced sub-tab of the Setup tab.
  3. Set the Data origin field to the origin name that you want that robot to be a Group member of.
  4. Click Apply, then OK.
You will need to do this for all hubs and any robots that you want to define special groups for.

You will use one unique Origin name for each Group. Therefore, if you want one Hub and all of its robots to be under a specific group, you can simply assign that specific Hub a unique origin name. We will discuss how to use that Origin to assign groups later in the guide.

NOTE:
The Origin names will not map back to UMP until QoS data is sent from each robot/hub that is affected by an Origin name change. As long as your robots are submitting QoS data, they will eventually update in UMP, though it can take quite some time. You can force this process by installing a probe like CDM with an interval of 1 minute for at least one QoS measurement on every robot.
  1. Log?in to UMP as administrator -> go to Accounts.
  2. Create a new Account by clicking the green Plus sign. This creates a new Account Group that contains logins for all users from a specific account.User-added image
All users under this Account will all share the same custom Group views in USM. Each specific login can be assigned a unique ACL (these are shown and described in Step 1) allowing them various permissions within UMP. While you are creating this group, select one of your defined Origins under the ownership pane. (NOTE: This may take a while to populate!!!)
User-added image
  1. Once you have created a new Account with a specific Origin Ownership, you can create users within that Account. To do so, click the Green plus icon at the bottom of the AccountAdmin portlet.User-added image
Fill out the Login ID and E-Mail fields at a minimum, select an ACL, then hit the save icon to the far left of the row. At this point you will need to set a password for the User.
User-added image
NOTE:
At this point you have an Account filled with at least one user who owns a specific Origin. This ownership of the Origin gives them the necessary permissions to see robots/hubs that are assigned that Origin. Now you will need to make USM groups that populate based on that Origin.
  1. As administrator, go to the Home page in UMP. Hover your mouse over Groups in the left hand column and then click the white plus (+) icon.
  2. Change the group type depending on your needs. A static group type will not update if the Filter that you Apply changes. A dynamic group type will update the contained robots depending on which robots meet the filter applied. A container is just a blank generic container (typically not used). If you plan on not adding to many additional robots per group, you can select Static. If you add a robot in the future, you?ll need to edit the group and re-apply the filter. In this scenario, we can select Dynamic for the time being.
  3. Create a filter based on origin - this will automatically populate the Members section.
NOTE:
It is VERY important to create the filter FIRST, before selecting an Account to attach the group to. Due to delays in Origin assignments, if you attempt to assign an Account first, and it does not have any visible robots YET, then it will fail to populate correctly.
  1. Select an Account that the group will be attached to. Remember ? each account has permissions to specific Origins, the Account selected for this group should have permission to the same Origin that the group will be used for.
NOTE: If you selected a Static group type, you would need to place a check mark next to each desired robot that matched the applied filter.
  1. Open Infrastructure Manager -> Security -> Manage Access Control List?
  2. For each ACL that is being used by Users in the Accounts that are attached to the USM groups, you?ll need to do the following:
    1. Highlight the ACL
    2. Click Set Dashboard Access?
    3. In the Dynamic Views origin Ownership pane, select any of the origin?s that you plan to, or already setup Dynamic groups with.
    4. Click OK.
NOTE: If an ACL is only used by one Account, you can also click Set Account Link? and select the specific account to link the ACL to. This will prevent unauthorized use of the ACL.

At this point you can login with any of your newly created users, and they will only see those groups for which you attached their Account inside the group.




Procedure