A Foglight administrator may wish to configure the browser interface for a given group of users so that only selected dashboards are available. Foglight has predefined roles, such as Operator and Dashboard User, but it also allows the creation of special roles that may be assigned to a group of users. These special roles provide the mechanism for restricting users to a selected set of dashboards.
- See the Foglight Administration Guide for information on the roles required to access various Foglight views.
Security Controls and Roles
Security in Foglight is managed by creating a group, assigning roles to the group, and then assigning users to the group. New instances of all three (groups, roles, and users) can be created to suit particular needs. A collection of default groups and roles has been defined to cover standard situations.
What are the built-in roles?
Foglight already has a collection of built-in roles that cover standard cases. For more information refer to Foglight roles description (4309688).
A new role can be created by a Foglight administrator to define restricted access to certain parts of the Foglight user interface. You can create as many new roles as you wish and assign them to new groups that you create to hold them; you then create new users and assign them to the new groups as desired.
What are the built-in groups?
The built-in groups are:
- Cartridge Developers
- Foglight Administrators
- Foglight Operators
- Foglight Security Administrators
Which VMware roles exist?
The following roles are included with the Cartridge for VMware to control access to the VMware dashboards and reports:
- VMware Administrator: This role provides full access to all components of the cartridge, views, and reports.
- VMware Operator User: This role restricts the user to the VMware Environment and VMware Explorer dashboards only, except the Administration tab and the NetFlow Setting and Cisco Setting dialog boxes. Attempts to navigate to these elements result in the following message: Sorry. The view is not authorized.
- VMware Automation User: Users with this role can access the VMware Explorer Administration tab. This tab provides quick access to common administrative tasks that include server shutdown, virtual machine creation, resource allocation, and others. Note: Executing VMware administration tasks, such as rebooting an ESX host or a VM, requires specific VMware permissions.
- VMware QuickView User: This role restricts the user to the VMware Environment dashboard only. Attempts to navigate to the VMware Explorer result in the following message: You are not authorized to access view “VMware Explorer”.
- VMware Report User: This role grants access to the cartridge reports only. None of the VMware views are accessible if this is the user’s only role. To work with reports, the user additionally requires the Reports Manager role.
For more information about roles, users, and security, see the Administration and Configuration
Which dashboards can a user access?
There are two interpretations to this question. First, is the user able to access a view under any circumstances at all, and second, are there pages that the user could access if the appropriate links existed?
Allowed Roles
As a Foglight user, if one of your roles matches one of the allowed roles assigned to the dashboard, you are, at least in principle, able to view it. If the view is a dashboard, it shows in the Dashboards list in the navigation pane. Clicking on the link launches the page. The links that the page contains are accessible as long as the linked pages do not have any allowed roles set. If they do, one of the allowed roles must match one of the user's roles for the page to be accessed.
Relevant Roles
If the view has been assigned relevant roles and there is no match in the user's assigned roles, that view will not appear as a choice in the navigation panel. If a link (path) were available, the user could navigate to it, but if the link is not available the view remains hidden. For a user to see a page in which relevant roles have been set, there must be a match between the user's roles and the page's relevant roles, or the user must be able to navigate to the page from one that the user does have permission to access.
At the Navigation Panel level:
- *Homes*: All dashboards except Welcome to Foglight have either allowed roles or relevant roles (or both) set. If the user's roles do not match one of these, the choice won't be visible. Note: If a relevant role, which is not one of the user's roles, is set on a page and all roles are allowed, the page is accessible in principle, but there is no way to get to it. Thus, the page is effectively hidden unless there is a drill-down path from some page to this one.
- *Dashboards*: Many of the views have relevant roles set (Operator, Advanced Operator). If the user's roles do not match those set on the views, the entry will not be listed. If this is true for all the views in a node, the node itself will not show.
Which portals and queries can a user access?
To create a Portal you need to be able to access the Create Dashboard function. The built-in roles that permit access to the Create Dashboard function are Dashboard User, Operator, Advanced Operator, Dashboard Designer, and Cartridge Developer. A user having any one of these roles has access to the Configuration > Data tab as well. The Data tab allows access to Foglight objects via root queries. Root queries return objects that match the query parameters and the objects are presented in a view best suited to the objects' types. Thus, to entirely restrict access to Portals and the root queries that populate the Data tab, you must ensure that the restricted user does not have any of the roles that permit access.
If you want to allow access to selected portals and root queries, the same considerations regarding views apply. That is, besides having access to Create Dashboards and the Data tab, one of the user's assigned roles must match one of the portal's or query's roles. In general, this requires creating at least one new role and adding it to the portal or query as well as to the user.
How are drilldown views restricted?
Assuming that a user has access to a top-level page, the links on that page are also available for use. However, allowed roles still have to match. If they don't, the user gets a message, "You are not authorized view ."
How do I begin to create a restricted user?
Every user has by default a role called Console User. This gives permission to log in to the Foglight user interface, but nothing else. You must create a role specifically for the group of users in the restricted class.
Assess your needs. If you decide that your security requirements are such that you must lock down certain types of users to a defined set of pages, you will need to create special dashboards and define roles accordingly.
Example: Restrict a user to the Hosts table view
- Note: You must have access to the Definitions node and the Administration node to complete this procedure.
Overview:
- Create a role specifically for the group of users who are to be granted access to selected dashboards
- Create a group for the users who are to be granted access to selected dashboards
- Create users who are to be granted access to selected dashboards and add them to the group
- Assign the newly-created role to the target dashboard and to any of its drilldown pages that you want to access.
Create a specialized role:
- In the navigation pane, go to Dashboards > Administration > Users and Security > Manage Roles. The Manage Roles page opens.
- Click Create Role. The Create Role dialog opens.
- Type a name, such as Host Access, and click Create. A new role called Host Access is created.
Create a group for the specialized role:
- In the Users & Security node, click Manage Groups. The Manage Groups page opens.
- Click Create Group. The Create Group dialog opens.
- Type a name, such as Host Group, and click Create. A new group called Host Group is created.
Create a user for the specialized group:
- In the Users & Security node, click Manage Users. The Manage Users page opens.
- Click Create User. The Create User dialog opens.
- Type a name, such as Host User. Normally, the name you choose here is the login name for the person who is going to be restricted to the selected set of views, which in this case is Hosts Table.
- Assign a password for this user. Type it into both the Password and Confirm Password fields. A new user called Host User is created.
Assign groups to the new user:
- Still on the Manage Users page, ensure that the row for Host User is highlighted and click Edit Groups. The Edit Groups dialog opens.
- Click on the red bar next to Host Group to change it to a green cross, and then click Save.
Assign roles to the new user's group:
- In the Users & Security node, click Manage Groups.
- Select the Host Group row and click Edit Roles.
- Assign both Console User and Host Access to Host Group. Green crosses next to these names signify that they have been selected. The role of Console User is necessary to permit access to the Foglight console.
- Click Save to save the settings and close the dialog.
Assign the newly-created role to the desired dashboard:
- Log in to Foglight as a user with permissions to edit dashboards.
- Open the dashboard that is to be the home page for the user with restricted access, which in this case is Hosts Table.
- In the right-hand action panel, click Properties.
- Click Edit Basic Properties under Actions. The Edit View Properties dialog opens.
- Click the Edit icon for Relevant Role(s). A popup appears with checkboxes for all the defined roles.
- Click the Edit icon for Allowed Role(s). A popup appears with checkboxes for all the defined roles.
- Select Host Access, and then click Apply.
These settings cause Hosts Table to be the only dashboard listed in the navigation pane for Host User.
Test the assignments:
- Sign in as Host User and test the settings. You should see that this user's access has been restricted to Hosts Table and the pages that flow from it.
- Access to the drilldown pages is not guaranteed. You may find that certain ones are inaccessible, but you can always make them accessible by adding the Host Access role to the Allowed Roles for that page. In this example, the drilldown pages and popups for host metrics are accessible, but the table of alarms is not. Instead, a message stating that You are not authorized to access view "Alarm List As Popup - Alarm List" appears inside the table.
- Since the message gives you the name of the view, you can decide to make it accessible by editing it and adding the Host Access role.
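The allowed-roles and relevant-roles rules described under "Which dashboards can a user access?" and the Hosts Table walkthrough above can be checked together with a small model of the authorization decision. This is an added example and not Foglight's own code: the group, role and user names (Host Group, Host Access, Host User, Console User) are taken from the article, while the view names, their role settings and the drill-down links are constructed assumptions for illustration. It answers the two questions the article separates: what a user could open in principle (allowed roles) and what the user can actually reach from the navigation pane (relevant roles plus drill-down paths).

```python
from collections import deque

# Constructed sample data modelled on the article's example. Group/role/user
# names are the article's; the views, their role settings and the links between
# them are assumptions for illustration, not Foglight's real dashboard topology.
GROUP_ROLES = {
    "Host Group": {"Console User", "Host Access"},
    "Foglight Operators": {"Console User", "Operator"},
}
USER_GROUPS = {
    "Host User": {"Host Group"},
    "ops1": {"Foglight Operators"},
}
# Per view: whether it is a dashboard (only dashboards appear in the navigation
# pane), allowed roles (gate access; empty means all roles allowed), relevant
# roles (gate the navigation listing) and the views it links to.
VIEWS = {
    "Welcome to Foglight": {"dashboard": True, "allowed": set(), "relevant": set(), "links": []},
    "Hosts Table": {
        "dashboard": True,
        "allowed": {"Host Access"},
        "relevant": {"Host Access"},
        "links": ["Host Metrics Popup", "Alarm List As Popup - Alarm List"],
    },
    "Host Metrics Popup": {"dashboard": False, "allowed": set(), "relevant": set(), "links": []},
    # Assumed setting: only Operators may open the alarm list drill-down.
    "Alarm List As Popup - Alarm List": {"dashboard": False, "allowed": {"Operator"}, "relevant": set(), "links": []},
    # Open to everyone in principle, but listed only for Operators and linked
    # from nowhere: the "effectively hidden" case the article describes.
    "Hidden Page": {"dashboard": True, "allowed": set(), "relevant": {"Operator"}, "links": []},
}


def effective_roles(user):
    """Roles a user holds through group membership (roles are assigned to groups)."""
    roles = set()
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def can_access(user, view):
    """Allowed roles: no allowed roles set means anyone may open the view;
    otherwise at least one of the user's roles must match."""
    allowed = VIEWS[view]["allowed"]
    return not allowed or bool(allowed & effective_roles(user))


def listed_in_nav(user, view):
    """Relevant roles: a dashboard the user may access is listed in the navigation
    pane unless relevant roles are set and none of them matches. Assumption: a
    dashboard with no relevant roles is listed for every user who can access it."""
    if not VIEWS[view]["dashboard"] or not can_access(user, view):
        return False
    relevant = VIEWS[view]["relevant"]
    return not relevant or bool(relevant & effective_roles(user))


def reachable_views(user):
    """Everything the user can actually get to: dashboards listed in the navigation
    pane plus drill-down pages reached from them whose allowed roles match."""
    queue = deque(v for v in VIEWS if listed_in_nav(user, v))
    seen = set(queue)
    while queue:
        view = queue.popleft()
        for link in VIEWS[view]["links"]:
            if link not in seen and can_access(user, link):
                seen.add(link)
                queue.append(link)
    return seen


def authorization_message(user, view):
    """None when the view opens; otherwise the message shown for a blocked drill-down."""
    if can_access(user, view):
        return None
    return f'You are not authorized to access view "{view}".'


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, "->", sorted(reachable_views(user)))
    print(authorization_message("Host User", "Alarm List As Popup - Alarm List"))
```

Running it shows Host User reaching only Welcome to Foglight, Hosts Table and the host metrics popup, with the alarm list blocked by its allowed roles, which matches the outcome of the test step above; adding Host Access to that view's allowed set is the fix the article describes. It also shows the Hidden Page case: `can_access` is true for Host User but the page is neither listed nor reachable.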