A Foglight administrator may wish to configure the browser interface for a given group of users so that only selected dashboards are available. Foglight has predefined roles, such as Operator and Dashboard User, but it also allows the creation of special roles that may be assigned to a group of users. These special roles provide the mechanism for restricting users to a selected set of dashboards.
- See the Foglight Administration Guide for information on the roles required to access various Foglight views.
Security Controls and Roles
Security in Foglight is managed by creating a group, assigning roles to the group, and then assigning users to the group. New instances of all three, groups, roles, and users, can be created to suit particular needs. A collection of default groups and roles have been defined, which were designed to cover standard situations.
What are the built-in roles?
Foglight already has a collection of built-in roles that cover standard cases. These are:
- General Access
This is an internal role. It is not for end users.
- Operator
This is the base-level role for monitoring in Foglight. Users with this role have access to the core dashboard set plus the ability to create new dashboards. This role is likely the best default for new users.
The Operator role allows access to these core dashboards: Hosts, Agents, Alarms, Services, Report Browser, and to these functions: Create_Dashboard, Create_Report, Configuration => User_Preferences, Configuration => Feeds, Configuration => Data.
- Advanced Operator
This role builds on the Operator role by adding the ability to access build-oriented dashboards like the Service Builder, Application Builder and Report Builder. An Advanced Operator is someone who is likely to create new services, applications, reports, and other entities inside Foglight.
The Advanced Operator role allows access to these core dashboards: Hosts, Agents, Alarms, Services, Report Browser, this Advanced dashboard: Service Builder, and to these functions: Create_Dashboard, Create_Report, Configuration => User_Preferences, Configuration => Feeds, Configuration => Data.
- Dashboard Designer
This role is for anyone who is engaged in the creation of dashboards using the advanced dashboard tooling.
The Dashboard Designer role allows access to these functions: Create_Dashboard, Create_Report, Configuration => User_Preferences, Configuration => Feeds, Configuration => Data, and Access to all Dashboards Tools: Configuration => Definitions, Configuration => Data_Sources, Foglight => Schema_Browser.
- Dashboard User
This role is the same as Console User, only with the addition of permissions that allow creation of dashboards and manipulation of the dashboard environment. This role should be used as the base for any directed user set, where a directed user is one who has access to a small set of dashboards but can also create new dashboards.
The Dashboard User role allows access to these functions: Create_Dashboard, Create_Report, Configuration => User_Preferences, Configuration => Feeds, Configuration => Data.
- Cartridge Developer
This role extends the Dashboard Designer role by allowing the user to modify core dashboards. This is likely an internal-only role used by Quest personnel and trained third parties.
The Cartridge Developer role allows access to these functions: Create_Dashboard, Create_Report, Configuration => User_Preferences, Configuration => Feeds, Configuration => Data, and Access to all Dashboards Tools: Configuration => Definitions, Configuration => Data_Sources, Foglight => Schema_Browser.
- Administrator
This role is for anyone who will be making changes to the operating characteristics of Foglight. An Administrator can manipulate agents, rules, derived metrics, registry variables, cartridges, types, scripts and so on. The only thing the Administrator can't do is edit the Users & Security.
The Administrator role allows access to these functions: Admin dashboards and Foglight Server dashboards, and access to hidden Admin URLs and the JMX-Console.
- Security
Users with this role are able to edit users, groups and role settings in the Administration UI. Basically, it provides access to all dashboards under "Users & Security" in the Administration Module.
The Security role allows editing of Users and Security.
- New Role
A role created by a Foglight administrator to define restricted access to certain parts of the Foglight user interface. You can create as many new roles as you wish and you can assign these roles to the new groups that you create to hold them, after which you create new users and assign them to the new groups as desired.
What are the built-in groups?
The built-in groups are:
- Cartridge Developers
- Foglight Administrators
- Foglight Operators
- Foglight Security Administrators
Which VMWare roles exist?
The following roles are included with the Cartridge for VMware to control access to the VMware dashboards and reports:
- VMware Administrator
This role provides full access to all components of the cartridge, views and reports.
- VMware Operator User
This role restricts the user to the VMware Environment and VMware Explorer dashboards only, excluding the Administration tab and the NetFlow Setting and Cisco Setting dialog boxes. Attempts to navigate to these elements result in the following message: Sorry. The view is not authorized.
- VMware Automation User
Users with this role can access the VMware Explorer Administration tab. This tab provides quick access to common administrative tasks that include server shutdown, virtual machine creation, resource allocation, and others.
Note: Executing VMware administration tasks, such as rebooting an ESX host or a VM, requires specific VMware permissions.
- VMware QuickView User
This role restricts the user to the VMware Environment dashboard only. Attempts to navigate to the VMware Explorer result in the following message: You are not authorized to access view “VMware Explorer”.
- VMware Report User
This role grants access to the cartridge reports only. None of the VMware views are accessible if this is the user’s only role. To work with reports, the user additionally requires the Reports Manager role. For more information about roles, users, and security, see the Administration and Configuration
Which dashboards can a user access?
There are two interpretations to this question. First, is the user able to access a view under any circumstances at all, and second, are there pages that the user could access if the appropriate links existed?
As a Foglight user, if one of your roles matches one of the allowed roles assigned to the dashboard, you are, at least in principle, able to view it. If the view is a dashboard, it shows in the Dashboards list in the navigation pane. Clicking on the link launches the page. The links that the page contains are accessible as long as these pages do not have any allowed roles set. If they do, the allowed roles must match one of the user's roles for the page to be accessed.
If the view has been assigned relevant roles and there is no match in the user's assigned roles, that view will not appear as a choice in the navigation panel. If a link (path) were available, the user could navigate to it, but if the link is not available the view remains hidden. For a user to see a page in which relevant roles have been set, there must be a match between the user's roles and the page's relevant roles, or the user must be able to navigate to the page from one that the user does have permission to access.
At the Navigation Panel level:
- *Homes*: All dashboards except Welcome to Foglight have either allowed roles or relevant roles (or both) set. If the user's roles do not match one of these, the choice won't be visible. Note: If a relevant role, which is not one of the user's roles, is set on a page and all roles are allowed, the page is accessible in principle, but there is no way to get to it. Thus, the page is effectively hidden unless there is a drill-down path from some page to this one.
- *Dashboards*: Many of the views have relevant roles set (Operator, Advanced Operator). If the user's roles do not match those set on the views, the entry will not be listed. If this is true for all the views in a node, the node itself will not show.
Which portals and queries can a user access?
To create a Portal you need to be able to access the Create Dashboard function. The built-in roles that permit access to the Create Dashboard function are Dashboard User, Operator, Advanced Operator, Dashboard Designer, and Cartridge Developer. A user having any one of these roles has access to the Configuration > Data tab as well. The Data tab allows access to Foglight objects via root queries. Root queries return objects that match the query parameters and the objects are presented in a view best suited to the objects' types. Thus, to entirely restrict access to Portals and the root queries that populate the Data tab, you must ensure that the restricted user does not have any of the roles that permit access.
If you want to allow access to selected portals and root queries, the same considerations regarding views apply. That is, besides having access to Create Dashboards and the Data tab, one of the user's assigned roles must match one of the portal's or query's roles. In general, this requires creating at least one new role and adding it to the portal or query as well as to the user.
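The visibility and access rules above (allowed roles, relevant roles, drilldown links) together with the portal and root-query condition, as an added Python model that is not Foglight's own code; the view names, roles and links are a constructed sample, and the `is_dashboard` flag marking popups is an assumption of the model:

```python
# Added example (not Foglight's own code): a model of the allowed-role and
# relevant-role checks this page describes, for auditing what a user can see.
from dataclasses import dataclass
@dataclass(frozen=True)
class View:
    name: str
    allowed_roles: frozenset = frozenset()   # empty: every role is allowed
    relevant_roles: frozenset = frozenset()  # empty: no relevance filter
    is_dashboard: bool = True                # False for popups and drilldowns

def can_access(user_roles, view):
    """Allowed roles: empty means anyone; otherwise one role must match."""
    return not view.allowed_roles or bool(user_roles & view.allowed_roles)

def is_listed(user_roles, view):
    """Shown in the navigation pane only if accessible and, when relevant roles
    are set, one matches; open allowed roles + unmatched relevant role = hidden."""
    if not view.is_dashboard or not can_access(user_roles, view):
        return False
    return not view.relevant_roles or bool(user_roles & view.relevant_roles)

def reachable_views(user_roles, views, links):
    """Listed dashboards plus everything reached by following links, stopping
    at views whose allowed roles do not match ('not authorized to access view')."""
    by_name = {v.name: v for v in views}
    reached = {v.name for v in views if is_listed(user_roles, v)}
    frontier = list(reached)
    while frontier:
        for nxt in links.get(frontier.pop(), ()):
            if nxt not in reached and can_access(user_roles, by_name[nxt]):
                reached.add(nxt)
                frontier.append(nxt)
    return reached

# Roles the page lists as granting the Create Dashboard function.
CREATE_DASHBOARD_ROLES = frozenset({"Dashboard User", "Operator",
    "Advanced Operator", "Dashboard Designer", "Cartridge Developer"})
def can_use_portal(user_roles, portal):
    """Portals and root queries need a Create Dashboard role plus a role match."""
    return bool(user_roles & CREATE_DASHBOARD_ROLES) and can_access(user_roles, portal)

# Constructed sample modelled on the Hosts Table walkthrough later on this page.
HOST_USER = frozenset({"Console User", "Host Access"})
VIEWS = [
    View("Hosts Table", frozenset({"Host Access"}), frozenset({"Host Access"})),
    View("Host Metrics Popup", is_dashboard=False),                 # no roles set
    View("Alarm List As Popup - Alarm List", frozenset({"Operator"}), is_dashboard=False),
    View("Alarms", relevant_roles=frozenset({"Operator"})),         # hidden, not blocked
]
LINKS = {"Hosts Table": ["Host Metrics Popup", "Alarm List As Popup - Alarm List"]}
```

Running `reachable_views(HOST_USER, VIEWS, LINKS)` shows the restricted user reaches Hosts Table and its metrics popup but not the alarm list, while Alarms is accessible in principle yet never listed.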
How are drilldown views restricted?
Assuming that a user has access to a top-level page, the links on that page are also available for use. However, allowed roles still have to match. If they don't, the user gets a message of the form "You are not authorized to access view "<view name>"."
How do I begin to create a restricted user?
Every user has by default a role called Console User. This gives permission to log in to the Foglight user interface, but nothing else. You must create a role specifically for the group of users in the restricted class.
Assess your needs. If you decide that your security requirements are such that you must lock down certain types of users to a defined set of pages, you will need to create special dashboards and define roles accordingly.
Example: Restrict a user to the Hosts table view
- Note: You must have access to the Definitions node and the Administration node to complete this procedure.
- Create a role specifically for the group of users who are to be granted access to selected dashboards.
- Create a group for the users who are to be granted access to selected dashboards.
- Create users who are to be granted access to selected dashboards and add them to the group.
- Assign the newly-created role to the target dashboard and to any of its drilldown pages that you want to be accessible.
Create a specialized role:
- In the navigation pane, go to Dashboards > Administration > Users and Security > Manage Roles.
The Manage Roles page opens.
- Click Create Role.
The Create Role dialog opens.
- Type a name, such as Host Access, and click Create.
A new role called Host Access is created.
Create a group for the specialized role:
- In the Users & Security node, click Manage Groups.
The Manage Groups page opens.
- Click Create Group.
The Create Group dialog opens.
- Type a name, such as Host Group, and click Create.
A new group called Host Group is created.
Create a user for the specialized group:
- In the Users & Security node, click Manage Users.
The Manage Users page opens.
- Click Create User.
The Create User dialog opens.
- Type a name, such as Host User.
Normally, the name you choose here is the login name for the person who is going to be restricted to the selected set of views, which in this case is Hosts Table.
- Assign a password for this user. Type it in to both the Password and Confirm Password fields.
A new user called Host User is created.
Assign groups to the new user:
- Still on the Manage Users page, ensure that the row for Host User is highlighted and click Edit Groups.
The Edit Groups dialog opens.
- Click on the red bar next to Host Group to change it to a green cross, and then click Save.
Assign roles to the new user:
- In the Users & Security node, click Manage Groups.
- Select the Host Group row and click Edit Roles.
- Assign both Console User and Host Access to Host Group.
Green crosses next to these names signify that they have been selected.
The role of Console User is necessary to permit access to the Foglight console.
- Click Save to save the settings and close the dialog.
Assign the newly-created role to the desired dashboard:
- Log in to Foglight as a user with permissions to edit dashboards.
- Open the dashboard that is to be the home page for the user with restricted access, which in this case is Hosts Table.
- In the right-hand action panel, click Properties.
- Click Edit Basic Properties under Actions.
The Edit View Properties dialog opens.
- Click the Edit icon for Relevant Role(s).
A popup appears with checkboxes for all the defined roles.
- Click the Edit icon for Allowed Role(s).
A popup appears with checkboxes for all the defined roles.
- Select Host Access, and then click Apply.
These settings cause Hosts Table to be the only dashboard listed in the navigation pane for a user whose only matching role is Host Access.
Test the assignments:
- Sign in as Host User and test the settings. You should see that this user's access has been restricted to Hosts Table and the pages that flow from it.
- Access to the drilldown pages is not guaranteed. You may find that certain ones are inaccessible, but you can always make them accessible by adding the Host Access role to the Allowed Roles for that page. In this example, the drilldown pages and popups for host metrics are accessible, but the table of alarms is not. Instead, a message stating that You are not authorized to access view "Alarm List As Popup - Alarm List" appears inside the table.
- Since the message gives you the name of the view, you can decide to make it accessible by editing it and adding the Host Access role.