Chat now with support
Chat with Support

Foglight 5.9.5 - Security and Compliance Guide

Security overview
Foglight security measures Customer security measures Security features in Foglight Disclaimer
Security features for APM appliances Usage feedback Appendix: FISMA compliance

Service accounts

Foglight® manages login credentials for the following service and user accounts:

Foglight Users—Foglight supports both internal and external users. Internal users are defined within Foglight while external users are mapped from one of the LDAP-compatible directory services supported by Foglight (Active Directory®, Oracle® Directory Server Enterprise Edition, and OpenLDAP®).
LDAP Directory—For Foglight to access an LDAP directory, the customer needs to provide LDAP service-account credentials (user name and password for an account with read access to the directory).
Foglight Management Server Database Repository—Foglight supports using specific versions of MySQLTM, Oracle®, and Microsoft® SQL Server® databases for its storage repository. The login credentials for a database administrator account are specified during Foglight installation. For customers who do not provide a database administrator account, the creation of the external database may be delayed, as the database will require manual configuration.

Agent credentials

When installing Foglight® cartridge agents it is typically necessary to enter credentials for the user accounts that are on the monitored resources, including the host and database. These credentials are entered through the agent configuration properties via the Foglight Administration Console and give an agent access to applications or operating systems on the monitored hosts.

The Management Server includes a central credential service that manages cartridge agent credentials. A lockbox contains a set of credentials and keys for their encryption and decryption. Releasing a lockbox to a credential client enables the client to release the credentials to the agent instances managed by that client, thereby granting the agent instances access to the monitored system. For more information, see Controlling remote system access with credentials.

Each Foglight cartridge may mark specific properties (for example, user names and passwords) of its agents as being sensitive. Such properties are given additional protection as described later in this document.

Foglight users and groups

There are two types of users in Foglight: internal and external users. Internal users are created using the Foglight® Administration Console. External users are mapped from one of the LDAP-compatible directory services supported by Foglight. All Foglight users are authenticated upon login, based on their user names and passwords.

Foglight includes one default internal user (foglight) with administrative access, and four default internal groups (Cartridge Developers, Foglight Administrators, Foglight Operators, and Foglight Security Administrators), none of which cannot be deleted.

Role-based access control

Foglight® security model is based on a role-based access control system (RBAC).

Permission

Permissions grant users a certain level of access to a configuration item, enabling them to perform specific actions using Foglight. These permissions do not apply to monitored information.

A different set of permissions can be configured for each role or user who has been granted access to a configuration item.

Role

The default roles included with Foglight dictate the actions that users can perform with Foglight features or components. Foglight System Administrators can also create custom roles.

Roles are assigned to groups. Users in a group have the roles that are assigned to that group. Roles can also be associated with specific configuration items.

User

A user has a username and a password and can belong to one or more groups.

A user logging in to Foglight is authorized to perform a certain set of actions based on the roles that have been assigned to the user’s groups.

Group

A group can contain one or more users or other groups. Roles are assigned to users through groups.

You can assign roles and add users to groups.

A configuration item such as a rule or registry variable.

Access to configuration items can be assigned to specific users or to roles. Each configuration item is initially owned by its creator.

Roles dictate the actions that a user can perform. There are two types of roles in Foglight: default roles (called built-in roles), and custom roles (called internal roles).

Foglight defines a configuration item as an item that is created and/or managed in the Administration Console, such as a rule, registry variable, derived metric, or schedule. Access to individual configuration items can be restricted to specific users or roles. In addition, the level of access that each user or role has to that configuration item can be controlled through permissions.

A permission represents a set of actions that can be performed with regard to that configuration item.

Users who have the Foglight Security Administrator role can use the Foglight Administration dashboard to manage users, groups, roles, permissions, and configuration items.

The Groups view of the User Management dashboard contains a table that lists all of the groups that have been created in Foglight or imported from an LDAP-compatible directory service, as well as the users and the roles that have been assigned to them.

Related Documents