Roles

Overview

The configuration, addition and deletion of Roles is done via the Users and Roles section of the Configuration menu. Once within Users and Roles, click on the Roles tab:

Roles tab

In this view, you can choose to:

Filtering columns

Adding a Role

To add a new Role, click on the Add New button.

The New Role configuration window is displayed:

New Role

There are six tabs within the ‘New Role’ window:

Role tab

Assigns a name and description to the Role. If Multi-tenancy is enabled, it will be displayed here.

New Role tab

BSM tab

Defines the access control and visibility for Business Service Monitoring, i.e. can users within this Role add Business Services or Components, and also which Business Services can they see when logged in.

BSM tab

If the ‘Allows ability to view BSM analysis screens (BSM)’ checkbox is not checked, then the rest of the options will be hidden.

Authorised for Business Services

This section is where you can determine which Business Services the user can view (via dashboards), and which ones they can both view and edit. In our example, we are not going to configure any access for editing and viewing BSM items.

Authorised for Business Services

You can control which Business Services are available for a Role from a ‘top down’ or from a ‘bottom up’ approach.

Top Down

Choose the specific business service in the Authorised for Business Services field. If you select View All, then all Business Services will be available including any new Business Services created in the future. Access to the Business Service will allow visibility of all components of the Business Service.

Bottom Up

Components will be automatically selected based on your existing status object permissions (based on Host Group / Service Group intersection or Hashtags). The ‘intersection’ is explained in detail within the ‘Status Objects’ tab.

Permissions for components are automatically granted based on the existing status object definitions. If VIEWALL is specified, then all components are visible. Otherwise, it is based on the Host Group/Service Group intersection and Hashtags. You need to see all hosts for the component to be visible.

If the component consists of 20 Service Checks, then the user will need to have permission to all 20 Service Checks in order for the component to be visible.

If you select the ‘Grant permissions to Business Services’ checkbox, then the Business Services associated with all your components will be visible.

Status Access

Defines what users assigned this Role can do within Opsview Cloud when logged in; e.g. can they view dashboards, create dashboards, and send notifications.

Status Access tab

Within this tab you can configure what access rights users of this Role have, for example can they create and edit dashboards, view Flow data, send notifications, and so on. In this tab, we need to check ‘VIEWSOME’ (‘Allows viewing of status information for some objects’), where ‘some objects’ are the items they are allowed to view as per the Status Objects tab.

We should also check NAVOPTIONS, RRDGRAPHS, TESTSOME, DOWNTIMESOME, and ACTIONSOME.

Status Objects

Defines which objects the users within this Role can see, including Host Groups, Service Groups, and Hashtags.

Status Objects tab

Within Status Objects, you will need to set the combination of Host Groups and Service Groups to restrict access as required.

Alternatively, we can tag those Hosts and Service Checks with a Hashtag, for example ‘opsview-servers’, and then select that within ‘Authorised for Hashtags’.

Configuration

Defines which objects and sections the users within this Role can configure, e.g. can they access the Hashtags section of the Configuration menu.

Configuration tab

Within the Configuration tab, you can define the Host Groups that users can edit (and thus the hosts within). You can also define other items users can configure within the monitoring software, i.e. can they edit the hosts they have access to view, can they edit other users, and so forth.

The Monitoring Clusters section defines which Monitoring Clusters (and Monitoring Collectors) will be visible for the role when making configuration changes.

Administration

The administrative permissions are defined within this tab, and determine if users within this Role can Apply global save new passwords or view reporting.

Administration tab

Once you have configured the above six tabs, click ‘Submit Changes’ and your new Role will be created:

Roles Notifications

We can now apply this new Role to a test user, as below:

Edit a role

The Role is set to ‘Opsview Servers’. After saving the new user and completing an Apply Changes (from the Configuration menu), you can now log in with the new user and see that the permissions have been correctly applied.

Current role definitions

Key

  • (AC) — if you make changes to a role, you must Apply Changes via the Configuration menu before the changes take effect.
  • (AO) — the administrator should be the only person with this permission, as Opsview needs to list every item for configuration.

These are the access levels:

Users may need to refresh their web page in the browser for their permissions to take effect.

Note

ADMINACCESS does not allow access to everything. Currently, it is used for administrator access, but as more granular access points are added, the items within ADMINACCESS will decrease (but upgrade scripts will ensure that new access points are split appropriately).

Note

CONFIGUREREMOTECLUSTERS and REMOTELYMANAGEDCLUSTERS are reserved for a future feature.

On initial systems, these roles will exist:

Public

Note

Only RRD graphs and Viewport access make sense to be public.

Authenticated User

Admin role

Remote Collector Manager

View all, change some

View some, change some

View all, change none

View some, change none

Selection of objects

For access levels which refer to some, this is the selection of objects based on the role.

The selection consists of the union of the following:

This allows you to ‘slice’ the services that you can see on a host.

We recommend that you use service groups to match your team function or areas of responsibility (for example: Windows, Unix, Database, Network, Monitoring). You can use the host group hierarchy however you choose: some implementations are based on locations while others are based on priority (production, test, development).

When Opsview sets up notifications, you will receive the relevant host alerts for the services you have access to. If you do not want host notifications, you can disable them at the contact’s notification profile.

Note

A contact must have at least 1 service on a host to be within the subset. This means that selecting All host groups, but only, say, the Database Service Group, would mean that a Contact can see only Hosts with database services. Hosts without any database services would not be in this subset.
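
The following is an added example, not Opsview code: a small Python model of the rules stated under ‘Bottom Up’ and ‘Selection of objects’, useful for checking what a role definition would expose before it is assigned. The class and field names, the sample inventory, and the choice to attach hashtags to individual Service Checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Check:  # one Service Check on one Host (modelling assumption)
    host: str
    host_group: str
    service: str
    service_group: str
    hashtags: frozenset = frozenset()

@dataclass
class Role:
    host_groups: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)
    hashtags: set = field(default_factory=set)
    view_all: bool = False  # stands in for VIEWALL

def visible_checks(role, checks):
    """Host Group / Service Group intersection, plus any hashtag match."""
    if role.view_all:
        return set(checks)
    return {c for c in checks
            if (c.host_group in role.host_groups
                and c.service_group in role.service_groups)
            or c.hashtags & role.hashtags}

def visible_hosts(role, checks):
    """A host is in the subset only if at least one of its services is."""
    return {c.host for c in visible_checks(role, checks)}

def visible_components(role, checks, components):
    """Bottom up: a component shows only if every one of its checks does."""
    seen = visible_checks(role, checks)
    return {name for name, members in components.items()
            if members and set(members) <= seen}

# Constructed inventory (not from a real system)
WEB = Check("web1", "Production", "HTTP", "Web")
WEB_DB = Check("web1", "Production", "MySQL", "Database")
DB = Check("db1", "Production", "MySQL", "Database")
MON = Check("mon1", "Test", "Agent", "Monitoring", frozenset({"opsview-servers"}))
CHECKS = [WEB, WEB_DB, DB, MON]
COMPONENTS = {"db-tier": [WEB_DB, DB], "web-tier": [WEB, WEB_DB]}

DBA = Role(host_groups={"Production", "Test"}, service_groups={"Database"})
OPS = Role(hashtags={"opsview-servers"})

if __name__ == "__main__":
    print(sorted(visible_hosts(DBA, CHECKS)), visible_components(DBA, CHECKS, COMPONENTS))
```

In this model the DBA role selects every host group yet never sees mon1, because that host has no Database service, and it sees the db-tier component but not web-tier, because one of web-tier's checks falls outside the role's service groups.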

Troubleshooting

All my administrators do not have CONFIGURESAVE

If you have locked out all administrators by removing CONFIGURESAVE, you can add it back to your role by running the following in the opsview database:

mysql> insert into roles_access values (10,13);

This will add CONFIGURESAVE to the ‘Administrator’ role (whose id is usually 10).
