Multi-tenant configuration

The Multi-tenancy module provides the following features:

  • Access to specific tabs (e.g. Dashboard, Maps, Status, Alarms, Admin)
  • Ability to apply permissions to User Groups per flow exportering Interface or per device
  • Set permissions to see dashboards and even the ability to manipulate or copy a dashboard
  • Access to administrative functions

The Multi-tenancy module is useful to companies who need to give customers a unique login and restrict what they see. Restrictions can be set on specific devices and or interfaces.

Usergroup permissions

Users are assigned to usergroups. Usergroups are granted permissions. Users inherit permissions from all the usergroups they are a member of. This functionality also serves as the basis for the enterprise focused multi-tenancy functionanlity.

  • New User Groups: Is used to create a new usergroup that individual users can be assigned to. Give the group a name and apply a template from another Usergroup that has similar permissions to the new user group. After creating an account, find the new usergroup on the left and click it to modify.

    Click here for a special note regarding Scrutinizer usergroups and LDAP security groups.

  • Administrators: This is the admin account and cannot be deleted. Users can be assigned to this group and inherit all of its permissions.

  • Guest: This is the default guest account which cannot be deleted. Users can be assigned to this group and will have limited permissions.

Important

Permissions for an individual user account will be inherited from all usergroups it is a member of. To view all the usergroups a user account is a member of, visit Admin tab > Security > Users and click on a user account. Then open the Group Membership tab.

Members

Select the user accounts that will need to have access to this usergroup. A user can be a member of multiple usergroups and inherit all applicable permissions.

Features

Permissions control features the usergroup should have access to within Scrutinizer. Permissions can restrict product features entirely for a usergroup or specific features can be accessed based on your usergroup membership.

Features include:

  • Which tab the members of the usergroup should be able to see,
  • Administrative permissions the usergroup should have access to,
  • Advanced features like acknowledging alarms, scheduling reports, adding/deleting users etc.

Clicking the Configure link in the Features column will provide a click and drag modal to adjust usergroup permissions. Inside that modal, on the left will two radio buttons with Predefined and Advanced labels. The following section describes the difference between the two modes, as you must chose one or the other per group.

Predefined roles vs advanced features

The features modal allows Usergroups to use predefined roles or manually specifiying features. A Usergroup must use either the Predefined Feature sets or the Advanced features that can be manually configured.

Important

You cannot configure manual permissions for a predefined set.

  • Advanced - Manually configure all permissions available. Use Advanced to create custom feature sets.
  • Predefined roles - Feature sets for common persona’s like “ReportUser” or “DashboardAdministrator”
Predefined role Underlying permissions
AlarmsAdministrator
  • ackBBEvent - acknowledge events on Alarms tab bulletin boards
  • alarmSettings - configure alarm notifications
  • almDelete - permanently delete alarms
  • LogalotPrefs - configure global alarms settings
  • NotificationManager - manage alarm notifications
  • PolicyManager - manage alarm policies
AlarmsUser
  • alarmsTab - access the Alarms tab
DashboardAdministrator
  • dashboardAdmin - manage all dashboards created by any user
DashboardUser
  • createDashTabs - create new dashboards
  • myViewTab - access the Dashboards tab
MapsAdministrator
  • mappingGroupConfiguration - create and edit maps/groups
  • mappingObjectConfiguration - create and edit mapping objects
MapsUser
  • adminTab - access the Admin tab
  • allLogalotReports - access all Logalot reports
  • mapsTab - access the Maps tab
  • reportFilters - update the filters used in Status tab reports
  • statusTab - access the Status tab
ReportingAdministrator
  • ApplicationGroups - configure application groups
  • asnames - configure AS names
  • deleteReport - delete saved reports regardless of owner
  • HostNames - edit host name information
  • protocolExclusions - edit which protocols are discarded from flow reports
  • reportSettings - edit reporting engine configuration options
  • tos - edit TOS configuration
  • viptelaSettings - edit Viptela settings
  • wkp - edit WKP configuration
ReportingPowerUser
  • reportFolders - manage saved report folders
  • ReportDesigner - design new custom report types
  • saveReport - name and save flow reports
  • scheduledReports - create, edit, and delete scheduled email reports
  • srCreate - schedule a saved report to be emailed on a regular basis
ReportingUser
  • runReport - run flow reports
SystemAdministrator
  • 3rdPartyIntegration - create, edit, and delete third-party integration links
  • auditing - access the Auditing report containing logs of Scrutinizer user actions
  • auth - manage external authentication tokens
  • Authentication - manage external authentication types
  • authLdapServers - manage LDAP server configuration used for Scrutinizer authentication
  • awsSettings - edit AWS configuration
  • changeUserPasswords - change the passwords of other users without needing their credentials
  • createUsers - create new local Scrutinizer user accounts
  • CrossCheck - view and edit CrossCheck configuration, which determines device up/down status
  • DataHistory - configure settings that control how long Scrutinizer stores data of different granularities
  • deleteUsers - delete local Scrutinizer user accounts
  • DeviceDetails - edit device interface details
  • EmailNotifications - configure the mailserver Scrutinizer will use to send reports and emails
  • fa_mgmt_link - configure Flow Analytics thresholds and settings
  • faExclusions - configure Flow Analytics exclusions
  • FlowAnalyticsSettings - edit global Flow Analytics settings
  • IPGroups - configure Scrutinizer IP Groups
  • language - create and edit language localization settings
  • licensing - configure Scrutinizer product licensing and features
  • MACAddresses - configure device MAC address information
  • ManageCollectors - manage the devices collecting flow data for Scrutinizer
  • ManageExporters - manage the devices exporting flow data to Scrutinizer
  • proxySettings - configure proxy server settings in Scrutinizer
  • radiusConf - manage RADIUS server configuration used for Scrutinizer authentication
  • sf_asa_acls - configure ASA ACL descriptions
  • SNMPCredentials - manage SNMP credentials used to poll device information
  • sso - add, delete, and edit Identity Provider configuration for Scrutinizer’s Single Sign-On Integration
  • syslogNotifications - edit Syslog server configuration
  • SystemPreferences - manage administrative access to global Scrutinizer preferences
  • tacacsConf - manage TACACS+ server configuration used for Scrutinizer authentication
  • userAccounts - access the Users view on the Admin Tab, listing ALL users instead of only the current one
  • usergroups - manage Scrutinizer usergroups
  • viewUserIdentity - view identity and access information relevant to GDPR restrictions
  • Vitals - view the Scrutinizer server vitals reports
  • Device status is used to grant permission to see the status of the device (i.e. Flow exporter). Device icons appear blue in maps if the Device Group permission is granted without this permission.
  • Interface statistics grants permission to see the statistics of an interface.
  • Groups are used to grant permission to see a group (i.e. map). Devices (i.e. flow exporters) appear blue and interfaces black unless permission is granted in Device Status and Interface Statistics.
  • Saved reports allows to select the saved reports/ filters that the usergroup will need to have access to run.
  • Dashboard gadgets selects the gadgets that the usergroup will need to be able to add to dashboards.
  • Third-party links controls the vendor third-party integrations that the usergroup will be able to integrate with.
  • Bulletin boards manages the Bulletin boards that the usergroup will need to be able to access in the Alarms tab.