Multi-tenant configuration#

The Multi-tenancy module provides the following features:

  • Access to specific tabs (e.g. Dashboard, Maps, Status, Alarms, Admin)

  • Ability to apply permissions to user groups per flow exporting interface or per device

  • Set permissions to see dashboards and even the ability to manipulate or copy a dashboard

  • Access to administrative functions

The Multi-tenancy module is useful to companies who need to give customers a unique login and restrict what they see. Restrictions can be set on specific devices and or interfaces.

User group permissions#

Users are assigned to user groups. User groups are granted permissions. Users inherit permissions from all the user groups they are a member of. This functionality also serves as the basis for the enterprise focused multi-tenancy functionality.

  • New User Groups: Is used to create a new user group that individual users can be assigned to. Give the group a name and apply a template from another user group that has similar permissions to the new user group. After creating an account, find the new user group on the left and click it to modify.

    Click here for a special note regarding Scrutinizer user groups and LDAP security groups.

  • Administrators: This is the admin account and cannot be deleted. Users can be assigned to this group and inherit all of its permissions.

  • Guest: This is the default guest account which cannot be deleted. Users can be assigned to this group and will have limited permissions.

Important

Permissions for an individual user account will be inherited from all user groups it is a member of. To view all the user groups a user account is a member of, visit Admin > Security > Users and click on a user account. Then open the Group Membership tab.

Members

Select the user accounts that will need to have access to this user group. A user can be a member of multiple user groups and inherit all applicable permissions.

Features

Permissions control features the user group should have access to within Scrutinizer. Permissions can restrict product features entirely for a user group or specific features can be accessed based on your user group membership.

Features include:

  • Which tab the members of the user group should be able to see,

  • Administrative permissions the user group should have access to,

  • Advanced features like acknowledging alarms, scheduling reports, adding/deleting users etc.

Clicking the Configure link in the Features column will provide a click and drag modal to adjust user group permissions. Inside that modal, on the left will two radio buttons with Predefined and Advanced labels. The following section describes the difference between the two modes, as you must chose one or the other per group.

Predefined roles vs advanced features#

The features modal allows user groups to use predefined roles or manually specifiying features. A user group must use either the predefined feature sets or the advanced features that can be manually configured.

Important

You cannot configure manual permissions for a predefined set.

  • Advanced - Manually configure all permissions available. Use Advanced to create custom feature sets.

  • Predefined roles - Feature sets for common persona’s like “ReportUser” or “DashboardAdministrator”

Predefined role

Underlying permissions

AlarmsAdministrator

ackBBEvent

alarmSettings

almDelete

LogalotPrefs

NotificationManager

PolicyManager

PolicyManager

AlarmsUser

alarmsTab

DashboardAdministrator

dashboardAdmin

DashboardUser

createDashTabs

myViewTab

MapsAdministrator

mappingGroupConfiguration

mappingObjectConfiguration

MapsUser

adminTab

allLogalotReports

mapsTab

reportFilters

statusTab

ReportingAdministrator

ApplicationGroups

asnames

deleteReport

HostNames

protocolExclusions

reportSettings

tos

viptelaSettings

wkp

ReportingPowerUser

reportFolders

ReportDesigner

saveReport

scheduledReports

srCreate

ReportingUser

runReport

SystemAdministrator

3rdPartyIntegration

auditing

auth

Authentication

authLdapServers

awsSettings

changeUserPasswords

createUsers

DataHistory

deleteUsers

DeviceDetails

EmailNotifications

fa_mgmt_link

faExclusions

feedbackForm

FlowAnalyticsSettings

IPGroups

language

licensing

MACAddresses

ManageCollectors

ManageExporters

proxySettings

radiusConf

sf_asa_acls

SNMPCredentials

sso

syslogNotifications

SystemPreferences

tacacsConf

userAccounts

usergroups

viewUserIdentity

Vitals

  • Device status is used to grant permission to see the status of the device (i.e. Flow exporter). Device icons appear blue in maps if the Device Group permission is granted without this permission.

  • Interface statistics grants permission to see the statistics of an interface.

  • Groups are used to grant permission to see a group (i.e. map). Devices (i.e. flow exporters) appear blue and interfaces black unless permission is granted in Device Status and Interface Statistics.

  • Saved reports allows to select the saved reports/ filters that the user group will need to have access to run.

  • Dashboard gadgets selects the gadgets that the user group will need to be able to add to dashboards.

  • Third-party links controls the vendor third-party integrations that the user group will be able to integrate with.

  • Bulletin boards manages the bulletin boards that the user group will need to be able to access in the Alarms tab.