Multi-tenant configuration

The Multi-tenancy module provides the following features:

  • Access to specific tabs (e.g. Dashboard, Maps, Status, Alarms, Admin)

  • Ability to apply permissions to User Groups per flow exporting interface or per device

  • Set permissions to see dashboards and even the ability to manipulate or copy a dashboard

  • Access to administrative functions

The Multi-tenancy module is useful to companies that need to give customers a unique login and restrict what they see. Restrictions can be set on specific devices and/or interfaces.

Usergroup permissions

Users are assigned to usergroups. Usergroups are granted permissions. Users inherit permissions from all the usergroups they are a member of. This functionality also serves as the basis for the enterprise-focused multi-tenancy functionality.

  • New User Groups: Used to create a new usergroup that individual users can be assigned to. Give the group a name and apply a template from another usergroup that has similar permissions to the new usergroup. After creating an account, find the new usergroup on the left and click it to modify.

    Click here for a special note regarding Scrutinizer usergroups and LDAP security groups.

  • Administrators: This is the admin account and cannot be deleted. Users can be assigned to this group and inherit all of its permissions.

  • Guest: This is the default guest account which cannot be deleted. Users can be assigned to this group and will have limited permissions.

Important

Permissions for an individual user account will be inherited from all usergroups it is a member of. To view all the usergroups a user account is a member of, visit Admin tab > Security > Users and click on a user account. Then open the Group Membership tab.

Members

Select the user accounts that will need to have access to this usergroup. A user can be a member of multiple usergroups and inherit all applicable permissions.

Features

Permissions control which features the usergroup should have access to within Scrutinizer. Permissions can restrict product features entirely for a usergroup, or specific features can be made accessible based on usergroup membership.

Features include:

  • Which tab the members of the usergroup should be able to see,

  • Administrative permissions the usergroup should have access to,

  • Advanced features like acknowledging alarms, scheduling reports, adding/deleting users etc.

Clicking the Configure link in the Features column will provide a click and drag modal to adjust usergroup permissions. Inside that modal, on the left will be two radio buttons labeled Predefined and Advanced. The following section describes the difference between the two modes, as you must choose one or the other per group.

Predefined roles vs advanced features

The features modal allows usergroups to use predefined roles or manually specified features. A usergroup must use either the Predefined feature sets or the Advanced features that can be manually configured.

Important

You cannot configure manual permissions for a predefined set.

  • Advanced - Manually configure all permissions available. Use Advanced to create custom feature sets.

  • Predefined roles - Feature sets for common personas like “ReportUser” or “DashboardAdministrator”.

Predefined role: underlying permissions

  • AlarmsAdministrator: ackBBEvent, alarmSettings, almDelete, LogalotPrefs, NotificationManager, PolicyManager

  • AlarmsUser: alarmsTab

  • DashboardAdministrator: dashboardAdmin

  • DashboardUser: createDashTabs, myViewTab

  • MapsAdministrator: mappingGroupConfiguration, mappingObjectConfiguration

  • MapsUser: adminTab, allLogalotReports, mapsTab, reportFilters, statusTab

  • ReportingAdministrator: ApplicationGroups, asnames, deleteReport, HostNames, protocolExclusions, reportSettings, tos, viptelaSettings, wkp

  • ReportingPowerUser: reportFolders, ReportDesigner, saveReport, scheduledReports, srCreate

  • ReportingUser: runReport

  • SystemAdministrator: 3rdPartyIntegration, auditing, auth, Authentication, authLdapServers, awsSettings, changeUserPasswords, createUsers, CrossCheck, DataHistory, deleteUsers, DeviceDetails, EmailNotifications, fa_mgmt_link, faExclusions, feedbackForm, FlowAnalyticsSettings, IPGroups, language, licensing, MACAddresses, ManageCollectors, ManageExporters, proxySettings, radiusConf, sf_asa_acls, SNMPCredentials, sso, syslogNotifications, SystemPreferences, tacacsConf, userAccounts, usergroups, viewUserIdentity, Vitals
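
The inheritance rule (a user holds the union of permissions from every usergroup they belong to) and the Predefined/Advanced split can be checked offline when reviewing tenant isolation. The following is an added example, not Plixer code and not a Scrutinizer export format: the dictionary layout, the group and user names, and the choice of which permissions count as sensitive are assumptions, as is the idea that one group may select several predefined roles.

```python
# Subset of the page's predefined-role table (role -> underlying permissions).
PREDEFINED_ROLES = {
    "DashboardUser": {"createDashTabs", "myViewTab"},
    "ReportingUser": {"runReport"},
    # Only the account-management entries of SystemAdministrator are copied here.
    "SystemAdministrator": {"changeUserPasswords", "createUsers", "deleteUsers",
                            "userAccounts", "usergroups"},
}
# Assumption: permissions a reviewer does not expect tenant users to hold.
SENSITIVE = {"changeUserPasswords", "createUsers", "deleteUsers", "usergroups"}

def group_permissions(group):
    """Expand one usergroup; a group is either Predefined or Advanced, never both."""
    if group["mode"] == "predefined":
        if group.get("features"):
            raise ValueError("predefined group cannot carry manual permissions")
        return set().union(*(PREDEFINED_ROLES[r] for r in group["roles"]))
    if group["mode"] == "advanced":
        return set(group["features"])
    raise ValueError(f"unknown mode: {group['mode']!r}")

def effective_permissions(user, groups):
    """Union of permissions over every usergroup the user is a member of."""
    perms = {}
    for name, group in groups.items():
        if user in group["members"]:
            for p in group_permissions(group):
                perms.setdefault(p, set()).add(name)
    return perms  # permission -> usergroups that grant it

def audit(groups):
    """Return {user: {sensitive permission: [granting groups]}} for review."""
    users = {u for g in groups.values() for u in g["members"]}
    findings = {}
    for user in sorted(users):
        eff = effective_permissions(user, groups)
        hits = {p: sorted(eff[p]) for p in sorted(SENSITIVE & eff.keys())}
        if hits:
            findings[user] = hits
    return findings

# Constructed sample data: the layout, group names and user names are hypothetical.
GROUPS = {
    "TenantA-Reports": {"mode": "predefined", "members": ["alice", "bob"],
                        "roles": ["ReportingUser", "DashboardUser"]},
    "TenantA-Helpdesk": {"mode": "advanced", "members": ["bob"],
                         "features": ["alarmsTab", "changeUserPasswords"]},
    "Ops": {"mode": "predefined", "roles": ["SystemAdministrator"], "members": ["carol"]},
}
```

In the sample, bob looks like a report-only user in TenantA-Reports but inherits changeUserPasswords through a second membership, which is the kind of overlap the Group Membership tab is meant to reveal.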

  • Device status is used to grant permission to see the status of the device (i.e. Flow exporter). Device icons appear blue in maps if the Device Group permission is granted without this permission.

  • Interface statistics grants permission to see the statistics of an interface.

  • Groups are used to grant permission to see a group (i.e. map). Devices (i.e. flow exporters) appear blue and interfaces black unless permission is granted in Device Status and Interface Statistics.

  • Saved reports selects the saved reports/filters that the usergroup will need to have access to run.

  • Dashboard gadgets selects the gadgets that the usergroup will need to be able to add to dashboards.

  • Third-party links controls the vendor third-party integrations that the usergroup will be able to integrate with.

  • Bulletin boards manages the Bulletin boards that the usergroup will need to be able to access in the Alarms tab.