3.2. Users

Each user is, when created, assigned to a specific domain and the user and his or her user rights will be inherited down to any subdomain.

The information stored about a user, can be categorized into three groups. It is either basic information about the user (e.g. name and rights), paths, or preferences.

The basic properties for a user are:

• Login name: The name the user must use to log in to the system.

• Real name: The users real name. Only used as a help for the administrator.

• Password: The password the user must use to log in to the system.

Apart from these basic properties, the user has as set of capabilities, which determine which actions the user are allowed to undertake within SysOrb.

• View information: This capability allows the user to view the results of the performed checks, all public generated reports, and public views.

  Default value: On

  Note: If this capability isn't selected, the user will not be able to login to the user interface.

• Edit and delete oneself: Allows the user to edit his or her own information, including his or her password, and to delete the user account. This does not allow the user to edit his own capabilities.

  It also gives the user the right to add and edit his own views and alert paths.

  Default value: On

• Downtime, acknowledge and reset scores: Enabling this allows the the user to set downtime, acknowledge alerts and reset scores on both nodes and checks, but not otherwise change any node or check settings.

  Default value: Off

• Execute AgentActions: This capability allows the user to start an AgentAction on a node.

  Default value: Off

• Create, edit and delete other users: Lets the user administer other user accounts, changing their password, name etc.

  A user with this capability can also create new users, but without the "Set capabilities" capability, the created users will only have the rights to "View information", and to "Edit and delete oneself".

  Furthermore, this capability together with the capability to "Edit and delete oneself", will allow the user to edit and view other users Views (as the user could simply delete the other user, and take ownership of his views anyway). Without the capability to "Edit and delete oneself", other users private views can be seen, but not edited.

  In combination with the capbaility to "Create, edit, delete and generate reports", this capability allows the user to view and edit the private reports of other users.

  However, the user is only allowed to edit a private view or report, if the owner of the view or report is from the same domain or a subdomain of the users domain. This means that e.g. if a user from the Root domain creates a private report in the Customer.A domain, then a user with all capabilities enabled, will not be able to edit this report. This can only happen if the view or report has "Public edit" enabled.

  Default value: Off

• Create, edit and delete domains: Allows the user to edit or add new subdomains to his or her Origin Domain. It also allows the user to create or edit QuickLinks and Report headers/footers in his Origin Domain and all subdomains to this.

  If the user is located in the root domain, it also allows him/her to import MIB-files into the SysOrb Server.

  Default value: Off

• Create, edit and delete nodes: Lets the user configure nodes in his or her Origin Domain and all the subdomains. It also allows the user to edit and configure NodeClasses created in the Origin domain or one of its subdomains.

  This option also allows the user to acknowledge alerts, reset scores, and configure downtime, but only for nodes.

  Default value: Off

• Create, edit and delete checks: Allows the user to configure what checks should run on the different nodes in the accessible domains. The user is also allowed to create and edit NodeViews on all accessible nodes.

  Lastly, it allows the user to acknowledge alerts, reset scores and configure downtime for checks.

  Default value: Off

• Create, edit and delete groups: Lets the user administer groups and assign alert paths to these in the accessible domains.

  Default value: Off

• Create, edit, delete and generate reports: Lets the user create templates for reports and generate reports from them.

  Without this option, the user is not allowed to generate or edit reports, even if they have "Public Editable" set.

  Default value: Off

• Set capabilities (superuser): Lets the user change anything in the domain and its subdomains. This is effectively a way of giving the user full administrative rights in a domain.

  Default value: Off

  Note: No amount of capabilities can allow a user to access higher level domains. It is therefore perfectly safe to give customers logins with administrative privileges in their own domain.

  Security warning: Enabling this capability for a user in the root domain will allow that user to give himself Server setup capability, which will allow him to run arbitrary shell commands on the SysOrb server.

• Setup grid configuration (superuser): Allows the user to create stations, links, mount points and exports.

  Note: This capability only affects users in the root domain

• Setup SysOrb Server (superuser): This capability only affects SysOrb users in the root domain. When this is enabled the user will be able to setup some server-wide parameters of the SysOrb server, currently only which Custom AlertPaths will be available, and what command to execute.

  Default value: Off

  Security warning: Enabling this capability effectively allows the user to execute abitrary shell commands on the SysOrb server (through Custom AlertPaths).

When adding new users to a domain you especially need to be careful with the Allow user to set capabilities user right as this will allow the user to change anything in the domain and its subdomains. The Allow user to view information can in most cases be left at its default setting of On as this user right is what allows the user to actually read the information stored by the SysOrb Network Monitoring System.