About System Administration

Overview

This page reviews system administration for the GroundWork Monitor portal including user accounts, access and permissions, and portal page management.


1.0 About System Administration

Basic Administration

This documentation is intended to guide Administrators through tasks such as adding new staff, changing passwords, and adding custom pages, portlets and permissions. For advanced administration, please contact GroundWork Support.

Best Practice

Back up JBoss prior to making administration changes.

Authentication vs. Authorization

  • Authorization refers to the rules that determine who is allowed to do what (e.g., userA is authorized to create and delete dashboards, while userB is only authorized to read).
  • Authentication is the process of ascertaining that somebody really is who they claim to be.
  • The two concepts are completely independent, but both are central to security design, and failing to get either one correct opens an avenue to compromise.
  • In Web application terms, authentication is checking login credentials to decide whether you recognize a user as logged in, and authorization is consulting your access control to decide whether that user may edit, delete or create content.

The default identity store for GroundWork Monitor is a database (DB): all users, groups, roles, and memberships are persisted in the jboss-idm database. It is recommended to use the APIs to access this database when needed, with the help of GroundWork Support.

GroundWork delegates the authentication module to Java Open Single Sign On (JOSSO). JOSSO consists of two main components, the JOSSO Gateway and the JOSSO Agent. The JOSSO Gateway is an application running on Tomcat (port 8888) in its own JVM; the GroundWork portal runs on JBoss (port 8080) in a separate JVM. The login page is served by the JOSSO Gateway module. The JOSSO Gateway is configured in josso-gateway-config.xml to talk to the DB or to LDAP. Once JOSSO performs the authentication, the system relays the result to JBoss, which performs the authorization part. For GroundWork Monitor, a successful login leads to a landing page. Before JBoss shows the landing page, it checks whether the user has the privilege to access the page as well as its nodes.

2.0 GroundWork Monitor Portal Structure

In the JBoss portal, a node is a collection of one or more pages. A node itself can have a page. For example, Dashboards is a node, and Summary, Grafana, and Enterprise View are pages under that node.

Figure: Nodes and pages

The Dashboards node itself duplicates portlets from the Summary page and has its own page, which is the landing page for the stock GroundWork Monitor Enterprise 7.x.x.

Figure: Dashboards as node with Summary portlets

A portal group is a logical collection of users. This concept is new in GroundWork Monitor 7.x, as it is inherited from JBoss Portal Platform (JPP6). Group Management is available to Portal Administrators and GroundWork Administrators under Group > Organization > User and Group Management > Group Management. Since GroundWork Monitor 7.0, a user should be associated with a portal group and a membership. A membership describes MSP restrictions, actions and dashboard restrictions. In the JBoss portal, a role and a membership have to be defined to restrict any portal object (node, page, portlet, container).

This image shows what an access permissions page looks like for a portal object.

Figure: Access permissions

The image below illustrates the difference between a node, a sub-node and a page. Configuration is a node with Services as one of its underlying pages; Maintenance is a Configuration sub-node with Device Cleanup as one of its underlying pages.

Figure: Nodes, sub-nodes, pages

A user can belong to any membership, and the combination of a portal group and a membership defines the privileges for a portal object.

The portal is very flexible in terms of defining privileges for a role or group. The image below shows a sample portal layout with a container, a portlet and a page. A container is a canvas on which to place one or more portlets. A page can have one or more portlets or containers. Permissions can be set at several levels: page, container, portlet or application.

Figure: Permission components

3.0 Users, Groups, Roles, Memberships

A fresh GroundWork Monitor installation includes default system users, groups, roles, and memberships.

A system account is made up of a user who is part of a group and is associated with a group ID (role) and a membership. A group ID (role) grants the user specific portal access and permissions, while a membership defines the privileges relating to what can be done once access is obtained. A group is a logical collection of users.

Let's take a look at one of the default accounts:

  • User: user
  • Group: Users
  • Role: GWUser
  • Membership: gw-portal-user

    Figure: Default system account user

With further inspection, using the table below, the user account has role access only to the Dashboards, Status, and Views portal pages, has membership privileges to link to Status from all Dashboards, is restricted to using the Actions portlet in Status, and has access to all host groups and service groups. At the application level, each GroundWork integrated PHP/Perl app (monarch, cacti, nagvis, nagios, BSM, weathermap, nedi) has its own application-level permissions. Each of these apps has its own web.xml file with params as displayed below. This permission states that only roles named GWAdmin or GWOperator have access to the application page. Since the application is IFramed in the portal, this application-level check prevents anonymous access to the application URL.

<init-param>
    <param-name>AUTHORIZED_ROLES</param-name>
    <param-value>GWAdmin,GWOperator</param-value>
</init-param>
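The two-layer check that init-param expresses, as an added example (this is not GroundWork's code): it parses AUTHORIZED_ROLES out of a constructed web.xml and combines that application-level check with page-level role grants transcribed from the default-accounts table below. Treating the leading "/" on role names such as /GWUser as a display prefix is an assumption of the example.

```python
"""Portal page role grant, then the IFramed app's web.xml AUTHORIZED_ROLES."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the shape shown on the page, wrapped in a
# minimal <web-app>/<servlet> so it parses as a complete document.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>app</servlet-name>
    <init-param>
      <param-name>AUTHORIZED_ROLES</param-name>
      <param-value>GWAdmin,GWOperator</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Portal-page role grants transcribed from the default-accounts table for
# three pages; a role not listed for a page has no access to it.
PAGE_ROLE_ACCESS = {
    "Dashboards": {"GWUser", "GWOperator", "GWAdmin", "GWRoot"},
    "Status": {"GWUser", "GWOperator", "GWAdmin", "GWRoot"},
    "Configuration": {"GWAdmin", "GWRoot"},
}

def authorized_roles(web_xml):
    """Return the AUTHORIZED_ROLES set from web.xml (empty if the param is absent)."""
    for param in ET.fromstring(web_xml).iter("init-param"):
        if param.findtext("param-name", "").strip() == "AUTHORIZED_ROLES":
            raw = param.findtext("param-value", "")
            return {r.strip() for r in raw.split(",") if r.strip()}
    return set()

def normalize(role):
    # Assumption: the leading "/" in role names such as /GWUser is a display
    # prefix, and the bare name is what the web.xml list is compared against.
    return role.lstrip("/")

def can_open_page(user_roles, page):
    """Portal layer: JBoss checks the user's roles against the page grants."""
    return any(normalize(r) in PAGE_ROLE_ACCESS.get(page, set()) for r in user_roles)

def can_use_app(user_roles, web_xml=WEB_XML):
    """Application layer: anonymous users (no roles) and unlisted roles are
    denied; a missing or empty AUTHORIZED_ROLES fails closed (deny all)."""
    allowed = authorized_roles(web_xml)
    return bool(allowed) and any(normalize(r) in allowed for r in user_roles)

def access_decision(user_roles, page, web_xml=WEB_XML):
    """Both layers must pass: the portal page check, then the IFramed app's check."""
    return can_open_page(user_roles, page) and can_use_app(user_roles, web_xml)
```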

The GroundWork Administrator (admin/admin) can control the various membership permissions and restrictions. A Portal Administrator (root/root) can control the portal pages that are accessible to this user. It is important to note that new users, by default, are created within the Users group with a GWUser role, are assigned the gw-portal-user membership, and have permissions to all host groups and service groups.

This table shows the GroundWork Monitor default system accounts, including users, groups/roles and memberships, and the access privileges for each. Additionally, there is a ro-dashboard membership used for read-only dashboard access and an msp-sample membership associated with the group MSP Users, which can be used for multiple service providers.


Table: Default System Accounts (an empty cell means the item is not granted to that account)

|                                                    | user           | operator               | admin                       | root                    |
|----------------------------------------------------|----------------|------------------------|-----------------------------|-------------------------|
| USERS                                              | user           | operator               | admin                       | root                    |
| GROUPS                                             | Users          | Operators              | GroundWork Administrators   | Portal Administrators   |
| ROLES                                              | /GWUser        | /GWOperator            | /GWAdmin                    | /GWRoot                 |
| MEMBERSHIPS                                        | gw-portal-user | gw-monitoring-operator | gw-monitoring-administrator | gw-portal-administrator |
| ROLE ACCESS                                        |                |                        |                             |                         |
| Dashboards                                         | Accessible     | Accessible             | Accessible                  | Accessible              |
| Event Console                                      |                | Accessible             | Accessible                  | Accessible              |
| Status                                             | Accessible     | Accessible             | Accessible                  | Accessible              |
| Views                                              | Accessible     | Accessible             | Accessible                  | Accessible              |
| Reports                                            |                | Accessible             | Accessible                  | Accessible              |
| Auto Discovery                                     |                |                        | Accessible                  | Accessible              |
| Configuration                                      |                |                        | Accessible                  | Accessible              |
| Business                                           |                |                        | Accessible                  | Accessible              |
| GroundWork Administration                          |                |                        | Accessible                  | Accessible              |
| Advanced                                           |                |                        | Accessible                  | Accessible              |
| User Administration                                |                |                        | Accessible                  | Accessible              |
| Portal Administration                              |                |                        |                             | Accessible              |
| MEMBERSHIP PERMISSIONS                             |                |                        |                             |                         |
| Disable links to status viewer from all dashboards |                |                        |                             |                         |
| Enable Actions Portlet                             |                | Accessible             | Accessible                  | Accessible              |
| Cacti                                              | Accessible     | Accessible             | Accessible                  | Accessible              |
| Nagios                                             |                | Accessible             | Accessible                  | Accessible              |
| Nagvis                                             | Accessible     | Accessible             | Accessible                  | Accessible              |
| BSM-Admin                                          |                | Accessible             | Accessible                  | Accessible              |
| BSM-User                                           |                | Accessible             | Accessible                  | Accessible              |
| BIRT-Reports                                       |                | Accessible             | Accessible                  | Accessible              |
| Performance                                        |                | Accessible             | Accessible                  | Accessible              |
| Performance-Reports                                |                | Accessible             | Accessible                  | Accessible              |
| Monarch                                            |                | Accessible             | Accessible                  | Accessible              |
| NeDi                                               |                | Accessible             | Accessible                  | Accessible              |
| Cloud Hub                                          |                | Accessible             | Accessible                  | Accessible              |
| Grafana                                            | Accessible     | Accessible             | Accessible                  | Accessible              |
| Allow access to all Host Groups and Service Groups | Accessible     | Accessible             | Accessible                  | Accessible              |
