Once clicked, this button will display the ‘New Role’ configuration window:
There are six tabs within the ‘New Role’ window:
Role: Assign a name and description to the Role. If Multi-tenancy is enabled, it will be displayed here.
BSM: Define the access control and visibility for Business Service Monitoring, i.e. can Users within this Role add Business Services or Components, and also which Business Services can they see when logged in.
Status Access: Defines what Users who are assigned this Role can do within Opsview Monitor when logged in; e.g. can they view dashboards, create dashboards, send notifications, etc.
Status Objects: Defines which objects the Users within this Role can see, including Host Groups, Service Groups and Hashtags.
Configuration: Defines which objects and sections the Users within this Role can configure, e.g. can they access the ‘Hashtags’ section of Settings.
Administration: The administrative options are defined within this tab, such as determining if Users within this Role can reload Opsview.
First, give the Role a name and an informative description within the ‘Role’ tab, as shown below:
Note: We can ignore the ‘Multi-tenancy’ line as we are creating a ‘standard’ Role.
Next, click on the ‘BSM’ tab:
If the ‘BSM’ checkbox (“Allows ability to view BSM analysis screens”) is not checked, then the rest of the options will be hidden. The ‘Authorised for Business Services’ section is where you can determine which Business Services the User can view (via dashboards), and which ones they can both view and edit. In our example, we are not going to configure any access for editing and viewing BSM items.
You can control which Business Services are available for a Role from a “top down” or from a “bottom up” approach.
Top Down Choose the specific business service in the Authorised for Business Services field. If you select View All, then all Business Services will be available including any new Business Services created in the future. Access to the Business Service will allow visibility of all components of the Business Service.
Bottom Up Components will be automatically selected based on your existing status object permissions (based on Host Group / Service Group intersection or Hashtags). Note: The 'intersection' is explained in detail within the 'Status Objects' tab.
Permission for components are automatically granted based on the existing status object definitions. If VIEWALL is specified, then all components are visible. Otherwise, it is based on the Host Group/Service Group intersection and Hashtags. You need to see all hosts for the component to be visible.
Note: If the component consists of 20 Service Checks, then the User will need to have permission to all 20 Service Checks in order for the component to be visible.
If you select the “Grant permissions to Business Services” checkbox, then the Business Services associated with all your components will be visible.
Next, click on the ‘Status Access’ tab:
Within this tab you can configure what access rights Users of this Role have, i.e. can they create and edit dashboards, can they view Flow data, can they send notifications, and so on. In this tab, we need to check ‘VIEWSOME’ (“Allows viewing of status information for some objects”), where ‘some objects’ are the items they are allowed to view as per the ‘Status Objects’ tab.
We should also check: NAVOPTIONS, RRDGRAPHS, TESTSOME, DOWNTIMESOME, and ACTIONSOME.
Next, click the ‘Status Objects’ tab:
Within Status Objects, you will need to set the combination of Host Groups and Service Groups; for example, if we want to restrict Users to view only ‘Application – Opsview’ service checks that are on hosts within ‘Monitoring Servers’ Host Group, then we would select the above.
Alternatively, we can tag those Hosts and Service Checks with a Hashtag, i.e. “opsview-servers”, and then select that within ‘Authorised for Hashtags’.
Next, click on the ‘Configuration’ tab:
Within the Configuration tab, you can define the Host Groups that Users can edit (and thus the hosts within). You can also define other items Users can configure within the monitoring software, i.e can they edit the hosts they have access to view, can they edit other Users, and so forth.
Finally, click on the ‘Administrator’ tab:
This tab controls administrator access such as granting Users access to RELOAD (i.e. apply the changes), save new passwords or view reporting.
Once you have configured the above six tabs, click ‘Submit Changes’ and your new Role will be created:
We can now apply this new Role to a test User, as below:
Note the Role is set to ‘Opsview Servers’. After saving the new User and completing a reload, you can now log in with the new User and see that the permissions have been correctly applied: