Forum Discussion

mnagel
Professor
5 years ago

Unable to create non-security groups for client delegation

We thought we came up with a trick to deal with letting our clients manage maintenance on many different devices. The idea was, create a group they can manage and let them add those devices to the group, then schedule maintenance and update as needed. Alas, RBAC prevents this, primarily because it lacks the ability to distinguish using groups for grouping from using groups for security. Because the users don't have manage on the devices (intentionally), they cannot add them to a group. If we could allow them to add to a non-security group, it would potentially fix this. I'm sure other options to be added by LM might work, perhaps better. This one was already somewhat concerning as granting manage to the maintenance group meant they could potentially delete the group by accident. I understand why this is broken under today's semantics, but we need a group mechanism that works as intended for this or a suitable alternative.

  • Anonymous

    I'm sure dynamic groups will fit into the final answer, but I'm not seeing it yet. And I'm trying really hard to not mention the API.

    Perhaps a property source that reads from a google sheet to tag the items that should be in the users' group?

  • I think dynamic groups would be fine if there was a way to easily add devices in an ad-hoc manner like you can with static groups. I think using a Google sheet is too Rube Goldberg to present to our customers as a solution.

  • Thinking about this more, what is needed is a facility to define saved searches along with the ability to apply actions (like SDT) to those searches (or to multiple items in general). OSS tools like Thruk do this very well (though I don't recall it supported saved searches last time I used it, but you could reference a search as a permalink IIRC). In my experience with LM to date, nuts and bolts operational issues like this that impact everyone get too little attention as the more sexy things like Kubernetes and cloud monitoring seem to draw all the development resources. I really would like to see some more focus on nuts and bolts issues.

  • Anonymous
    On 5/2/2020 at 3:50 PM, mnagel said:

    a facility to define saved searches along with the ability to apply actions (like SDT) to those searches (or to multiple items in general)

    You can "save a search", that's what a dynamic group does. And you can do SDT at the group level. Depending on the action desired, most things can be done on the group level. I always recommend additional group structure for management purposes that is separate from group structure for permissions and also separate from group structure for reporting.

    I think the real issue here is permissions. If you gave that role permission to manage the target group, they could add devices to the group by navigating to the group, selecting manage, and in the "devices & collector" section, hitting the plus sign. The problem is that this allows the users to also delete that group and full RW to devices in the group. RBAC just needs to be more granular than "view, ack, manage, remote", perhaps with the ability to specify custom permission sets based on the four built in ones (like other tools already on the market).

  • Yes, that would help. Still not the same as saved searches, as we can never delegate creation of dynamic groups to users, and dynamic groups can only be defined for resources, not for websites or collectors. Allowing creation of taxonomic groups (not related to security) would help as well, as long as RBAC could allow managing members without granting special resource access or allowing manipulation of the group itself. It is just one of the nuts and bolts issues that create walls for us all the time, like UI lists randomly lacking search functions or not being able to avoid alerts for clustered resource instances (e.g., HA interface pairs) without coding each case in the DS (or in some cases use of the API to auto-ACK partner instances leveraging properties).