Forum Discussion

Kelemvor
Professor
20 days ago

Do you use SSO and require group membership? And does it also assign permissions?

Hi,

We have SSO setup between LM and Azure.  It's currently just wide open that anyone with an AD/Entra account can log into LM and get default Read-Only rights.  However, I was asked to see about restricting access so that everyone would have to be in a certain LM Group in AD in order for them to get permissions.

I think I can figure that part out but I'm also wondering about assigning roles to people based on their AD group.  In LM we have various Roles setup so people only have Edit rights to groups that they manage.  Network Team has edit rights to the Network Equipment group, Database team has edit rights to the Database Servers group, etc.

I was originally thinking I'd use SSO just to grant base access and then I'd assign people to roles within LM that would set their permissions.  Then I thought maybe I could create LM groups in AD for each team and have those grant access and handle the Roles people get assigned to.  Just curious how many people utilize the role assigned from SSO thing and how well it works or if people just handle that within LM.

Thanks.

3 Replies

  • I would say authentication and authorization based on central role management (like AD) is the standard in the enterprise environment. The user has roles/groups assigned in AD and then all systems work with the user's AD roles/groups obtained during SSO (SAML, OIDC).

    I can imagine that a small user base can be managed manually within LM. But it will be a pain/nightmare for bigger companies. I have around 70 "teams" and authorization is based on AD roles/groups. Everything is managed via code (Terraform TF - which is not the strongest point of LM). TF detects current teams (they are not a flat structure, but they have their own level of organization) and based on that creates for each team: an LM role and an LM dashboard/resource/report/website group. Of course each team has write access only to its own team dashboard/resource/report/website group and read everywhere + write to a "test" dashboard/resource/report/website group where teams can work together eventually.

  • We use AD for SSO and it works well with the permissions assigned to the role. The advantage here is once someone is assigned the appropriate role in AD there is no need to do any management within LogicMonitor other than tuning permissions within that role. I would always keep a fallback username and password should there ever be any issues with your SSO integration.

    Migrating to AD Role based access control will reduce your administrative overhead once deployed.   We set up the roles on deployment and other than adding new teams we have not had to worry about anything.

  • We currently have SSO working but there's no restrictions on it.  I found how we can restrict it to one group, but I'm not sure on using the groups in Azure to correlate to Roles in LM.

    I was referred to this article, but I've never done this before so I'm not sure if I have to do everything on this page or not.  Could anyone offer any guidance?

    https://www.logicmonitor.com/support/single-sign-on

    I think what we'd want to do is have Entra groups like LogicMonitor_NetworkTeam, LogicMonitor_DatabaseTeam, etc., and then have those link with the Network Role and Database Role that we already have in LM, which sets which resources they can view vs. which they can manage.

    I just don't want to break anything as I muddle my way through the above link, assuming it's correct.

    Thanks!
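The group-to-role mapping the thread describes, as an added example (not code from this thread or from LogicMonitor): the groups claim URI, the gate group `LogicMonitor_Users`, the role names and the sample assertion are all assumptions, and the point it shows is deny-by-default, i.e. a user outside the gate group gets no login at all, a user in the gate group with no team group gets only Read-Only, and team groups add the matching role.

```python
"""Map SAML group claims to LogicMonitor roles, deny-by-default (added example)."""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Assumed claim name for Entra group memberships; verify against your own IdP setup.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical gate group: no membership here means no LM access at all.
ACCESS_GROUP = "LogicMonitor_Users"
# Team groups from the thread mapped to the LM roles named in the thread (names assumed).
GROUP_TO_ROLE = {
    "LogicMonitor_NetworkTeam": "Network Role",
    "LogicMonitor_DatabaseTeam": "Database Role",
}
DEFAULT_ROLE = "Read-Only"  # what a gated user gets with no team group


def groups_from_assertion(xml_text: str) -> set[str]:
    """Return the group values carried in the assertion's groups attribute."""
    root = ET.fromstring(xml_text)
    groups: set[str] = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                if val.text:
                    groups.add(val.text.strip())
    return groups


def roles_for(groups: set[str]) -> list[str] | None:
    """None means deny the login; otherwise the sorted list of LM roles to grant."""
    if ACCESS_GROUP not in groups:
        return None
    roles = sorted(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)
    return roles or [DEFAULT_ROLE]


# Constructed sample assertion fragment (not a real IdP response).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>LogicMonitor_Users</saml:AttributeValue>
      <saml:AttributeValue>LogicMonitor_NetworkTeam</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(roles_for(groups_from_assertion(SAMPLE)))  # ['Network Role']
```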