Letting non-admin users make and manage their own dynamic groups
We’ve got an environment that is maturing into a space where our SMEs are now wanting to take some ownership of their device organization and alert tuning. Part of that has butted up against dynamic group membership, but unfortunately (understandably), that can only be done by people who can manage all groups, since obviously you could just make a dynamic group under a group to which you have access whose AppliesTo is just “true()” and thus gain access to every device in the org.
We have been considering ways to facilitate access to these SMEs so that they can manage their own device groups, without giving them too much power with which they could accidentally delete or silence a bunch of devices they don’t own by a mistake in their AppliesTo logic. We’d really prefer not to just give these SMEs blanket Manage access, but we’d also like to avoid having a paradigm where they have to come to us to have every single dynamic group created for them.
We’ve been considering Terraform, granting each team access to their own static group and letting them make subgroups inside of it, and adding what is effectively an AppliesTo prepend that is “belongsToThisTeam() &&” + “whatever their AppliesTo is.” This, unfortunately, would require them to know about and remember to use whatever custom module we’d build to add that prepend. Furthermore, the way parent groups are set up, we’d have little to no way to restrict them to putting their new groups under the ones to which they rightfully have access.
Has anyone else come up on these hurdles and figured out a way, or done some thinking on how to facilitate dynamic group management for specific teams without giving them the keys to the kingdom?
- Anonymous, 11 months ago
This seems like it would be a natural evolution of LM towards using actual multi-tenancy. The FR I submitted looks like this (in case you want to copy/paste).
Inheritance of additional appliesto clause
I would like to specify a property on a parent group called mandatoryAppliesTo and have that appliesto "AND"ed to every appliesto of every dynamic group under the group containing the property.
This would simplify our current appliesto and make our standard dynamic group definitions under each customer folder identical, with the parent folder adding to each dynamic group under the customer to ensure only that customer's devices are included.
This also gives us the ability to delegate dynamic group management under customers to non administrators while ensuring they don't accidentally cross tenant boundaries. More details and discussion can be found here: https://community.logicmonitor.com/product-discussions-22/letting-non-admin-users-make-and-manage-their-own-dynamic-groups-4073?postid=14899
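
The prepend described in the original post and the mandatoryAppliesTo idea in the reply, as an added Python example that is not from either poster or from LogicMonitor: it checks that the parent group lies inside the team's subtree and wraps the team's expression in parentheses before ANDing it with the mandatory clause, so an `||` in the team's text cannot escape the scope. The group ids, team names, `belongsTo*Team()` functions and the `name`/`parentId`/`appliesTo` keys are assumptions, as is the rule that AppliesTo string literals are double-quoted; anything ambiguous is rejected.

```python
# Added example: compose a team-scoped AppliesTo and check the parent group.
# All ids, team names and belongsTo*Team() functions are constructed placeholders.
GROUP_PARENTS = {1: None, 10: 1, 11: 10, 20: 1, 21: 20}  # group id -> parent id
TEAMS = {
    "network": {"root_id": 10, "mandatory": "belongsToNetworkTeam()"},
    "database": {"root_id": 20, "mandatory": "belongsToDatabaseTeam()"},
}


def is_under(group_id, root_id):
    """True if group_id is root_id or one of its descendants."""
    seen = set()
    while group_id is not None and group_id not in seen:
        if group_id == root_id:
            return True
        seen.add(group_id)
        group_id = GROUP_PARENTS.get(group_id)
    return False


def is_self_contained(expr):
    """Reject text that could close the wrapping parenthesis early."""
    if not expr.strip() or any(c in expr for c in "\n\r'\\"):
        return False  # conservative: no line breaks, single quotes or backslashes
    depth, in_string = 0, False
    for ch in expr:
        if ch == '"':
            in_string = not in_string
        elif not in_string and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                return False
    return depth == 0 and not in_string


def build_group(team, parent_id, name, applies_to):
    """Return a group definition scoped to the team, or raise ValueError."""
    cfg = TEAMS[team]
    if not is_under(parent_id, cfg["root_id"]):
        raise ValueError(f"parent group {parent_id} is outside {team}'s subtree")
    if not is_self_contained(applies_to):
        raise ValueError("AppliesTo rejected: unbalanced or ambiguous expression")
    # Parentheses keep && from binding tighter than an || in the team's text.
    scoped = f'{cfg["mandatory"]} && ({applies_to})'
    return {"name": name, "parentId": parent_id, "appliesTo": scoped}
```

A text-level guard like this only holds if every group creation goes through it, which is the gap the feature request's server-side inheritance would close.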