Neophyte
ProfessorWe utilize our identify management system (Okta) to provision users into the portal. Our automation creates the client's role and sets that role's specific permissions. When the client then logs in via Okta, it Just In Time (JIT) provisions the user, pushing their groups with them. This then places them in their specific and proper Role.
Groups, really are just a way of visually breaking up users in LogicMonitor. We have an out of band automation that runs daily, that places all client users into a specific group, all employees in another and then all API only in their own and lastly the Impersonation Accounts into their own.
As for impersonation, this has been a thing we have asked for, for a long time. The way around it for us was to automate creation of an account, that is added into the client's role. Then as needed the CSM can login as if they are the client. We prevent client's from creating private dashboards, but they can create dashboards in their specific folder, so there isn't much left that a CSM can't see other then user specific settings.
