Solved

VMware vCenter Server - permissions


Userlevel 4
Badge +6

Hi,

We have the MSP version of LM. We have a vCenter dashboard in a customer group, which is a duplicate of the default vCenter dashboard.

When I log in (I am an LM admin) I can see all the widgets okay. When the customer logs in, they can only see some of the widgets. By ‘see the widgets’, I mean they all show but some of them say ‘Group not found’ for the customer only. We are accessing exactly the same dashboard.

If I add the customer login to any standard LM permission (admin, manager, read-only) it all works ok for them. But doing this gives them access to other customer dashboards and resources.

I have the vcenter.* properties added to their vCenter Server resource.

Not sure what else to try.

My login:

Customer login:

 


Best answer by Mike Moniz 6 February 2024, 17:58


11 replies

Userlevel 4
Badge +6

Should have been more specific on the properties. I’m not using ALL of the vcenter ones.

vcenter.user
vcenter.pass
vcenter.hostname

 

Userlevel 6
Badge +11

Sounds like you need to look at the role permissions you provided to this user. The dashboards will only show data the user has access to via the role’s resource, website and maps sections. The dashboard will “filter” out data the user doesn’t have access to directly. I suggest first making sure the user can view the data you want to show in the resource, website and/or map pages.

Userlevel 4
Badge +6

Thanks.

The way we have it structured is every customer gets their own top level ‘folder’. Let’s say this one is GOOGLE.

GOOGLE will have a Dashboard group
GOOGLE will have a Resource group

All resources for GOOGLE get added to GOOGLE resource group
All dashboards for GOOGLE get created in the GOOGLE dashboard group

GOOGLE gets a Role called GOOGLE Users
Customer Roles are placed in a ‘Customer’ role group
GOOGLE Role has ‘Manage private’, ‘View GOOGLE’ dashboard group under ‘Dashboards’
GOOGLE Role has ‘Allowed to manage Resource Dashboards’, ‘Allowed to view Map Tabs’, ‘View GOOGLE resource group’ (and all children Resource Groups) under ‘Resources’

Then for users, we create them and assign them only to their Role. So…

Joe.Bloggs@google.co.uk is assigned to GOOGLE Role.

This customer vCenter Server / vSphere is definitely inside the GOOGLE resource group

Customer users don’t get ‘Manage’ permissions in the Role. But as a test, I gave this one Manager for everything and it still doesn’t work. It’s only if I make the user directly added to one of the built-in LM groups.

Userlevel 6
Badge +11

All resources for GOOGLE get added to GOOGLE resource group

GOOGLE gets a Role called GOOGLE Users

GOOGLE Role has ‘Allowed to manage Resource Dashboards’, ‘Allowed to view Map Tabs’, ‘View GOOGLE resource group’ (and all children Resource Groups) under ‘Resources’

Joe.Bloggs@google.co.uk is assigned to GOOGLE Role.

This customer vCenter Server / vSphere is definitely inside the GOOGLE resource group

 

That setup sounds correct and pretty typical. Are these customer groups static or dynamic? Can a user with that role view the vmware data on the Resource page specifically? May need to temporarily allow the user to view the page if you turned that off (that setting is per-user and not in the role).

 

Userlevel 4
Badge +6

What do you mean by ‘Are these customer groups static or dynamic’? Users/roles/role groups are static.

We have a static ‘All devices’ group as a direct child of the customer main group, which is where all devices get added to. For some apps like AD, we then have a dynamic group (custom query: hasCategory("MicrosoftDomainController")) alongside ‘All devices’ (not inside it as a child).

Good shout on seeing the data directly on the Resource page. I think you mean Resources > relevant Resource Group > relevant device:

 

Userlevel 4
Badge +6

PS: There is currently only 1 vCenter added, so my login for example won’t be getting those widgets via another vCenter (that this customer doesn’t have access to)

Userlevel 4
Badge +6

Another thing… for vCenter alerts Widget, customer sees Green tick. My login sees the actual alerts, and there are errors and warnings.

Userlevel 6
Badge +11

Sorry, I meant if the customer’s groups which contain the devices on the resources page were static, and sounds like they are.

Since the user can review the graphs and data of the vmware device on the resources page, it doesn’t sound like a role issue. I would try taking one of those graphs from the resource page, clicking on the down arrow and “add to dashboard” to place it on that customer dashboard unmodified. See if that then shows up. If it does, then it might just be the settings on those specific widgets with issues. LM widgets can get picky on how the groups are entered in. Sometimes you need to end with a “/” or “/*”. If you are attempting to use tokens (like ##defaultResourceGroup##), you may want to enter in groups directly just to rule out an issue with that.

You may also want to reach out to support, which can look at your specific setup.

Userlevel 4
Badge +6

Ahhh… I just added that first one from the resource (Top 10 Clusters by CPU Utilization (1 day)) to the same customer dashboard, and that works. I then tweaked the new widget to look like the one in my OP and it still works.

However, I noticed the new one, for Graph Data, is All > devicename.domainname > VMware Cluster Performance (VMware_vCenter_ClusterPerformance) > All > UsedCPUPercent whereas the original one is ##defaultResourceGroup## > All > VMware Cluster Performance (VMware_vCenter_ClusterPerformance) > All > UsedCPUPercent

Userlevel 6
Badge +11

What is your defaultResourceGroup token set to (if anything)? You can check it for the dashboard itself in the upper-right down arrow > Manage. It will have a section for tokens. You would want it to point to your customer folder (from the resource page), and at the dashboard group level and let it be inherited by the customer dashboard(s).

Tokens are like variables/properties that you can assign to the dashboard or dashboard group letting you more easily template dashboards, cloning them across multiple customers for example.

https://www.logicmonitor.com/support/dashboards-and-widgets/managing-dashboards/how-are-dashboards-created#tokens

 

Userlevel 4
Badge +6

Yeah I’ve just been playing with that. It was <ourcompanymspname>/Devices by Type/VMware vCenters.

Changed it to the customer folder and bingo.

I do understand tokens and most of the other stuff, just didn’t think to look there for the problem. Still need to learn some of the other functions like some specific dynamic resource group queries.

Thanks for your help.
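The root cause found in this thread, a cloned dashboard whose ##defaultResourceGroup## token still pointed at an MSP-level group outside the customer role's view, can be checked for before a dashboard is handed to a tenant. The following is an added example, not part of the original thread and not LogicMonitor code or API: it is a simplified model over constructed data, and the field names, the `MSP` group name and the rule that a dashboard's own token value overrides its group's are assumptions.

```python
import re

TOKEN = re.compile(r"##(\w+)##")

def lookup_token(name, dashboard, dash_groups):
    """Dashboard's own value first (assumed), then walk up its dashboard groups."""
    if name in dashboard.get("tokens", {}):
        return dashboard["tokens"][name]
    group = dashboard.get("group")
    while group is not None:
        node = dash_groups[group]
        if name in node.get("tokens", {}):
            return node["tokens"][name]
        group = node.get("parent")
    return None

def resolve(path, dashboard, dash_groups):
    """Replace each ##token##; unresolved tokens are left in place."""
    def sub(match):
        value = lookup_token(match.group(1), dashboard, dash_groups)
        return match.group(0) if value is None else value
    return TOKEN.sub(sub, path)

def visible(path, viewable_groups):
    """A role that can view a resource group can also view its children."""
    path = path.rstrip("/*")  # widgets may end the group with "/" or "/*"
    return any(path == g or path.startswith(g + "/") for g in viewable_groups)

def audit(dashboard, dash_groups, viewable_groups):
    """Return (widget, resolved group) pairs the role cannot see."""
    findings = []
    for widget in dashboard["widgets"]:
        resolved = resolve(widget["group"], dashboard, dash_groups)
        if not visible(resolved, viewable_groups):
            findings.append((widget["name"], resolved))
    return findings

# Constructed sample data modelled on the thread (names are placeholders).
DASH_GROUPS = {"GOOGLE": {"parent": None, "tokens": {}}}
ROLE_VIEW = ["GOOGLE"]  # resource groups the customer role may view
CLONED = {
    "group": "GOOGLE",
    "tokens": {"defaultResourceGroup": "MSP/Devices by Type/VMware vCenters"},
    "widgets": [
        {"name": "Top 10 Clusters by CPU Utilization",
         "group": "##defaultResourceGroup##/*"},
        {"name": "Added from Resources page", "group": "GOOGLE/All devices"},
    ],
}
FIXED = dict(CLONED, tokens={"defaultResourceGroup": "GOOGLE"})
```

Running `audit(CLONED, DASH_GROUPS, ROLE_VIEW)` flags only the token-driven widget, and `audit(FIXED, DASH_GROUPS, ROLE_VIEW)` returns nothing once the token points at the customer folder.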
