Difference between revisions of "Permissions"
m (→Owner) |
m |
||
Line 1: | Line 1: | ||
+ | |||
+ | |||
== Overview == | == Overview == | ||
+ | A central design point of Veloopti security is that no user has permission to perform any operation unless they have been specifically granted it. The purpose of granting a permission is to enable a user to perform a specific action. Permissions either extend globally to the whole of Veloopti, or locally to a single application. Each application has total control of its own permissions and they do not interfere with another application. | ||
+ | |||
+ | == Design considerations == | ||
+ | A central design point of Veloopti permissions is to empower the owner of an application to have everything they need to monitor their application. They should be able to write and deploy any monitoring for their application without being interfered by another application. | ||
+ | |||
+ | |||
+ | |||
+ | == Roles and permissions == | ||
+ | Permissions are bundled together and can appear in one or more roles. | ||
+ | |||
+ | |||
+ | Global permissions and application permissions | ||
+ | Global permissions reach to the entire Veloopti organisation and can extend into every application. Application permissions exist only in the application. | ||
== Global permissions == | == Global permissions == | ||
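Review bot: In the new "Roles and permissions" section, "Global permissions and application permissions" is added as a plain text line while every other section in this hunk uses == heading == markup; make it a === subheading === so it renders as one and shows up in the contents. The "Overview" and "Design considerations" paragraphs also both open with "A central design point of Veloopti ..."; reword one of them, and change "without being interfered by another application" to "without interference from another application".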
Line 9: | Line 24: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Install | | Install | ||
− | | | + | | The user can install an agent on a server by providing their username and password. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
− | | | + | | Upgrade |
− | | | + | | The user can initiate an agent to upgrade |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
− | | | + | | Restart |
− | | | + | | The users can stop an start the Veloopti agent |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
− | | | + | | Create installation token |
− | | | + | | The user can create an installation token that can be used to install an agent that does not require a username and password. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
|- | |- | ||
|} | |} | ||
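Review bot: The "Create installation token" row does not say how long a token stays valid, how many installs it covers or how it is revoked, although the token stands in for the username and password that the "Install" row requires; add those details to the description. In the "Restart" row, "The users can stop an start" should read "The user can stop and start", and "initiate an agent to upgrade" reads better as "initiate an agent upgrade".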
Line 39: | Line 46: | ||
{| | {| | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
− | | | + | | List all |
− | | | + | | The user is able to view the complete list of applications in the application list view. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View all | | View all | ||
− | | | + | | The user is able to enter all applications in the application list view. This gives the user a read only view of the Dashboards, users and nodes in the application. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Create and Rename | | Create and Rename | ||
− | | | + | | The user can create a new application and rename an existing one |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Change application owner | | Change application owner | ||
− | | | + | | User can change an application owner to another user. |
+ | NOTE: This permission allows the user to assume full rights over any application. As the Owner of an application is the only user that is able to delete an application that means that this permission is also the "Delete Application" permission. | ||
|- | |- | ||
|} | |} | ||
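Review bot: The "Change application owner" row keeps its real reach in a trailing NOTE: the holder can assume full rights over any application, and the permission is also the "Delete Application" permission. Lead the cell with that statement so that someone granting the permission reads it first. The row also starts "User can" where the other rows in this table start "The user can" or "The user is able to".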
Line 64: | Line 72: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View all | | View all | ||
− | | | + | | The user can view all events for all applications |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage all | | Manage all | ||
− | | | + | | The user can change the status and set the event to closed |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View internal Veloopti events | | View internal Veloopti events | ||
− | | | + | | User can view events that have been created internally by server agents. These can be used to help diagnosing agent issues. |
|- | |- | ||
|} | |} | ||
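Review bot: The "Manage all" row says the holder can set an event to closed but omits that closing is irreversible, which the application-level "Close Events" row states ("Once closed an event cannot be re-opened"); repeat that NOTE here. In the "View internal Veloopti events" row, "to help diagnosing agent issues" should read "to help diagnose agent issues".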
Line 83: | Line 91: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Audit Logs | | View Audit Logs | ||
− | | | + | | The user can view the logs that are created any time a change is made in Veloopti |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Notification Logs | | View Notification Logs | ||
− | | | + | | The user can view the logs that are created any time a notification is sent. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Security Logs | | View Security Logs | ||
− | | | + | | The user can view logs that are created any time a user does something in Veloopti. This included logon and logout activities. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Billing Logs | | View Billing Logs | ||
− | | | + | | The user can view the logs that relate to billing |
|- | |- | ||
|} | |} | ||
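Review bot: The "View Audit Logs" and "View Security Logs" descriptions overlap: one covers "any time a change is made", the other "any time a user does something", and making a change is also something a user does. State which log holds which records so the two permissions can be granted separately with a known effect. In the Security Logs row, "This included" should be "This includes".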
Line 106: | Line 114: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View all | | View all | ||
− | | | + | | The user can view all nodes in the node list. They also can view the node properties. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Deploy policies | | Deploy policies | ||
− | | | + | | The user can deploy all application policies to servers whether they have access to the application or not. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Add Node to Applications | | Add Node to Applications | ||
− | | | + | | The user can add a node to any application in the organisation. |
+ | NOTE: The user does not need to have permission to view the application to add it. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Relabel Nodes | | Relabel Nodes | ||
− | | | + | | The user is able to change the label of the node |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Remove Nodes | | Remove Nodes | ||
− | ||- | + | | The user is able to remove the node from the organisation |
+ | |- | ||
|} | |} | ||
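Review bot: "Deploy policies" and "Add Node to Applications" both act on applications the holder has no access to (the row text says "whether they have access to the application or not", and the NOTE says no view permission is needed), which cuts across the Overview statement that applications do not interfere with one another. Say in both rows that the global permission overrides application-level access. In the NOTE, "to add it" has no clear referent; write "to add a node to it".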
Line 132: | Line 142: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage Node Billing Plan | | Manage Node Billing Plan | ||
− | | | + | | The user is able to change the billing plans for any node that they can see |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Organisation Billing Details | | View Organisation Billing Details | ||
− | | | + | | The user is able to view the invoices for the organisation |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
Line 144: | Line 154: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Change Default Settings | | Change Default Settings | ||
− | | | + | | The user can change the organisation default settings of: Language; Time Zone and Default new node plan. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage Schedules | | Manage Schedules | ||
− | | | + | | The user can change the schedules |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Add Users to Global and Application Roles | | Add Users to Global and Application Roles | ||
− | | | + | | User can add and remove users in Global and Application roles. |
+ | NOTE: The user needs to be granted access to the application before they can add or remove users from the applications roles. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Edit Global and Application Role Permissions | | Edit Global and Application Role Permissions | ||
− | | | + | | User can edit a role by adding or removing permissions from it. They also can create new roles. |
+ | NOTE: The user needs to be granted access to the application before they can add or remove permissions from the applications roles. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage Auto Discovery | | Manage Auto Discovery | ||
− | | | + | | The user can manage the auto discovery options for discovering application on servers |
|- | |- | ||
|} | |} | ||
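Review bot: The NOTEs on "Add Users to Global and Application Roles" and "Edit Global and Application Role Permissions" limit only the application side (the holder must first be granted access to the application) and say nothing about global roles. State whether a holder can add permissions to a global role they belong to, or add themselves to one, because that decides whether these two permissions amount to full control of the organisation. "the applications roles" should be "the application's roles", and "discovering application on servers" should be "discovering applications on servers".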
Line 171: | Line 183: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View All | | View All | ||
− | | | + | | The user can view storm rules |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage All | | Manage All | ||
− | | | + | | The user can create and edit storm rules |
|- | |- | ||
|} | |} | ||
Line 186: | Line 198: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage all | | Manage all | ||
− | | | + | | Allows the user full permissions to policies for any application that they are able to view. Can be used in conjunction with the application "View all" global permission to empower a user to enter any application and modify the policies. |
|} | |} | ||
Line 196: | Line 208: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Add Users to Global Roles | | Add Users to Global Roles | ||
− | | | + | | The user can add and remove users from global roles |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Invite User to Organisation | | Invite User to Organisation | ||
− | | | + | | The user can send an invitation to an external email address to add them to their organisation |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Remove User from Organisation | | Remove User from Organisation | ||
− | | | + | | The user can remove any user, except for the organisation owner, from the organisation |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Active User Sessions | | View Active User Sessions | ||
− | | | + | | The user can view active user sessions for all users |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Expired User Sessions | | View Expired User Sessions | ||
− | | | + | | The user can view expired user sessions for all users |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Kill any Users Session | | Kill any Users Session | ||
− | | | + | | The user can kill any users active session. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Add User to Application | | Add User to Application | ||
− | | | + | | The user can add another user to any application that they can view |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Add / Remove user from Application User Group | | Add / Remove user from Application User Group | ||
− | | | + | | The user can add or remove a user from an application user group that they can view |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Add Other Users to this Role | | Add Other Users to this Role | ||
− | | | + | | Allows any member of the role to add another user to the role. This means that the members of the role are able to self manage rather than having to rely on someone with the Global "Assign User to Global Role" role. |
|- | |- | ||
|} | |} | ||
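Review bot: The "Add Other Users to this Role" row refers to a Global "Assign User to Global Role" role, but no permission of that name appears in this table; the matching row is "Add Users to Global Roles". Use the exact permission name so the cross-reference can be followed. "Kill any Users Session" and "any users active session" also need an apostrophe ("user's").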
Line 239: | Line 251: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage all | | Manage all | ||
− | | | + | | Can be used in conjunction with the application "View all" global permission to empower a user to enter any application and modify the dashboards. |
|- | |- | ||
|} | |} | ||
Line 253: | Line 265: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View all actions | | View all actions | ||
− | | | + | | The user can view all of actions in the application |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Run Operator Actions | | Run Operator Actions | ||
− | | | + | | The user can run actions that have an operator level permission. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Run Power User Actions | | Run Power User Actions | ||
− | | | + | | The user can run actions that have a Power User level permission. |
+ | Note: This does not mean that users have permission to run an operator level action. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Run Administrator Actions | | Run Administrator Actions | ||
− | | | + | | User can run actions that have an Administrator level permission. |
+ | Note: This does not mean that users have permission to run an Operator or Power User level action. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage Actions | | Manage Actions | ||
− | | | + | | The user is able to create, edit and delete actions. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Assign Action to Action Group | | Assign Action to Action Group | ||
− | | | + | | The user can add actions to actions group. This allows the action to be available to be run on any server in the application. |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Manage Groups | | Manage Groups | ||
− | | | + | | The user can add and remove action groups |
|- | |- | ||
|} | |} | ||
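Review bot: The rule that run levels are not cumulative appears only as a note on the "Run Power User Actions" and "Run Administrator Actions" rows; state it once for the whole table so that the "Run Operator Actions" row is covered as well. Those two notes use "Note:" where the rest of the page uses "NOTE:", "view all of actions" should be "view all actions", and "add actions to actions group" should be "add actions to an action group".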
Line 288: | Line 302: | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| View Events | | View Events | ||
− | | | + | | The user can view events for the application |
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Edit Event Description | | Edit Event Description | ||
− | | | + | | The user can change the event description for an open event. |
+ | NOTE: Under no circumstances can the description for a closed event be changed. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Change Event Severity | | Change Event Severity | ||
− | | | + | | The user can change the event severity for an open event. |
+ | NOTE: Under no circumstances can the severity for a closed event be changed. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Run Action from Event | | Run Action from Event | ||
− | | | + | | The user is able to run an action on a node from an event. |
+ | NOTE: The user also needs to have the run Operator/Power User/Administrator permission in order for the action to be available to them. | ||
|- | |- | ||
| [[file:slider_right.png|30px]] | | [[file:slider_right.png|30px]] | ||
| Close Events | | Close Events | ||
− | | | + | | User can close an open event. |
+ | NOTE: Once closed an event cannot be re-opened. | ||
|- | |- | ||
|} | |} | ||
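Review bot: The NOTE on "Run Action from Event" names "the run Operator/Power User/Administrator permission", which is not how the Actions table labels those rows; cite "Run Operator Actions", "Run Power User Actions" and "Run Administrator Actions" so the reader can find them. The "Close Events" row starts "User can" where the others start "The user can".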
Line 418: | Line 436: | ||
=== Owner === | === Owner === | ||
− | The role of owner has permanent permissions that cannot be revoked. Even if all roles are lost to everyone else | + | The role of owner has permanent permissions that cannot be revoked. Even if all roles are lost to everyone else the owner is still able to access the ones below. Once the role of owner is given to another user it cannot be taken back. If the role of owner is somehow lost to an organisation then contact Veloopti. |
{| class="wikitable" style="text-align: left; color: black;" | {| class="wikitable" style="text-align: left; color: black;" | ||
Line 447: | Line 465: | ||
| | | | ||
|- | |- | ||
− | | | + | | Edit Global and Application Role Permissions |
| [https://ap1.veloopti.com.au/permissions ap1.veloopti.com.au/permissions] | | [https://ap1.veloopti.com.au/permissions ap1.veloopti.com.au/permissions] | ||
| | | | ||
Line 455: | Line 473: | ||
| style="text-align:center;" | Menu item | | style="text-align:center;" | Menu item | ||
|- | |- | ||
− | | | + | | Add Users to Global and Application Roles |
− | | [https://ap1.veloopti.com.au/roles/index/ ap1.veloopti.com.au//roles/index/ | + | | [https://ap1.veloopti.com.au/roles/index/ ap1.veloopti.com.au//roles/index/] |
| | | | ||
| | | |
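Review bot: The link label added for "Add Users to Global and Application Roles" reads "ap1.veloopti.com.au//roles/index/" with a double slash, while the target URL in the same line is https://ap1.veloopti.com.au/roles/index/; drop the extra slash from the label so the two agree.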
Revision as of 22:33, 15 January 2019
1 Overview
A central design point of Veloopti security is that no user has permission to perform any operation unless they have been specifically granted it. The purpose of granting a permission is to enable a user to perform a specific action. Permissions either extend globally to the whole of Veloopti, or locally to a single application. Each application has total control of its own permissions, and they do not interfere with those of another application.
2 Design considerations
A central design point of Veloopti permissions is to give the owner of an application everything they need to monitor their application. They should be able to write and deploy any monitoring for their application without interference from another application.
3 Roles and permissions
Permissions are bundled together and can appear in one or more roles.
Global permissions and application permissions
Global permissions apply to the entire Veloopti organisation and can extend into every application. Application permissions exist only within the application.
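A small model of the rules this page states, added here as an illustration and not Veloopti's own code: default deny, permissions bundled into roles, global versus application scope, run levels that are not cumulative, and "Run Action from Event" needing a run-level permission as well. The `Role` and `User` classes, the function names and the sample users and applications are assumptions; only the permission names come from the page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permission names are taken from this page; the classes and functions are
# hypothetical and only model the rules the page states.
RUN_LEVEL = {
    "Operator": "Run Operator Actions",
    "Power User": "Run Power User Actions",
    "Administrator": "Run Administrator Actions",
}

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    app: Optional[str] = None  # None = global role, else the owning application

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

def has_permission(user, permission, app=None):
    """Default deny: True only when a role explicitly bundles the permission.

    A global role applies everywhere; an application role applies only in
    its own application.
    """
    return any(
        permission in role.permissions and role.app in (None, app)
        for role in user.roles
    )

def can_run_action(user, app, level, from_event=False):
    """Run levels are not cumulative; from an event, both permissions are needed."""
    if from_event and not has_permission(user, "Run Action from Event", app):
        return False
    return has_permission(user, RUN_LEVEL[level], app)

def owner_equivalent_users(users):
    """Users holding the global permission the page equates with deleting any app."""
    return [u.name for u in users if has_permission(u, "Change application owner")]

# Constructed sample data (application and user names are invented).
payments_admin = Role("payments-admin",
                      frozenset({"Run Administrator Actions", "View Events"}),
                      app="payments")
org_admin = Role("org-admin", frozenset({"Change application owner"}))
alice = User("alice", [payments_admin])
bob = User("bob", [org_admin])
carol = User("carol")  # no roles: every check is denied

if __name__ == "__main__":
    for level in RUN_LEVEL:
        print(level, can_run_action(alice, "payments", level))
    print("owner-equivalent:", owner_equivalent_users([alice, bob, carol]))
```

Running `owner_equivalent_users` over an export of role memberships gives a quick review list for the one permission the page flags as granting full rights over any application.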
4 Global permissions
AGENTS
APPLICATIONS
EVENTS
LOGS
NODES
ORGANISATION
STORM RULES
View All | The user can view storm rules | |
Manage All | The user can create and edit storm rules |
POLICIES
USERS
DASHBOARDS
Manage all | Can be used in conjunction with the application "View all" global permission to empower a user to enter any application and modify the dashboards. |
5 Application permissions
ACTIONS
EVENTS
NODES
Manage Node Groups | x | |
Add Node to Node Group | x | |
Link Policy Group to Node Group | x | |
Link Action Group to Node Group | x | |
Remove Node from Application | x | |
Run action from Node | x |
POLICIES
View Policies | x | |
Manage Policies | x | |
Manage Policy Groups | x | |
Add Policy to Policy Group | x | |
List Policies on a Node | x | |
Deploy Policies | x | |
Assign Action to Policy | x | |
Manage Node Overrides | x |
USERS
Manage User Groups | x | |
Add User to User Group | x | |
Add / Remove user to Application | x | |
Add User to Application Role | x | |
Edit Application Role Permissions | x |
DASHBOARDS
Manage Dashboards | x |
5.1 Owner
The role of owner has permanent permissions that cannot be revoked. Even if all roles are lost to everyone else, the owner is still able to access the ones below. Once the role of owner is given to another user, it cannot be taken back. If the role of owner is somehow lost to an organisation, contact Veloopti.
Description | Location | |||||
---|---|---|---|---|---|---|
Permissions | URL | Global options | Context options | Item options | Button | Other |
Change Owner | ap1.veloopti.com.au/organisation/index/special | Yes | ||||
Change Billing Administrator | ap1.veloopti.com.au/organisation/index/special | Yes | ||||
Edit Global and Application Role Permissions | ap1.veloopti.com.au/permissions | Menu item | ||||
Add Users to Global and Application Roles | ap1.veloopti.com.au//roles/index/ | Menu item |