I recently worked with a customer on the following use case. They've successfully integrated Active Directory logins with Foglight and wish to match up an AD Group with a group on the Databases dashboard in order to implement User Level Access (ULA). It should just work - when a new AD user logs in to Foglight, the group(s) they belong to should limit the instances they see on the Databases home page to the matching database group.
But it wasn't working.
We found out that when a user is created (either native Foglight user or AD import), ULA by default sets all instances to visible at the user level, regardless of security group membership. In essence, the user would see all instances.
Now to figure out a fix. Within 9 hours of passing this to our R&D team, we had something to implement!
Let's take it from the top, on how you start with creating a user, assigning groups and roles, then mapping those in the Databases dashboard for ULA.
But first, the fix. We have to first implement the fix before creating / importing users.
We need to set a registry variable that controls the behaviour by default of whether "All" or "None" is set for each user upon creation in ULA.
Search for "user_level" then modify the variable "User_Level_Access_New_User" by clicking "All" in the Global Default column. On the next screen, you can change it to None .
Next, we'll go to User Management to create a user and a group. The order doesn't matter. You can create a group and then assign it when you create the user or vice versa. In the case of LDAP (AD) integration, this step is automated. Users and their groups get imported upon setup/login.
In this example, I created a group called "DB_Prod" and a user called "darrenM".
You can also assign roles directly to users, or use groups as a proxy. Roles generally control the dashboard access (every dashboard has 1 or more allowed roles) and functions that can be performed (Administration, clearing an alarm, etc.)
For quick reference on roles to add:
- General Access and Console User to see Databases Dashboard, drill into data (eg. SQL PI)
- Add Operator to see Alarms dashboard, click on Alarms (no clear or ack)
- Add Advanced Operator to clear/ack alarms
Since every user will be assigned to the "Foglight Users" group as a default, you can assign roles to that group, another group, or to the user. This is what my new user "darrenM" looks like after creation.
Moving right along, we'll go to the Database dashboard. We'll have to create at least 1 group, and assign an instance to it. I'm going to create a DB group named "DB_Prod" - it doesn't need to match up to the security group. I've put in a Sybase dataserver and a SQL RDS instance so they're easy to remember.
Next, we'll go to Settings -> User Level Access and match up the security group to the DB group.
Ok, one more thing before testing. Let's take a look at the user "darrenM" on the Users tab of ULA. All of the instances are showing "0", a result of our registry variable setting. The user has not logged in either.
I'll use a different browser so I don't have to log out of my Foglight server with my admin credentials. Hopefully, that user only sees a single Sybase and SQL RDS instance.
It mostly works. We have an enhancement request to add "Azure SQL DB" to user-level access, but if you don't have Azure SQL DB no need to wait for that.
The key is to set the registry variable first, before creating users or importing AD users.
To take a deeper dive with Foglight in your environment, you can try it out by downloading the installer here.