All users of the Tideway Foundation system must be a member of one or more groups. Membership of groups defines the various Foundation modules that a user is entitled to access. For example, users defined as members of the System group are able to create and edit user details, while members of the Public group cannot access these areas.
To log in, a user must be in a group that has the permissions security/user/passwd, appserver/login and appserver/module/home. Only four default groups have these permissions: readonly, public, system and admin. Every user must be a member of one of these four groups, or of a custom group that has at least these permissions.
For example, a user who is only in the discovery group cannot log in. A user who needs access to the discovery commands should therefore be placed in both the discovery and public groups.
The Foundation Administrator is responsible for setting up details of all the user groups in the Foundation system.
Each group is a collection of permissions. Permissions control granular access to Tideway Foundation modules and are described in Group Permissions.
Security Groups
The default user groups and their security access rights are as follows:
- admin - These users have the highest level of customer access to the system.
- appmodel - These users can write and edit patterns, and create nodes to model business applications. They cannot view credentials but can run discovery (in order to test patterns).
- appscan - These users have access to all of the discovery-related data. They can start and stop discovery, add and remove credentials, and enable or disable audit logging.
- cmdb-export-administrator - These users have access to all of the export-related data. They can build, modify, delete and run Exporters.
- lifecyclemanagement-administrator - These users have access to the Lifecycle Management tools. They are also able to modify and create lifecycle views.
- lifecyclemanagement-user - These users have access to the Lifecycle Management tools.
- public - These users have read/write access to all of the system although they cannot access the discovery credentials.
- readonly - These users have read-only access to the system, but cannot view the credentials used to access target hosts.
- system - These users have full access to the system.
- unlocker - These users are able to unlock and unblock user accounts which have been locked or blocked after exceeding the number of permitted authentication failures. See Managing Security Policies for more information.
To List All Current Groups
- From the Security section of the Administration tab, select Groups. The Groups page is displayed. This page lists all the current groups and allows you to edit details, delete groups or create a new group.
Creating a New Group
- From the Groups page, click the Add... button at the bottom of the page. The Add Group page is displayed. The page is arranged into functional areas, each subdivided into columns. From left to right the columns are:
  - Wildcard – items which, when checked, select a number of permissions at once. When you mouse over a wildcard permission, it and the permissions it applies are highlighted.
  - Read – read permissions relating to the functional area.
  - Write – write permissions relating to the functional area.
  - Misc – miscellaneous permissions relating to the functional area, such as appliance reboot.
- Enter a Name for the new group.
- Select the checkboxes that indicate the Foundation modules that members of this user group are allowed to access. The * wildcard matches anything, so selecting this checkbox gives unrestricted access to everything in the system.
- Click OK to save the changes.
Once the group is set up you can add users. See Managing System Users.
Amending a Group's Details
You can change a group name and the modules that group members can access. The access defined by the group membership will apply the next time users in this group log in.
- From the Groups page, click the Edit button next to the group. The page is redisplayed showing editable fields.
- Amend or overwrite the Name field.
- Select one or more checkboxes corresponding with the Foundation modules that members of this group can access.
- Click OK to save the changes.
Deleting a Group
You can delete any group that you created yourself. You cannot delete the public or system groups.
- From the Groups page, click the Delete button next to the group to be deleted. There is no confirmation.
Group Permissions
The following table shows the permissions assigned by default to each group in Tideway Foundation. The individual permissions are described in System Group Permissions by Category.
| Group Name | Permissions |
|---|---|
| admin | * |
| appmodel | admin/category/createmodify<br>admin/log/info<br>admin/log/read<br>model/audit/purge<br>reasoning/events/read<br>reasoning/events/write<br>reasoning/pattern/config<br>reasoning/pattern/execute<br>reasoning/pattern/quickload<br>reasoning/pattern/write<br>reasoning/ranges/once<br>reasoning/ranges/read<br>reasoning/ranges/rescan<br>reasoning/ranges/write<br>reasoning/start<br>reasoning/startstop<br>reasoning/stop<br>ui/report/admin<br>vault/open |
| cmdb-export-administrator | admin/cmdb-exporter<br>vault/close<br>vault/credential_types/read<br>vault/credential_types/write<br>vault/credentials/read<br>vault/credentials/write<br>vault/open |
| discovery | consolidation/consolidation/write<br>consolidation/discovery/write<br>consolidation/read<br>discovery/credentials/test<br>discovery/filters/read<br>discovery/filters/write<br>discovery/kslave/read<br>discovery/kslave/write<br>discovery/options/read<br>discovery/options/write<br>discovery/platforms/read<br>discovery/platforms/write<br>discovery/port/settings<br>model/audit/purge<br>reasoning/danger/read<br>reasoning/danger/write<br>reasoning/events/read<br>reasoning/events/write<br>reasoning/pattern/config<br>reasoning/pattern/write<br>reasoning/ranges/once<br>reasoning/ranges/read<br>reasoning/ranges/rescan<br>reasoning/ranges/write<br>reasoning/start<br>reasoning/startstop<br>reasoning/stop<br>ssh_key/read<br>vault/credential_types/read<br>vault/credential_types/write<br>vault/credentials/read<br>vault/credentials/write<br>vault/open |
| lifecyclemanagement-administrator | lifecyclemanagement/view/browse<br>lifecyclemanagement/view/edit<br>lifecyclemanagement/view/viewcontents<br>model/datastore/partition/LifecycleManagement/read<br>model/datastore/partition/LifecycleManagement/write<br>reasoning/events/write |
| lifecyclemanagement-user | lifecyclemanagement/view/browse<br>lifecyclemanagement/view/viewcontents<br>model/datastore/partition/LifecycleManagement/read<br>model/datastore/partition/LifecycleManagement/write<br>reasoning/events/write |
| public | appserver/login<br>appserver/module/*<br>lifecyclemanagement/view/browse<br>lifecyclemanagement/view/viewcontents<br>model/audit/read<br>model/audit/write<br>model/datastore/main/read<br>model/datastore/main/write<br>model/datastore/partition/Audit/read<br>model/datastore/partition/Conjecture/read<br>model/datastore/partition/Conjecture/write<br>model/datastore/partition/DDD/read<br>model/datastore/partition/DDD/write<br>model/datastore/partition/Default/read<br>model/datastore/partition/Default/write<br>model/datastore/partition/LifecycleManagement/read<br>model/datastore/partition/LifecycleManagement/write<br>model/datastore/partition/Taxonomy/read<br>model/datastore/partition/_System/read<br>model/datastore/partition/_System/write<br>model/notification/publish<br>model/notification/subscribe<br>model/taxonomy/nodekind/read<br>model/taxonomy/relkind/read<br>model/taxonomy/rolekind/read<br>reasoning/events/write<br>reasoning/status<br>reports/read<br>reports/write<br>security/user/passwd<br>ui/dashboard/admin<br>ui/report/admin<br>ui/taxonomy/admin |
| readonly | appserver/login<br>appserver/module/*<br>lifecyclemanagement/view/browse<br>lifecyclemanagement/view/viewcontents<br>model/audit/read<br>model/audit/write<br>model/datastore/main/read<br>model/datastore/partition/Audit/read<br>model/datastore/partition/Conjecture/read<br>model/datastore/partition/DDD/read<br>model/datastore/partition/Default/read<br>model/datastore/partition/LifecycleManagement/read<br>model/datastore/partition/Taxonomy/read<br>model/datastore/partition/_System/read<br>model/datastore/partition/_System/write<br>model/notification/publish<br>model/notification/subscribe<br>model/taxonomy/nodekind/read<br>model/taxonomy/relkind/read<br>model/taxonomy/rolekind/read<br>reasoning/status<br>security/user/passwd |
| system | * |
| unlocker | security/group/read<br>security/options/read<br>security/user/activate<br>security/user/read |
System Group Permissions by Category
The system group security permissions are shown by category in the following tables.
Note: There are no permissions that restrict access to patterns. All logged in users can view patterns.
Security Permissions
The following table shows the current group permissions relating to the security operations.
| Permission | Definition |
|---|---|
| security/group/read<br>security/group/write | The user is allowed to read or write group information. |
| security/https/admin | The user is allowed to configure the HTTPS settings on the appliance. |
| security/options/read<br>security/options/write | The user is allowed to read or write options information. |
| security/user/activate | The user is allowed to unlock and re-activate accounts for other users. |
| security/user/passwd | The user is allowed to change his or her own password only. |
| security/user/read<br>security/user/write | The user is allowed to read or write user security information. |
Credential Vault Permissions
Tideway Foundation stores all passwords used to access customer devices in a credential vault which can be secured. Secure credential vaults are generated by Tideway Professional Services when the appliance is commissioned. The contents of the vault can be encrypted and secured using a passphrase.
The following table shows the current group permissions relating to the vault operations.
| Permission | Definition |
|---|---|
| vault/open<br>vault/close<br>vault/passphrase | The user is allowed to open, close, and set the passphrase for the credential vault. All three permissions are required to use the Vault Management page. |
| vault/credential_types/read<br>vault/credential_types/write | The user is allowed to read and write credential types. |
| vault/credentials/read<br>vault/credentials/write | The user is allowed to read and write credentials. |
Discovery Permissions
The following table shows the current group permissions relating to the discovery operations.
| Permission | Definition |
|---|---|
| discovery/network/scan | The user is allowed to scan the network. |
| discovery/network/probe | The user is allowed to probe the network. |
| discovery/options/read<br>discovery/options/write | The user is allowed to read and modify discovery options. |
| discovery/credentials/test | The user is allowed to test discovery credentials. |
| discovery/platforms/read<br>discovery/platforms/write | The user is allowed to read and modify the platform discovery commands. |
| discovery/host/access | The user is allowed to query a host on the network. |
| discovery/filters/read<br>discovery/filters/write | The user is allowed to read and modify sensitive data filters. |
| discovery/kslave/read<br>discovery/kslave/write | The user is allowed to view and modify the list of known discovery slaves. |
| discovery/port/settings | The user is allowed to configure port settings. |
| ssh_key/read<br>ssh_key/write | The user is allowed to view (read) or create (write) SSH keys. |
Consolidation Permissions
The following table shows the current group permissions relating to configuring consolidation and scanning appliances.
| Permission | Definition |
|---|---|
| consolidation/consolidation/write | The user is allowed to change the configuration on the consolidation appliance (set as consolidation appliance and approve scanning appliances). |
| consolidation/discovery/write | The user is allowed to add new consolidation targets to a scanning appliance. |
| consolidation/read | The user is allowed to view the consolidation setup page. |
Data Store Permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the data store operations.
| Permission | Definition |
|---|---|
| model/datastore/main/read<br>model/datastore/main/write | The user is allowed to read or write via the main user interface. |
| model/datastore/partition/*/read<br>model/datastore/partition/*/write | The user is allowed to read or write to any partition. |
| model/datastore/partition/name/read<br>model/datastore/partition/name/write | The user is allowed to read or write to the given partition. The name is one of: Audit, Conjecture, DDD, Default, LifecycleManagement, Taxonomy, _System. |
Audit Permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the audit operations.
| Permission | Definition |
|---|---|
| model/audit/read | The user is allowed to read the audit log. |
| model/audit/write | The user is allowed to write to the audit log. |
| model/audit/purge | The user is allowed to purge the audit log. |
| model/audit/admin | The user is allowed to administer the audit service. |
Reasoning Permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the reasoning operations.
| Permission | Definition |
|---|---|
| reasoning/start | The user is allowed to start reasoning. |
| reasoning/startstop | The user is allowed to start and stop reasoning. |
| reasoning/stop | The user is allowed to stop reasoning. |
| reasoning/status | The user is allowed to see reasoning status information. |
| reasoning/ranges/read | The user is allowed to view the Discovery Status page. |
| reasoning/ranges/write | The user is allowed to cancel consolidations or local scans. |
| reasoning/ranges/rescan | The user is allowed to rescan ranges. |
| reasoning/ranges/once | The user is allowed to add or remove snapshot discovery ranges. |
| reasoning/danger/read<br>reasoning/danger/write | The user is allowed to read and modify danger settings. |
| reasoning/events/read<br>reasoning/events/write<br>reasoning/events/state | The user is allowed to read and write system events. |
| reasoning/internal | An internal permission. Do not use this. |
| reasoning/pattern/config | The user is allowed to configure a pattern. |
| reasoning/pattern/edit | The user is allowed to edit patterns. |
| reasoning/pattern/execute | The user is allowed to execute patterns. |
| reasoning/pattern/quickload | The user is allowed to upload and activate patterns. |
| reasoning/pattern/write | The user is allowed to write patterns. |
Notification Permissions
All public users have access to these permissions, which are a subsystem of the model. The following table shows the current group permissions relating to the notification operations.
| Permission | Definition |
|---|---|
| model/notification/publish | The user is allowed to publish events. |
| model/notification/subscribe | The user is allowed to subscribe to events. |
Search Permissions
These permissions relate to listing and cancelling searches using the Search Management Page. See Using the Search Service for more information on viewing and cancelling searches.
| Permission | Definition |
|---|---|
| model/search/list | The user is allowed to view searches submitted by all users. |
| model/search/cancel | The user is allowed to cancel searches submitted by all users. |
Lifecycle Management Permissions
These permissions relate to the Lifecycle Management tools. The following table shows the current group permissions relating to the Lifecycle Management operations.
| Permission | Definition |
|---|---|
| lifecyclemanagement/view/browse | The user is allowed to browse lifecycle views, but may not view the contents. |
| lifecyclemanagement/view/edit | The user is allowed to modify and create lifecycle views. |
| lifecyclemanagement/view/viewcontents | The user is allowed to view the contents of lifecycle views. |
Taxonomy Permissions
These permissions are a subsystem of the model. The following table shows the current group permissions relating to the taxonomy operations.
| Permission | Definition |
|---|---|
| model/taxonomy/nodekind/read | The user is allowed to read node kind information. |
| model/taxonomy/nodekind/write | The user is allowed to write node kind information. |
| model/taxonomy/relkind/read | The user is allowed to read relationship kind information. |
| model/taxonomy/relkind/write | The user is allowed to write relationship kind information. |
| model/taxonomy/rolekind/read | The user is allowed to read role kind information. |
| model/taxonomy/rolekind/write | The user is allowed to write role kind information. |
Application Server Permissions
The following table shows the current group permissions relating to the application server operations.
| Permission | Definition |
|---|---|
| appserver/login | The user is allowed to log in to the appserver. |
| appserver/debug | The user is allowed to debug the appserver. |
| appserver/module/name | The user is allowed to access the given module. The name is one of: Application, Discovery, Home, Infrastructure, LifecycleManagement, Reports, Setup, System. |
| appserver/module/* | The user is allowed to access any module. |
| appserver/sessionaccess | The user is allowed to see sessions. |
Specific UI Permissions
The following table shows the current group permissions relating to specific user interface operations.
| Permission | Definition |
|---|---|
| ui/dashboard/admin | The user is allowed to administer the dashboard. |
| ui/datastore/admin | The user is allowed to administer the data store. |
| ui/taxonomy/admin | The user is allowed to administer the taxonomy. |
| ui/report/admin | The user is allowed to access _Report. Note that by default all admin users get this permission. |
Appliance Administration Permissions
The following table shows the current group permissions relating to the appliance administration operations.
| Permission | Definition |
|---|---|
| admin/category/createmodify | The user is allowed to create and modify categories. |
| Appliance admin operations | |
| appliance/info/read | The user is allowed to read appliance information. |
| appliance/info/write | The user is allowed to write appliance information. |
| appliance/maintenance | The user is allowed to put the appliance into maintenance mode. |
| appliance/reboot | The user is allowed to reboot the appliance. |
| appliance/reportsusage/reset | The user is allowed to reset usage information for reports. |
| appliance/restart | The user is allowed to restart the appliance. |
| appliance/shutdown | The user is allowed to shut down the appliance. |
| appliance/snapshot | The user is allowed to make snapshots and restore them to the appliance. |
| appliance/snapshot/schedule | The user is allowed to schedule snapshots. |
| Baseline | |
| baseline/admin | The user is able to change the baseline configuration. |
| baseline/read | The user is able to view the baseline configuration. |
| baseline/update | The user is able to update the baseline configuration after changes have been seen. |
| Logging | |
| admin/log/info | The user is allowed to view log information. |
| admin/log/read | The user is allowed to read log files. |
| admin/log/delete | The user is allowed to delete log files. |
| admin/loglevel/read | The user is able to read the appliance log level. |
| admin/loglevel/write | The user is able to write the appliance log level. |
| Import | |
| admin/import/ciscoworks | The user is allowed to import data using the CiscoWorks importer. |
| admin/import/csv | The user is allowed to import CSV data. |
| admin/import/hrd | The user is allowed to import Hardware Reference data. |
| Interface | |
| admin/interface/read | The user is allowed to read interface information. |
| admin/interface/write | The user is allowed to write interface information. |
| Routing | |
| admin/routing/read | The user is allowed to read routing information. |
| admin/routing/write | The user is allowed to write routing information. |
| DNS | |
| admin/dns/read | The user is allowed to read DNS information. |
| admin/dns/write | The user is allowed to write DNS information. |
| Email Configuration | |
| admin/mail/read | The user is allowed to read email configuration information. |
| admin/mail/write | The user is allowed to write email configuration information. |
| System | |
| system/settings/read | The user is allowed to read system settings. |
| system/settings/write | The user is allowed to write system settings. |
| Slave Installation | |
| admin/software/slave/download | The user is able to download and install slaves onto the local Windows host. |
The 'all' permission (*) allows the user to perform any task in Foundation. Each user has a token assigned by the security system; whenever a user requests a privilege, the security service checks the database to see whether that user has permission to carry out that particular task. However, the first check that Foundation carries out is whether the user has the * permission. If so, no further privilege checks are carried out.
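The login rule stated at the top of this page (a group must grant security/user/passwd, appserver/login and appserver/module/home) and the privilege-check order described just above (the * permission short-circuits everything else) can be modelled in a few lines. The following Python is an added example written for this page; it is not Tideway Foundation code and does not reproduce the appliance's real security service. The admin, system, readonly and unlocker group definitions are copied from the default-group table on this page; the partition-reader group is constructed to exercise the partition wildcard. Beyond what the page states, it assumes that a permission name is a '/'-separated path, that a '*' segment matches exactly one segment of the requested name (so appserver/module/* covers appserver/module/home and model/datastore/partition/*/read covers any partition), and that matching is otherwise exact and case-sensitive.

```python
"""Model of Tideway Foundation style group permission checks (added example)."""
from typing import Dict, Iterable, List, Set

# Copied from the default-group table on this page (exact lists).
DEFAULT_GROUPS: Dict[str, Set[str]] = {
    "admin": {"*"},
    "system": {"*"},
    "readonly": {
        "appserver/login", "appserver/module/*",
        "lifecyclemanagement/view/browse", "lifecyclemanagement/view/viewcontents",
        "model/audit/read", "model/audit/write", "model/datastore/main/read",
        "model/datastore/partition/Audit/read",
        "model/datastore/partition/Conjecture/read",
        "model/datastore/partition/DDD/read",
        "model/datastore/partition/Default/read",
        "model/datastore/partition/LifecycleManagement/read",
        "model/datastore/partition/Taxonomy/read",
        "model/datastore/partition/_System/read",
        "model/datastore/partition/_System/write",
        "model/notification/publish", "model/notification/subscribe",
        "model/taxonomy/nodekind/read", "model/taxonomy/relkind/read",
        "model/taxonomy/rolekind/read", "reasoning/status",
        "security/user/passwd",
    },
    "unlocker": {
        "security/group/read", "security/options/read",
        "security/user/activate", "security/user/read",
    },
}

# Constructed custom group (not on the page) using the partition wildcard.
CUSTOM_GROUPS: Dict[str, Set[str]] = {
    "partition-reader": {"model/datastore/partition/*/read"},
}

ALL_GROUPS: Dict[str, Set[str]] = {**DEFAULT_GROUPS, **CUSTOM_GROUPS}

# The three permissions the page says a group must grant before login works.
LOGIN_REQUIRED = ("security/user/passwd", "appserver/login", "appserver/module/home")


def permission_matches(granted: str, requested: str) -> bool:
    """True if the granted permission name covers the requested one.

    Assumption: a bare '*' covers everything; otherwise names are compared
    segment by segment and a '*' segment matches exactly one segment.
    """
    if granted == "*":
        return True
    g_parts, r_parts = granted.split("/"), requested.split("/")
    if len(g_parts) != len(r_parts):
        return False
    return all(g == "*" or g == r for g, r in zip(g_parts, r_parts))


def effective_permissions(user_groups: Iterable[str], groups=ALL_GROUPS) -> Set[str]:
    """Union of the permissions granted by every group the user belongs to."""
    perms: Set[str] = set()
    for name in user_groups:
        if name not in groups:
            raise ValueError(f"unknown group: {name}")
        perms |= groups[name]
    return perms


def has_permission(user_groups: Iterable[str], requested: str, groups=ALL_GROUPS) -> bool:
    """Privilege check in the order the page describes: '*' first, then a lookup."""
    perms = effective_permissions(user_groups, groups)
    if "*" in perms:  # the 'all' permission ends the check immediately
        return True
    return any(permission_matches(p, requested) for p in perms)


def missing_login_permissions(user_groups: Iterable[str], groups=ALL_GROUPS) -> List[str]:
    """Login permissions the user's groups do not grant (empty means login works)."""
    return [p for p in LOGIN_REQUIRED if not has_permission(user_groups, p, groups)]


def can_log_in(user_groups: Iterable[str], groups=ALL_GROUPS) -> bool:
    return not missing_login_permissions(user_groups, groups)


def groups_granting(requested: str, groups=ALL_GROUPS) -> List[str]:
    """Which groups grant a permission: the review an administrator runs before
    handing out a sensitive one such as vault/credentials/read."""
    return sorted(name for name in groups if has_permission([name], requested, groups))


if __name__ == "__main__":
    for members in (["unlocker"], ["unlocker", "readonly"], ["admin"]):
        print(members, "login:", can_log_in(members),
              "missing:", missing_login_permissions(members))
    print("groups that can read credentials:", groups_granting("vault/credentials/read"))
```

Running the module shows that a user who is only in the unlocker group cannot log in (all three login permissions are reported missing), that adding the readonly group fixes this because appserver/module/* covers appserver/module/home, and that only the two * groups in the embedded table can read vault credentials. The groups_granting helper is the useful defensive check here: run it over the full table before creating a custom group, so that a wildcard such as model/datastore/partition/*/read is granted deliberately rather than by accident.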