Adding users

Overview

Right after installation, the only user that exists in the system is the first and main central administrator or admin user. The admin user has unrestricted access to all data available in both the Portal and the Finder. Moreover, the admin user is able to create and modify all kinds of content in the system, including dashboards, investigations, categories, alerts and user accounts.

You may want to let other people log in to the system and use it without giving them all the capabilities of the admin user. The admin user can therefore create accounts for other users, restrict their views on the data and limit their ability to alter content. This section explains how to add users to the system and control their access to the recorded data.

Account update considerations

Beware that changes to accounts and their permissions may not take immediate effect on logged-in users.

Users logged in to the Finder or to the Portal keep the permissions that they had before the change for the lifetime of their session. For users of the Web API (NXQL), the old permissions remain in force for up to five minutes after the change, until the Engine synchronizes account information with the Portal.

Defining user roles

The roles attributed to a user determine how the user interacts with the system. The tasks of the users of the system depend on their responsibilities. Roles let you group the elements that allow users to carry out the tasks that are assigned to them. Using roles, you can specify the modules that the users playing that role can see in the Portal, the investigations that they are able to run in the Finder, and the alerts that they must be aware of.

To incorporate elements into a role, first create these elements in the Finder. It is not essential to have all the elements ready before defining a role. You can start by creating the role and edit it later to add the missing elements.

To define a new role:

  1. Log in to the Portal as administrator.
  2. Click the ADMINISTRATION drop-down menu at the top of the window.
  3. Select the option Roles to open the dashboard for editing roles.
  4. Click the plus sign at the top right hand side of the dashboard to open the wizard for adding a new role.

Step 1: Adding modules

  1. Type in the name of the new role in the Name field.
  2. Optional: Click Add module to add an existing module of the Portal to the role. A dialog to choose the module pops up.
    1. Select a module from the list labeled Module.
    2. Click Add. The dialog closes and the selected module is added to the Modules list of the role.
  3. Repeat the previous step to add as many modules as the role needs.
  4. Click Next to go on with the next step of the wizard.

Step 2: Adding service-based alerts

  1. Optional: Click Add alert to include service-based alerts in the role. A dialog to specify the alerts pops up.
    1. Select a service-based alert from the list labeled Alert.
    2. Optional: Click yes in the Mandatory section to force the subscription to the alert of all users with the current role. By default, the alert is not mandatory.
    3. Click Ok.
  2. Repeat the previous step to add as many alerts as the role needs.
  3. Click Next.

Step 3: Adding investigations

  1. Optional: Click Add investigation to share existing investigations with all users who have the current role assigned. A dialog to specify the investigation pops up.
    1. Export an investigation or a folder of investigations from the Finder to the clipboard.
    2. Paste the contents of the clipboard on the dialog of the wizard.
    3. Click Add. The dialog to paste the investigation closes and the investigation is added to the Investigations list of the role.
  2. Repeat the previous step to add as many investigations as the role needs.

Step 4: Adding one-click investigations

  1. Optional: Export a pack with all the one-click investigations that you want to add to the role from the Finder.
    1. Paste the pack of one-click investigations on the dialog of the wizard.
  2. Click Next.

Step 5: Adding investigation-based alerts

  1. Optional: Click Add alert to include investigation-based (Finder) alerts in the role. A dialog to specify the alert pops up.
    1. Export an alert or a folder of alerts from the Finder to the clipboard.
    2. Paste the contents of the clipboard on the dialog of the wizard.
    3. Click Add. The dialog to paste the alert closes and the alert is added to the Alerts list of the role.
      • The syslog notification mechanism of global alerts is local to the Engine where the global alert was created and, therefore, not propagated to other Engines via roles. If you add a global alert with syslog notification enabled to a role, only the email notification mechanism is propagated to the users with that role.
  2. Repeat the previous step to add as many alerts as the role needs.
  3. Click Finish to end the wizard. The new role is added to the list of the Roles dashboard.

Defining user profiles

The profile of a user defines the type of user, the access rights of the user to the different domains of a hierarchy (both as a viewer and as administrator, if applicable) and to the functions of the Finder. Moreover, you can associate one or multiple roles to a profile. Thus, users are able to play any of the roles associated to their profile, along with any other possible role that you may additionally assign to them.

Profile types

There are three main types of profiles:

User
This profile is intended for users who only have the right to view information, both in the Portal and, optionally, in the Finder. They are able to see only the data that belongs to their view domain (a subset of the available hierarchies), possibly limited by privacy settings as well.
Administrator
In addition to viewing information, users with an Administrator profile can publish modules and manage Portal components. The view domains and administrative domains of an Administrator may be different for each hierarchy. Optionally, Administrators can have the right to create other user accounts.
Central administrator
This profile defines a special kind of Administrator who has access to all hierarchies and the right to create and modify profiles and hierarchies. Only a central administrator can configure the license and the connections to the Engines.

See here the complete matrix of access rights and permissions.

To create a new profile:

  1. Log in to the Portal as central administrator.
  2. Click the ADMINISTRATION drop-down menu at the top of the window.
  3. Select the option Profiles to open the dashboard for editing profiles.
  4. Click the plus sign at the top right hand side of the dashboard to add a new profile. The wizard to add a new profile opens.

Step 1: Choosing the type of account

  1. Type in a name for the new profile in the field labeled Profile name.
  2. Select one of the three types of accounts from the choice Account type.
    • Select User if the profile is intended for users without administrative tasks.
      • Optional: Uncheck the box Allow creation of personal dashboards to prevent users with the current profile from creating their own modules and dashboards. By default, the box is checked, allowing the users to create Portal content.
    • Select Administrator if the profile is intended for users with administrative tasks.
      • Optional: Uncheck the box Allow creation of user accounts to prevent the administrative user from creating new accounts. By default, the box is checked, allowing administrators to create new accounts.
    • Select Central administrator to create users that can administer the whole system in the same way as the admin user, except for the fact that you can restrict what they see in their data privacy settings.
  3. In the section Available metrics, choose the group of metrics that users with the current profile may use to build their own dashboards and see in dashboards created by others:
    • Select All metrics for the user to be able to see and use any of the metrics in the system. This option is mandatory if the user must be able to edit metrics (see step 4).
    • Select Only metrics in roles for the user to be able to see and use only those metrics which are part of their roles; that is, metrics embedded in the modules added to their roles. This is the only option available if the user has no right to create dashboards.
  4. Click Next to go on with the next step of the wizard.

Step 2 (Administrator profile only): Select administration domain

If you chose to create a profile of the type Administrator in the previous step, set its administration rights now. If you chose to create a profile of the type Central administrator instead, this step is skipped, since the administration rights of central administrators are not limited.

  1. In the field Administration domain, select a hierarchy in the first field, a level in the second and a node in the third. The profile will have administrative rights over the selected node and all the nodes below it in the hierarchy.
    • Leave the top node of the administration domain undefined by choosing ---parameter--- from the list. Define the top node of the administration domain individually for each user when creating their user account.
  2. Optional: If you checked the option Accounts creation in the previous step, select now the profiles that an Administrator with this profile can assign to the user accounts that he creates. Use the Ctrl key while clicking the names of the profiles in the list Profiles available for accounts creation to select more than one profile. If no profile is selected, the Administrator will not be able to create user accounts.
  3. Click Next.

Step 3: Set privacy settings, roles and view domain

This is step 2 if you chose a user or central administrator profile.

  1. Select the Data privacy settings for the profile:
    • anonymous users, devices, destinations and domains: user accounts with this profile cannot see the names of users, devices, destinations, or domains.
    • anonymous users and devices: user accounts with this profile can see neither the names of users nor of devices.
    • anonymous users: user accounts with this profile cannot see the names of users.
    • none (full access): user accounts with this profile have full access to the collected data.
  2. Select the roles of the profile by clicking their name in the Role(s) list. Use the Ctrl key to select several roles at the same time. The investigations, alerts, modules, etc. attributed to the selected roles are inherited by the profile.
  3. Specify the view domain of the profile for each defined hierarchy. Users with the current profile can only view the objects grouped in the specified domain:
    1. In the from field, select the highest level in the hierarchy that belongs to the view domain.
    2. In the Node field, either:
      • Choose the top node of the view domain from the available nodes of the level. This node and all the nodes below it belong to the view domain, down to the level specified in the next step.
      • Leave the top node undefined by choosing --parameter-- from the list. Define the top node of the view domain individually for each user when creating their user account.
    3. In the to field, select the lowest level in the hierarchy that belongs to the view domain.
  4. Click Next.

Step 4: Set Finder access

This is step 3 if you chose a user or central administrator profile. If you want the users with the current profile to be able to access the Finder:

  1. Check the box Finder access.
  2. Select the time zone of the user.
  3. Optional: Check the box Allow edition of application and object tags if you want the users with the current profile to be able to manually modify the tags of objects in the Finder.
  4. Optional: Check the box Allow system configuration if you want the users with the current profile to be able to edit categories, services, metrics, scores, campaigns, and global alerts, as well as import and export content, or manually synchronize users and devices with Active Directory. You can only select this option if you gave full access to the profile in the privacy settings of the previous step.
  5. Optional: Check the box Allow management of web API for users with the profile to be able to publish and edit web API investigations in the Finder. The profile must have full access in the privacy settings, a top view in at least one of the hierarchies defined, and full Web & Cloud visibility (see below) to be eligible for the management of the web API.
  6. Optional: Check the box Allow management of Collectors if you want the users with the current profile to be able to follow and control the deployment of the Collector from the Finder. Again, you can only select this option if you gave full access to the profile in the privacy settings of the previous step.
  7. Optional: If you have purchased the Web & Cloud module, set the visibility level of the users with the current profile to restricted or full in the list under Web & Cloud visibility.
  8. Click Finish to end the creation of the profile. The profile is added to the list of profiles in the dashboard.
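
The profile wizard enforces several dependencies between the privacy setting, the available metrics and the Finder options described in steps 1 to 4. The following added example (not Nexthink code) checks a planned profile against those stated rules before you enter it in the Portal; the PlannedProfile record, its field names and the sample plans are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FULL_ACCESS = "none (full access)"  # data privacy label from Step 3

@dataclass
class PlannedProfile:
    # Hypothetical planning record: field names are assumptions, not product identifiers.
    name: str
    account_type: str = "User"  # "User", "Administrator" or "Central administrator"
    privacy: str = FULL_ACCESS
    available_metrics: str = "All metrics"  # or "Only metrics in roles"
    personal_dashboards: bool = True
    create_accounts: bool = False
    assignable_profiles: list = field(default_factory=list)
    has_top_view: bool = False  # top view in at least one hierarchy
    web_cloud_visibility: str = "restricted"  # or "full"
    system_configuration: bool = False
    web_api_management: bool = False
    collector_management: bool = False

def check_profile(p):
    """Return the wizard rules that the planned profile breaks (empty list if none)."""
    problems = []
    full = p.privacy == FULL_ACCESS
    if p.system_configuration and not full:
        problems.append("system configuration needs full-access privacy")
    if p.collector_management and not full:
        problems.append("Collector management needs full-access privacy")
    if p.web_api_management:
        if not full:
            problems.append("web API management needs full-access privacy")
        if not p.has_top_view:
            problems.append("web API management needs a top view in one hierarchy")
        if p.web_cloud_visibility != "full":
            problems.append("web API management needs full Web & Cloud visibility")
    if p.system_configuration and p.available_metrics != "All metrics":
        problems.append("editing metrics needs All metrics")
    if not p.personal_dashboards and p.available_metrics != "Only metrics in roles":
        problems.append("without dashboard creation, only metrics in roles is available")
    if p.account_type == "Administrator" and p.create_accounts and not p.assignable_profiles:
        problems.append("account creation is on but no profile can be assigned")
    return problems

# Constructed sample plans, not taken from a real deployment.
HELPDESK = PlannedProfile("helpdesk", privacy="anonymous users",
                          system_configuration=True, web_api_management=True)
SITE_ADMIN = PlannedProfile("site-admin", "Administrator", create_accounts=True,
                            assignable_profiles=["helpdesk"], collector_management=True)

if __name__ == "__main__":
    for plan in (HELPDESK, SITE_ADMIN):
        print(plan.name, check_profile(plan) or "consistent with the wizard rules")
```

An empty result only means the plan is consistent with the dependencies stated on this page; it does not judge whether the granted rights are appropriate for the person.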

Creating a user

After creating roles and profiles for users, create the user accounts that make use of them.

To create a user account:

  1. Log in to the Portal as central administrator, or as administrator with account creation rights.
  2. Click the ADMINISTRATION drop-down menu at the top of the window.
  3. Select the option Accounts to open the dashboard for editing accounts.
  4. Click the plus sign in the top right corner of the dashboard. The wizard to create a new user account shows up.

Step 1: Setting personal data and profile

Nexthink supports user authentication either internally or through Active Directory.

  1. Type in the name of the user:
    • To use internal authentication, type in the desired account (login) name of the user in the field Username.
    • To authenticate users through Active Directory, type in the sAMAccountName of the user followed by the @ character and the DNS domain name in the field Username. Note that this field is case sensitive. Therefore, the name of the Nexthink account must exactly match the sAMAccountName in Active Directory.
  2. Type in the complete name of the user in the field Full name.
  3. Configure the email address for sending notifications to the user in the field Email address.
  4. Type in a password for the user in the field Password and retype it in Password confirmation.
  5. Select the profile of the user from the list Profile. The user gets all the permissions, default content and roles associated to the profile.
    • If the selected profile does not define a particular top node for the administration or view domains of the users with that profile (because one of the two domains or both are parameterized), select now the top nodes of those domains individually for the current user.
  6. Optional: tick the check box Never automatically sign out this account from Portal when active if you want to override the session timeout control configured in the Portal and never log out the user from the Portal while active. Note that having a live view on a service keeps a user active even without actual user interaction.
  7. Click Next.

Step 2: Setting additional roles

  1. Optional: If you want the user account to inherit content from one or more roles that do not belong to its assigned profile, select the desired roles from the list Additional roles. Use the Ctrl key to select more than one.
  2. Click Ok to end the creation of the user account. The account is added to the list of accounts in the dashboard.