Overview
This page reviews system administration for the GroundWork Monitor portal including user accounts, access and permissions, and portal page management.
1.0 About System Administration
Basic Administration: This documentation is intended to guide Administrators through tasks such as adding new staff, changing passwords, and adding custom pages, portlets and permissions. For advanced administration, please contact GroundWork Support.
Best Practice: Back up JBoss prior to making administration changes.
Authentication vs. Authorization
- Authorization refers to rules which determine who is allowed to do what (e.g., userA is authorized to create and delete dashboards, while userB is only authorized to read).
- Authentication is the process of ascertaining that somebody really is who he claims to be.
- The two concepts are completely independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.
- In Web application terms, authentication is checking the login credentials to establish that you recognize the user as logged in, and authorization is consulting your access control rules to decide whether that user may edit, delete or create content.
The default identity store for GroundWork Monitor is the database (DB): all users, groups, roles, and memberships are persisted in the jboss-idm database. It is recommended to access this database through the APIs when needed, with the help of GroundWork Support.
GroundWork delegates the authentication module to Java Open Single Sign On (JOSSO). JOSSO consists of two main components, the JOSSO Gateway and the JOSSO Agent. The JOSSO Gateway is an application running on Tomcat (port 8888) in its own JVM; the GroundWork portal runs on JBoss (port 8080) in a separate JVM. The login page is served by the JOSSO Gateway module. The JOSSO Gateway is configured in josso-gateway-config.xml to talk to the DB or to LDAP. Once JOSSO has performed the authentication, the system relays the result to JBoss, which performs the authorization part. For GroundWork Monitor, a successful login leads to a landing page. Before JBoss shows the landing page, it checks whether the user has the privilege to access that page as well as the nodes.
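The two-step flow above (the gateway establishes who the caller is, then the portal decides which pages that identity may open) as an added Python example; this is not GroundWork or JOSSO code. The in-memory identity store, the passwords, and the role-to-page map are constructed for the example and only stand in for the jboss-idm database and the portal's page permissions.

```python
"""Added example: authentication and authorization as two independent checks.
The identity store, passwords and role-to-page map are constructed here
and are not GroundWork's real data or API."""
import hashlib
import hmac
import os
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, group: str, role: str, membership: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "group": group, "role": role, "membership": membership}


# Constructed identity store standing in for the jboss-idm database.
IDENTITY_STORE = {
    "user": make_user("user-pw", "Users", "GWUser", "gw-portal-user"),
    "admin": make_user("admin-pw", "GroundWork Administrators", "GWAdmin",
                       "gw-monitoring-administrator"),
}

# Constructed role -> portal page map (which pages a role may open).
ROLE_PAGE_ACCESS = {
    "GWUser": {"Dashboards", "Status", "Views"},
    "GWAdmin": {"Dashboards", "Event Console", "Status", "Views",
                "Reports", "Configuration", "GroundWork Administration"},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Gateway step: return the verified username, or None on failure.
    The hash comparison is constant-time so timing does not reveal which
    part of the check failed."""
    record = IDENTITY_STORE.get(username)
    if record is None:
        # Burn a hash anyway so unknown and known usernames take similar time.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return username


def authorize(username: str, page: str) -> bool:
    """Portal step: may this already-authenticated user open the page?
    Decided purely from the role that the user's group ID grants."""
    record = IDENTITY_STORE[username]
    return page in ROLE_PAGE_ACCESS.get(record["role"], set())


def open_page(username: str, password: str, page: str) -> str:
    """Full login flow: authentication first, authorization second."""
    who = authenticate(username, password)
    if who is None:
        return "login failed"      # never says whether the username exists
    if not authorize(who, page):
        return "access denied"     # authenticated, but not permitted here
    return f"{page} shown to {who}"


if __name__ == "__main__":
    print(open_page("user", "user-pw", "Status"))
    print(open_page("user", "user-pw", "Configuration"))
    print(open_page("user", "wrong", "Status"))
```

Note that a correct password with an insufficient role still ends in "access denied", while a wrong password never reaches the authorization step at all; keeping the two decisions in separate functions is what makes each one independently testable.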
2.0 GroundWork Monitor Portal Structure
In the JBoss portal, a node is a collection of one or more pages. A node itself can have a page. For example, Dashboards is a node, where Summary, Grafana, Enterprise View are pages for that node.
Figure: Node and pages
The Dashboards node itself duplicates portlets from the Summary page and has its own page; this is the landing page for the stock GroundWork Monitor Enterprise 7.x.x.
Figure: Dashboards as node with Summary portlets
A portal group is a logical collection of users. This concept is new in GroundWork Monitor 7.x, as it is inherited from JBoss Portal Platform (JPP6). Group Management is available to Portal Administrators and GroundWork Administrators and is found under Group > Organization > User and Group Management > Group Management. Since GroundWork Monitor 7.0, a user should be associated with a portal group and a membership. A membership describes MSP restrictions, actions and dashboard restrictions. In the JBoss portal, a role and a membership have to be defined to restrict any portal object (node, pages, portlet, container).
This image shows what an access permissions page looks like for a portal object.
Figure: Access permissions
The image below illustrates the difference between a node, a sub-node and a page. Configuration is a node with Services as one of its underlying pages; Maintenance is a Configuration sub-node with Device Cleanup as one of its underlying pages.
Figure: Nodes, sub-nodes, pages
A user can belong to any membership, and the combination of a portal group and a membership defines the privileges for a portal object.
The portal is very flexible in terms of defining privileges for a role or group. The image below shows a sample portal layout with a container, a portlet and a page. A container is a canvas on which to place one or more portlets. A page can have one or more portlets or containers. Permissions can be set at many levels: page level, container level, portlet level or application level.
Figure: Permission components
3.0 Users, Groups, Roles, Memberships
A fresh GroundWork Monitor installation includes default system users, groups, roles, and memberships.
A system account is made up of a user which is part of a group and is associated with a group ID (role) and a membership. A group ID (role) allows the user specific portal access and permissions, while a membership defines the privileges relating to what can be done once access is obtained. A group is a logical collection of users.
Let's take a look at one of the default accounts:
- User: user
- Group: Users
- Role: GWUser
- Membership: gw-portal-user
Figure: Default system account user
With further inspection, using the table below, the user account has role access to only the Dashboards, Status, and Views portal pages, and its membership privileges are to link to Status from all Dashboards, to use the Actions portlet in Status, and to access all host groups and service groups. At the application level, each GroundWork-integrated PHP/Perl application (such as monarch, cacti, nagvis, nagios, BSM, weathermap and nedi) has its own application-level permissions. These apps each have their own web.xml file, which carries the params displayed below. This permission states that only the roles named GWAdmin or GWOperator have access to the application page. Since we IFrame the application in the portal, this application-level check prevents anonymous access to the application URL.
```xml
<init-param>
  <param-name>AUTHORIZED_ROLES</param-name>
  <param-value>GWAdmin,GWOperator</param-value>
</init-param>
```
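To check what such an AUTHORIZED_ROLES entry actually admits, here is an added Python example (not GroundWork code and not the servlet filter the applications use) that parses a web.xml fragment with the standard library and applies the same rule: a caller is served only if they hold at least one listed role, so an anonymous caller with no roles is refused even if they know the IFrame'd application URL. The surrounding `<web-app>`/`<servlet>` wrapper and the sample callers are constructed for the example; only the init-param itself comes from the page.

```python
"""Added example: the application-level role gate expressed by the
AUTHORIZED_ROLES init-param. The web.xml wrapper and the sample callers
below are constructed; the init-param values are the ones on the page."""
import xml.etree.ElementTree as ET
from typing import Iterable, List, Set, Tuple

# Constructed web.xml fragment wrapping the init-param shown above.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>app</servlet-name>
    <init-param>
      <param-name>AUTHORIZED_ROLES</param-name>
      <param-value>GWAdmin,GWOperator</param-value>
    </init-param>
  </servlet>
</web-app>"""


def authorized_roles(web_xml: str) -> Set[str]:
    """Return the role names listed in the AUTHORIZED_ROLES init-param.
    Whitespace around each name is ignored. A missing param yields an
    empty set, which denies everyone rather than silently allowing all."""
    root = ET.fromstring(web_xml)
    for param in root.iter("init-param"):
        name = (param.findtext("param-name") or "").strip()
        if name == "AUTHORIZED_ROLES":
            value = param.findtext("param-value") or ""
            return {r.strip() for r in value.split(",") if r.strip()}
    return set()


def is_authorized(user_roles: Iterable[str], allowed: Set[str]) -> bool:
    """Fail closed: no roles (anonymous) or no overlap with the list means denied."""
    return bool(set(user_roles) & allowed)


def check_requests(web_xml: str,
                   requests: Iterable[Tuple[str, List[str]]]) -> List[str]:
    """Evaluate (caller, roles) pairs against the web.xml; one decision line each."""
    allowed = authorized_roles(web_xml)
    return [
        f"{name}: {'allowed' if is_authorized(roles, allowed) else 'denied'}"
        for name, roles in requests
    ]


# Constructed callers: the default accounts from this page plus an anonymous hit.
SAMPLE_REQUESTS = [
    ("anonymous", []),
    ("user", ["GWUser"]),
    ("operator", ["GWOperator"]),
    ("admin", ["GWAdmin"]),
]

if __name__ == "__main__":
    for line in check_requests(WEB_XML, SAMPLE_REQUESTS):
        print(line)
```

The useful property to keep when reviewing a real web.xml is the fail-closed default: an application whose AUTHORIZED_ROLES param is missing or empty should deny every caller, because the IFrame in the portal is the only thing standing between the application URL and the network otherwise.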
The GroundWork Administrator admin/admin can control the various membership permissions and restrictions. A Portal Administrator root/root can control the portal pages that are accessible to this user. It is important to note that, by default, new users are created within the Users group with the GWUser role, are assigned the gw-portal-user membership, and have permissions to all host groups and service groups.
This table shows the GroundWork Monitor default system accounts, including users, groups/roles and memberships, and the access privileges for each. Additionally, there is a ro-dashboard membership used for read-only dashboard access and an msp-sample membership associated with the group MSP Users, which can be used for multiple service providers.
Table: Default System Accounts
| USERS | user | operator | admin | root |
|---|---|---|---|---|
| GROUPS | Users | Operators | GroundWork Administrators | Portal Administrators |
| ROLES | /GWUser | /GWOperator | /GWAdmin | /GWRoot |
| MEMBERSHIPS | gw-portal-user | gw-monitoring-operator | gw-monitoring-administrator | gw-portal-administrator |
| ROLE ACCESS | | | | |
| Dashboards | Accessible | Accessible | Accessible | Accessible |
| Event Console | | Accessible | Accessible | Accessible |
| Status | Accessible | Accessible | Accessible | Accessible |
| Views | Accessible | Accessible | Accessible | Accessible |
| Reports | | Accessible | Accessible | Accessible |
| Auto Discovery | | | Accessible | Accessible |
| Configuration | | | Accessible | Accessible |
| Business | | | Accessible | Accessible |
| GroundWork Administration | | | Accessible | Accessible |
| Advanced | | | Accessible | Accessible |
| User Administration | | | Accessible | Accessible |
| Portal Administration | | | | Accessible |
| MEMBERSHIP PERMISSIONS | | | | |
| Disable links to status viewer from all dashboards | | | | |
| Enable Actions Portlet | Accessible | Accessible | Accessible | |
| Cacti | Accessible | Accessible | Accessible | Accessible |
| Nagios | Accessible | Accessible | Accessible | |
| Nagvis | Accessible | Accessible | Accessible | Accessible |
| BSM-Admin | Accessible | Accessible | Accessible | |
| BSM-User | Accessible | Accessible | Accessible | |
| BIRT-Reports | Accessible | Accessible | Accessible | |
| Performance | Accessible | Accessible | Accessible | |
| Performance-Reports | Accessible | Accessible | Accessible | |
| Monarch | Accessible | Accessible | Accessible | |
| NeDi | Accessible | Accessible | Accessible | |
| Cloud Hub | Accessible | Accessible | Accessible | |
| Grafana | Accessible | Accessible | Accessible | Accessible |
| Allow access to all Host Groups and Service Groups | Accessible | Accessible | Accessible | Accessible |