8 Replies Latest reply on Nov 6, 2019 11:07 AM by Ali Khoshkar

    Users cannot see any of the devices

    Ali Khoshkar

      Hello everyone,

       

      I am trying to give our support staff here (NOC/TAC technicians) access to Entuity. I connected our LDAP instance, delegated our 2 admins (myself and one other), and placed all other users in the "All Users" group.

       

       

      I added all the devices in our infrastructure through the device administration page. However, when other non-admin users log in, they cannot see anything on their dashboards or enter any of the devices' details.

       

      When I log in as an administrative user, I can see this:

      Furthermore, I can see incidents, drill into each device to see ports, metrics, etc.

       

      However when a non-administrator user logs in they cannot see anything even though I gave them FULL permissions (which is not desired, just did it as a test to see if that would change anything).

       

      Any ideas how to fix this? Is there a permission I can give to users to be able to login and see incidents, devices, etc. without actually placing everyone in the admin group?

        • 1. Re: Users cannot see any of the devices
          Laurence Balon

          Ali,

           

          Have you created an AD group for your non-admin users and mapped it to the All Users Entuity group? The behavior you are describing leads me to believe that these users are not mapped correctly. The default behavior for Entuity is to allow access for all users.

           

          Allow_Access_All_Users.jpg

           

          When configured like this, users who do not meet group mapping policies will be allowed to authenticate but they will not be able to see anything but the post-authentication landing page. This needs to be set to Allow Access for Specified Users/Groups.

           

          Larry

          1 of 1 people found this helpful
          • 2. Re: Users cannot see any of the devices
            Ali Khoshkar

            Hello Laurence,

             

            Thanks for your reply. You are correct, I had only mapped admin access and set the server access policy to allow access for all users as you show in your screenshot above thinking all users would be able to login.

             

            However now that I created a group in AD and switched the server access policy to "Allow Access for Specified Users/Groups" and then added that group to the list, I am completely locked out. I get a "You are not allowed to connect to this server" message.

             

            Haha, I hope I didn't just lock myself out permanently. Any ideas?

            • 3. Re: Users cannot see any of the devices
              Laurence Balon

              Ali,

               

              I am assuming you can get back in with your administrator credentials. I don't think we allow mapping an AD group to the All Users group. You will need to go into Account Management, create a new Entuity group. Assign the proper permissions for this new group and also allow access to specific views. You will then need to configure the LDAP group mapping to map the AD group that these users are a member of to this newly created Entuity group.

               

              Larry

              1 of 1 people found this helpful
              • 4. Re: Users cannot see any of the devices
                Ali Khoshkar

                Hi Larry,

                 

                Unfortunately it's not allowing the default admin account to log back in either. Completely locked out. Not sure how to get back in at this point.

                 

                Yes, I did what you suggested and created a new Entuity group called test, added all proper permissions to the group, and in the LDAP configuration I added all members of an AD group into the Entuity group. Why would it lock me out after this? I don't understand; the underlying admin permission did not get modified. Unless I needed to add "admins" to the "allow access only to specific users or groups" section...

                • 5. Re: Users cannot see any of the devices
                  Laurence Balon

                  Ali,

                   

                  You can reconfigure the authentication to internal authentication. You will need to RDP or SSH to the Entuity server. Change to the [ENTUITY_HOME]/etc directory. Locate the file named security.config.xml and open it with a text editor. Locate this section of the file:

                   

                  <application>
                    <module name="Authentication">
                      <authentication>
                        <ssoMode>memory</ssoMode>
                        <allowSuperUserAccess>true</allowSuperUserAccess>
                        <externalAuthHandler>com.entuity.security.external.ldap.LdapLogon</externalAuthHandler>
                        <authMode>external</authMode>
                        <attemptAfterAuthError>false</attemptAfterAuthError>
                      </authentication>

                   

                  Change the <authMode> section to internal. Save the file and then restart the tomcat service. You can do this from the command line by changing to the [ENTUITY_HOME]/bin directory. Enter the following command: stop tomcat<ENTER>

                   

                  The above command will stop the tomcat service. It will restart automatically and re-read the security.config.xml file. The Entuity server will now be configured for internal authentication and you should be able to get back in to the server.

                   

                  Larry

                  1 of 1 people found this helpful
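
Added example, not part of the thread and not Entuity's own tooling: a Python sketch of the edit described in reply 5, which keeps a backup of security.config.xml and refuses to modify a file that does not contain exactly one `<authMode>` element. The sample file is an abridged, constructed copy of the quoted section (the closing `</module>` and `</application>` tags and the UTF-8 encoding are assumptions), and `set_auth_mode` is a hypothetical helper name.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the section quoted in the post, abridged and closed
# so that it forms a whole file.
SAMPLE = """<application>
<module name="Authentication">
<authentication>
<ssoMode>memory</ssoMode>
<allowSuperUserAccess>true</allowSuperUserAccess>
<authMode>external</authMode>
<attemptAfterAuthError>false</attemptAfterAuthError>
</authentication>
</module>
</application>
"""

AUTH_MODE_RE = re.compile(r"(<authMode>\s*)(\w+)(\s*</authMode>)")

def set_auth_mode(config_path, new_mode="internal"):
    """Rewrite <authMode>, keeping a .bak copy; return the previous mode."""
    if new_mode not in ("internal", "external"):   # the two values on the page
        raise ValueError(f"unsupported authMode: {new_mode!r}")
    path = Path(config_path)
    text = path.read_text(encoding="utf-8")        # encoding is an assumption
    found = AUTH_MODE_RE.findall(text)
    if len(found) != 1:                            # refuse to touch an unexpected file
        raise ValueError(f"expected one <authMode>, found {len(found)}")
    old_mode = found[0][1]
    if old_mode != new_mode:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(AUTH_MODE_RE.sub(rf"\g<1>{new_mode}\g<3>", text), encoding="utf-8")
    return old_mode

def demo():
    """Run the change on a temporary copy of SAMPLE and report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "security.config.xml"
        cfg.write_text(SAMPLE, encoding="utf-8")
        old = set_auth_mode(cfg)
        backup = cfg.with_name(cfg.name + ".bak").read_text(encoding="utf-8")
        changed = "<authMode>internal</authMode>" in cfg.read_text(encoding="utf-8")
        return old, changed, backup == SAMPLE

if __name__ == "__main__":
    print(demo())
```

The Tomcat restart described in the reply is still needed before the new mode takes effect, and the .bak copy gives a known-good file to restore once the LDAP group mapping has been corrected.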
                  • 6. Re: Users cannot see any of the devices
                    Ali Khoshkar

                    Thanks Larry you're a gem

                     

                    OK so I'm back in and have played around some more with the permissions. Users still cannot see any of the devices in our inventory or any data/incidents associated with them. This is how I have it setup:

                     

                    I already have a security group (domain local) in AD with all of the analysts I am trying to give permissions to.

                     

                    I created a group called "Analysts" and added almost all tool, report, and task permissions to them.

                     

                    Lastly, in the LDAP configuration under group mapping tab I mapped all LDAP users belonging to BMCAnalysts LDAP group to the Entuity "Analysts" group:

                     

                     

                    Is there something I am missing?

                    • 7. Re: Users cannot see any of the devices
                      Laurence Balon

                      Ali,

                       

                      There does not appear to be anything incorrect in your configuration. Re-check your initial LDAP configuration. I usually use an AD service account to bind to the AD server and perform the lookups. The first step is to test that the AD service account is working. You can click the test button to make sure it is working.

                       

                      LDAP_Config_01.jpg

                      If this is successful, go to the next page and check that the search base is correct. I use an open source tool from Softerra (Softerra LDAP Browser) to connect to the AD controller and verify the search base.

                       

                      LDAP_Config_02.jpg

                       

                      Once you have verified the search base, click the Test button. Enter the username and password from a person that is in the Analysts group. If the lookup and authentication succeeds, a pop-up window will display all the AD groups that user is a member of. I usually find that this is where the problem lies. Either the search base is incorrect or the user is not a member of the AD group that is mapped to the Entuity group. You can also open a ticket with Support.

                       

                      LDAP_Config_03.jpg

                      Larry

                      1 of 1 people found this helpful
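
Added example, not part of the thread and not Entuity code: an offline Python check for the two failure modes named in reply 7, run against one user's entry exported as LDIF from an LDAP browser. The entry is constructed (only the group name BMCAnalysts comes from the thread), `diagnose` is a hypothetical helper, and the check assumes group mapping relies on the user's `memberOf` values, which in AD list direct memberships only, not nested groups or the primary group.

```python
# Constructed sample: LDIF for one user, including a folded (continued) line.
SAMPLE_LDIF = """\
dn: CN=Jane Analyst,OU=NOC,OU=Staff,DC=example,DC=com
sAMAccountName: janalyst
memberOf: CN=BMCAnalysts,OU=Groups,DC=example,
 DC=com
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=com
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for one entry, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # LDIF folding: a leading space continues
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def rdns(dn):
    """Lower-cased RDN list; assumes no escaped commas inside values."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def diagnose(ldif_text, search_base, mapped_group):
    """List the problems that would stop the group mapping from applying."""
    entry = parse_ldif_entry(ldif_text)
    problems = []
    user, base = rdns(entry["dn"][0]), rdns(search_base)
    # The user is found only if the search base is a suffix of the user's DN.
    if len(user) < len(base) or user[len(user) - len(base):] != base:
        problems.append("user DN is outside the search base")
    groups = {rdns(g)[0] for g in entry.get("memberof", [])}
    if f"cn={mapped_group.lower()}" not in groups:
        problems.append(f"user is not a direct member of {mapped_group}")
    return problems

if __name__ == "__main__":
    print(diagnose(SAMPLE_LDIF, "OU=Staff,DC=example,DC=com", "BMCAnalysts"))
```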
                      • 8. Re: Users cannot see any of the devices
                        Ali Khoshkar

                        Hi Larry,

                         

                        Yes I did test the LDAP configuration and it returned successful. Also I tried testing the group searching as you suggested and it does seem to be capturing the group correctly:

                         

                         

                        Blah unfortunately we no longer have support. If you have any other ideas let me know! Thanks for your help regardless brother, much appreciated.