Administrators can configure the AppMon built-in security system to protect AppMon installations against unauthorized access or unintentional usage. AppMon uses user accounts, groups, and roles to assign permissions that control access to the product and certain features. Permissions are assigned to roles. Each user group has a role, and thus permissions from this role. To get the permissions the user has to be a part of the group.
The AppMon security system involves three security areas:
- AppMon Server Management for server related permissions.
- System Profiles for managing permissions on the level of specific System Profiles.
- Dashboards for defining read/write access to shared dashboards.
To manage user accounts in the AppMon Client, click Settings > Dynatrace Server > Users.
Use the Accounts tab to create and edit user accounts.
Set up the account parameters in the User Preferences dialog box. To open it, click Create to create a new account, or double-click an existing account to edit it.
Each user account needs a unique user ID and a password. The Full Name and Email fields are optional.
In the Select User Groups list, assign the required user groups to the account. If no user group is selected, the user has no permissions. See the Groups section for more information.
The System Profiles and Dashboards columns of the Accounts tab display the System Profiles and dashboards to which the user has access. If LDAP is used for user authentication, there is no need to create user accounts manually. The AppMon security system creates a local account when a user first logs in with an LDAP account. User accounts have the Use LDAP Authentication option set by default. The Full Name and Email are kept in sync with LDAP. The AppMon security system assigns membership to LDAP groups automatically, according to the LDAP configuration. These groups are dimmed in the User Preferences dialog box and you cannot map them manually. However, you can add LDAP accounts to local user groups. For non-LDAP users added to AppMon, there is no difference between LDAP groups and locally defined user groups.
System admin account
AppMon provides a default administration account that has full access rights granted. This account is available after installation of the AppMon Server, with the username and password both set to
admin. The admin user cannot be deleted from the system, and another user with this name can't be created. For security reasons, you should change the admin password immediately after installation.
Changing a user's password
You cannot change a user's password through the AppMon Client if the user is authenticated by LDAP.
To change the password for the currently logged-in user, do one of the following in the AppMon Client:
- Select Settings > Change user password.
- Right-click the server connection icon in the lower right corner of the window, and select Change Password.
When changing a user's password be aware that the Change User Password dialog does not accept passwords containing whitespace characters. For customizable complexity requirements for passwords see Password Security.
A group defines the roles (and thus the actual permissions) that users can have for AppMon Server management, System Profiles, and dashboards. To assign a user to one or more groups, select the groups in the User Preferences dialog box.
When AppMon uses LDAP for user authentication, it is also possible to define LDAP groups. The advantage of using LDAP groups is that the users´ group membership is automatically maintained by the AppMon security system in accordance with the LDAP group memberships. To be recognized as an LDAP group, the AppMon group name must match the LDAP name exactly and you must select the Is LDAP Group option in the User Group Preferences dialog box. To assign an LDAP group as an AppMon Group, click Select LDAP Group in the User Group Preferences dialog box. The size of the group list is limited to the page size configuration of your LDAP server (a default of 1,000 rows is usual). Use a filter expression to limit the number of groups.
The Management Role, System Profiles, and Dashboards columns in the Groups tab of the Users item from the Dynatrace Server Settings dialog box show a summary of the profiles and dashboards that are available for each group. See the Roles section for more information.
A user group specifies exactly one role to manage AppMon Servers. Roles applied to management only grant access to AppMon Server. AppMon ignores other permissions contained in this role, such as those for a specific System Profile. To completely deny access to AppMon Server management, select No Permission.
To protect System Profiles, AppMon defines roles for them. Unlike management roles, System Profile roles only use permissions that apply to System Profile functionality such as run analyses and create memory dumps. A role's permissions for AppMon Server management are ignored.
Dashboard permissions can have one of two values: Read or Read/Write. With the Read permission, users can view dashboards. Any manipulations are temporary: Save and Save As operations are denied for the AppMon Server, but you can save on local drives. Users with Read/Write permissions have full access to view dashboards, change them, and save them on the AppMon Server.
A role is a set of granted permissions.
By default, AppMon has these roles for different levels of access control, sorted from less to more powerful:
- No Permission: doesn't have any permissions.
- Guest: allowed to view certain application-related dashboards, but cannot modify them or create new. Doesn't have access for self-monitoring dashboards. Can't modify System Profile and server settings. Typically suitable for business users, who wants to see the data, but doesn't need to perform any configurations.
- User: allowed to view certain application- and system-related dashboards, but cannot modify them or create new. Allowed to work with stored sessions. Can't modify System Profile and server settings. Typically suitable for experienced business users.
- Power User: allowed to view and modify certain application- and system-related dashboards. Can modify System Profile, can't modify server setting. Typically suitable for developers, who should have extended access, but should not affect server settings.
- Administrator: has all the permissions
See Permission mapping for more information about permissions and full list of permissions for these roles.
You cannot delete these roles. The Administrator, Guest, and No Permission roles cannot be edited.
The Roles tab of the Users item from the Dynatrace Server Settings dialog box lists all out-of-the-box and custom roles. Select a role to see the list of permissions granted to the role. The colored icons at the left of the permissions indicate how risky the permission is. For example, a red icon may indicate a permission to change configuration settings, with a potentially significant effect on all users.
If a role's permission can be changed, the Edit button below the permissions list is available when you select the role.
To create a custom set of permissions, click Create below the roles list and specify a unique name and optional description to create a new role. After you create the role, add permissions to it:
- Click Edit below the Permissions table to open the Permission Chooser.
- Select the desired permissions in the Denied Permissions list. To select multiple permissions, hold down the Ctrl key and click the permissions.
- Click Add to move the selected permissions to the Allowed Permissions list.
- Click OK to add the allowed permissions to the role and close the Permission Chooser.
To support single sign-on solutions, configure AppMon to authenticate users according to credentials stored on an LDAP server. See Users - LDAP tab for details.
To provide an intermediate solution until a more sophisticated user management is implemented, you can define user password security. Setting the Allow Clients to store credentials check box requires all users to sign on using their credentials each time they connect to the server. You can set the number of digits, lowercase letters, uppercase letters, special characters, and the minimum length a password must have to be accepted. Old passwords that don't meet the complexity don't have to be instantly changed, but when the password is changed, the complexity requirements apply.