Roles

Introduction to Roles

Roles are sets of permissions and configurations that determine how a user interacts with the LogicMonitor platform, as well as what functionality users can access. By default, LogicMonitor installs with four standard roles:

  • Administrator. The administrator role assigns manage permissions to all areas of the platform, allowing administrators to perform any possible function, including security-sensitive actions.
  • Manager. The manager role assigns almost the same level of permissions as the administrator role, with the exception of security-sensitive actions.
  • Ackonly. The ackonly role assigns view and acknowledge permissions for alerts for all hosts and websites. It also includes permissions for managing device dashboards and creating private dashboards.
  • Readonly. The readonly role assigns view permissions to all areas of the platform; it provides no ability to make changes to the platform, with one exception: users with this role can create private dashboards.

In addition to these four predefined roles, administrators (or any user granted manage permissions for User Access settings) can create an unlimited number of additional roles with very granular sets of permissions. This flexibility is extremely useful for limiting users to the specific areas of the platform relevant to their duties.

Generally, there are seven areas of the platform that can be individually addressed within a role:

  • Dashboards
  • Resources
  • Websites
  • Saved Maps
  • Reports
  • Settings
  • Help & Support

Within each platform area, view or manage permissions can generally be assigned at a minimum. Depending on the purpose of the platform area, other permissions may be available as well. Often, these permissions can be assigned down to the level of a single resource or dashboard.

Creating Roles

To create a new role, navigate to Settings | Users & Roles | Roles | Add. The Add Role dialog displays, featuring all permissions and configurations available for inclusion in a role. Each is discussed next.

Name and Description

In the Name and Description fields, enter a name and description for the role.

Note: Role names cannot include the operators and comparison functions listed in Datapoint Expressions.

Require to sign LogicMonitor's EULA

Checking the Require to sign LogicMonitor's EULA option will require any user assigned this role to sign LogicMonitor's End User Licensing Agreement (EULA).

This setting is configured per role, but stored per user. Once a user has accepted the terms, they will not be shown the EULA again, unless the LogicMonitor terms change.

Dashboard Permissions

Under the Dashboards area of the Add Role dialog, establish the level of dashboard permissions that users assigned this role will have. As discussed (and shown) next, there are several types of permissions available for dashboards.

Allowed to Create Private Dashboards

Checking the Allowed to create private dashboards option allows users to create/edit their own private dashboards. As discussed in Creating Dashboards, private dashboards are only available to the user who created them (and administrators).

Allow Widget Sharing

When checked, the Allow Widget Sharing option allows the role's users to share widgets via a URL that can be embedded externally to the LogicMonitor platform. Users must additionally have manage permissions for the dashboard group that parents a widget in order to share it.

View/Manage Permissions for Dashboards

From the table of dashboards, you can assign view or manage permissions for all dashboards found within a dashboard group or subgroup. Subgroups will inherit permissions specified for a parent group.

  • View. View permissions provide the ability to view all dashboards within a selected group. If you don't provide, at a minimum, either (1) view permissions for at least one dashboard group or (2) permissions to create private dashboards, the Dash page will be hidden for this role.
  • Manage. Manage permissions provide the ability to view, edit, and delete dashboards within a selected group, as well as add, edit, or delete widgets for those dashboards. Manage permissions also provide the ability to create new subgroups for the groups to which permissions are assigned.

If you check the All option at the top of the "View" or "Manage" column, you're setting that level of permissions not only for all currently existing dashboard groups, but for all future dashboard groups as well.

Note: In order to view dashboard widgets that display data for a particular resource, website, or topology map, a user will additionally require view permissions for that component.

Note: View or manage permissions can only be given to public dashboards. Private dashboards are not available for access through role assignment, but the sharing of a private dashboard can be initiated from the dashboard itself, as discussed in Sharing and Exporting/Importing Dashboards.

Resource Permissions

Under the Resources area of the Add Role dialog, establish the level of resource permissions that users assigned this role will have. As discussed (and shown) next, there are several types of permissions available for resources.

Allowed to Manage Resource Dashboards

When checked, the Allowed to manage Resource Dashboards option allows users assigned this role to manage the resource dashboards (i.e. Graphs tab) for each resource for which the user is assigned permissions.

Allowed to View Map Tabs

When checked, the Allowed to view Map Tabs option allows users assigned this role to access a resource's Maps tab, assuming they have view (or greater) permissions to that resource. As discussed in Maps Tab, Maps tabs are related to topology mapping, a feature that is only available to LogicMonitor Pro and Enterprise accounts.

Configs Tab Only Visible with Manage Permissions

When checked, the Configs tab only visible with Manage permissions option allows users assigned this role to view the Configs tab that displays for ConfigSources, assuming they are applied to resources for which the user has manage permissions.

View, Acknowledge, Manage, and Remote Session Permissions for Resources

From the table of resources, you can assign view or acknowledge permissions to all devices or services found within a group. In addition, manage and remote session permissions are available for device groups. Subgroups will inherit permissions specified for a parent group. Resource permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual resources within a group.

Note: You cannot directly assign manage permissions to dynamic groups (or services which are a type of dynamic group) as the resources that make up these groups are ever changing. Only administrators and those with admin-level manage permissions to resources (i.e. the All option is selected at the top of the table of resources) have the ability to manage dynamic groups. For more information on dynamic groups, see Device Groups Overview.

  • View. View permissions provide the ability to view all resources within a selected group. View permissions are also required in order to view resource data from dashboard widgets, reports, and the Alerts page. If you don't provide view permissions for at least one resource group, the Resources page will be hidden for this role.
  • Acknowledge. Acknowledge permissions provide the ability to acknowledge alerts and schedule down time for the resources in the selected group.
  • Manage. Manage permissions provide the ability to edit and delete resources within the selected group, as well as add new resources. Manage permissions also provide the ability to create new subgroups for the groups to which permissions are assigned.

    Note: When adding new devices, you must assign the device to a Collector or Collector group; therefore, you must also have view permissions to the relevant Collectors, as discussed in the Settings Permissions section of this support article, in order to add new devices.

  • Remote session. Remote session permissions apply to device groups only, allowing users to remotely access and operate the devices within a selected group from within the LogicMonitor platform. As discussed in Remote Session, this functionality, when assigned, is initiated from the Resources page.

If you check the All option at the top of the "View," "Acknowledge," "Manage," or "Remote Session" column, you're setting that level of permissions not only for all currently existing resource groups, but for all future resource groups as well.

Website Permissions

Under the Websites area of the Add Role dialog, establish the level of website permissions that users assigned this role will have. As discussed (and shown) next, you can assign view, acknowledge, or manage permissions to all websites found within a website group or subgroup.

Subgroups will inherit permissions specified for a parent group. Website permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual websites within a group.

  • View. View permissions provide the ability to view all websites within a selected group. View permissions are also required in order to view website data from dashboard widgets, reports, and the Alerts page. If you don't provide view permissions for at least one website group, the Websites page will be hidden for this role.
  • Acknowledge. Acknowledge permissions provide the ability to acknowledge alerts and schedule down time for the websites in the selected group.
  • Manage. Manage permissions provide the ability to edit and delete websites within the selected group, as well as add new websites. Manage permissions also provide the ability to create new subgroups for the groups to which permissions are assigned.

If you check the All option at the top of the "View," "Acknowledge," or "Manage" column, you're setting that level of permissions not only for all currently existing website groups, but for all future website groups as well.

Saved Map Permissions

Under the Saved Maps area of the Add Role dialog, establish the level of permissions that users assigned this role will have for the Mapping page. As discussed in Mapping Page, saved maps are related to topology mapping, a feature that is only available to LogicMonitor Pro and Enterprise accounts.

You can assign view or manage permissions to all topology maps found within a map group. Map permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual maps within a group.

  • View. View permissions provide the ability to view all topology maps within a selected group. View permissions are also required in order to view topology map widgets based on a saved topology map. If you don't provide view permissions for at least one topology map group, the Mapping page will be hidden for this role.
  • Manage. Manage permissions provide the ability to edit and delete topology maps within the selected group, as well as add new maps.

If you check the option at the top of the "View" or "Manage" column, you're setting that level of permissions not only for all currently existing topology map groups, but for all future topology map groups as well.

Note: If a user does not have the permissions necessary to see a resource that is rendered via a topology map (i.e. the resource is a member of a resource group that the user does not have permissions for), a question mark icon will display for its vertex in topology maps. Similarly, the API will show only the ERT, labeled as “unknown.”

Report Permissions

Under the Reports area of the Add Role dialog, establish the level of report permissions that users assigned this role will have.

You can assign view or manage permissions to all reports found within a report group. Report permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual reports within a group.

  • View. View permissions provide the ability to view and generate all reports within a selected group. If you don't provide view permissions for at least one report group, the Reports page will be hidden for this role.
  • Manage. Manage permissions provide the ability to edit, schedule, and delete reports within the selected group, as well as add new reports.

If you check the All option at the top of the "View" or "Manage" column, you're setting that level of permissions not only for all currently existing report groups, but for all future report groups as well.

Note: In order to view reports that display data for a particular resource or website, a user will additionally require view permissions for that component.

Settings Permissions

Under the Settings area of the Add Role dialog, establish the level of permissions that users assigned this role will have for the various configurations and features available from the Settings page.

Note: If you don't provide view permissions for at least one setting, the Settings page will be hidden for this role.

Access Logs

Access Logs permissions allow users assigned this role to view, filter, download, and report on the data stored in the platform's Audit Logs.

Account Information

Account Information permissions allow users assigned this role to view or manage the account information and account-wide settings established for your portal.

Alert Settings

Alert Settings permissions are broken into four categories. You can individually assign view or manage permissions for alert rules, escalation chains, external alerting, and recipient groups. In order to configure alert rules for a resource or website, a user must have view permissions for that resource or website.

Collectors

Collectors settings allow you to assign view or manage permissions to all Collectors found within a Collector group.

  • View. View permissions provide the ability to view all Collectors within a selected group, as well as add devices to those Collectors.

    Note: To give a user permission to assign devices to a group of Collectors, but not to view the Collectors themselves, assign view rights to the Collector group and, from the User account, uncheck the Settings option available under the View Permission heading. It's important to note that this will hide the Settings page altogether and disrupt the user's ability to view or manage other setting areas.

  • Manage. Manage permissions provide the ability to view, edit, and delete all Collectors within a Collector group, as well as perform all actions associated with Collectors available from the Settings page.

If you check the View or Manage option for the overall Collectors category, you're setting that level of permissions not only for all currently existing Collector groups, but for all future Collector groups as well.

LogicModules

LogicModules permissions allow users assigned this role to view or manage all global LogicModule definitions (e.g. DataSources, EventSources, JobMonitors, and so on).

Integrations

Integrations permissions allow users assigned this role to view or manage integrations (pre-built or custom) with external ticketing and team collaboration systems.

Message Templates

Message Templates permissions allow users assigned this role to view or manage the global templates in place for alert messages and new user messages.

NetScans

NetScans permissions allow users assigned this role to view or manage NetScans, which are configured processes that direct LogicMonitor Collectors to periodically look for and automatically discover devices in your network.

Ops Notes

Ops Notes permissions allow users assigned this role to view or manage Ops Notes, which are time-stamped annotations that display in your resource or website graphs.

The level of permissions granted here determines access to Ops Notes both from the Settings page and the Resources/Websites page. You must have at least view permissions for a resource/website group in order to enter ops notes for it or one of its members.

User Access

User Access permissions allow users assigned this role to view or manage users and roles. If manage permissions are provided for User Access, the user is able to create new users and roles for the account as well as manage single sign-on settings. The user is also automatically assigned manage permissions to User Profile settings.

User Profile

If you don't give manage permissions to User Access settings, you'll be provided the option to additionally assign manage permissions to two User Profile settings, which allow users to:

  • Edit basic user account information (e.g. name, password, time zone, contact information) by clicking on their usernames in the upper right corner of the LogicMonitor UI
  • Create API tokens

Help/Support Permissions

Under the Help & Support area of the Add Role dialog, establish the level of access to support and help documentation that users assigned this role will have.

Support Type

There are several types of support you can make available to users assigned this role.

  • Documentation. If view permissions are given for Documentation, a "Support" link displays in the upper right of the top navigation bar for users assigned this role. When clicked, the "Support" link opens an inline search window titled "Support Guide" that provides access to LogicMonitor's support articles and development guides. Depending upon other support access provided to the user, the Support Guide window may also feature a "Contact Support" link at its bottom with one or more of the following available actions:
    1. Chat with an Engineer. This allows users to launch a live chat from within the platform.
    2. Support Request. This allows users to submit a support ticket.
    3. Feedback. This allows users to submit platform feedback.
  • Training. If view permissions are given for Training, a "Training" link displays in the upper right corner of the top navigation bar for all users assigned this role. The "Training" link allows users to enroll in the LogicMonitor Certified Professional (LMCP) Exam, as discussed in LogicMonitor Certified Professional Exam Information.

For more information on the support resources available to users, see How do I get support resources?.

Custom Help Link

In addition to LogicMonitor's built-in Support and Training links, you can add a custom help link and label if you'd like to give users direct access to an internal help site.

If Documentation is enabled by the role, then the label for this link will be displayed under the "Contact Support" link found at the bottom of the Support Guide window. If Documentation is not enabled by the role (i.e. users cannot view inline documentation), then clicking the "Support" link will take the user directly to the URL specified for the custom link.

Assigning Roles to Users

Roles, once created, are assigned to users from the user record, as discussed in Users.

If a user is assigned multiple roles, the effective permissions for that user will be the sum of the privileges of each role. For example, if one assigned role provides view only permissions to all resources, but another assigned role provides manage permissions to all resources, the user will have view and manage permissions for all resources. If yet another assigned role provides view permissions for all dashboards, but no permissions for resources, the user will maintain manage permissions for all resources and additionally gain view permissions for all dashboards.

Note: To see all users assigned to a particular role, generate the Role Report.

Note: From user account settings, there is the ability to remove one or more pages (e.g. Dash page, Resources page, Alerts page, and so on) from the user's view. If a page is removed from view from the user's account, this takes precedence over permission levels provided by assigned roles.
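The rules above (permissions summed across roles, subgroups inheriting from parent groups, and a page removed in the user account taking precedence) can be modelled to review what a user actually ends up with before assigning another role. This is an added example, not LogicMonitor code or its API; the Role class, the function names, the "*" marker for the All option, and the group paths are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALL = "*"  # stands for the "All" checkbox: every current and future group


@dataclass
class Role:
    name: str
    # area -> {group path (or ALL) -> set of permissions}; paths are constructed samples
    grants: dict = field(default_factory=dict)


def role_permissions(role, area, group):
    """Permissions one role gives on a group, including those inherited from parents."""
    area_grants = role.grants.get(area, {})
    perms = set(area_grants.get(ALL, ()))
    parts = group.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        # A grant on "Production" also applies to "Production/Databases".
        perms |= set(area_grants.get("/".join(parts[:depth]), ()))
    return perms


def effective_permissions(roles, area, group):
    """Union of the permissions from every assigned role."""
    result = set()
    for role in roles:
        result |= role_permissions(role, area, group)
    return result


def grant_sources(roles, area, group, permission):
    """Names of the roles that contribute a permission, for least-privilege review."""
    return sorted(r.name for r in roles if permission in role_permissions(r, area, group))


def page_visible(roles, area, removed_pages=()):
    """A page shows only if some role grants view in that area and the page was not
    removed in the user's account settings, which takes precedence. (The Dash page
    also counts the private-dashboard option, which this model leaves out.)"""
    if area in removed_pages:
        return False
    return any("view" in perms
               for role in roles
               for perms in role.grants.get(area, {}).values())


# Constructed sample roles, following the example in the text above.
view_all = Role("res-view", {"resources": {ALL: {"view"}}})
manage_all = Role("res-manage", {"resources": {ALL: {"manage"}}})
dash_view = Role("dash-view", {"dashboards": {ALL: {"view"}}})
db_remote = Role("db-remote", {"resources": {"Production/Databases": {"remote_session"}}})

user_roles = [view_all, manage_all, dash_view, db_remote]

if __name__ == "__main__":
    group = "Production/Databases/Primary"
    print(sorted(effective_permissions(user_roles, "resources", group)))
    print(grant_sources(user_roles, "resources", group, "remote_session"))
    print(page_visible(user_roles, "resources", removed_pages={"resources"}))
```

Because permissions only accumulate, grant_sources is the useful call during a review: it names the role to change when a user holds manage or remote session access that their duties do not need.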

Managing Roles

Existing roles can be viewed at Settings | Users & Roles | Roles. All roles are listed in table form, in alphabetical order.

From this table, you can:

  • Expand role details. Click the arrow to the left of a Role to expand the listing to include all permissions assigned to the role.
  • View user count. The far right column displays the number of users the role is assigned to. You can get additional details on users assigned to a particular role by generating the Role Report.
  • Log off users. Place a checkmark in the leftmost column of one or more roles and click the Logoff Users button to log off all users to which a role is assigned.
  • Edit, clone, or delete a role. Click the gear icon to open the Manage Role dialog. From this dialog, you can update the permissions assigned to a role, clone a role, or delete a role. If you update role permissions assigned to a user that is currently active in the platform, they will experience those updates as soon as they move to a new area of the product (i.e. a refresh takes place). You cannot delete a role that is currently assigned to one or more users.