Monitoring Privileges

The monitoring functions that an administrator can perform within the Enterprise Manager environment depend on privileges that have been granted to that user. To maintain the integrity and security of a monitored infrastructure, only the required privileges for a specific role should be granted. The following guidelines can be used to grant proper privilege levels based on user roles.

Administrators who set up monitoring

Create a role with privileges and grant it to administrators:

  • Use individual user accounts instead of a shared account (recommended)

  • If a Super Administrator account is used, do not use SYSMAN

  • If the privilege is based on targets, create a privilege-propagating group containing the targets (or use an administration group if it meets requirements) and grant the privilege on the group to the role

Administrators who respond to events / incidents

  • Create a role and grant it to administrators

  • Create privilege-propagating group (or use administration group if it meets requirements) containing relevant targets and grant appropriate privilege on the group to the role

Example: You create the role DB_Admins and grant Manage Target Events on the privilege-propagating group named DB-group, which contains the relevant databases. You then grant the role DB_Admins to the DBAs.

Monitoring Actions and Required Privileges

Enterprise Manager supports fine-grained privileges to enable more granular control over actions performed in Enterprise Manager.

The following table summarizes a (non-exhaustive) list of job responsibilities and the privilege levels in Enterprise Manager required to perform them.

Table 5-9 Monitoring Operations and Required Privileges

| Monitoring Operation | Required Privilege(s) |
|---|---|
| Monitoring Setup | |
| Configure SMTP gateway (email) | Super Administrator |
| Create Advanced Notification Methods (e.g. SNMP traps) | Super Administrator |
| Configure event or ticketing connector | Super Administrator |
| Creating Roles | Super Administrator |
| Create Administration Group Hierarchy | Full Any Target; Create Privilege Propagating Group |
| Edit Administration Group Hierarchy | Full Any Target; Create Privilege Propagating Group (if adding new target property values as group criteria within a level of the administration group hierarchy) |
| Delete Administration Group Hierarchy | Full Any Target |
| View entire Administration Group hierarchy in Group Administration pages | View Any Target. Note: Administrators who have privileges to only a subset of the groups can view these groups in the Groups list page accessible via Targets-->Groups |
| Use Monitoring Templates | No privileges required to create new monitoring templates. However, if the monitoring template contains a corrective action, then Create on Job System privilege is required; View on specific monitoring template to use the template created by another user (e.g. to add the monitoring template to a Template Collection) |
| Use Template Collections | Create Template Collection (to create new Template Collections); View Template Collection on specific Template Collection to view/associate the Template Collection created by another user; View Any Template Collection to view/associate any Template Collection; Full Template Collection on specific Template Collection to edit/delete the Template Collection created by another user |
| Associate a Template Collection with an Administration Group | Manage Template Collection Operations on the group (this includes Manage Target Compliance and Manage Target Metrics privileges); View Template Collection on the Template Collection |
| Operations on the Administration Group | |
| Manage privileges on the group (for example, grant to other users) | Group Administration on the group |
| Add a target to an Administration Group by setting its target properties | Configure Target (on the target to be added to the Administration Group) |
| Perform a manual sync of the group with the associated Template Collection | Manage Template Collection Operations on the group |
| Operations on the members of the Administration Group | |
| Delete the target from Enterprise Manager | Full on the target (Full also contains the privileges enumerated below) |
| Set blackout for planned downtime; Change monitoring settings; Change monitoring configuration; Manage events and incidents on the target; View target, receive notifications for events or incidents | Operator on the target also contains the following privileges: Blackout Target on the target; Manage Target Metrics on the target; Configure Target on the target; Manage Target Events on the target; View on the target |
| Create Incident Rule Sets | Create Enterprise Rule Set; Manage Target Events on target if rule is creating incidents for the target |
| Granting privileges on administration group to roles | No extra privilege required if creator of the administration group |
| Set a target's property values | Configure Target |
| Edit Monitoring Template that is part of Template Collection | Full on the Monitoring Template; Manage Target Metrics on administration group |
| Change monitoring settings on specific target | Manage Target Metrics |
| Receive email for events, incidents | View on Target and/or View on source object (for example, view on job for job events) |
| Create incident for event | Manage Target Events |
| Incident management actions (for example, acknowledge, assign incident, prioritize, set escalation level) | Manage Target Events |

Note:

SYSMAN is a system account intended for Enterprise Manager infrastructure installation and maintenance. It should never be used for administrator access to Enterprise Manager as a Super Administrator.
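
A least-privilege check built on the privilege containment in Table 5-9, as an added example (not Oracle code): it flags role grants that exceed or fall short of what a role's members actually do, and any use of SYSMAN as an administrator. The role records, user names and operation labels are constructed sample data; only DB_Admins and DB-group come from the example earlier on this page.

```python
# Added example. Privilege names and containment are read from Table 5-9:
# Full contains Operator, and Operator contains the five target privileges.
CONTAINS = {
    "Full": {"Operator"},
    "Operator": {"Blackout Target", "Manage Target Metrics", "Configure Target",
                 "Manage Target Events", "View"},
}

# Operation label (hypothetical short names) -> privilege the table states for it.
REQUIRED = {
    "delete target": "Full",
    "change monitoring settings": "Manage Target Metrics",
    "set target property values": "Configure Target",
    "create incident for event": "Manage Target Events",
    "incident management actions": "Manage Target Events",
    "receive email for events": "View",
}

# Constructed role records: grants are privileges on the role's group.
ROLES = [
    {"name": "DB_Admins", "group": "DB-group", "members": ["dba_alice", "dba_bob"],
     "grants": ["Manage Target Events"],
     "operations": ["create incident for event", "incident management actions"]},
    {"name": "DB_Tuning", "group": "DB-group", "members": ["dba_carol"],
     "grants": ["Full"],
     "operations": ["change monitoring settings", "incident management actions"]},
    {"name": "DB_Oncall", "group": "DB-group", "members": ["sysman"],
     "grants": ["View"],
     "operations": ["receive email for events", "create incident for event"]},
]

def expand(priv):
    """Return priv plus every privilege it transitively contains."""
    seen, stack = set(), [priv]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(CONTAINS.get(p, ()))
    return seen

def audit(role):
    """Return least-privilege findings for one role's grants on its group."""
    effective = set().union(*map(expand, role["grants"]))
    needed = {REQUIRED[op] for op in role["operations"]}
    allowed = set().union(*map(expand, needed))
    findings = [f"missing: {p}" for p in sorted(needed - effective)]
    # A grant is excessive when it confers anything the role's operations do not need.
    findings += [f"excess: {g}" for g in sorted(role["grants"]) if expand(g) - allowed]
    if any(u.upper() == "SYSMAN" for u in role["members"]):
        findings.append("SYSMAN used as administrator")
    return findings
```

Calling `audit(role)` for each entry in `ROLES` returns an empty list for DB_Admins, an excess finding for DB_Tuning, and a missing-privilege plus SYSMAN finding for DB_Oncall.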