eG Administration 
 

Associate a new user with the segment/services/components/zones in the environment

To manage large infrastructures more effectively and efficiently, administrators might prefer to break down the infrastructure into smaller, more manageable units known as Zones, and monitor these individual units. A zone can typically comprise individual components, segments, services, and/or other zones that require monitoring. Using this page, administrators can associate a new user with specific zones that have been configured in the environment. This association ensures that the user is authorized to monitor all the components, segments, services, and/or other zones that form part of the selected zone.

Another characteristic feature of the eG Enterprise product is that users can be associated with specific services. A service can be a group of applications or network devices that work together to deliver certain services to the end-user. It is characterized by a group of servers that belong to a segment(s) or a group of independent servers. In this case, a user associated with one service cannot view the details pertaining to the other.

Similarly, the eG Enterprise suite also facilitates the association of users with specific segments. Access to a segment provides the user with access to all the components that form a part of its topology.

In the same manner, independent components can also be assigned to a user's view. Independent components are those components that are not part of any segment or a service.

Besides the above infrastructure elements, virtual machines can also be assigned to specific users. This feature is particularly useful for cloud service providers, who often need to provision a VM on demand for any customer who requests it. These cloud consumers (i.e., customers) are only concerned with the availability and internal health of the VMs that the service provider has provisioned for them; typically, they have no knowledge of the virtual servers on which the VMs operate. This means that these customers may not require monitoring access to the whole virtual server. By configuring user-VM mappings using the eG administrative interface, cloud service providers will not only be able to track who is using which VM, but will also be able to give a customer a real-time view of the status, overall performance, and problems of only the VMs (and not the virtual servers) that were specifically launched on the cloud for that customer.

To associate one/more of these infrastructure elements to a user, follow the steps given below:

  • First, choose the type of element to be associated with the new user from the Associate list in this page. This list displays all the infrastructure element types that have been configured in the environment. To associate a zone for instance, select the Zone option from this list. Likewise, select the Components option to assign one/more independent components to the new user.
  • If the Zone/Service/Segment option is chosen from the Associate list, the AVAILABLE list in this page will display all zones/services/segments that have been configured in the environment. If a Component type is chosen, then all independent components of that type will be listed in the AVAILABLE list. From this list, select the elements to be associated with the new user, and then click the Associate >> button. This will transfer the selection to the ASSOCIATED list in this page. Similarly, you can disassociate elements from a user by selecting the elements from the ASSOCIATED list and clicking the >> Disassociate button. If you want to update the current association and continue adding more elements to the user view, click on the Assign and Add More button. Upon clicking, an ASSOCIATED ELEMENTS section appears, displaying a summary of your associations. If you are done with associating elements to a user, then you can save your last association and exit this page by clicking the Finish button.
  • If the Components option is chosen from the Associate list, a Component type list appears that consists of all managed component types in the target environment. To assign components of a specific type to the user, select a Component type from this list.
  • All independent components of the chosen type will be displayed in the AVAILABLE list. To associate specific components, select them from the AVAILABLE list, and then click the Associate >> button. Instead, if you want to associate all components of the chosen type, simply click the Auto associate all servers of type check box. Doing so automatically transfers all the components displayed in the AVAILABLE list to the ASSOCIATED list.
  • If you want to assign one/more VMs to users, select Components from the Associate list, and then pick Virtual Machine as the Component type. This will automatically populate the HYPERVISOR TYPES list with all the managed hypervisors in the environment. Select a hypervisor from this list; note that at any given point in time only a single hypervisor type can be chosen from this list.
  • Doing so will instantly populate the HYPERVISOR HOSTS list with all the managed virtual hosts of the chosen HYPERVISOR TYPE. From the HYPERVISOR HOSTS list, select the hosts that have been configured with the VMs to be assigned to the user. The VMs that the eG agent auto-discovers from the chosen virtual hosts will then be displayed in the VIRTUAL MACHINES AVAILABLE list. From this list, select the VMs that are to be assigned to the user for monitoring and click the << Associate button. The chosen VMs will then be moved to the VIRTUAL MACHINES ASSOCIATED list. To associate all the VMs displayed in the VIRTUAL MACHINES AVAILABLE list with the user at one go, select the Auto associate all vms check box.

    To disassociate one/more VMs that were previously mapped to a user, select the VMs from the VIRTUAL MACHINES ASSOCIATED list and click the Disassociate >> button.

  • If you are done with associating elements to a user, then you can save all your previous associations and exit this page by clicking the Finish button. To add more elements, click the Assign and Add More button.

Note:

  • Independent components that belong to a zone that is associated with a user will be automatically removed from the AVAILABLE COMPONENTS list.
  • Newly added/managed components belonging to the selected component type do not get associated with the new user immediately. Since this association is mapped as part of the discovery process, there might be a latency equal to the rediscovery period before an association between users and components is updated. If the rediscovery period has not been specified, there will be a latency equal to one day.

By clicking on the Configure mail filters button, the administrator can configure the eG manager to not send out email/SMS alerts to specific users for specific layers/components/component-types. This button will appear only if the Allow mail / sms filter configuration flag is set to Yes in the MAIL ALERT PREFERENCES page that appears when you follow the menu sequence: Alerts -> Mail Settings -> Alerts. An administrator can filter the email/SMS alerts to be sent out to a user only if the following are in place:

  • The user in question is configured with a mail ID and/or mobile number;
  • The user is assigned at least one infrastructure element (i.e., component/zone/segment/service).

The Back button enables you to go back to the previous screen.

Note:

  • This page will appear only if the role assigned to the new user allows access to only Limited components in the monitored environment. If the new user is assigned a role that allows Complete access, then this page will not appear.

  • Say a user was assigned a role that allowed Limited component access, and a segment named seg-a and a service named online_shop were assigned to this user. If the user role is now modified to allow Complete component access, the access rights of the user will change accordingly - i.e., the user will now have access to all the managed elements in the infrastructure. Now, say the user role is modified once again to allow Limited component access. When this is done, the corresponding user profile will also change, and the segment (seg-a) and service (online_shop) that were originally associated with this user will be automatically reassigned. In other words, when the access rights of a user role change from Limited to Complete and then back to Limited, eG Enterprise retains the original assignments of the corresponding user and eventually reapplies them.

Note:

Typically, user activity in high-security environments is periodically audited to ensure compliance with set standards and to enable the swift detection of unauthorized accesses. One of the requirements of such audits is a report that provides a consolidated list of the users of the target environment as of the current date, the application(s) they have access to, and the details of the access privileges granted to each user with respect to that application. Such a report enables both the administrators and the auditors to determine if any user has been allowed access to more areas than necessary, thus enabling them to fine-tune their firewall rules.

As part of this exercise, if administrators want to generate a report for tracking users to the eG Enterprise application alone, then they can enable the user logging capability of the eG manager. To enable this capability, do the following:

  • Edit the eg_services.ini file in the <EG_INSTALL_DIR>\manager\config directory.
  • Set the UserAudit flag in the [MISC_ARGS] section to Yes (default is No).
  • Save the eg_services.ini file.

Enabling user logging results in the creation of a user_log file in the <EG_INSTALL_DIR>\manager\config\logs directory. By default, the access permissions of all "active" user accounts registered with the eG Enterprise system as of the current date are logged in this file every day. If you want the file to log the permissions of "expired" user accounts too, then set the LogExpiredUsersPrivilege flag in the [MISC_ARGS] section of the eg_services.ini file to Yes.

The format of the entries in the user_log file is as follows:
ApplicationNumber, User Id, User Role, Access Permissions

In the format, ApplicationNumber is a unique identification number that you need to manually assign to the eG Enterprise application. To define an ApplicationNumber for eG Enterprise, edit the eg_specs.ini file in the <EG_INSTALL_DIR>\manager\config directory, and provide any string/number against the ApplicationNo parameter (in the [MISC_ARGS] section). Note that if an Application Number is not defined for eG users in the eg_specs.ini file, then user logging will not occur!

UserId refers to the name of the user registered with the eG Enterprise system.

User Role represents the role assigned to the user.

Access Permissions is a brief description of the specific permissions that have been granted to the user.

A sample log entry is provided below:
100, john, testConfigure, testConfigure users have the following abilities: [Admin] configure tests; configure thresholds.

Here, 100 is the ApplicationNumber, john is the UserId, testConfigure is the User Role assigned to john, and finally, user john is permitted to configure tests and configure thresholds using the eG administrative interface.
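
For the access review described above, the following added example (not part of the eG Enterprise product or its documentation) parses user_log entries in the four-field format and compares each user's role against an approved baseline. The "[Module] ability; ability" layout of the permissions text is assumed from the single sample entry; the baseline, the role name viewOnly and all log lines other than john's are constructed.

```python
import re
from typing import NamedTuple

class UserLogEntry(NamedTuple):
    app_no: str
    user_id: str
    role: str
    modules: dict   # module tag -> list of abilities

# Assumption: abilities follow the first colon as "[Module] a; b" groups.
_GROUP = re.compile(r"\[([^\]]+)\]([^\[]*)")

def parse_entry(line):
    # Only the first three commas delimit fields; the description may contain commas.
    parts = [p.strip() for p in line.strip().split(",", 3)]
    if len(parts) != 4 or not all(parts[:3]):
        raise ValueError(f"malformed user_log entry: {line!r}")
    app_no, user_id, role, desc = parts
    abilities = desc.partition(":")[2]
    modules = {}
    for tag, body in _GROUP.findall(abilities):
        items = [a.strip(" .") for a in body.split(";")]
        modules.setdefault(tag.strip(), []).extend(a for a in items if a)
    return UserLogEntry(app_no, user_id, role, modules)

def review(lines, approved_roles):
    """Return (user, finding) pairs where the log departs from the baseline."""
    findings = []
    for line in filter(str.strip, lines):
        try:
            e = parse_entry(line)
        except ValueError:
            findings.append((None, "unparseable entry"))
            continue
        expected = approved_roles.get(e.user_id)
        if expected is None:
            findings.append((e.user_id, f"not in baseline (role {e.role})"))
        elif expected != e.role:
            findings.append((e.user_id, f"role {e.role}, approved {expected}"))
    return findings

# Constructed sample: the first line is the page's sample entry, the rest are invented.
DESC = ("testConfigure users have the following abilities: "
        "[Admin] configure tests; configure thresholds.")
SAMPLE_LOG = [f"100, john, testConfigure, {DESC}",
              f"100, mary, testConfigure, {DESC}",
              f"100, temp_contractor, testConfigure, {DESC}",
              "100, broken"]
APPROVED = {"john": "testConfigure", "mary": "viewOnly"}  # hypothetical baseline
```

Running review(SAMPLE_LOG, APPROVED) on each day's file surfaces role drift and accounts that were never approved; unparseable lines are reported rather than skipped so a truncated log does not hide an entry.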