Understanding user groups
OMS controls access to the assets it manages through user groups. Different groups have access to different assets or have different levels of access to the same asset. This access is controlled through the permission policy associated with the user group. Assigning permissions to a group rather than to each unique user makes maintenance for the OMS administrator much easier.
User groups are collections of users, asset groups, and single assets. By assigning a permission policy to the group, you control what access members of the group have.
OMS does not have a default user group. You must create at least one user group, associate a permission policy with it, and add users to the group before any user can access any assets managed by OMS.
User group permissions are additive. When a user is a member of multiple groups, the user is granted the least restrictive permissions. If a user is a member of multiple user groups and at least one of the user groups allows access to the feature, then that group's permissions are in effect for that feature. That means if one group has access to a feature and another group does not, any user who is a member of both groups is indeed granted access.
Some examples of groups you might create may be based on:
Location—Suppose you want Pat to have full access to the local probes in Chicago, but not allow him to capture packets on probes located in the central office in New York. Create two Authentication permission policies ("Chicago Probes" and "New York Probes") and two user groups ("Admins" and "Operators") with the appropriate permissions policy set. Add Pat to both user groups. By adding Admins (who have full permissions) to the access list for Chicago Probes, Pat is granted full access permission to any probe in the Chicago asset group. By adding Operators to the access list for New York Probes, Pat will have more restricted access to the New York Probes.
Employment status: internal vs. contractor—Suppose Pat is a contractor and you want contractors to have the ability to use the network trending, but not to administer the probe or set properties. Create two Authentication permission policies ("Employee Permissions" and "Contractor Permissions") and two user groups ("Employees" and "Contractors") with the appropriate permissions policy set. As a member of the Contractors user group, Pat will not be able to change a probe's properties but will be able to see how the network is performing based on statistical analysis of the packets through network trending.
Responsibility: security team vs. network team—Suppose Pat is a network administrator. As a network administrator, Pat needs access to many things, but all security analysis and artifact and stream reconstruction is handled by the security team of which Pat is not a member. Create two Authentication permission policies ("Security Permissions" and "Network Admin Permissions") and two user groups ("Security Admins" and "Network Admins") with the appropriate permissions policy set. As a member of the 'Network Admins' user group, Pat will not be able to reconstruct any artifacts such as VoIP calls or viewed websites, but will be able to capture and analyze traffic from a probe.
OMS role—Suppose Pat is an OMS administrator while Chris is not. As an OMS administrator, Pat has the ability to add users, change passwords, and other tasks. Meanwhile, Chris is a user of the Observer Platform who should not have the same rights as Pat. Create an 'OMS Admin' group and add Pat to it. Add Chris to the 'Observer Platform' group.
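The additive rule applied to the location example above, as an added example that is not part of OMS or its documentation. It also reports where a second membership widens a user's access beyond what one group's policy allows, which is the check an administrator would run before adding a user or asset to another group. The data model (a group as users, assets and a set of allowed features), the feature names, the asset names and the treatment of a disabled group are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the location example; the feature
# names and this data model are assumptions, not the OMS schema.
@dataclass(frozen=True)
class UserGroup:
    name: str
    permissions: frozenset      # features the group's permission policy allows
    users: frozenset
    assets: frozenset
    login_enabled: bool = True  # assumed: a disabled group grants nothing

GROUPS = [
    UserGroup("Admins", frozenset({"view", "capture", "administer"}),
              frozenset({"pat"}), frozenset({"chicago-probe-1"})),
    UserGroup("Operators", frozenset({"view"}),
              frozenset({"pat", "chris"}), frozenset({"newyork-probe-1"})),
]

def _applies(group, user, asset):
    return group.login_enabled and user in group.users and asset in group.assets

def effective_permissions(user, asset, groups):
    """Union of the policies of every enabled group holding user and asset."""
    granted = set()
    for g in groups:
        if _applies(g, user, asset):
            granted |= g.permissions
    return granted

def widened_by_overlap(user, asset, groups):
    """Map each applicable group to the features the user holds on the asset
    that this group's own policy does not allow (granted via another group)."""
    total = effective_permissions(user, asset, groups)
    return {g.name: sorted(total - g.permissions)
            for g in groups
            if _applies(g, user, asset) and total - g.permissions}

if __name__ == "__main__":
    for asset in ("chicago-probe-1", "newyork-probe-1"):
        print("pat", asset, sorted(effective_permissions("pat", asset, GROUPS)),
              widened_by_overlap("pat", asset, GROUPS))
```

With the sample groups as written, Pat keeps restricted access in New York; adding the New York probe to Admins as well would silently give Pat capture and administer rights there, and `widened_by_overlap` names the Operators policy as the one being exceeded.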
 
Figure 2: User Groups
 
How to create a user group
User groups are very beneficial when you have a collection of users for which you want to regulate access to assets.
Tip! In Auth > AuthFlow, you can create a new user group by clicking .
1. Starting in the dashboard, click Auth > User Groups.
2. Click the new icon.
3. Type a Group name.
Group names are case-sensitive. An effective group name is identifiable to other users.
Valid Input: Any character may be used, except for these five: " ' & > <. The length may be 1-63 characters.
4. Ensure Login enabled is selected.
This option is selected by default. As an alternative to deletion, a group can be disabled.
5. Choose an Authorization policy.
Sets the authorization policy assigned to this user group.
Note: An authorization policy assigns what rights a user has when interacting with assets.
6. Click Users. Adding users is an easy drag-and-drop operation from the Available list to the Members list.
7. Click Asset Groups. Adding asset groups is an easy drag-and-drop operation from the Available list to the Members list.
8. Click Assets. Adding assets is an easy drag-and-drop operation from the Available list to the Members list.
9. Click Accept.
 
The group is created when the Saved user group notification appears on the screen.
 
How to add users to a user group
Adding a user to a group allows OMS administrators to assign permissions more efficiently to a group rather than individually.
Tip! In Auth > AuthFlow, you can drag a user directly onto a group.
1. Starting in the dashboard, click Auth > User Groups.
2. Select the user group you want to update.
3. Click Users. Adding users is an easy drag-and-drop operation from the Available list to the Members list.
4. Click the accept icon.
 
The user is added and now has access to all assets in the group using the privileges set in the group's permission policy.
 
How to delete a user group
Deleting a user group removes access for all users in the group. The user accounts remain, though.
Tip! Instead of deleting the group, consider whether disabling the group is more appropriate for you. Some organizations require inactive accounts be maintained for auditing purposes.
1. Starting in the dashboard, click Auth > User Groups.
2. Select one by clicking a table row.
3. Click the garbage can icon.
4. Click Yes to confirm the deletion.
 
The group is deleted when the Deleted the group popup appears on the screen. All users in the group no longer have access to OMS or any assets unless they are a member of another group.