Understanding authorization policies
Authorization policies provide a centralized way to configure and manage a set of authorizations that applies only to a subset of users or groups for the Observer Platform.
There is a default authorization policy that is aptly named Default Policy. It allows full administrative access for all users to all applications and contains the default settings when creating new policies.
Note: Authorization policies differ from authentication schemes. Authorization policies control access to the Observer Platform but only after a user account has been authenticated. Authentication occurs either locally or with a third-party server.
An authorization policy must be selected when creating a user group. Authorization policies apply to a user group and never directly to an individual user.
How to create an authorization policy
Create new authorization policies when the Default Policy does not meet your needs, which is likely every situation except proofs of concept, since the Default Policy allows full access to everything.
Note: An authorization policy can prohibit use of an asset or asset element, but the policy cannot hide the assets from being seen.
1. Starting in the dashboard, click Auth > Authorization.
2. Click the new icon.
3. Type a Policy Name.
Names are case-insensitive. That means you cannot have two names that are the same except for upper- or lowercase spelling differences. For example, ‘Administrators’ and ‘administrators’ are considered identical.
4. Type a description.
5. For each policy, select the permission you want user groups to have.
6. Click Accept.
 
 
How to edit an authorization policy
Authorization policies can be edited at any time. Edit an authorization policy to affect the permissions of all user groups it is assigned to.
To edit an authorization policy:
1. Starting in the dashboard, click Auth > Authorization.
2. Select an authorization policy by clicking it.
3. Click the edit icon.
4. Make changes to the authorization policy.
For descriptions of the available options, see Authorization list.
5. Click Accept.
 
You successfully edited an authorization policy. These changes take effect immediately on any user group currently assigned the authorization policy.
 
How to delete an authorization policy
Authorization policies can be deleted for any reason. When an authorization policy is deleted, the user groups it was assigned to use the default policy instead.
To delete an authorization policy:
1. Starting in the dashboard, click Auth > Authorization.
2. Select an authorization policy by clicking it.
3. Click the garbage can icon.
4. Click Yes to confirm the deletion.
 
The authorization policy has been deleted. Any user groups that were assigned the authorization policy will now use the default policy.
 
How to modify the default authorization policy
To affect the asset authorization of all user groups that are not specifically given an authorization policy, you can modify the Default Policy.
By default, all user groups use Default Policy as an authorization policy unless explicitly changed.
To modify the default authorization policy:
1. Starting in the dashboard, click Auth > Authorization.
2. Click Default Policy.
3. Click the edit icon.
4. Modify the default authorization policy. See Authorization list for details about each option.
5. Click Accept.
 
Now, any user group that has Default Policy selected for its authorization policy is granted these authorizations.
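The fallback described in the deletion and default-policy sections above, modeled as an added example (not Observer Platform code; the inventory layout, group names and policy names are constructed). Because groups whose policy is deleted revert to the Default Policy, the sketch lists which groups a deletion would move there and applies the case-insensitive name rule from the creation steps.

```python
# Added example: models the policy semantics described on this page.
# The inventory layout and names are constructed for illustration; this is
# not an Observer Platform export format or API.
DEFAULT = "Default Policy"

POLICIES = ["Default Policy", "Read-Only Analysts", "NOC Operators"]
GROUPS = {  # user group -> assigned authorization policy (constructed)
    "Analysts": "Read-Only Analysts",
    "NOC": "NOC Operators",
    "Contractors": "Default Policy",
}


def name_available(new_name, policies):
    """Policy names are case-insensitive, so compare case-folded."""
    return new_name.casefold() not in {p.casefold() for p in policies}


def effective_policy(group, groups, policies):
    """A group whose assigned policy no longer exists uses the default."""
    known = {p.casefold(): p for p in policies}
    return known.get(groups[group].casefold(), DEFAULT)


def groups_on_default(groups, policies):
    """Groups currently governed by the Default Policy."""
    return sorted(g for g in groups
                  if effective_policy(g, groups, policies) == DEFAULT)


def impact_of_delete(policy, groups, policies):
    """Groups that would move to the Default Policy if `policy` were deleted."""
    remaining = [p for p in policies if p.casefold() != policy.casefold()]
    before = set(groups_on_default(groups, policies))
    return sorted(set(groups_on_default(groups, remaining)) - before)


if __name__ == "__main__":
    print("Name 'noc operators' available:",
          name_available("noc operators", POLICIES))
    print("Groups on Default Policy:", groups_on_default(GROUPS, POLICIES))
    print("Moved to Default Policy if 'NOC Operators' is deleted:",
          impact_of_delete("NOC Operators", GROUPS, POLICIES))
```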
 
Authorization list
The policy settings control the type of access a user group has. Use this information to configure an authorization policy.
 
Observer
Administer—Grants users the ability to administer probes and probe instances.
Log User Activity—Grants users the ability to view log file activity.
Protocol Definitions—Grants users the ability to view protocol definitions.
Redirect—Grants users the ability to change where a probe instance is connected.
Shared Filters—Grants users the ability to modify filters marked as shared in Observer.
Artifact Reconstruction
Reconstruct Stream—Controls whether HTML and other non-VoIP streams can be reconstructed.
Voice and Video Playback—Controls whether VoIP content can be reconstructed.
 
 
Observer Apex
No Access: Use of Apex is denied.
User: User may create and use:
Application Dependency Mapping
Dashboards
Execute dashboards
Widgets
System: Cannot use anything in User, but may:
Change options under System
Use the log
Connect to a GigaStor
Use a drill down
Set and manage alarms
Admin/Full: User and System access.
 
 
Observer Infrastructure
Access Level—
No Access: Use of OI is denied.
User: User may connect to device groups.
System: User access, plus:
Connect to device groups and view status and properties.
Edit device groups.
Start/stop polling.
Admin/Full: System access, plus:
Create and delete device groups and routes.
Activate device groups.
Edit maps.
Web Reports—Grants users ability to view reports in a web browser.
 
 
Observer Management Server
Access Level—
No Access: Use of OMS is denied.
System: Allows the user the ability to change options under System.
Admin/Full: System access, plus ability to control (add, modify, delete):
Assets
Asset groups
Authentication
Auto-adding assets and licenses
Licenses
Permissions
Security
Shared filters
Shared protocols
Updates
Upgrades
Users
User groups
Auto-Add Asset & License—Grants users the ability to auto-add new assets to OMS plus license them if System > Settings is set to allow those.