Tuesday, September 06, 2011

Solarwinds: Giving rights to NCM without giving away the farm

This is an enhancement to a thread that originally started on thwack:

Since NPM 10.1.x, everyone has enjoyed the ability to use AD groups rather than individual user accounts. Yay for NPM. But now in NCM, we have to somehow validate all these "new" users in NCM. Users who might not even have logged in yet, because you added an AD GROUP rather than a single account.
  1. To do that, in NPM you have to give the group (or account) "View Customization" right, which ain't gonna happen because then all your users can change anything about any screen anywhere.
  2. Not to mention that NCM doesn't allow you to add AD Groups, so you have to 
    1. Add user accounts individually to the NCM system
    2. OR stick with generic NCM roles and map them for each user in NPM
While I'm hopeful that the next version of NCM (rumor has it that it will be version 7.0, due out by the end of 2011) will have some improvements to this, we've found a work-around.

This assumes you've set up the generic roles (webviewer, engineer, etc) on the NCM server.

  1. Log onto your SolarWinds website with an account that has “Change View” permissions
  2. Go to the "Config" tab and make sure you set the credentials to use the account “Webviewer” (with whatever password you gave it in the NCM Console)
  3. Open an RDP session to your NPM server
  4. Start the Solarwinds Orion Database Manager utility
  5. Find the table “WebUserSettings”, right-click it, and choose "Query"
  6. Run the query: “Select * from WebUserSettings where settingname like '%cirrus%' and accountID like '%%'”
  7. make sure is the one you used in step 1 above
  8. Click the read-write radio button and hit “refresh”
  9. Change the AccountID for the 3 settings (CirrusIsFirstTime, CirrusISPassword, CirrusISUserName) to use the user account, in the form:
    DOMAIN\username
    ...or...
    DOMAIN\GroupID
Repeat this step by going back to the Solarwinds website and hitting refresh (you will see that you have to re-enter your credentials), and then going back to the RDP session, hitting refresh, and renaming your account again.
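
Steps 5 through 9 can also be run as a single guarded T-SQL batch. This is an added example, not part of the original post or any SolarWinds tooling; it assumes the Orion database is on SQL Server and uses only the table, column and setting names shown above. Both account values are placeholders.

```sql
-- Added example. Assumes SQL Server (T-SQL) and the names from the post's
-- query: table WebUserSettings, columns AccountID and SettingName.
DECLARE @SourceAccount nvarchar(255) = N'<account used in step 1>';  -- placeholder
DECLARE @TargetAccount nvarchar(255) = N'DOMAIN\GroupID';            -- placeholder

BEGIN TRANSACTION;

-- Refuse to stack a second set of NCM settings on an account or group
-- that has already been mapped.
IF EXISTS (SELECT 1
           FROM   WebUserSettings
           WHERE  AccountID = @TargetAccount
             AND  SettingName LIKE '%cirrus%')
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Target already has Cirrus settings; nothing changed.', 16, 1);
    RETURN;
END;

-- Step 9: hand the three NCM settings from the source account to the target.
UPDATE WebUserSettings
SET    AccountID = @TargetAccount
WHERE  AccountID = @SourceAccount
  AND  SettingName IN ('CirrusIsFirstTime', 'CirrusISPassword', 'CirrusISUserName');

-- The post names exactly three settings. Any other count means the source
-- account was wrong or its credentials were never entered (step 2).
IF @@ROWCOUNT <> 3
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected 3 rows to be reassigned; rolled back.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;

-- Review which accounts and AD groups are now mapped to an NCM credential.
SELECT   AccountID, SettingName
FROM     WebUserSettings
WHERE    SettingName LIKE '%cirrus%'
ORDER BY AccountID, SettingName;
```

The final SELECT doubles as a periodic audit: every AD group listed there gives all of its members the NCM role behind the mapped credential, so group membership changes are worth reviewing alongside it.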
