About Group Access Rights

Group Access Rights enable WhatsUp Gold users to see or make changes to specific groups and devices. These rights can be enabled or disabled by the WhatsUp Gold administrator, and are disabled by default. They are turned off by default because it isn't necessary to use them, though they can be quite helpful when multiple users are present on WhatsUp Gold.

So if they aren't necessary, why would you want to use Group Access Rights? A simple answer to this question is to allow users to view and edit only those groups that matter to them. How so? Well for example, Group Access Rights are respected throughout the system, so a System Report will only show a user the devices from groups he or she has rights to view.

Another advantage of using Group Access Rights is their aid in the division of a large network. Group Access Rights allow an administrator to give users rights to certain parts of the network, so they can focus their attention on the segments in which they are granted rights.

Before enabling and assigning Group Access Rights, it is important to understand them and what they allow users to do.

Types of Group Access Rights

There are four types of Group Access Rights:

  1. Group Read. With Group Read rights for a group, users can view anything within the selected group and anything pertaining to that group, for example a group's reports, map, and device list.
  2. Device Read. With Device Read rights for a group, users can view all devices in a specific group. Users can also view the Device Properties and device reports of all devices within the selected group.
  3. Group Write. With Group Write rights for a group, users can edit group properties, as well as add, edit, and delete devices and subgroups within the selected group.
  4. Device Write. With Device Write rights for a group, users can edit the Device Properties of any device within the selected group, as well as delete the device from the group.

Rights are respected system-wide

When enabled, Group Access Rights are applied throughout WhatsUp Gold. Device and group pickers, reports, and group views all respect what a user account is granted permission to view and edit.

Inheritance

Group Access Rights are passed from parent group to subgroup: when a new a group is created, all of the Group Access rights that exist in the parent group are copied to the new group.

The "highest right"

Devices can belong in more than one group, so it is important to grasp the "highest right" philosophy. Basically, the highest right given to a user for a device is the right that is respected by WhatsUp Gold.

Example scenario:

A device, DEV12, belongs to two groups: Atlanta and Developers. A user on the network, Joe, has Device Write access to the Developers group, and Group Write access to the Atlanta group. Though Joe does not have Device Write Access for the Atlanta group, Joe can still delete the DEV12 device from the Atlanta Group. This is because in order to delete a device, a user needs Group Write and Device Write access. In this example, Joe has Group Write access to Atlanta and receives Device Write Access to DEV12, since it is also in the Developers group.

Group Access Rights with "Manage Groups" and "Manage Devices"

Another important aspect to understand about Group Access Rights is how they work with two user rights: Manage Groups and Manage Devices. Keep in mind that because they are user rights, they apply to a user account throughout the system. Essentially, they both act like global Write access flags to all groups and devices in the system. These two user rights can be very useful if you want to restrict a user account from editing devices or groups on the network.

If Group Access Rights is enabled and a user account has Group Write access to a group but does not have the Manage Group User Right, then the user account cannot edit the group. Both rights are needed. User Rights are global flags, whereas Group Access Rights allow you to fine-tune what user accounts can edit and view in the network.

Users' Home group

Users are given Group Read access to their Home group. If WhatsUp Gold did not automatically give users this Group Access Right, a user could become locked out of the Device List.

When an administrator changes a user's Home group, he or she can accidentally give a user access to an area of the application that wasn't desired.

Example scenario:

An administrator creates a new user account and leaves the Home group as the default, My Network. The new user account automatically receives Group Read access to My Network. At a later date, the administrator moves the user account to a subgroup, but doesn't make any changes to the user account's Group Access Rights, leaving the user account with Group Read access to the previous Home group, My Network.

A way to check for these undesirable permissions is to sign is using the user account you are making changes to, and check around to make sure the user account is seeing what it needs, and not seeing what it shouldn't.

Group Access Rights and Dynamic Groups

Group Access Rights cannot be assigned to dynamic groups. However, every device within a dynamic group belongs to at least one other group. Therefore, the Group Access Rights applied to the other groups apply to each device within that group, even though Group Access Rights aren't applied to the dynamic group. Remember that devices adopt the highest right out of the groups in which they belong.