The users/groups/permissions authorization paradigm manages global permissions. For example, a user with Dashboard permission can manage all dashboards. This paradigm is sufficient for many Wavefront customers.
Admins who need finer-grained control can manage access to Wavefront objects on a per-object basis. we currently support access control for dashboards and alerts. See Authorization in Wavefront for background information.
This video shows how to limit access for dashboards, how to share dashboards, and how to set the Security system preference. You can manage access for alerts the same way.
Note: After the Access security preference is set to Creator in an environment, only the creator of a new object and Super Admin can view and modify new objects initially. Those users can share the object with other groups or users.
How Access Control Works
Wavefront supports granting and revoking access to dashboards and alerts.
- By default, all users can access all dashboards and alerts.
- Users with Dashboard permission can:
- Change access for one or more dashboards from the Dashboard browser.
- Select the Share icon on individual dashboards to change who has access.
- Users with Alert permission can:
- Change access for one or more alerts from the Alerts browser.
- Select the Share icon on individual alerts to change who has access.
In high-security environments, administrators change a security preference. After that:
- Each new object (dashboard or alert) is visible only to the creator and to Super Admin users.
- The object creator or a Super Admin user can then share new dashboards with groups or users.
- If the administrator changes the Security preference back to allow Everyone access, then the objects that were created while the strict security preference was set continue to be governed by access control.
Change Access for One or More Dashboards or Alerts
Privileged users can change the access setting for one or more dashboards or alerts from the Dashboards browser or the Alerts browser. The process is the same for both objects. The following steps show how to do it for dashboards.
- From the top menu bar, click Dashboards > All Dashboards.
- Select the check boxes for the dashboards you want to change. You can see the dashboard’s current Access settings in the Access column.
- Click +Access to add groups/users and -Access to remove groups/users.
- Specify the groups/users and click Update.
Changing Access for Individual Dashboards or Alerts
You can change access for an individual dashboard or alert from the Edit page of the object. For example, you can add access for the Finance group and revoke access for the Everyone group for a dashboard:
- Click Dashboards > All Dashboards and navigate to the dashboard you want to modify.
- Click the Share Dashboard icon.
- In the dialog, select Users & Groups:
- To grant View Access or View & Modify access, type the name(s) of groups or users
- To revoke View Access or View & Modify access, click the
xnext to the group or user name.
- Click Update.
Changing the Access Control Security Preference
Initially, all users can view all dashboards and alerts. In addition, global permissions apply:
- Users with Dashboard permission can modify all dashboards
- Users with Alert permission can modify all alerts.
Administrators can restrict access for new dashboards and alerts:
- Click the gear icon and select System Preferences.
- Click the Security tab and select Grant Modify Access To: Creator
After the change to the preference, access to new dashboards and new alerts is initially limited to the dashboard creator and Super Admin users. Those users can share the objects with other groups or individual users by giving View access or View & Modify access.
Note: A security preference change applies only to dashboards and alerts created after the change. If you change the setting to Creator, only new dashboards and alerts have restricted access. If you later change the setting to Everyone, all dashboards and alerts that were created while the setting was Creator keep the restricted access.
Making Orphan Dashboards or Alerts Visible
An orphan dashboard results if:
- All users and groups, including the Everyone group, no longer have access.
- Only one user had access to a dashboard or an alert, and that user was deleted.
To restore an orphan dashboard or alert:
- Log in as Super Admin and select Super Admin from the gear icon.
- Select the orphaned dashboard or the alert and share it with other users or groups.