Roles
Last updated on 04 December, 2024
Roles are sets of permissions and configurations that determine how a user interacts with the LogicMonitor platform, as well as what functionality users can access. By default, LogicMonitor installs with four standard roles:
- Administrator. The administrator role assigns manage permissions to all areas of the platform, allowing administrators to perform any possible function, including security-sensitive actions.
- Manager. The manager role assigns almost the same level of permissions as the administrator role, with the exception of security-sensitive actions.
- Ackonly. The ackonly role assigns view, acknowledge, and SDT permissions for alerts for all hosts and websites. It also includes permissions for managing device dashboards and creating private dashboards.
- Readonly. The readonly role assigns view permissions to all areas of the platform; it provides no ability to make changes to the platform, with one exception: users with this role can create private dashboards.
In addition to these four predefined roles, administrators (or any user granted manage permissions for User Access settings) can create an unlimited number of additional roles with very granular sets of permissions. This flexibility is extremely useful for limiting users to the specific areas of the platform relevant to their duties.
You can assign View or Manage permissions for a user’s access to different areas of the platform: Dashboards, Resources, Websites, Logs, Saved Maps, Reports, Settings, and Help & Support. Within each platform area, there may be other more granular permissions available.
Creating Roles
To create a new role, navigate to Settings > Users & Roles > Roles > Add > Role. The Add Role dialog displays, featuring all permissions and configurations available for inclusion in a role. Each is discussed next.
Name and Description
In the Name and Description fields, enter a name and description for the role.
Note: Role names cannot include the operators and comparison functions used by LogicMonitor’s datapoint expression syntax, which is discussed in Complex Datapoints.
Role Group
In the Role Group field, enter the name of the existing role group to which this new role belongs. If your organization doesn’t organize roles by group, or if the group hasn’t yet been created, leave the default “Ungrouped” group in place. For more information on role groups, see the Role Groups section of this support article.
Require to sign LogicMonitor’s EULA
Checking the Require to sign LogicMonitor’s EULA option will require any user assigned this role to sign LogicMonitor’s End User Licensing Agreement (EULA).
This setting is configured per role, but stored per user. Once a user has accepted the terms, they will not be shown the EULA again, unless the LogicMonitor terms change.
Dashboard Permissions
Under the Dashboards area of the Add Role dialog, establish the level of dashboard permissions that users assigned this role will have. As discussed (and shown) next, there are several types of permissions available for dashboards.
Allowed to Create Private Dashboards
Checking the Allowed to create private dashboards option allows users to create/edit their own private dashboards. As discussed in Creating Dashboards, private dashboards are only available to the user who created them (and administrators).
Allow Widget Sharing
When checked, the Allow Widget Sharing option allows the role’s users to share widgets via a URL that can be embedded externally to the LogicMonitor platform. Users must also have manage permissions for the dashboard group that parents a widget in order to share it.
Additionally, this option must be selected to allow the user to manage embedded URL widgets from the Widget Tokens tab. To learn more about generating and managing embedded widget URLs, see Sharing Widgets via Embedded URLs.
View/Manage Permissions for Dashboards
From the table of dashboards, you can assign view or manage permissions for all dashboards found within a dashboard group or subgroup. Subgroups will inherit permissions specified for a parent group.
- View. View permissions provide the ability to view all dashboards within a selected group. If you don’t provide, at a minimum, either (1) view permissions for at least one dashboard group or (2) permissions to create private dashboards, the Dash page will be hidden for this role.
- Manage. Manage permissions provide the ability to view, edit, and delete dashboards within a selected group, as well as add, edit, or delete widgets for those dashboards. Manage permissions also provide the ability to create new subgroups for the groups to which the permissions are assigned.
If you check the All option at the top of the “View” or “Manage” column, you’re setting that level of permissions not only for all current existing dashboard groups, but for all future dashboard groups as well.
Note: In order to view dashboard widgets that display data for a particular resource, website, or topology map, a user will additionally require view permissions for that component. To give a user permission to view component data via dashboards, but not view the component(s) themselves, uncheck the pages from the options found under the View Permission heading in the user account record. It’s important to note that unchecking pages (e.g. resources, websites, mapping, etc.) from this area of the user record will hide these pages altogether from the user.
Note: View or manage permissions can only be given to public dashboards. Private dashboards are not available for access through role assignment, but the sharing of a private dashboard can be initiated from the dashboard itself, as discussed in Sharing and Exporting/Importing Dashboards.
Resource Permissions
Under the Resources area of the Add Role dialog, establish the level of resource permissions that users assigned this role will have. As discussed (and shown) next, there are several types of permissions available for resources.
Allowed to Manage Resource Dashboards
When checked, the Allowed to manage Resource Dashboards option allows users assigned this role to manage the resource dashboards (i.e. Graphs tab) for each resource in which the user is assigned permissions.
Allowed to View Map Tabs
When checked, the Allowed to view Map Tabs option allows users assigned this role to access a resource’s Maps tab, assuming they have view (or greater) permissions to that resource. As discussed in Maps Tab, Maps tabs are related to topology mapping, a feature that is only available to LogicMonitor Pro and Enterprise accounts.
Configs Tab Only Visible with Manage Permissions
When checked, the Configs tab only visible with Manage permissions option allows users assigned this role to view the Configs tab that displays for ConfigSources, assuming they are applied to resources for which the user has manage permissions.
Note: If a user has more than one role assigned and the option Configs tab only visible with Manage permissions is selected in any of the roles, then the user will be able to see the Configs tab only for the ConfigSources of resources for which they have manage permissions.
View, Acknowledge, SDT, Threshold, Manage, and Remote Session Permissions for Resources
From the table of resources, you can assign view, acknowledge, SDT, and threshold permissions to all devices or services found within a resource group. In addition, manage and remote session permissions are available for device groups and subgroups. If not explicitly assigned, subgroups will inherit permissions specified for a parent group. Resource permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual resources within a group.
Note: You cannot directly assign manage permissions to dynamic groups (or services which are a type of dynamic group) as the resources that make up these groups are ever changing. Only administrators and those with admin-level manage permissions to resources (i.e. the All option is selected at the top of the table of resources) have the ability to manage dynamic groups. For more information on dynamic groups, see Device Groups Overview.
- View. View permissions provide the ability to view all resources within a selected group. View permissions are also required in order to view resource data from dashboard widgets, reports, and the Alerts page. If you don’t provide view permissions for at least one resource group, the Resources page will be hidden for this role.
- Acknowledge. Acknowledge permissions provide the ability to acknowledge alerts for the resources in the selected group.
- SDT. SDT permissions provide the ability to schedule downtime for the resources in the selected group.
- Threshold. Threshold permissions allow a user to set or update datapoint thresholds at the resource group, resource, or instance level.
- Manage. Manage permissions incorporate view, acknowledge, SDT, and threshold permissions. In addition, this permission level provides the ability to:
  - Edit and delete resources within the selected group.
  - Add new resources to the selected group.
    Note: When adding new devices, you must assign the device to a Collector or Collector group; therefore, you must also have view permissions to the relevant Collectors, as discussed in the Settings Permissions section of this support article, in order to add new devices.
  - Create new subgroups for the group.
- Remote session. Remote session permissions apply to device groups only, allowing users to remotely access and operate the devices within a selected group from within the LogicMonitor platform. As discussed in Remote Session, this functionality, when assigned, is initiated from the Resources page.
If you check the All option at the top of the “View,” “Acknowledge,” “SDT,” “Threshold,” “Manage,” or “Remote Session” column, you’re setting that level of permissions not only for all current existing resource groups, but for all future resource groups as well.
Service Group Permissions
Service Group permissions are managed within the subset of Resources. LM Services can be created within existing Service Groups if provided during instrumentation, or will be automatically created at ingestion (for Service Namespaces).
The existing functionality within Resources is also supported for Service groups.
Traces Permissions
Traces permissions enable access to view the Traces page and its associated features.
To view data on the Traces page, you must have both the Traces View permission enabled and View permissions on the Service groups.
If the Traces View permission is disabled, you cannot view any of the data presented on the Traces page (even if you have access to the Service groups corresponding with the traces).
If you have Traces View permissions enabled, but only view access to a subset of Service groups, you will not see the traces in your LogicMonitor portal. Any data corresponding to services that you do not have access to will not be visible.
Website Permissions
Under the Websites area of the Add Role dialog, establish the level of website permissions that users assigned this role will have. As discussed (and shown) next, you can assign view, acknowledge, SDT, or manage permissions to all websites found within a website group or subgroup.
Website permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual websites within a group. If not explicitly assigned, subgroups will inherit permissions specified for a parent group.
- View. View permissions provide the ability to view all websites within a selected group. View permissions are also required in order to view website data from dashboard widgets, reports, and the Alerts page. If you don’t provide view permissions for at least one website group, the Websites page will be hidden for this role.
- Acknowledge. Acknowledge permissions provide the ability to acknowledge alerts and schedule downtime for the websites in the selected group.
- SDT. SDT permissions provide the ability to schedule downtime for the websites in the selected group.
- Manage. Manage permissions incorporate view, acknowledge, and SDT permissions. In addition, this permission level provides the ability to edit and delete websites within the selected group, as well as add new websites. Manage permissions also provide the ability to create new subgroups for the groups to which the permissions are assigned.
If you check the All option at the top of the “View,” “Acknowledge,” “SDT,” or “Manage” column, you’re setting that level of permissions not only for all current existing website groups, but for all future website groups as well.
Note: If you would like a user to be able to edit the default checkpoint and alert triggering settings in place for websites, the All option must be checked for the “Manage” column. For more information on website default settings, see Website Default Settings.
Saved Map Permissions
Under the Saved Maps area of the Add Role dialog, establish the level of permissions that users assigned this role will have for the Mapping page. As discussed in Mapping Page, saved maps are related to topology mapping, a feature that is only available to LogicMonitor Pro and Enterprise accounts.
You can assign view or manage permissions to all topology maps found within a map group. Map permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual maps within a group.
- View. View permissions provide the ability to view all topology maps within a selected group. View permissions are also required in order to view topology map widgets based on a saved topology map. If you don’t provide view permissions for at least one topology map group, the Mapping page will be hidden for this role.
- Manage. Manage permissions provide the ability to edit and delete topology maps within the selected group, as well as add new maps.
If you check the All option at the top of the “View” or “Manage” column, you’re setting that level of permissions not only for all current existing topology map groups, but for all future topology map groups as well.
Note: If a user does not have the permissions necessary to see a resource that would otherwise be rendered via a topology map (i.e. the resource is a member of a resource group that the user does not have permissions for), it will be hidden from the map output and not display as a vertex on the map.
Report Permissions
Under the Reports area of the Add Role dialog, establish the level of report permissions that users assigned this role will have.
You can assign view or manage permissions to all reports found within a report group. Report permissions can only be assigned at the group level; you cannot assign view or manage permissions to individual reports within a group.
- View. View permissions provide the ability to view and generate all reports within a selected group. If you don’t provide view permissions for at least one report group, the Reports page will be hidden for this role.
- Manage. Manage permissions provide the ability to edit, schedule, and delete reports within the selected group, as well as add new reports.
If you check the All option at the top of the “View” or “Manage” column, you’re setting that level of permissions not only for all current existing report groups, but for all future report groups as well.
Note: In order to view reports that display data for a particular resource or website, a user will additionally require view permissions for that component.
Logs Permissions
Logs permissions enable access to LM Logs and its associated features.
Logs
- View grants access to the Logs page and its shared functionality on other pages. To view log events, you also need permissions to view the Resources that generate the logs.
Pipelines
- View grants access to Log processing pipelines.
- Manage enables you to view, add, and edit log pipelines and alert conditions.
Log Ingestion API
- Manage lets an API-only user submit logs through the Log Ingestion API. See Sending Logs to the LM Logs Ingestion API.
Settings Permissions
Under the Settings area of the Add Role dialog, establish the level of permissions that users assigned this role will have for the various configurations and features available from the Settings page.
Note: If you don’t provide view permissions for at least one setting, the Settings page will be hidden for users with this role.
Access Logs
Access Logs permissions allow users assigned this role to view, filter, download, and report on the data stored in the platform’s Audit Logs.
Account Information
Account Information permissions allow users assigned this role to view or manage the account information and account-wide settings established for your portal.
Alert Settings
Alert Settings permissions are broken into five categories. You can individually assign view or manage permissions for configurations relating to alert dependency (i.e. root cause analysis), alert rules, escalation chains, external alerting, and recipient groups. In order to configure alert rules for a resource or website, a user must have view permissions for that resource or website.
Collectors
Collectors settings allow you to assign view or manage permissions to all Collectors found within a Collector group.
- View. View permissions provide the ability to view all Collectors within a selected group, as well as add devices or websites to those Collectors.
Note: To give a user permission to assign devices/websites to a group of Collectors, but not to view the Collectors themselves, assign view rights to the Collector group and, from the User account, uncheck the Settings option available under the View Permission heading. It’s important to note that this will hide the Settings page altogether and disrupt the user’s ability to view or manage other setting areas.
- Manage. Manage permissions provide the ability to view, edit, and delete all Collectors within a Collector group, as well as perform all actions associated with Collectors available from the Settings page.
If you check the View or Manage option for the overall Collectors category, you’re setting that level of permissions not only for all current existing Collector groups, but for all future Collector groups as well.
Exchange
This allows users assigned this role to view or manage modules (for example, DataSources or EventSources) within the Exchange. In addition to the standard “View” and “Manage” permissions, it offers “Commit” and “Publish” permissions for the Exchange. This provides control over which users can commit private or publish versions of modules in the LogicMonitor portal.
My Module Toolbox (LogicModules)
This allows users assigned this role to view or manage modules installed from Exchange within My Module Toolbox.
Integrations
Integrations permissions allow users assigned this role to view or manage integrations (pre-built or custom) with external ticketing and team collaboration systems.
Message Templates
Message Templates permissions allow users assigned this role to view or manage the global templates in place for alert messages and new user messages.
NetScans
NetScans permissions allow users assigned this role to view or manage NetScans, which are configured processes that direct LogicMonitor Collectors to periodically look for and automatically discover devices in your network.
Ops Notes
Ops Notes permissions allow users assigned this role to view or manage Ops Notes, which are time-stamped annotations that display in your resource or website graphs.
The level of permissions granted here determines access to Ops Notes both from the Settings page and the Resources/Websites page. You must have at least view permissions for a resource/website group in order to enter ops notes for it or one of its members.
Role Access
Expand the Role Access setting to assign view permissions to all roles found within a particular role group. The ability to create and manage roles is intended for administrators only; therefore, manage permissions can only be assigned as a whole to all role groups (i.e. manage permissions cannot be assigned to roles on a per-group basis).
Note: View permissions are required here in order to create new users.
User Access
Expand the User Access setting to assign view or manage permissions to all users found within a user group. View permissions for users are required in order to add users to recipient groups, add users/user groups as alert recipients as part of escalation chains, or deliver reports to users.
Manage permissions provide the ability to create new users and manage single sign-on settings and are generally intended for administrator accounts.
User Profile
If you do not give manage permissions to User Access settings, you will be provided the option to additionally assign manage permissions to two User Profile settings, which allow users to manage the following settings on their own profile:
- Edit basic user account information (for example name, password, time zone, contact information) by clicking on their usernames in the upper right corner of the LogicMonitor UI
- Create API tokens
Security
Security permissions allow users assigned this role to view or manage the LogicMonitor account’s security settings for your portal.
Recommendation: LogicMonitor does not recommend assigning ‘Manage’ access to your user. The ‘Manage’ access is reserved only for users with ‘Admin’ privileges. For more information, see LogicMonitor Security Best Practices.
Note: The Security permission applies to out-of-the-box user roles.
Help/Support Permissions
Under the Help & Support area of the Add Role dialog, establish the level of access to support and help documentation that users assigned this role will have.
Support Type
There are several types of support you can make available to users assigned this role.
- Documentation. If view permissions are given for Documentation, a “Support” link displays in the upper right of the top navigation bar for users assigned this role. When clicked, the “Support” link opens an inline search window titled “Support Guide” that provides access to LogicMonitor’s support articles and development guides. Depending upon other support access provided to the user, the Support Guide window may also feature a “Contact Support” link at its bottom with one or more of the following available actions:
  - Chat with an Engineer. This allows users to launch a live chat from within the platform.
  - Support Request. This allows users to submit a support ticket.
  - Feedback. This allows users to submit platform feedback.
- Training. If view permissions are given for Training, a “Training” link displays in the upper right corner of the top navigation bar for all users assigned this role. The “Training” link allows users to enroll in the LogicMonitor Certified Professional (LMCP) Exam, as discussed in LogicMonitor Certified Professional Exam Information.
For more information on the support resources available to users, see Accessing Support Resources.
Custom Help Link
In addition to LogicMonitor’s built-in Support and Training links, you have the option to add a custom help link and label if you’d like to give users direct access to an internal help site.
If Documentation is enabled by the role, then the label for this link will be displayed under the “Contact Support” link found at the bottom of the Support Guide window. If Documentation is not enabled by the role (i.e. users cannot view inline documentation), then clicking the “Support” link will take the user directly to the URL specified for the custom link.
Assigning Roles to Users
Roles, once created, are assigned to users from the user record, as discussed in Users.
If a user is assigned multiple roles, the effective permissions for that user will be the sum of the privileges of each role. For example, if one assigned role provides view only permissions to all resources, but another assigned role provides manage permissions to all resources, the user will have view and manage permissions for all resources. If yet another assigned role provides view permissions for all dashboards, but no permissions for resources, the user will maintain manage permissions for all resources and additionally gain view permissions for all dashboards.
Note: To see all users assigned to a particular role, generate the Role Report.
Note: From user account settings, there is the ability to remove one or more pages (e.g. Dash page, Resources page, Alerts page, etc.) from the user’s view. If a page is removed from view from the user’s account, this takes precedence over permission levels provided by assigned roles.
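The sketch below is an added example, not LogicMonitor code: it models the rules described on this page (subgroup inheritance, Manage incorporating the lesser resource permissions, multiple roles summing, and a page removed on the user record staying hidden) so that a user's effective resource access can be reviewed. The role names, group paths, data layout, the `"*"` stand-in for the All option, and the rule that the nearest explicit assignment applies within one role are assumptions made for the example.

```python
# Added illustration: a simplified model of the permission rules on this page.
# All names and data are constructed; this is not LogicMonitor's API or storage.

# Manage incorporates view, acknowledge, SDT and threshold for resources.
# Remote session is a separate permission and is not implied by manage.
IMPLIES = {"manage": {"view", "acknowledge", "sdt", "threshold"}}


def expand(perms):
    """Return the granted permissions plus everything they incorporate."""
    out = set(perms)
    for p in perms:
        out |= IMPLIES.get(p, set())
    return out


def role_perms(role, group):
    """Permissions a single role gives on one resource group.

    Assumption: the nearest explicit assignment on the group or an ancestor
    applies; "*" stands for the All option (current and future groups).
    """
    grants = role["resources"]
    parts = group.strip("/").split("/")
    while parts:
        path = "/".join(parts)
        if path in grants:
            return expand(grants[path])
        parts.pop()  # not explicitly assigned here: inherit from the parent
    return expand(grants.get("*", set()))


def effective_perms(user, roles, group):
    """Effective permissions are the sum (set union) over all assigned roles."""
    total = set()
    for name in user["roles"]:
        total |= role_perms(roles[name], group)
    return total


def roles_granting(user, roles, group, perm):
    """Assigned roles that contribute a permission (useful in access reviews)."""
    return sorted(n for n in user["roles"] if perm in role_perms(roles[n], group))


def resources_page_visible(user, roles):
    """The Resources page shows only if it has not been removed on the user
    record and at least one role gives view on at least one resource group."""
    if "resources" in user.get("hidden_pages", set()):
        return False  # removal on the user record takes precedence over roles
    return any("view" in expand(p)
               for n in user["roles"]
               for p in roles[n]["resources"].values())


# Constructed sample roles and users.
ROLES = {
    "noc-view": {"resources": {"*": {"view"}}},
    "db-oncall": {"resources": {"Prod/Databases": {"manage"},
                                "Prod/Databases/Archive": {"view"}}},
    "dash-only": {"resources": {}},
}
USERS = {
    "alice": {"roles": ["noc-view", "db-oncall"]},
    "bob": {"roles": ["dash-only"]},
    "carol": {"roles": ["noc-view"], "hidden_pages": {"resources"}},
}

if __name__ == "__main__":
    for group in ("Prod/Databases/Primary", "Prod/Databases/Archive", "Prod/Web"):
        perms = effective_perms(USERS["alice"], ROLES, group)
        print(f"alice on {group}: {sorted(perms)}")
    print("manage on Primary comes from:",
          roles_granting(USERS["alice"], ROLES, "Prod/Databases/Primary", "manage"))
    print("carol sees Resources page:", resources_page_visible(USERS["carol"], ROLES))
```

In this model carol keeps view permission on resource data (for example through dashboard widgets) while the Resources page itself stays hidden, which matches the dashboard note earlier on this page.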
Managing Roles
Existing roles can be viewed at Settings | Users & Roles | Roles. All roles are nested in group(s) and listed in table form.
From this table, you can:
- Filter roles. Restrict table display to one or more role groups using the “Groups” filter.
- Search roles. Search for roles using role name, group name, or role description.
- Log off users. Place a checkmark in the leftmost column of one or more roles and click the Logoff Users button to log off all users to which a role is assigned.
- Expand role details. Click the arrow to the left of a role to expand listing to include all permissions assigned to the role.
- View user count. The far right column displays the number of users the role is assigned to. You can get additional details on users assigned to a particular role by generating the Role Report.
- Edit, clone, or delete a role. Click the gear icon to open the Manage Role dialog. From this dialog, you can update the permissions assigned to a role, clone a role, or delete a role. If you update role permissions assigned to a user that is currently active in the platform, they will experience those updates as soon as they move to a new area of the product (i.e. a refresh takes place). You cannot delete a role that is currently assigned to one or more users.
- Manage role groups. Click the drop-down arrow to the right of a role group name to edit or delete the group.
Role Groups
As with other areas of LogicMonitor, roles can be organized into logical groupings.
Creating Role Groups
To create a role group, navigate to Settings | Users & Roles | Roles | Add | Role Group. Once created, roles can be added to the group from the Add Role or Manage Role dialogs.
Managing Role Groups
Role groups can be edited or deleted from the Roles tab by clicking the drop-down arrow located to the right of a role group name.
When deleting a role group, you have the option to delete the group only, or the group and all its member roles:
- Delete group only. This option deletes the group and moves any member roles to the default “Ungrouped” group.
- Delete group and all the roles within the group. This option deletes the role group and all of its member roles. If users are currently assigned to any of the member roles, they must first be unassigned before the role can be deleted.