Stop having the Add Device Wizard adding properties to root group


Mike Moniz

Please stop having the wizard add snmp and esxi and other properties to the root group when using the Add Device Wizard or respect RBAC permissions for users running the wizard.

We try to use SNMP v3 when possible with all our customers and that doesn't use the snmp.community property. But if someone uses the wizard for a completely different customer for v2c, it sets snmp.community on root and via inheritance to all other customers' devices and it breaks them. We or our customers then get a bunch of false No Data alerts as LM switches over to using v2c, even with v3 creds provided or our attempts to force v3 with snmp.version. ESXi creds on root can also cause a problem because we sometimes use a domain account for vCenter access, so it looks like "customer/username" and then we end up leaking customer names and usernames to any customer who can look at any info page.

Thanks!

  • Upvote 3
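The inheritance problem described in the post above can be audited offline. This is an added example, not part of the original post and not LogicMonitor code: it uses a simplified nearest-scope-wins model of group property inheritance, a constructed group tree, and the assumed property name `esx.user` for the ESXi account, and it lists which devices pick up credential-style properties from the root group.

```python
# Constructed sample data; a simplified model, not LogicMonitor's API.
SENSITIVE_PREFIXES = ("snmp.", "esx.")  # assumed credential-style property prefixes

# Group path -> properties set directly on that group (constructed values).
GROUP_PROPS = {
    "/": {"snmp.community": "custB-string", "esx.user": "custB/svc-monitor"},
    "/CustomerA": {"snmp.version": "v3"},
    "/CustomerB": {},
}
# Device -> (parent group path, properties set directly on the device).
DEVICES = {
    "a-core-sw1": ("/CustomerA", {}),
    "a-fw1": ("/CustomerA", {"snmp.community": "a-own"}),
    "b-esx1": ("/CustomerB", {}),
}

def ancestors(path):
    """Yield group paths from the root group down to `path`."""
    yield "/"
    parts = [p for p in path.split("/") if p]
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])

def effective_props(device):
    """Resolve a device's properties; returns name -> (value, where it was set)."""
    group, own = DEVICES[device]
    resolved = {}
    for g in ancestors(group):  # deeper groups override shallower ones
        for name, value in GROUP_PROPS.get(g, {}).items():
            resolved[name] = (value, g)
    for name, value in own.items():  # device-level values override groups
        resolved[name] = (value, device)
    return resolved

def root_credential_exposure():
    """Return {property: [devices whose effective value comes from root]}."""
    findings = {}
    for name in GROUP_PROPS["/"]:
        if name.startswith(SENSITIVE_PREFIXES):
            findings[name] = sorted(
                d for d in DEVICES
                if effective_props(d).get(name, (None, None))[1] == "/"
            )
    return findings

if __name__ == "__main__":
    for prop, devices in root_credential_exposure().items():
        print(f"{prop} set on root is inherited by: {', '.join(devices)}")
```

In this constructed tree the v3-only device `a-core-sw1` still ends up with a root-level `snmp.community`, and every device sees the other customer's `esx.user` value.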

10 minutes ago, Mike Moniz said:

Please stop having the wizard add snmp and esxi and other properties to the root group when using the Add Device Wizard or respect RBAC permissions for users running the wizard.

We try to use SNMP v3 when possible with all our customers and that doesn't use the snmp.community property. But if someone uses the wizard for a completely different customer for v2c, it sets snmp.community on root and via inheritance to all other customers' devices and it breaks them. We or our customers then get a bunch of false No Data alerts as LM switches over to using v2c, even with v3 creds provided or our attempts to force v3 with snmp.version. ESXi creds on root can also cause a problem because we sometimes use a domain account for vCenter access, so it looks like "customer/username" and then we end up leaking customer names and usernames to any customer who can look at any info page.

Thanks!

 

This is a specific case of the more general "RBAC and groups are not sufficient to support an MSP model", which I have been trying to get fixed for years.  There needs to be structural support for multiple clients, not bolted on as is currently done.

I never use the wizard, so I didn't realize this was how it worked :).

  • Like 1

My recommendation? Stay away from any wizards LM provides.  This stuff happens here and with the "simple" netscan setup, you end up with a bunch of nonsense top-level groups if you are not careful.  I think there should be a knob in the portal settings to disable wizards...

  • Like 2