A policy is assigned to each XpoLog user/group to define the permissions of that user, or of the group's members, in the system. The policy includes permissions for viewing and editing logs and folders and for applying different operations in the system. In addition, for a specific log/folder/application, XpoLog enables Administrators to edit the permissions granted to a user/group, so that the log/folder/application is either exposed to them or not.
XpoLog lets the Administrator choose one of the following options to define the permissions of users on the folder/log:
- Use parent permissions – the folder/log inherits permissions from its parent folder.
- Use application permissions – the folder/log has the permissions defined in the application which the folder/log is tagged to.
- Use specified permissions – the folder/log has the permissions that you assign on this page.
To edit permissions of a folder or log:
1. In the XpoLog menu, click Administration > Folders and Logs, select a folder or log, and then click the Permissions button.
   Alternately, in the Log Viewer left pane, under the Folders and Logs menu, right-click a log, and click Edit Permissions.
   The Permissions console opens.
2. Select one of the following options:
   - Use parent permissions
   - Use specified permissions
3. Under Edit Group Members, in the Available Members list, select a member that you want to be able to view and edit the folder/log, and click Add.
   The member is moved to the Selected Members list.
4. Repeat step 3 for each user/group that is to be permitted to view and edit the folder/log.
   Note: You can remove a user/group from the Selected Members list by selecting it and clicking Remove. It then returns to the Available Members list.
5. Under View Group Members, in the Available Members list, select a member that you want to be able to view only the folder/log, and click Add.
   The group is moved to the Selected Members list.
6. Repeat step 5 for each user/group that is to be permitted to view only the folder/log.
   Note: You can remove a group from the Selected Members list by selecting it and clicking Remove. It then returns to the Available Members list.
7. Click Apply.
   The permissions are applied on the selected folder/log.
If users are authenticated against an LDAP or Active Directory server (see LDAP/AD Authentication), permissions can be assigned to groups that are defined in the organizational LDAP/AD.
Add the groups in XpoLog under XpoLog > Security > Groups. For each new group, set its name to exactly the name it has in the LDAP/AD server. There is no need to change anything inside the group; this is done automatically. Assign the relevant policy from the policies list to the created group. If no policy is selected, the default policy is applied to the authenticated user associated with this group.
Specify on each Folder/Log/Application which group is allowed to view it as described above (make sure the All group is removed from the top Folders and Logs and other Folders/Logs).
When a user signs in to XpoLog (authenticating against the LDAP/AD), XpoLog takes the groups retrieved from the LDAP/AD and looks for a matching group that is defined internally. If such a match exists, the group's policy and permissions (based on the group's policy) are enforced on the user automatically.
XpoLog records in the audit log the list of groups that the authenticated user is associated with in the LDAP/AD server. After a user signs in, you can check the list of groups in the audit log in order to create matching groups internally in XpoLog.
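The three permission modes and the "remove the All group" check described above can be modelled offline to review who ends up with access. The following is an added example, not XpoLog code or an XpoLog export format: the folder tree, application, group names and function names are constructed, and "exact name" is assumed to mean case-sensitive string equality.

```python
# Constructed model of folders/logs: parent, tagged application, permission mode,
# and (only for "specified") the Edit and View member lists.
NODES = {
    "Folders and Logs": {"parent": None, "app": None, "mode": "specified",
                         "edit": {"admins"}, "view": {"All"}},
    "prod": {"parent": "Folders and Logs", "app": None, "mode": "parent"},
    "prod/payments.log": {"parent": "prod", "app": "Payments", "mode": "application"},
    "prod/auth.log": {"parent": "prod", "app": None, "mode": "specified",
                      "edit": {"CN-SecOps"}, "view": {"CN-Auditors"}},
}
APPLICATIONS = {"Payments": {"edit": {"CN-PayOps"}, "view": set()}}


def effective(name, nodes=NODES, apps=APPLICATIONS):
    """Return the (edit, view) member sets that actually apply to a folder/log."""
    seen = set()
    while True:
        if name in seen:
            raise ValueError("inheritance cycle at %r" % name)
        seen.add(name)
        node = nodes[name]
        if node["mode"] == "specified":      # Use specified permissions
            return node["edit"], node["view"]
        if node["mode"] == "application":    # Use application permissions
            app = apps[node["app"]]
            return app["edit"], app["view"]
        if node["parent"] is None:           # Use parent permissions, but no parent
            raise ValueError("%r inherits but has no parent" % name)
        name = node["parent"]                # walk up to the parent folder


def can_view(directory_groups, name):
    """True if any LDAP/AD group of the user matches a member by exact name.
    Edit members can also view, as in the Edit Group Members step."""
    edit, view = effective(name)
    return bool(set(directory_groups) & (edit | view))


def exposed_to_all(nodes=NODES):
    """Folders/logs whose effective members still include the All group."""
    return sorted(n for n in nodes if "All" in set().union(*effective(n, nodes)))


if __name__ == "__main__":
    print("Still exposed to All:", exposed_to_all())
    print("Auditor sees auth.log:", can_view(["CN-Auditors"], "prod/auth.log"))
```

In this model, leaving All on the top Folders and Logs node also exposes every descendant that uses parent permissions, which is why the check resolves inheritance before reporting.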