PRTG Manual: Access Rights Management

With the access rights management, you can define which user in which user group can access which objects in your PRTG installation, and you can manage all user access rights and group access rights.

You can create a nearly unlimited number of other users, which you can organize in a nearly unlimited number of user groups. Each user group can have separate access rights for each object in the device tree except channels, as well as for libraries, maps, and reports. Objects can also inherit access rights according to the object hierarchy.

User Access Rights Overview

Each user also has specific access rights. There are administrators who are user group members with administrative rights, read/write users, and read-only users. You can define the user type (read-only user or read/write user) in the user account settings.

i_square_cyanFor more information, see section User Accounts.

User Access Rights in User Accounts Settings

User Access Rights in User Accounts Settings

Individual user access rights, combined with the access rights of the groups that the user is a member of, determine the access rights for device tree objects, libraries, maps, and reports. In general, group access rights override user access rights unless a user is a read-only user. Read-only users always have only read access.

You can define the group access rights for each object in the device tree via the corresponding context menus or in the object settings.

Group Access Rights Overview

The following classes of group access rights are available, in hierarchical order (from the lowest group access right to the highest group access right).

i_round_blueThe access rights apply to device tree objects and to libraries, maps, and reports.

Group Access Rights

Description

No access

The members of the user group cannot see or access the object. They also cannot see or access logs, tickets, or alarms for the object.

Read access

The members of the user group can only view the object and its settings.

i_round_blueRead-only users who have been explicitly allowed to acknowledge alarms and read/write users in a user group that has read access can still acknowledge alarms. For more information, see section User Accounts.

Write access

The members of the user group can view the object and edit its settings. They can also add and delete objects, acknowledge alarms, edit notification templates, notification contacts, and schedules.

Full access

The members of the user group can view the object and edit its settings. They can also add and delete objects, acknowledge alarms, edit notification templates, notification contacts, and schedules. In addition, they can edit group access rights for objects.

If a user group has administrative rights, all user group members always have full access to every object in the device tree, library, map, and report, and all other functionalities and features of PRTG.

i_round_blueGroup access rights that you define directly on an object, for example a device, override inherited rights. If you do not define group access rights directly on an object, PRTG checks the next object that is higher up in the object hierarchy for group access rights until there is no higher-level object available.

Different Access Rights Depending on User Groups

Different Access Rights Depending on User Groups

i_round_redUsers are either members of PRTG user groups or of Active Directory groups. They cannot be members of both types of user group. We recommend that you use only one type of user group to minimize administration.

Group Access Rights in Combination with User Access Rights

The following table shows the correlation between group access rights and user access rights. The table applies to both PRTG user groups and Active Directory groups, as well as to both PRTG users and Active Directory users. The column headings show the group access rights to an object. The row headings show the type of user.

Group Access Rights and User Access Rights Combined

 

User group has read access to an object

User group has write access to an object

User group has full access to an object

Administrator group

Read-only user

Read access

Read access

Read access

n/a

Read/write user

Read access

Write access

Full access

Full access

Administrator

Full access

Full access

Full access

Full access

The following rules apply:

  • Read-only users
    • always have only read access, no matter what access rights you define for the user groups they are members of
    • can never see or use the ticket system
    • can acknowledge alarms and change their own password in their user account settings, if an administrator allows them to
    • can never be members of user groups with administrative rights
  • Read/write users
    • can use the ticket system if the user group they are members of has access to the ticket system
    • can acknowledge alarms
    • can change their own password
    • can have full access to device tree objects, libraries, maps, and reports, if the user group they are members of has full access to the respective object
    • always have administrative rights if they are members of a group with administrative rights
  • Administrators
    • are members of groups with administrative rights
    • have no access restrictions at all
    • can also manage user accounts, user groups, and cluster setups
    • can change the monitoring configuration of PRTG

i_round_blueIf a user is a member of more than one user group, the group access rights of the user group with the highest access rights apply.