PRTG Manual: Access Rights Management
With the access rights management, you can define which user in which user group can access which objects in your PRTG installation, and you can manage all user access rights and group access rights.
You can create a nearly unlimited number of other users, which you can organize in a nearly unlimited number of user groups. Each user group can have separate access rights for each object in the device tree except channels, as well as for libraries, maps, and reports. Objects can also inherit access rights according to the object hierarchy.
Each user also has specific access rights. There are administrators who are user group members with administrative rights, read/write users, and read-only users. You can define the user type (read-only user or read/write user) in the user account settings.
For more information, see section User Accounts.
Individual user access rights, combined with the access rights of the groups that the user is a member of, determine the access rights for device tree objects, libraries, maps, and reports. In general, group access rights override user access rights unless a user is a read-only user. Read-only users always have only read access.
You can define the group access rights for each object in the device tree via the corresponding context menus or in the object settings.
The following classes of group access rights are available, in hierarchical order (from the lowest group access right to the highest group access right).
The access rights apply to device tree objects and to libraries, maps, and reports.
Group Access Rights |
Description |
---|---|
No access |
The members of the user group cannot see or access the object. They also cannot see or access logs, tickets, or alarms for the object. |
Read access |
The members of the user group can only view the object and its settings. Read-only users who have been explicitly allowed to acknowledge alarms and read/write users in a user group that has read access can still acknowledge alarms. For more information, see section User Accounts. |
Write access |
The members of the user group can view the object and edit its settings. They can also add and delete objects, acknowledge alarms, edit notification templates, notification contacts, and schedules. |
Full access |
The members of the user group can view the object and edit its settings. They can also add and delete objects, acknowledge alarms, edit notification templates, notification contacts, and schedules. In addition, they can edit group access rights for objects. |
If a user group has administrative rights, all user group members always have full access to every object in the device tree, library, map, and report, and all other functionalities and features of PRTG.
Group access rights that you define directly on an object, for example a device, override inherited rights. If you do not define group access rights directly on an object, PRTG checks the next object that is higher up in the object hierarchy for group access rights until there is no higher-level object available.
Users are either members of PRTG user groups or of Active Directory groups. They cannot be members of both types of user group. We recommend that you use only one type of user group to minimize administration.
Group Access Rights in Combination with User Access Rights
The following table shows the correlation between group access rights and user access rights. The table applies to both PRTG user groups and Active Directory groups, as well as to both PRTG users and Active Directory users. The column headings show the group access rights to an object. The row headings show the type of user.
Group Access Rights and User Access Rights Combined |
||||
---|---|---|---|---|
|
User group has read access to an object |
User group has write access to an object |
User group has full access to an object |
Administrator group |
Read-only user |
Read access |
Read access |
Read access |
n/a |
Read/write user |
Read access |
Write access |
Full access |
Full access |
Administrator |
Full access |
Full access |
Full access |
Full access |
The following rules apply:
- Read-only users
- always have only read access, no matter what access rights you define for the user groups they are members of
- can never see or use the ticket system
- can acknowledge alarms and change their own password in their user account settings, if an administrator allows them to
- can never be members of user groups with administrative rights
- Read/write users
- can use the ticket system if the user group they are members of has access to the ticket system
- can acknowledge alarms
- can change their own password
- can have full access to device tree objects, libraries, maps, and reports, if the user group they are members of has full access to the respective object
- always have administrative rights if they are members of a group with administrative rights
- Administrators
- are members of groups with administrative rights
- have no access restrictions at all
- can also manage user accounts, user groups, and cluster setups
- can change the monitoring configuration of PRTG
If a user is a member of more than one user group, the group access rights of the user group with the highest access rights apply.