How to hinder a MSP user from misprovisioning MCs?

S Steffen Pohl 3 years 7 months ago

One of our biggest customers is using MSP 3.1.1 in a multi-national environment, where they have one MSP server installed in Germany and 10 different country organizations access this MSP via the web console. Each country has different requirements, settings, packages and bundles. MSP does not allow restricting the permissions for a user based on countries, sites or relay servers. Each user, even with the role Provisioning Only, may create a Provisioning Policy where the "Rule Type" is set to "Affect all devices" - without any limitations. And by doing just one wrong click, such a Provisioner can damage thousands of devices.

What do we tell our customers and partners how to handle this or what is our recommended way/configuration to avoid such a potential disaster?

The customer has proposed to disable the "Affect all devices" feature in order to force the user to define an explicit rule. Telling them: "It works as designed!" is not an option.


1 Reply

A Allan Herrod

A User with a Role of Provisioning Only CANNOT create ANY Policies; he can only USE Policies that have to be created by a User with a Role of Operations or Administrator. So, a User with a Role of Provisioning Only cannot choose to use a Rule that "Affects all Devices" to gain access to devices he should not. This was intentional, to prevent just such a situation as you describe. However, if a Policy with a Rule that "Affects all Devices" is created by a User with a Role of Operations or Administrator and is made visible to a User with a Role of Provisioning Only, then that User WILL be able to affect all devices. In the type of situation you describe, this would represent a failure on the part of the person defining the Policies and managing the User Roles and Scopes. To use the Provisioning Only User Role to best effect in the type of scenario you suggest, you would need to carefully craft Policies whose Rules limit their effect to chosen groups of devices. You would need to name those Policies suitably so the User Access Prefixes for chosen Users with the Provisioning Only User Role had access ONLY to Policies that were suitable for those Users. If that is set up correctly, then when a given User with the Provisioning Only User Role logs in, they will only be able to directly see devices that are associated with Sites or Relay Servers whose names match their assigned User Access Prefixes. And they will only be able to see Policies whose names match their assigned User Access Prefix for Policies. Then, via those Policies, they will be able to view and affect only devices that are consistent with the Rules for those Policies. It all comes down to careful planning and control by the Users with the Operations or Administrator Roles who define the Policies, and the way in which the User Objects are defined and maintained by Users with the Administrator Role.
You are correct that MSP 3.2 is NOT designed to handle a situation where a User needs to be given the ability to define Policies (which requires the Operations Role or better) without also being given the ability to potentially affect devices outside their defined scope.  This is something that we hope to improve in future versions when we address the needs of Service Providers who want to offer MSP as a service to multiple independent customers.  Sorry to say, it IS working as designed and if that does not suit a particular customer then there is likely little that can be done except to note the desired improvement as a GRIP for a new enhancement that may be included in a future version.
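The reply above describes a scoping scheme that relies entirely on naming discipline: a Provisioning Only user sees only Sites, Relay Servers and Policies whose names match the User Access Prefixes assigned to that user, so an "Affects all Devices" Policy whose name happens to match a prefix silently escapes the scope. The following is an added example, not MSP code or anything from the original thread; it models that scheme with a hypothetical data model (the `Policy`, `User`, `visible_policies`, `policy_in_scope` and `audit` names and the `"all_devices"` / `"site"` / `"relay"` rule types are assumptions) and runs an audit that flags every Policy a Provisioning Only user could see but whose Rule reaches outside that user's Site/Relay Server prefixes. The sample users and policies are constructed for the example.

```python
"""Audit of an MSP-style prefix scoping scheme (hypothetical model, not MSP's API).

A Provisioning Only user can see Policies whose names start with one of the
user's policy prefixes, and devices on Sites / Relay Servers whose names start
with one of the user's site / relay prefixes.  A Policy's Rule either targets a
named Site or Relay Server, or "affects all devices".  audit() reports every
Policy that is visible to a Provisioning Only user but whose Rule reaches
devices outside that user's Site / Relay Server scope."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    rule_type: str        # assumed values: "all_devices", "site" or "relay"
    target: str = ""      # Site / Relay Server name when rule_type is not "all_devices"


@dataclass(frozen=True)
class User:
    name: str
    role: str             # "Administrator", "Operations" or "Provisioning Only"
    site_prefixes: tuple = ()
    relay_prefixes: tuple = ()
    policy_prefixes: tuple = ()


def matches(name: str, prefixes: tuple) -> bool:
    """True when the name starts with any of the user's access prefixes."""
    return any(name.startswith(p) for p in prefixes)


def visible_policies(user: User, policies: list) -> list:
    """Policies the user can see: everything for Operations/Administrator,
    prefix-matched names only for Provisioning Only."""
    if user.role != "Provisioning Only":
        return list(policies)
    return [p for p in policies if matches(p.name, user.policy_prefixes)]


def policy_in_scope(user: User, policy: Policy) -> bool:
    """True only if every device the Policy's Rule can reach is on a Site or
    Relay Server the user is scoped to.  'all_devices' is never in scope."""
    if policy.rule_type == "all_devices":
        return False
    if policy.rule_type == "site":
        return matches(policy.target, user.site_prefixes)
    if policy.rule_type == "relay":
        return matches(policy.target, user.relay_prefixes)
    raise ValueError(f"unknown rule type: {policy.rule_type}")


def audit(users: list, policies: list) -> list:
    """Return (user, policy, reason) for each Policy a Provisioning Only user
    can see but that reaches devices outside the user's scope."""
    findings = []
    for user in users:
        if user.role != "Provisioning Only":
            continue
        for policy in visible_policies(user, policies):
            if not policy_in_scope(user, policy):
                reason = ("rule affects all devices" if policy.rule_type == "all_devices"
                          else f"targets {policy.target!r} outside user prefixes")
                findings.append((user.name, policy.name, reason))
    return findings


# Constructed sample data: two country provisioners plus a HQ administrator.
USERS = [
    User("de-provisioner", "Provisioning Only",
         site_prefixes=("DE-",), relay_prefixes=("DE-",), policy_prefixes=("DE-",)),
    User("fr-provisioner", "Provisioning Only",
         site_prefixes=("FR-",), relay_prefixes=("FR-",), policy_prefixes=("FR-",)),
    User("hq-admin", "Administrator"),
]

POLICIES = [
    Policy("DE-Staging", "site", "DE-Berlin"),        # correctly scoped
    Policy("FR-Rollout", "relay", "FR-Paris-Relay"),  # correctly scoped
    Policy("DE-Global-Reset", "all_devices"),         # DE-prefixed name, but affects every device
    Policy("FR-Pilot", "site", "DE-Munich"),          # FR-visible name, but targets a DE site
]

if __name__ == "__main__":
    for user_name, policy_name, reason in audit(USERS, POLICIES):
        print(f"{user_name}: policy {policy_name!r} out of scope ({reason})")
```

Run against the constructed data the audit reports two findings: `DE-Global-Reset` is visible to the DE provisioner although it affects all devices, and `FR-Pilot` is visible to the FR provisioner although its Rule targets a German site. Both are exactly the Operations/Administrator naming mistakes the reply warns about, and a check like this, run whenever Policies or User Access Prefixes change, catches them before a Provisioning Only user can act on them.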
