The Identity Management section allows Observability administrators to set up access controls by assigning users to predefined roles. Administrators can also invite their Identity Provider (IdP) experts to become Dell Identity Admins and federate with their IdP to enable single sign-on (SSO). When single sign-on is enabled, users can also use SSO groups that map Observability roles to the customer's Active Directory groups. This gives customers control over all Observability roles, including the Standard and Admin roles.
The administrator of an organization uses MyService360 to define the organization profile. See KB#000183704 for details about using MyService360 for company administration. See KB#000191817 for details about determining Admins for a company in the Dell Support portal.
Note: When SSO groups are not enabled, MyService360 users with a company admin role are automatically mapped to the Observability Admin role. Other users are mapped to the Observability Standard role.
Administrators will see four tabs in the Identity Management page:
The USERS tab provides several views of users. The Users | Manage view lists users who have logged into Observability at least once and can be managed by the current admin user. This view shows the username, email address, IdP, Groups, assigned roles, authentication type, and last login. Selecting the Details icon for an individual user provides details about the user profile and assigned roles and permissions.
When SSO groups are not enabled, Administrators can select the Edit button to assign roles to a user. In this case, the Admin and Standard user roles are not managed through the Observability UI but are determined by their status in MyService360.
The Admins view provides a list of users with the Admin role. This allows users to see who they may need to contact in order to request different levels of access to Observability.
The Advisors view shows a list of all Advisors who have been given access to Observability. Both Admins and Standard Users can view, add, and remove advisor access to Infrastructure Observability. Dell Advisors are members of the account team or other Dell employees or partners whom customers want to proactively and routinely view their systems in Observability. The purpose of this role is to assist and make recommendations to customers to help them optimize their storage usage. Dell employees and Partners must explicitly be provided access to Observability from the customer. See the following KB article for details:
https://www.dell.com/support/kbdoc/000020659
To add an advisor, users click the Add Advisor button. In the Add Trusted Advisor window, enter the advisor email address, select the site or sites the advisor should have access to, and click Add.
To remove an existing advisor's access, the user clicks the Edit link under the Actions column for the advisor they want to remove and clicks Remove Advisor.
The All Users view lists all users with access to Observability, including those users who are not managed by the existing user logged in to the UI.
The GROUPS tab is visible to Admin users and allows the admin to assign Observability roles to SSO groups after SSO has been enabled. The listed SSO groups are imported from the Dell Identity Portal and were shared by the company’s identity expert when performing the federated IdP configuration.
Clicking the Manage Assignments link for each group allows the Observability Admin to assign one or more roles to the group.
Note that the Enable SSO Groups button is not active until the Admin role is assigned to at least one group. Group role assignments are aggregated, so if a user is a member of more than one group, that user receives the roles from all groups.
The ROLES tab lists the available roles with their description and the number of assigned users. There are nine roles in Observability: Admin, Advisor, Cybersecurity Admin, Cybersecurity DevOps, Cybersecurity Operator, Cybersecurity Viewer, DevOps, Server Admin, and Standard.
If SSO Groups are not enabled, users with a Company Administrator role in an organization are automatically assigned the Admin role. Users who are not Company Administrators are automatically assigned the Standard role. These roles are automatically assigned based on the user’s role in their organization. This behavior changes when single sign-on is configured and SSO Groups are enabled. When SSO Groups are enabled, the user has full control over these roles and can assign them to a group just like all other roles. Note that a user must have either the Admin or the Standard role to access Observability.
The Advisor role is another role that is not managed within Observability. It is assigned to any user who has been invited to be an advisor for the company and has accepted the invitation.
The Cybersecurity Admin role gives users access to cybersecurity related features in Observability. These include viewing and editing policies, viewing and editing security incident email preferences, viewing and editing ransomware incidents, viewing Security Advisories, and viewing security status data.
The Cybersecurity DevOps role gives users access to the Integrations menu to view and configure cybersecurity-related Webhooks, including the Cybersecurity Ransomware Incident, Cybersecurity Misconfigurations, and Cybersecurity Configuration Webhooks.
The Cybersecurity Operator role is designed to give a user access to edit and view cybersecurity ransomware incidents. The permissions include viewing and editing security incident email preferences, viewing and editing ransomware incidents, viewing policies, viewing Security Advisories, and viewing security status data.
The Cybersecurity Viewer role is a view-only role for cybersecurity features with the additional permission of editing their security incident email preferences. Permissions include viewing policies, viewing Security Advisories, viewing ransomware incidents, and viewing security status data.
The DevOps role allows users access to the Integrations menu to view and configure Webhooks and REST API credentials. A user with the DevOps role can view and configure Health Issue Change webhooks.
The Server role is required for users who want to initiate remote management functions on PowerEdge servers. Note that additional remote management permissions need to be enabled in the CloudIQ plugin in OpenManage Enterprise.
Note that Admins must assign themselves any of the additional roles to gain those privileges.
The Manage Assignments link is used to assign roles to either users (when SSO Groups are not enabled) or to groups (when SSO Groups are enabled).
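The role rules above (aggregation across SSO groups, the Admin-or-Standard access requirement, and the Admin-group precondition for enabling SSO Groups) can be checked offline before the switch is made. The following is an added example, not Dell code or a Dell API: the group names, user names, and dictionary layout are constructed, and the "aggregated" finding is an access-review heuristic of this example rather than a product feature.

```python
# Added example: constructed data; not an Observability export format.
ROLES = {"Admin", "Advisor", "Cybersecurity Admin", "Cybersecurity DevOps",
         "Cybersecurity Operator", "Cybersecurity Viewer", "DevOps",
         "Server Admin", "Standard"}
ACCESS_ROLES = {"Admin", "Standard"}  # one of these is required to access Observability

# Planned SSO group -> role assignments (hypothetical group names).
GROUP_ROLES = {
    "obs-admins": {"Admin"},
    "storage-ops": {"Standard", "DevOps"},
    "soc-analysts": {"Cybersecurity Operator"},
    "soc-leads": {"Standard", "Cybersecurity Admin"},
}
# User -> IdP group memberships (hypothetical users).
MEMBERSHIPS = {
    "alice": ["obs-admins"],
    "bob": ["storage-ops", "soc-leads"],
    "carol": ["soc-analysts"],
    "dave": ["storage-ops"],
}

def effective_roles(user_groups, group_roles):
    """Union of the roles of every group the user belongs to."""
    roles = set()
    for group in user_groups:
        roles |= group_roles.get(group, set())
    return roles

def review(group_roles, memberships):
    """Pre-enablement review of a planned group-to-role mapping."""
    unknown = set().union(*group_roles.values()) - ROLES
    if unknown:
        raise ValueError(f"not an Observability role: {sorted(unknown)}")
    report = {"can_enable_sso_groups":
                  any("Admin" in r for r in group_roles.values()),
              "admins": [], "no_access": [], "aggregated": []}
    for user, groups in sorted(memberships.items()):
        eff = effective_roles(groups, group_roles)
        if "Admin" in eff:
            report["admins"].append(user)
        if not eff & ACCESS_ROLES:  # has roles but cannot reach the UI
            report["no_access"].append(user)
        # Role set exceeds every single group's: exists only via aggregation.
        if all(group_roles.get(g, set()) < eff for g in groups):
            report["aggregated"].append(user)
    return report

if __name__ == "__main__":
    print(review(GROUP_ROLES, MEMBERSHIPS))
```

An empty `admins` list with `can_enable_sso_groups` true means the Admin role is mapped to a group that none of the reviewed users belong to, which is worth resolving before enabling SSO Groups.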
The Single Sign-On tab allows Observability Admins to send an invitation to their Identity Provider Administrators to become Dell Identity Admins. The Dell Identity Admin can then configure single sign-on on the Dell Identity Portal and federate with their IdP. This allows organizations to manage users’ Observability authorization using their IdP. After the Identity Admin federates their IdP, the IdP is listed under the IdPs tab. Clicking the IdP hyperlink opens the Dell Identity Portal. Users can also see a list of Dell Identity Admins who can manage the IdP group. For additional information, see KB#000212047.
The Identity Management page for Standard users displays a subset of the Users tab. Standard users can see Team Members, Admins, and Advisors. The Admins button allows users to identify their Admins from the Observability UI to contact them if they need additional roles and permissions. The Advisors tab allows users to add and remove advisors.