How to manage user access rights
for MSPs in 4 easy steps
In a complex network monitoring setup, you usually do not want every user to be able to access every object in your setup. This might become even more important if you are a Managed Service Provider (MSP) who manages several customers in one PRTG installation.
Naturally, a customer should have access to their own devices, maps, or reports, for example, but they should not be able to see or access the devices, maps, or reports of a different customer. This is where the access rights management of PRTG Network Monitor comes into play. In this how-to guide, we want to show you, as an MSP, how to define access rights for multiple customers.
Rules for access rights in PRTG
Individual users are organized in user groups:
Access rights to individual objects in the device tree, for example, devices or sensors, as well as libraries, maps, and reports, are determined at group level.
The actual group access rights for individual objects are defined in the settings of an object. They can be defined locally or they can be inherited from objects that are higher up in the device tree.
- No access: The users of this group do not see the respective object.
- Read access: The users of this group can only view monitoring results.
- Write access: The users of this group can view monitoring results, edit object settings, and add and delete objects.
- Full access: The users of this group can view monitoring results, edit object settings, add and delete objects, and edit access rights for objects.
Users can have specific user access rights as well. There are read-only users and read/write users. Read-only user access rights always override group access rights. This means that even if a read-only user belongs to a user group with write access to an object, they still have only read access.
Users who are a member of an administrator group always have administrator rights. This means that they have full access everywhere. They can also create and manage user accounts and user groups. Read-only users cannot be a member of an administrator group.
Did you know?
Every user needs to be a member of a so-called primary group so that there is no user without group membership. They can optionally be a member of other user groups as well—there is no difference in user experience between a primary group and other user groups. Only administrators can assign a primary group to a user.
First of all, think about how you want to manage your customers in your PRTG installation.
- Do you want to create a user group for each customer on your local probe and thus manage them on your own probe system?
- Or do you want to use one remote probe per customer and manage each customer on their own remote probe system?
Use cases can differ, so for now, let us assume that you work with remote probes.
Take the following steps to prepare your access rights management:
Install one remote probe per customer. For more information, see How to install a PRTG remote probe in 4 steps.
Set up the device tree as required by the customer. For more information, see also How to manually set up your device tree in 3 steps.
Plan the access rights management together with your customer. Ask yourself:
- What user groups with what group access rights do they need?
- What user accounts with what user access rights do they need?
- What user groups get access to what objects?
Now it is time to add the user groups your customer needs. You can create PRTG user groups or integrate Active Directory groups into PRTG.
Keep in mind that users cannot be a member of both types of user group at the same time. Use only one type of user group to minimize your administration effort. Here, we will create a PRTG user group. For adding Active Directory groups, see section Active Directory Integration in the PRTG Manual.
- Go to Setup | System Administration | User Groups. Hover over and select Add User Group.
- Enter a meaningful name for the group.
- Under Administrative Rights, define if members of this user group have full access to all monitoring objects, reports, maps, user accounts, user groups, and much more.
- Under Allowed Sensors, select whether members of this user group can create all sensor types.
- Under Ticket System Access, select whether members of this user group can use the ticket system.
- Leave all other settings as they are and click Create.
You can now see a new group in the device tree with the name [group_name] home. By default, members of this user group have no access to any objects in the device tree, libraries, maps, or reports, unless they have administrative rights.
After creating user groups, add the user accounts your customer needs, and assign the users to according user groups. Here, we will use local user accounts.
For adding Active Directory users, see section Active Directory Integration in the PRTG Manual.
Under Password Changes, define if the user may change their account password. This option is only visible if you previously selected Read-only user.
Under Primary Group, select the primary group for this user from the list of user groups.
In section Ticket System, under Email Notifications, select if the user can receive emails from the ticket system.
Leave all other settings as they are and
Add multiple users
Of course, you can batch-add several users as well. Select Add Multiple Users and choose an existing user group from the list of user groups, then enter the email addresses for which you want to create user accounts.
Keep in mind that you cannot define individual user access rights (read/write user or read/only user) when adding multiple users at once. This can only be done in the specific user accounts.
Now you can define the actual access rights for objects in your device tree (this can be sensors, devices, groups, or probes), libraries, maps, and reports.
- Use the context menu of an object and select Edit | Access Rights. Or define access rights in an object’s settings.
- To define individual access rights per user group, disable the button next to inherit from under Access Rights.
- For each user group, select a group access right from the dropdown menu.
- Click OK to save your settings.
And that’s it! Now you can proceed with fine-tuning your access rights management for all other users, user groups, and objects.