SystemLink Forum

Admin User vs Mapped Windows Administrator Privileges

I have a mapped Windows user under the admin role of the SystemLink Server configuration.

I understand that there are a few levels of access.

1. Everyone - this is the view that you see prior to logging in.  For me, there's only a couple of applications available.

2. Users - this is what I see when I log in as a Windows user that's mapped in an Active Directory domain.  I can confirm that these users can see more than what they can prior to logging in, but not everything, since some functionality is reserved for the admins.

3. Admin - According to the SystemLink "NI Web Server Configuration", "Users mapped to this role are always granted every privilege across all applications."  This is the statement I am questioning though.

 

I'm seeing a weird behavior for my two admins.  My "admin" user (the default one for SystemLink that you can't delete) can see 2 dashboards in my Dashboards app, rename them, and edit them.  My mapped Windows user can see only 1 dashboard and cannot rename or edit them.  It seems that these two admins are not equal, and I want to know: is this expected, or why don't I see the same options for the default admin as I do with configured admins?

I anticipate that I may get asked, "Are you sure you set up the user as an admin?"  I do know this because that particular user can see applications that are restricted to just admins.

Any help is appreciated!

Steven Dusing
CLA, CTA
0 Kudos
Message 1 of 12
(3,297 Views)

Hi,

 

Dashboards are created on a per-user basis. They can be shared and will then show up for other users. They can, however, only be edited by the user that created them.

Strange thing, however: other admins do seem to be able to delete and stop sharing the specific dashboard; only edit is prohibited.

Regards,
André (CLA, CLED)
0 Kudos
Message 2 of 12
(3,288 Views)

Thanks for the quick reply. I'm not sure I completely see what you're saying though.  My default admin for the SystemLink Server CAN in fact edit, rename, and do anything with a dashboard any user has created.  My additional admin that is mapped to a Windows user in the server configuration cannot do this.

There seem to be 4 levels of access, with increasing permissions:
1. Everyone

2. Users

3. Configured Admins

4. Default Admin

 

Though the configuration for admins does not seem to specify that there would be any difference, which is why I'm wondering if there's a problem with admin configuration.

Steven Dusing
CLA, CTA
0 Kudos
Message 3 of 12
(3,282 Views)

I have it a bit different, my LDAP admin has a dashboard it can edit, but the default admin can't.

 

I'm not able to share a dashboard as a standard user. (Dashboard created by the standard user) It also doesn't show up with either admin user.

 

Seems I'm not answering your questions one bit, but adding to the confusion.

Regards,
André (CLA, CLED)
0 Kudos
Message 4 of 12
(3,274 Views)

Thanks for the input, and I agree it's a little different in our cases.  It's at least interesting to note that we are both seeing that the default admin and the configured windows admin (or in your case LDAP admin) seem to have different permissions, where I would have expected them to be the same.

Steven Dusing
CLA, CTA
0 Kudos
Message 5 of 12
(3,266 Views)

I agree, that's why I would love to see the privilege system change to adopt the one currently implemented in SL cloud.

I think we need a system that can be configured and managed by admins through the SL portal.

The current system through the Web Server configuration is difficult to get right.

 

I have asked about it on multiple occasions, but for now it seems to be too far up the roadmap (too many other interesting features they're still working on).

Regards,
André (CLA, CLED)
0 Kudos
Message 6 of 12
(3,261 Views)

What versions of SystemLink are you guys using?

 

When I configure my 19.0 SystemLink Server to allow login from Windows accounts, and add my Windows user to the list of admins, I am not able to see any other users' dashboards unless they are shared. Also, both the added Windows admin account and the default admin account have the ability to share dashboards. I'm unable to reproduce either behavior that you guys are seeing.

 

@Sdusing,

You mentioned that you are signing in using a Windows account. Is the user that you are using to log in a local user for the server machine? Or an Active Directory user?

-----------------------------------------------
Brandon Grey
Certified LabVIEW Architect

0 Kudos
Message 7 of 12
(3,167 Views)

I'm using SystemLink 19.0.  We have checked the "Log in using Windows accounts" option on the Authentication tab of the NI Web Server Configuration UI.  We then selected the "Restrict to users in a single Active Directory domain" and entered our company Domain.

Your statement that "I am not able to see any other users' dashboards unless they are shared" is consistent with what I see as well.  My Windows user (which is configured for admin rights) sees only 1 dashboard (of the 2 that exist).  If I log in using the default "Admin user," then I see both dashboards.  I think this is expected though, since I created both dashboards with the "Admin user" and only shared the 1 that my Windows user can see.  So, in summary, my understanding is that Admin users cannot see ALL dashboards, but only those that are shared or that were made by the admin themselves?  (Note - I have "Manage dashboards and templates created by other users" set to admin level in the NI Web Server Configuration UI)

My windows user account does log me into the server machine.  Does this make a difference?

Steven Dusing
CLA, CTA
0 Kudos
Message 8 of 12
(3,159 Views)
Solution
Accepted by topic author sdusing

@sdusing wrote:

My windows user account does log me into the server machine.  Does this make a difference?


No, this shouldn't make a difference. I think I understand the way that your install is behaving but I want to very clearly and explicitly explain the behavior that I am seeing. The behavior that I'm seeing is the behavior that I would expect.

 

I have 3 accounts set up. I have the default admin that you set up during the Web Server configuration. I have a Windows user that I have given Admin privileges to. The third account that I have set up is a Windows user which does not have Admin privileges. Lastly, we can see the behavior when an account is not used to log in. For this you need to make sure that the App is set to the correct permissions. I have included a screenshot showing my Web Server settings for Dashboard builder.

[Screenshot: Web Server settings for Dashboard builder]

 

 

When anyone creates a dashboard and does not share the dashboard, no user (except for the user that created the dashboard) can see it. When any user shares their dashboard, all users, including when you are not logged in, can see the dashboard. No user in my setup can see dashboards of any other user unless they have shared the dashboard.

 

Also, to add some clarity, the "Manage dashboards and templates created by other users" privilege should not allow you to see other users' dashboards but instead was added so that admins can clean up shared dashboards if, for instance, a user leaves a company and they don't have a way to unshare their dashboards. And even then, this can only be done via the HTTP API, and cannot be done via the GUI. I would not expect any users to be able to see any other user's dashboards that are not shared.

 

Is this the behavior that you see?

 

I can try to look into whether using Active Directory or LDAP changes this behavior, but I don't expect it to considering local accounts don't see different behavior. 

-----------------------------------------------
Brandon Grey
Certified LabVIEW Architect

Message 9 of 12
(3,149 Views)
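
Added example (not part of the original posts and not NI code): a small Python model of the visibility rules described in the accepted answer above, showing why an account in the admin role still sees only shared dashboards and its own. The account names, dashboard titles and the "gui"/"http_api" channel labels are constructed for illustration; it assumes the Dashboards app is open to users who are not logged in, and that a creator can always unshare their own dashboard.

```python
from dataclasses import dataclass
from typing import Optional

MANAGE_OTHERS = "Manage dashboards and templates created by other users"

@dataclass(frozen=True)
class Account:
    name: str
    privileges: frozenset = frozenset()

@dataclass(frozen=True)
class Dashboard:
    title: str
    owner: str
    shared: bool

def can_view(account: Optional[Account], dash: Dashboard) -> bool:
    # Shared: visible to every account and to visitors who are not logged in.
    # Unshared: visible to its creator only; no privilege overrides this.
    if dash.shared:
        return True
    return account is not None and account.name == dash.owner

def can_unshare(account: Optional[Account], dash: Dashboard, channel: str) -> bool:
    # channel is "gui" or "http_api" (labels invented for this model).
    if account is None or not dash.shared:
        return False
    if account.name == dash.owner:
        return True  # assumption: creators manage their own sharing anywhere
    # Cleanup of someone else's shared dashboard: privilege + HTTP API only.
    return MANAGE_OTHERS in account.privileges and channel == "http_api"

def visible_titles(account: Optional[Account], dashboards) -> list:
    return sorted(d.title for d in dashboards if can_view(account, d))

# Constructed accounts and dashboards mirroring the setup in the thread.
DEFAULT_ADMIN = Account("admin", frozenset({MANAGE_OTHERS}))
WINDOWS_ADMIN = Account("EXAMPLE\\winadmin", frozenset({MANAGE_OTHERS}))
WINDOWS_USER = Account("EXAMPLE\\winuser")
DASHBOARDS = [Dashboard("Shared line status", "admin", True),
              Dashboard("Unshared draft", "admin", False)]

if __name__ == "__main__":
    for who in (DEFAULT_ADMIN, WINDOWS_ADMIN, WINDOWS_USER, None):
        label = who.name if who else "(not logged in)"
        print(f"{label:20} sees {visible_titles(who, DASHBOARDS)}")
```

In this model the two admin accounts hold identical privileges; the difference in what they see comes entirely from who created each dashboard and whether it was shared.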

Thanks Brandon.  I think that very nicely answered my question.  I did not understand that unshared Dashboards could ONLY be viewed by the maker (due in part to my misunderstanding of the "Manage dashboards and templates created by other users" setting).  It makes sense now with your explanation.  

Steven Dusing
CLA, CTA
0 Kudos
Message 10 of 12
(3,141 Views)