This article was updated to support v12.1.0 of Goliath Performance Monitor.

By default, the Goliath Performance Monitor web console is accessible to all who can reach the url. However, security can be enabled to provide only specific users access to the web console. In addition, users can be given specific permissions on what screens they can access and what machine/device data they can see. Security can be configuring via Active Directory integration or by creating accounts that are local to the product. For Active Directory authentication, the SamAccountName is property that is used for authentication.

Article Contents:

1. Security Roles
2. Enable Security
3. Appendix
   1. Multiple Domain Configuration
   2. Active Directory User/Security Group Lookup
   3. Settings Page Permissions Table

Security Roles

At a high level, there are 5 main security roles for product access. For each role, there are access tiers to chose from.

1. Allow Administration: Enabling administration allows end users access to the administrative pages of the technology. This includes the pages in the Configure section of the product and Settings*.
   1. Full Rights: grants the user full rights to all of the administrative pages.
   2. Limited Rights: grants the user full rights to the Inventory, Monitoring Rules and Groups pages. Settings* page access limited. 
   3. View Only: the user is unable to make any modifications but can view the administrative pages.
2. Allow Analysis: Enabling analysis allows end users to access the pages of the technology which feature the data collected. This includes the pages in the Dashboards, Views, Log Management, Application Availability and Reports sections of the product.
   1. Full Rights: grants the user full rights to all of the analysis pages.
   2. View Only: the user is unable to make any modifications but can view the analysis pages.
3. Allow Server/Device Maintenance: Enabling server/device maintenance allows end users access to the Settings - Maintenance Mode Configuration page
   
   1. Full Rights: grants the user full rights to view, create and edit maintenance schedules.
   2. View Only: restricts the user from making modifications to maintenance schedules or creating new ones.
4. Allow Agent Install/Download: Enabling agent installation grants the user full rights to install and update agents via the Configure - Inventory page.
5. Allow On-Demand Remediation: Enabling on-demand remediation allows grants the user full rights to interact with Citrix sessions via the Views - Virtual Apps & Desktops page. For example, Stop a Process/Application, Log off a user session, Disconnect a user session.

In addition to the above security roles, one can also restrict users to only viewing data for particular machines. This can be done by enabling "Restrict Access to Only These Groups" or "Restrict Access to Only These Servers/Devices". Please note, you can only use one of these two options at a time and not both. The options for "Restrict Access to Only These Performance Graph Folders" and "Restrict Access to Only These Topology Sites" can also be configured. 

One can also restrict what monitoring rules/alerts users have access to view/modify via the "Restrict Access to Only These Watches" option. 

*See the appendix for additional security role information on the Settings page.

Enable Security

Please follow the below steps for enabling security:

1. Connect to the Goliath web console
2. Navigate to the Settings page in the top right hand corner
3. Click the link for Security and User Accounts
4. Half way down the page click the New button to add a new user or group.
   1. Active Directory User:
      1. To have user(s) login with domain credentials, enter in the AD "user logon name" of the end user and then check the box for Use Active Directory* next to the username/group field. This user can be in any domain in your AD Forest as Goliath is authenticating via the Global Catalog.
         1. Parent & Child domains are supported by default, to be able authenticate against trusted domains see the Appendix below for Multiple Domain Configuration.
      2. Then configure the appropriate security roles as outlined above and click the Save button.
   2. Active Directory Security Group:
      1. To grant an AD security group permission to the technology, enter in the group name, case sensitive, followed by "()", and then check the box for Use Active Directory* next to the username/group field.
         1. For example, if you want to add the group "Domain Admins" to the product, you would enter "Domain Admins()", minus the quotes.
         2. Please note, nested security groups are not currently supported. Only users defined explicitly in the security group can authenticate.
         3. By default, Goliath can only authenticate to AD groups in the parent domain. To be able authenticate against child and or trusted domain(s) see the Appendix below for Multiple Domain Configuration.
      2. Then configure the appropriate security roles as outlined above and click the Save button.
   3. Local GPM User:
      1. To have user(s) login with non-domain credentials, define a username and password, chose the appropriate security roles as outlined above and click the Save button.
         1. Please note, the username is case sensitive.
   4. Repeat this step until all users/security groups are added into the technology.
5. Once users or groups are added into the technology, at the bottom of the page in the Global Security Settings section, see the field for *Active Directory/LDAP Path for Verify. By default, the primary domains rootDSE path is listed (GC://rootDSE). We've seen in some circumstances where the GC fails to make a connection. We recommend adding additional ldap connections for each AD Domain that will be authenticating into Goliath, create a semi-colon delimited list of all of the domains where authentication should be enabled using, LDAP:// as the pre-fix, case sensitive.
   1. For the additional paths, you'll need to specify the domain that Goliath will connect to in the format of "LDAP://{domain name}".
      1. For example, LDAP://test.local
   2. If the domain controller uses a non-standard LDAP port (i.e. not 389 or 636), this can be defined by defining a domain controller and appending the port "LDAP://{{domain controller}}:####/{domain name}".
      1. For example, LDAP://SV-DC05:50000/test.local
   3. In general, the domain controller can also be optionally defined in the format "LDAP://{{domain controller}}/{domain name}".
      1. For example, LDAP://SV-DC05/test.local
   4. To add additional ldap connections, create a semi-colon delimited list of all of the domains where authentication should be enabled using, LDAP:// as the pre-fix, case sensitive.
      1. Example of multiple paths, "GC://rootDSE; LDAP://SV2-DC03/tech.local; LDAP://SVR-AD01/test.goliathtechnologies.com"
         
         1. 
   5. Enable the checkbox option for Enable Security.
   6. Select Apply to complete the configuration.
   7. Refresh the browser to be prompted with the sign in page
      1. Please note, when signing into the product with AD credentials only enter the SamAccountName into the username box. Do not use the format of "domain\user" or "user@domain".
         1. 

Appendix

Multiple Domain Configuration

Goliath has the ability to authenticate to child and trusted domains by configuring additional LDAP connections. Follow the below steps to configure the one-time setting. Once configured, follow the steps in the Enable Security section above.

Supported Configurations:

• Child Domain or any Domain in the same AD Forest that the Goliath Server is a member of
• Two-Way trust between the domain the Goliath Server is a member of and a domain outside the AD Forest
• One-Way trust where the domain the Goliath Server is a member of trusts a domain outside the AD Forest
  • The authentication scope of the trust must be "domain-wide"

Prerequisites for Multiple Domain Support:

• an AD User must be running the MonitorIT Server Service
  • Per the Goliath Performance Monitor Prerequisites, this account must have "database_owner" rights to the SQL database
• For authenticating to an One-Way or Two-Way trust, the above mentioned account must also be in the trusted domains with the same SamAccountName and password. It must also be a Domain Admin in the trusted domains. 
  • • For example, if the Goliath Server user account is "Corp/Test123" with password "AFG". Then in the trusted "TEST" domain, there must be a user "TEST/Test123" with password "AFG" that is a domain admin in order make the LDAP bind.

Active Directory User/Security Group Lookup

When adding a new user or security group into Goliath, if this user/group is a member of the domain that the Goliath Server resides on, Goliath has the ability to search the AD tree. If unsure of a user logon name or security group name, once you check the box "Use Active Directory", next to the checkbox is a "..." button. Clicking that button will open a new pane where you can search the AD tree.

Settings Page Permissions Table