Channel: THWACK: All Content - All Communities

Needed User Account/Password Changes


The Orion platform is quite great in many areas as compared to most other monitoring platforms.  It is, however, severely lacking in the areas of user management and security policies.  I would like to request the following features to be added to the platform in order to satisfy requirements from a good portion of my clients.  Enterprises use Active Directory, but more and more I am seeing clients who are not able to use AD and are forced to use the individual Orion accounts.

 

  1. Provide a user self-service portal where simple user-based tasks can be performed by the users themselves.  An idea on this could include a password recovery system based on e-mail and security questions such as what is present on nearly every single major web site.  I know existing users without any enhanced privileges can change their own password, but this is so very basic in its current sense and could definitely use massive enhancement.
  2. Add options to force a user logging in the very first time to change their password.  This could be enhanced dramatically by not requiring the password at all to begin with.  Imagine a SW admin creating an account and having a spot for an e-mail for the person who will use the account.  Upon account creation, an e-mail would be sent to the user providing a link that when clicked would bring the user to the site, ask for a password to be set, and then continue on from there.  This method removes having default passwords on accounts that no one has ever logged into and changed the password.
  3. Add options to lock a user account after a certain number of failed attempts.  Seems very basic to me.
  4. Add options to set and enforce password restriction policies including not using the past 5 passwords, password length requirements, and password complexity requirements.  This could be enhanced by adding a random password generator into the mix as well.
  5. Add the ability to have a "master" account for a number of sub accounts.  This would allow administration of these sub accounts to be handled by the team/customer themselves rather than by the SolarWinds admin.  The idea here is that the SW Admin provisions the master account with account limitations on what devices this master and any sub account can see/manage.  The master account can then create, delete, enable, or disable sub accounts for the devices to which the master account's privileges provide access.  Think of a managed service provider use case where the folks using Orion are customers of the MSP.  This feature is present on most MSP style monitoring packages and allows for the administration overhead to be handled by the customer and not the SW admin.  This would make the Orion platform truly multi-tenant.

 

There are probably countless other options here that could be implemented, but I think these are some high level, pressing needs in terms of SolarWinds platform security.  Enterprises have it nice with AD integration but those customers who cannot use AD are literally left in the dark.

 

Sohail Bhamani

Loop1 Systems

http://www.loop1systems.com


