User Permissions
- Last Updated: April 5, 2026
- 6 minute read
- Flowmon Products
- Flowmon Anomaly Detection System
- Documentation
This part of the configuration can be found in Settings → System settings → User Permissions.
The Flowmon ADS application allows admins to limit the data that can be viewed by non-admin users. To limit the events that can be shown to a particular non-admin user, you can assign a perspective to each of these users. The user can only see the events that are produced by detection methods defined in the perspective. Also, the assigned perspective limits method instances that are displayed - only instances of methods defined in perspective are shown to the user.
The perspectives can be defined using the simplified interface. It is sufficient to select the data feed, the IP address filter, and to assign the priorities to the detection methods. The selected source and filter are then assigned to each defined priority (the filter is assigned twice to each priority - once as source filter and once as target filter).
User permissions summary
-
The following entities can be assigned to non-admin users:
-
Filters:
-
Users can only see the filters assigned to them and cannot edit the filters.
-
Filter assigned to the user limits the content of displayed report chapters.
-
-
Perspectives:
-
Users can only see perspectives assigned to them and cannot edit the perspectives.
-
Users can only see the detection methods (and relevant events) that are defined by the perspectives assigned to them.
-
Users can only see the email reports related to perspectives assigned to them.
-
Users can only see data feeds related to priorities in perspectives assigned to them.
-
The perspective assigned to a user limits the content of displayed report chapters.
-
A user without assigned perspectives can see all data feeds (including relevant events and overview charts).
-
A user with an assigned perspective with some priority defined as independent of the data feed can see all data feeds (including relevant overview charts but events are limited by the perspective).
-
-
-
Non-admin user permissions for Report chapters:
-
A user can see the following chapters if:
-
Events by priority: The perspective that is set has a non-empty intersection with the perspectives assigned to the user.
-
Event matrix: The filter and perspective that are set have a non-empty intersection with the filters and perspectives assigned to the user.
-
Events count by type: The perspective that is set has a non-empty intersection with the perspectives assigned to the user.
-
-
-
General facts:
-
Changing the perspective has no impact on the already existing finished events.
-
The Lock the configuration for non-admin users choice is locking the Settings → System Settings → User preferences and Settings → Processing → Event response.
-
Overview of access rights in the user interface
The access rights to various parts of the user interface are determined not only by the role of a user (ADS administrator, tenant administrator, and so on) but also by whether a user is a member of a Base tenant or one of its subtenants. Base tenant is a default tenant that is used when a Flowmon appliance does not operate in a multi-tenant mode. In a multi-tenant mode, the Base tenant is usually used to define other tenants and also to configure the system-wide settings of the Flowmon appliance. Therefore, users with administrative privileges in the Base tenant have more configuration privileges than users with the exact same privileges in subtenants. For more information about multi-tenancy in the ADS module, refer to the following page: Tenants.
In the tables below, you can see which parts of the user interface a user has access rights to based on the assigned role. The first table describes the access rights for the Base tenant and the second one for its arbitrary subtenant. The following terms are used in the tables:
-
Edit rights: A user with a respective role is able to access, view, and change the configuration in the part of the user interface being described.
-
Read rights: A user with a respective role is able to access and view the configuration but cannot change it.
-
Not available (N/A): A user with a respective role has no access to this part of the user interface at all.
Access rights for Base tenant:
| Tenant admin with ADS admin | ADS admin only | Non-privileged user | |
|---|---|---|---|
| Analysis | Edit | Edit | Edit (Read) 1 |
| Events | Edit | Edit | Edit (Read) 1 |
| Chapters | Edit | Edit | Read |
| Data feeds | Edit | Edit 6 | Read 3 |
| Methods | Edit | Edit | Read 3 |
| Custom Patterns | Edit | Edit | Read |
| Filters | Edit | Edit | Read 3 |
| False Positives | Edit | Edit | N/A |
| Blacklists | Edit | Edit | Read |
| Perspectives | Edit | Edit | Read 3 |
| Email notifications | Edit | Edit | Edit (Read) 1,3,4 |
| Syslog messages | Edit | Edit | N/A |
| SNMP messages | Edit | Edit 2 | N/A |
| Traffic recordings | Edit | Edit | Edit (Read) 1,3,4 |
| Custom scripts | Edit | Edit | Edit (Read) 1,3,4 |
| General settings | Edit | N/A | N/A |
| IDS Collector | Edit | N/A | N/A |
| Storage settings | Edit | N/A | N/A |
| LDAP settings | Edit | N/A | N/A |
| ePO settings | Edit | N/A | N/A |
| User permissions | Edit | Edit | Read |
| User preferences | Edit | Edit | Edit (Read) 1 |
| Named services | Edit | Edit | Read |
| External queries | Edit | Edit | Read |
| Event categories | Edit | Edit | Read |
| Custom script files | Edit | N/A | N/A |
| Configuration template | Edit | Edit | N/A |
| Reset to factory settings | Edit 5 | N/A | N/A |
| Delete data | Edit 5 | N/A | N/A |
| Clear DNS cache | Edit | N/A | N/A |
| IP details | Edit | N/A | N/A |
| Logs | Read | N/A | N/A |
| About | Read | Read | Read |
Explanatory notes:
-
When the Lock the configuration for non-admin users option in Settings → System Settings → General Settings is enabled, a user has only read rights. Otherwise, a user has edit rights.
-
An ADS administrator without Tenant administrator rights has no access to SNMP target groups. Therefore, all the settings of SNMP messages can be modified, except the target SNMP servers.
-
When a user has limited visibility to some perspectives or filters, it is possible to view or edit only entities related to these perspectives or filters.
-
When Email notifications, Custom scripts, and Traffic recordings are created, they require you to specify their owner. You can only view or edit them if a you are assigned as their owner.
-
Executing this action will result in data loss (not only in the Base tenant but also in all of its subtenants).
-
Only users with ADS administrator and Tenant administrator permissions (Tenant admin with ADS admin) can edit the FPS limit field.
Access rights for an arbitrary subtenant:
| Tenant admin with ADS admin | ADS admin only | Non-privileged user | |
|---|---|---|---|
| Analysis | Edit | Edit | Edit (Read) 1 |
| Events | Edit | Edit | Edit (Read) 1 |
| Chapters | Edit | Edit | Read |
| Data feeds | Edit | Edit 5 | Read 3 |
| Methods | Edit | Edit | Read 3 |
| Custom Patterns | Edit | Edit | Read |
| Filters | Edit | Edit | Read 3 |
| False Positives | Edit | Edit | N/A |
| Blacklists | Edit | Edit | Read |
| Perspectives | Edit | Edit | Read 3 |
| Email notifications | Edit | Edit | Edit (Read) 1,3,4 |
| Syslog messages | Edit | Edit | N/A |
| SNMP messages | Edit | Edit 2 | N/A |
| Traffic recordings | Edit | Edit | Edit (Read) 1,3,4 |
| Custom scripts | Edit | Edit | Edit (Read) 1,3,4 |
| General settings | N/A | N/A | N/A |
| IDS Collector | N/A | N/A | N/A |
| Storage settings | N/A | N/A | N/A |
| LDAP settings | N/A | N/A | N/A |
| ePO settings | N/A | N/A | N/A |
| User permissions | Edit | Edit | Read |
| User preferences | Edit | Edit | Edit (Read) 1 |
| Named services | Edit | Edit | Read |
| External queries | Edit | Edit | Read |
| Event categories | Edit | Edit | Read |
| Custom script files | N/A | N/A | N/A |
| Configuration template | Edit | Edit | N/A |
| Reset to factory settings | N/A | N/A | N/A |
| Delete data | N/A | N/A | N/A |
| Clear DNS cache | N/A | N/A | N/A |
| IP details | N/A | N/A | N/A |
| Logs | N/A | N/A | N/A |
| About | Read | Read | Read |
Explanatory notes:
-
When the Lock the configuration for non-admin users option in Settings → System Settings → General Settings is enabled, a user only has read rights. Otherwise, a user has edit rights.
-
An ADS administrator without Tenant administrator rights has no access to SNMP target groups. Therefore, all the settings of SNMP messages can be modified, except the target SNMP servers.
-
When a user has limited visibility to some perspectives or filters, it is only possible to view or edit entities related to these perspectives or filters.
-
When Email notifications, Custom scripts, and Traffic recordings are created, they require you to specify their owner. You can only view or edit them if you are configured as their owner.
-
Only users with ADS administrator and Tenant administrator permissions (Tenant admin with ADS admin) can edit the FPS limit field.