<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: User Groups

On the User Groups tab, you can define access rights for monitoring objects, libraries, maps, and reports at user group level. This means that group membership determines what a user can do and which monitoring objects, libraries, maps, or reports they can see. This does not apply to read-only users, who always have only read access, no matter what access rights the user group they belong to has. You can define group access rights for each object in the object's settings.

This documentation refers to an administrator that accesses the PRTG web interface on a master node. Other user accounts, interfaces, or failover nodes might not have all of the options in the way described here. In a cluster, note that failover nodes are read-only by default.

If 15 minutes (900) seconds have passed since your last credential-based login and you open a setup page from a different setup page, PRTG asks you to enter your credentials again for security reasons. A dialog box appears. Enter your Login Name and Password and click OK to continue.

User Groups Overview

The User Groups tab shows a list of all user groups in this PRTG installation and various types of information about each user group.

Column Header	Description
Object	Shows the name of the user group. Click the user group to open its settings.
Type	Shows the user group type, for example, a PRTG user group, an Active Directory group, or a single sign-on (SSO) group.
Members	Shows all users that are a member of this user group.
Primary Group	Shows all users that have this user group as their primary group. Click the user group name to open its settings.
Active Directory Group	Shows the Active Directory group that the user group is connected to.
SSO Claim	Shows the access claim for the SSO group that the user group is connected to.

Add User Groups

To add a new user group to PRTG Network Monitor or to PRTG Hosted Monitor, hover over and select Add User Group from the menu. The options are almost the same as for editing user groups.

For each user group you create, PRTG automatically adds a new group in the device tree with the name [group_name] home.

For each user group you create, PRTG automatically adds a new email notification to the notification templates. It has the name Email to all members of group [group_name]. The new user group automatically has read access to the new notification template.

By default, there are no access rights defined on objects for a newly created user group. Initially, users in this user group do not see any objects in the device tree except the automatically created [group_name] home group for which they have write access. This does not apply if the new user group is an administrator group. Edit the settings of objects in your device tree, libraries, maps, or reports, and set access rights for the new user group in the Access Rights section.
The easiest way to set access rights is in the root group settings and to use the inheritance of settings.

The multi-edit option is not available for the predefined user groups PRTG Administrators and PRTG Users Group.

You cannot delete predefined objects such as the PRTG System Administrator user account, the PRTG Users Group, or the PRTG Administrators group.

If you want to delete an Active Directory group from PRTG, you must delete all users that are in the user group first. This is because the Active Directory users have this user group as their primary group, and user accounts must have a primary group.

User Group Settings

Setting	Description
User Group Name	Enter a name for the user group. If the name contains angle brackets (<>), PRTG replaces them with braces ({}) for security reasons. For more information, see the Knowledge Base: What security features does PRTG include?
Administrative Rights	Define if the user group members have administrative rights: Give user group members administrative rights: Give administrative rights to all user group members. If you select this option, all user group members have full access to all device tree objects, libraries, maps, reports, and the ticket system. In addition, they can manage user accounts and user groups, and they can change the monitoring configuration of PRTG. Do not give user group members administrative rights (default): Do not give the user group member administrative rights. Access to device tree objects, libraries, maps, and reports for user group members are defined in an object's settings.
Home Page URL	Define the default home page for the user group members. This is the page that the user sees after logging in or when selecting Home from the main menu. Enter a PRTG-internal web page. This applies to new users that were either added via Active Directory Integration or using the Add Multiple Users option.
Active Directory or Single Sign-On Integration	Define whether to connect this user group to external users: Do not use Active Directory integration (default): Do not connect this user group to a user group in your Active Directory or to a single sign-on integration. Use local user accounts instead. Use Active Directory integration: Connect this user group to a user group in your Active Directory. For more information, see section Active Directory Integration. Use single sign-on integration: Connect this user group to a single sign-on integration. For more information, see the Knowledge Base: How to integrate Microsoft Entra ID into PRTG? For more information, see the Knowledge Base: How to integrate Okta SSO into PRTG? You cannot change credentials for users that are members of an Active Directory group. This option is not available in PRTG Hosted Monitor.
Active Directory Group	This setting is only visible if you select Use Active Directory integration above. Select the user group whose members can log in to PRTG using their Active Directory domain credentials. The according user accounts have the access rights of the user group you just created. You need to configure a valid Active Directory domain in the Core & Probes settings for user groups to appear in the dropdown list. For more information, see section Active Directory Integration. If your Active Directory contains more than 1,000 entries in total, PRTG displays an input field instead of a dropdown list. This is for performance reasons. In the input field, you can only enter the name of the user group in your Active Directory. PRTG then automatically adds the domain name prefix. PRTG caches the list of the user groups in your Active Directory for one hour. You can update this list earlier by manually clearing the cache via the Administrative Tools by clicking Go! in the Clear Caches section. This option is not available in PRTG Hosted Monitor.
SSO Group Claim	This setting is only visible if you select Use single sign-on integration above. Enter the access claim for the SSO group, for example a scope name or an Azure group object ID. This option is not available in PRTG Hosted Monitor.
User Type	This setting is only visible if you select Use Active Directory integration above. Define the default user access rights for all new users in this user group: Read/write user: Can only view monitoring results, libraries, maps, reports, and also edit the according settings. In addition, they can add and delete objects, libraries, maps, and reports. The user can acknowledge alarms, edit notification templates, notification contacts, and schedules. Read-only user: Can only view monitoring results, libraries, maps, reports, and the according settings. The user can acknowledge alarms and change their own password if allowed. This is a good choice for public or semi-public logins. Read-only users cannot be members of groups with administrative rights. If a user logs in to PRTG for the first time using Active Directory credentials, PRTG automatically creates a new, local user account for this user with the user type that you define.
Acknowledge Alarms	This setting is only visible if you select Read-only user above. Acknowledging an alarm is an action that requires write access. However, you can explicitly allow a read-only user to acknowledge alarms: Allow user group members to acknowledge alarms: Allow read-only user group members to acknowledge alarms. Do not allow user group members to acknowledge alarms (default): Do not allow read-only user group members to acknowledge alarms.
Sensor Creation Rights	Define if user group members can create all sensors or only specific sensors: Allow user group members to create all sensors (default): No restrictions for group members apply. Allow user group members to create certain sensors only: Select the allowed sensors from the list of available sensors.
Allowed Sensors	This setting is only visible if you select Allow user group members to create certain sensors only above. A list of all available sensors is shown. Select the sensors that user group members can create by enabling check boxes in front of the respective sensor names. You can also select all items or cancel the selection by using the check box in the table header. PRTG displays sensors that are in use in bold print. This setting does not apply when a user group member runs an auto-discovery. The auto-discovery adds all sensors that are defined in the used device templates. This setting does also not apply when a user group member adds recommended sensors.
Ticket System Access	Define if user group members can use the ticket system: Allow user group members to use the ticket system (default): Users in this user group can read, create, assign, and modify tickets. Group members that are read-only users never have access to the ticket system. Do not allow user group members to use the ticket system: The Tickets menu item in the main menu bar is not visible to users in this user group.

Group Members

Setting	Description
Members	This setting is only visible if you select <%C_Do_not_use_Active_Directory_or_single_sign-on_integration%> above. Define which local user accounts are members of this user group. To add a user account from the list, enable the check box in front of the user name. The available user accounts depend on your setup.

Setting

Description

Members

This setting is only visible if you select <%C_Do_not_use_Active_Directory_or_single_sign-on_integration%> above.

Define which local user accounts are members of this user group. To add a user account from the list, enable the check box in front of the user name. The available user accounts depend on your setup.

Primary Group Users

Setting	Description
User List	Shows a list of all user accounts that have this user group as their primary group. This is only shown for your information. You can change the primary group of a user account in the user account's settings.

Save your settings. If you leave the page, all changes to the settings are lost.

KNOWLEDGE BASE

What security features does PRTG include?

https://kb.paessler.com/en/topic/61108

How to integrate Microsoft Entra ID into PRTG?

https://kb.paessler.com/en/topic/88527

How to integrate Okta SSO into PRTG?

https://kb.paessler.com/en/topic/90482

Others

There are some settings that you must define in the PRTG Administration Tool. For more information, see sections: