Comment: Migration of unmigrated content due to installation of a new plugin

...

  • Administrators can enable the Force Local Authentication check box for local user accounts to provide a specific profile to users that also exist on a remote authentication/authorization service. In the user configuration, you enable the Force Local Authorization option and its read-only Last Login value will show the external service name. Locally created user accounts automatically enable this option, which can be disabled at any time. If the user is learned by NetMRI through a remote authentication/authorization service, this option is automatically disabled.
  • When a user is learned by NetMRI through a remote authentication/authorization service, the administrator cannot then re-create the user account. You may activate the Force Local Authentication check box for an externally learned account and redefine its password and other user details. (The Local authentication service must also be placed first in the Authentication Services list.) By taking these steps, you can ensure that an account is verified and authorized locally, without using the same login defined on the external service. An alternative is to define a different local login credential for the user.
  • The Force Local Authentication setting is automatically enabled for all new locally created users. You can change local user account settings at any time:
    • You can change the local user password.
    • You can disable a user account at any time.
    • You can change assigned Roles and device groups for an account, but changes will persist only when the account is locally authenticated and authorized, with the Local authentication service taking the highest Priority setting and the Force Local Authentication check box enabled for the account.
    • You can define CLI credentials, notes and Email settings for all users in the User database.



    Understanding Users and Roles




    Note: Privileges play a key part in roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also see Privilege Descriptions for details on the Privileges comprising user Roles.

    User accounts are the standard identities of all users of the NetMRI appliance.
    You assign Roles to each user account after assigning the privileges that each user account is allowed to exercise. User accounts are granular to individuals, while Roles apply across different accounts. NetMRI provides a set of pre-defined Roles with specific privileges, as follows:

    AnalysisAdmin

    Specializes in creating and managing NetMRI Issues. Assigned privileges include Issues: Modify Parameters, Issues: Modify Suppression Parameters, Issues: Modify Priority, Issues: Define Notifications, and View: Non-Sensitive.

    ChangeEngineer: High

    Allowed to write, schedule and execute job scripts of any degree of risk sensitivity. Privileges include Switch Port Admin, Scripts:Author, Scripts:Level1 (low risk), Scripts:Level2 (medium risk), Scripts:Level3 (high risk), View: Audit Log, View: Sensitive and View: Non-Sensitive. This Role can also launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature, using User Credentials (Terminal: Open Session), and can modify CLI credentials (Terminal: Modify Credentials). The Collection: Poll On Demand privilege provides the ability to perform on-demand polling of individual network devices.

    Change Engineer: Medium

    Allowed to write, schedule and execute job scripts. Privileges include Switch Port Admin, Scripts:Author, Scripts:Level1 (low risk), Scripts:Level2 (medium risk), View: Sensitive and View: Non-Sensitive. This Role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature (Terminal: Open Session), using NetMRI default credentials. By default, this Role cannot modify CLI credentials. The Collection: Poll On Demand privilege provides the ability to perform on-demand polling of individual network devices.

    Change Engineer: Low

    Allowed to write, schedule and execute job scripts with a low sensitivity to risk. Privileges include Switch Port Admin, Scripts:Author, Scripts:Level1 (low risk), View: Sensitive and View: Non-Sensitive. Users with this role cannot launch SSH or Telnet sessions and those options will not appear in the device shortcut menu (right-clicking on a device's IP address, a VLAN IP and other elements in the NetMRI UI). By default, users with this role also cannot modify CLI credentials.

    Config Admin

    Read-only account that is allowed to view all sensitive data in NetMRI. Privileges include View: Audit Log, View: Sensitive, and View: Non-Sensitive.

    Default View Role

    Read-only account that is allowed to view only non-sensitive data. Privileges include View: Non-Sensitive.

    Event Admin

    Event system administrator. Privileges include Events: Admin which enables creation of new Event Symptoms, and View: Non-Sensitive.

    FindIT

    Allows access only to the NetMRI FindIT tool.

    GroupManager

    Creates and manages interface groups, device groups and related result sets. Privileges include Groups: Create, Groups: Delete, Groups: Result Sets, View: Non-Sensitive, and View: Sensitive.

    Policy Manager

    Creates and manages Policies for one or more Groups in NetMRI to standardize and lock down configurations for networked devices such as routers, switches and firewalls. Privileges include Policy: Deploy, Policy: Create, Edit and Delete, View: Audit Log, View: Non-Sensitive, and View: Sensitive.

    Report Admin

    Role to allow the creation and editing of Report features in NetMRI. Associated privileges include Reports: Report Manager, View: Non-Sensitive, and View: Sensitive.

    Switch Port Administrator

    Switch port administrator. Privileges include Switch Port Admin which enables changes to switch port configurations such as VLAN assignment and port activation, and View: Non-Sensitive.

    SysAdmin

    The global administrator account Role for NetMRI. Includes the System Administrator privilege and View: Audit Log. SysAdmins can manage, add and remove scan interfaces and map them to networks; manage, add and remove network views.

    UserAdmin

    Create and edit NetMRI user accounts and Roles, and assign privileges. Includes View: Audit Log, View: Non-Sensitive, User Administrator, Reset Passwords and Issues: Define Notifications.


    You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance.
    See Defining and Editing Roles for more information.
    The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.
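
The role descriptions above can be used as a review aid for least privilege. The following is an added example, not part of the NetMRI documentation or product: it transcribes a subset of the pre-defined Roles from this page and reports, per user, which Role grants each watched privilege. The WATCHED list, the assignment format, the sample accounts and the custom Role name are assumptions constructed for illustration.

```python
# Role -> privileges, transcribed from this page (subset; add custom Roles here).
ROLE_PRIVS = {
    "ChangeEngineer: High": {
        "Switch Port Admin", "Scripts:Author", "Scripts:Level1",
        "Scripts:Level2", "Scripts:Level3", "View: Audit Log",
        "View: Sensitive", "View: Non-Sensitive", "Terminal: Open Session",
        "Terminal: Modify Credentials", "Collection: Poll On Demand"},
    "Config Admin": {"View: Audit Log", "View: Sensitive", "View: Non-Sensitive"},
    "Default View Role": {"View: Non-Sensitive"},
    "UserAdmin": {"View: Audit Log", "View: Non-Sensitive", "User Administrator",
                  "Reset Passwords", "Issues: Define Notifications"},
}

# Privileges the reviewer wants traced to a granting Role (hypothetical watch list).
WATCHED = {"Scripts:Level3", "Terminal: Modify Credentials",
           "User Administrator", "Reset Passwords", "View: Sensitive"}


def audit_user(roles):
    """Return (grants, unknown): watched privilege -> Roles granting it,
    plus Role names missing from ROLE_PRIVS (for example custom Roles)."""
    grants, unknown = {}, []
    for role in roles:
        privs = ROLE_PRIVS.get(role)
        if privs is None:
            unknown.append(role)  # an unmapped Role is reported, never assumed harmless
            continue
        for priv in privs & WATCHED:
            grants.setdefault(priv, []).append(role)
    return {p: sorted(r) for p, r in grants.items()}, unknown


def audit(assignments):
    """assignments: {user_name: [role, ...]} -> only the users needing review."""
    report = {}
    for user, roles in assignments.items():
        grants, unknown = audit_user(roles)
        if grants or unknown:
            report[user] = {"grants": grants, "unknown_roles": unknown}
    return report


# Constructed sample assignments (not real accounts; user names are case-sensitive).
SAMPLE = {
    "jsmith": ["ChangeEngineer: High", "Config Admin"],
    "viewer1": ["Default View Role"],
    "ops2": ["UserAdmin", "NightShift-Custom"],
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(user, finding)
```

A privilege listed under more than one Role for the same user stays in effect until every one of those Roles is removed from the account.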



    Creating User Accounts

    Note: User account names are case-sensitive. You can use some non-alphanumeric characters for naming, including bracket characters, such as @!#$%^&*()=[]{}. Punctuation characters (,.;'") and spacebar characters are disallowed.

    You create, edit and delete user accounts in the Users page (Settings icon -> User Admin section -> Users). By default, the admin account is the single user account built into the appliance. You cannot remove this account.
    In the Users window, each user account lists the following:

  • User Name: the network identity of the user;
  • First Name and Last Name: the configured first name and surname for the user;
  • Last Login: the time and date of last login;
  • Last Authentication: shows the authentication service that granted the last login;
  • Last Authorization: This field is updated at each user login; possible values include the following:
    • Remote when the user logs in using their remote password, and their Force Local Authorization setting is set to False for their User account. The user is granted the roles defined from the remote group assignment in the authentication service properties.
    • Local in cases where the user simply logs in using their local appliance password; or when the user logs in to the remote authentication service using their remote password, and the Disable Authorization checkbox is enabled for that service.
    • Forced Local when the user logs in using their remote password and their Force Local Authorization setting is set to False in their User properties. The user is granted the local Roles and access to their device groups.

...