...
You can define and authenticate your admin users remotely, where all users and their accounts are authenticated and authorized for their roles and privileges through an external server such as RADIUS or LDAP. This chapter describes how to set up local authentication services in NetMRI. For remote configurations, see see NetMRI User Authentication and Authorization. You can also define and authenticate all of your admin users locally, where all user accounts and their assigned roles and privileges are defined in the NetMRI system.
...
| Note | ||
|---|---|---|
| ||
Device groups are a NetMRI organizational unit that gathers devices in related groups—routers in a Routers group, Ethernet switches in a Switches group, and so on. For related information on device groups, see see Devices and Interfaces. |
- Create, edit, and delete user Roles. You assign Roles to each individual user account and define the privileges and tasks, and specific networks and network devices on which the NetMRI user can operate. A user account is ineffective without an assigned Role. A user account can use one or more Roles.
- Each Role is comprised of a set of access Privileges, which are the types of tasks that the user can carry out in their assigned Role.
- Review the Audit Log. The Audit Log provides records of all actions taken by all NetMRI users, showing the timestamp, event type, and associated descriptive messages.
Several advanced User Administration settings are located in the Advanced Settings section. For more information, see Advanced User Administration Settings.
User administration provides support from external authentication servers. Because NetMRI supports both external authentication and authorization features through remote groups, mirroring the Roles and Privileges provided in local NetMRI user provisioning, you can leverage remote AAA server configurations (from TACACS+, LDAP, Active Directory, and RADIUS) without having to directly provision significant numbers of users on NetMRI.
...
When a new user is authenticated and authorized through one of the remote services described in in NetMRI User Authentication and Authorization, . NetMRI automatically creates the new account locally and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.
...
For more information on remote authentication and authorization of NetMRI users, see see NetMRI User Authentication and Authorization and and its subsections.
Managing User Data
...
| Note | ||
|---|---|---|
| ||
Privileges play a key part in roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also, see Privilege Descriptions for details on the Privileges comprising user Roles. |
User accounts are the standard identities of all users of the NetMRI appliance.
...
You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance. See Defining and Editing Roles for more information.
The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.
...
When scheduling or running a job (see Creating and Scheduling Jobs for more information), if user credentials are required and the Use the requester's stored CLI credentials or Use the approver's stored CLI credentials job options are selected, then the CLI credentials associated with the given user account are used to login to the network devices that are part of the job. Admins can modify command-line execution credentials for any user account. For more information, see the account creation procedure further in this section.
...
Privilege | Description |
|---|---|
Configure Networks | A system privilege applied to SysAdmin roles. Allows adding of new networks, changing Network View mappings, and mapping local VRFs to networks. |
Switch Port Admin | A system privilege applied to Switch Port Administrator Roles. This Privilege allows the Role to perform the following tasks:
|
Collection: Poll On-Demand | Users with this privilege can perform on-demand polling of individual network devices for the admin account using this privilege. |
View: Non Sensitive | Ability to view all non-sensitive information in NetMRI, such as Issues, Changes, audit logs, and device states through the Device Viewer. Users with these privileges cannot carry out the following:
|
View: Sensitive | Ability to view all sensitive information in NetMRI, including policy compliance configurations, device configurations in Configuration Management, configuration of user accounts, and Setup, Licensing, and Database tasks otherwise not accessible by View: Non Sensitive privileges. |
View: NetMRI System Info | Ability to view NetMRI appliance settings. |
Custom Data: Input Data | A privilege allowing non-Admin user accounts to edit and enter information in custom data fields previously created by the Admin account. For example: for network devices, custom fields are useful for recording important contextual data such as asset tag numbers and physical location — information that NetMRI does not gather on its own. By default, the Admin account is the only account with permissions to edit such data fields. For more information, see Defining and Using Custom Fields and Enabling Custom Data Field Editing for Non-Admin Users. |
System Administrator | Allows the user complete access to the NetMRI appliance. |
Reset Passwords | A privilege that allows a user to change passwords other than their own. |
User Administration | A privilege that allows a user to create users, and assign roles and privileges. |
Issues: Modify Parameters | A privilege that allows a user to define and change analysis parameters, including analysis schedules. |
Issues: Modify Suppression Parameters | A privilege that allows a user to modify issue suppression parameters. |
Issues: Modify Priority | A privilege that allows a user to set the priority of issues. |
Issues: Define Notifications | A privilege that allows a user to define notifications for the issues. |
Scripts: Author | Author scripts and packaged commands, and save them for re-use by others. |
| Scripts: Approve 1 | Approve packaged scripts and commands designated level 1 (low risk). |
| Scripts: Approve 2 | Approve packaged scripts and commands designated level 2 (medium risk). |
| Scripts: Approve 3 | Approve packaged scripts and commands designated level 3 (high risk). |
| Scripts: Execute 1 | Execute packaged scripts and commands designated level 1 (low risk). |
| Scripts: Execute 2 | Execute packaged scripts and commands designated level 2 (medium risk). |
| Scripts: Execute 3 | Execute packaged scripts and commands designated level 3 (high or unknown risk). |
| Scripts: Schedule 1 | Schedule packaged scripts and commands designated level 1 (low risk). |
| Scripts: Schedule 2 | Schedule packaged scripts and commands designated level 2 (medium risk). |
| Scripts: Schedule 3 | Schedule packaged scripts and commands designated level 3 (high or unknown risk). |
Policy: Create, Edit, and Delete | Create, edit, and delete policies and policy rules. |
Policy: Deploy | Ability to assign the device groups against which a policy is checked. |
Events: Admin | Ability to create event symptoms. |
Groups: Create | Ability to create and edit device and/or interface groups in NetMRI. |
Groups: Result Sets | Ability to create and edit result sets. |
Groups: Delete | Ability to remove the device and/or interface groups. |
Terminal: Modify Credentials | Allow the user to modify their own CLI credentials. This privilege restricts/allows users with the given role to change their own CLI credentials (Settings –> User Admin –> edit User –> CLI Credentials). By default, this tab is disabled for user accounts without this privilege. NetMRI roles that have this privilege by default include SysAdmin, UserAdmin, and ChangeEngineer High. For roles other than those noted, this privilege is manually assigned. |
| Allow users to activate Telnet/SSH sessions from the right-click menu. Should a user account not have this privilege, a popup message appears explaining that they do not have sufficient privileges to use this feature. NetMRI roles with this privilege include SysAdmin, UserAdmin, ChangeEngineer High, and ChangeEngineer Medium. For roles other than those noted, this privilege is assigned manually. |
Terminal: Use NetMRI Creds | Allow the user to log in to devices using the default login/enable credential associated to the device within NetMRI. These are not vendor default credentials. If a terminal session is opened and the user has the appropriate privileges, the terminal shell queries the device credentials based on status and connection type and attempts a login using those if they are available. If not, a username and password are requested from the user. |
Tools: All | Allows access to all available Network Tools in NetMRI. |
Tools: Ping/Traceroute | Allows access to the NetMRI Ping/Traceroute Tool. |
Tools: Path Diagnostics | Allows access to the NetMRI Path Diagnostic Tool. |
Tools: SNMP Walk | Allows access to the NetMRI SNMP Walk Tool. |
Tools: Cisco Cmd Tool | Allows access to the NetMRI Cisco Command Tool. |
Tools: Discovery Diag | Allows access to the NetMRI Discovery Diagnostics Tool. |
Tools: FindIT | Allows access to the NetMRI FindIT Tool. |
...