Note

For external authentication and authorization services, NetMRI receives the login requests from the user and forwards them to the Authentication/Authorization server, which performs the actual transaction. In this chapter, you configure authentication based only on the local appliance.

...

User Administration in NetMRI

You define user administration functions in the Settings window (Settings icon –> User Admin section), performing the following tasks:

...

Several advanced User Administration settings are located in the Advanced Settings section. For more information, see Advanced User Administration Settings.

User administration provides support for external authentication servers. Because NetMRI supports both external authentication and authorization features through remote groups, mirroring the Roles and Privileges provided in local NetMRI user provisioning, you can leverage remote AAA server configurations (from TACACS+, LDAP, Active Directory, and RADIUS) without having to directly provision significant numbers of users on NetMRI.

...

...

Advantages of Remote Authentication and Authorization for Users

When a new user is authenticated and authorized through one of the remote services described in NetMRI User Authentication and Authorization, NetMRI automatically creates the new account locally and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.

...

For more information on remote authentication and authorization of NetMRI users, see NetMRI User Authentication and Authorization and its subsections.

...

Managing User Data

For the Users and Roles pages, the Select check box is to the left of an Action icon. When you select multiple rows of a table, a whole page, or multiple pages of either data type, you can choose Delete from the Action menu for any selected row. You cannot edit multiple rows of data. The Delete option is the only available option after selecting multiple rows.

...

  • You can change the local user password.
  • You can disable a user account at any time.
  • You can change assigned Roles and device groups for an account, but changes will persist only when the account is locally authenticated and authorized, with the Local authentication service taking the highest Priority setting and the Force Local Authentication check box enabled for the account.
  • You can define CLI and database credentials, notes, and email settings.

...

Understanding Users and Roles

...


Note

Privileges play a key part in roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also, see Privilege Descriptions for details on the Privileges comprising user Roles.

...

NetMRI provides a set of pre-defined Roles with specific privileges in NetMRI, as follows:

AnalysisAdmin

Specializes in creating and managing NetMRI Issues. Assigned privileges include Issues: Modify Parameters, Issues: Modify Suppression Parameters, Issues: Modify Priority, Issues: Define Notifications, and View: Non Sensitive.

ChangeEngineer: High

Allowed to author, approve, execute, and schedule scripts designated High Level (Level 3) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Approve Level 3
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Scripts: Schedule Level 3
  • Switch Port Admin
  • Terminal: Modify Credentials
  • Terminal: Open Session
  • View: Audit Log
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature using User Credentials (Terminal: Open Session privilege). This role can modify CLI credentials (Terminal: Modify Credentials privilege).

ChangeEngineer: Medium

Allowed to author, approve, execute, and schedule scripts designated Medium Level (Level 2) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Switch Port Admin
  • Terminal: Open Session
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature (Terminal: Open Session privilege) using NetMRI default credentials. By default, this role cannot modify CLI credentials.

ChangeEngineer: Low

Allowed to author, approve, execute, and schedule scripts designated Low Level (Level 1).

Privileges include the following:

  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Users with this role cannot launch SSH or Telnet sessions and those options will not appear in the device shortcut menu (right-clicking on a device's IP address, a VLAN IP, and other elements in the NetMRI UI). By default, this role cannot modify CLI credentials.

Config Admin

Read-only account that is allowed to view all sensitive data in NetMRI. Privileges include View: Audit Log, View: Sensitive, and View: Non-Sensitive.

Default View Role

Read-only account that is allowed to view only non-sensitive data. Privileges include View: Non-Sensitive.

Event Admin

Event system administrator. Privileges include Events: Admin, which enables the creation of new Event Symptoms, and View: Non-Sensitive.

FindIT

Allows access only to the NetMRI FindIT tool.

GroupManager

Creates and manages interface groups, device groups, and related result sets. Privileges include Groups: Create, Groups: Delete, Groups: Result Sets, View: Non-Sensitive, and View: Sensitive.

Network Security Engineer

Allows users to provision ACL / firewall rules.

Privileges include the following:

  • Access Provision
  • Access Search
  • Scripts: Approve Level 1
  • Scripts: Approve Level 3
  • Scripts: Execute Level 1
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 3
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Policy Manager

Creates and manages Policies for one or more Groups in NetMRI to standardize and lock down configurations for networked devices such as routers, switches, and firewalls. Privileges include Policy: Deploy, Policy: Create, Edit and Delete, View: Audit Log, View: Non-Sensitive, and View: Sensitive.

Report Admin

Role to allow the creation and editing of Report features in NetMRI. Associated privileges include Reports: Report Manager, View: Non-Sensitive, and View: Sensitive.

Switch Port Administrator

Allows users to make changes to switch port configurations.

Privileges include the following:

  • Collection: Poll On-Demand
  • Scripts: Approve Level 1
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Non Sensitive
  • View: Sensitive

SysAdmin

The global administrator account Role for NetMRI. Includes the System Administrator privilege and View: Audit Log. SysAdmins can manage, add, and remove scan interfaces and map them to networks, and manage, add, and remove network views.

UserAdmin

Create and edit NetMRI user accounts and Roles, and assign privileges. Includes View: Audit Log, View: Non-Sensitive, User Administrator, Reset Passwords, and Issues: Define Notifications.


You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance. See Defining and Editing Roles for more information.

The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.
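
The role descriptions above show that several pre-defined Roles carry both Approve and Execute privileges at the same script level. The following is an added example, not part of the NetMRI documentation or product, that reports those overlaps for a role and for a user's combined role assignments per device group. The two "Custom:" roles, the device group names, and the assumption that roles held on the same device group combine additively are hypothetical.

```python
import re
from collections import defaultdict

# Script privileges copied from three role descriptions on this page, plus two
# hypothetical custom roles (names and contents invented for this example).
ROLES = {
    "ChangeEngineer: Medium": {
        "Scripts: Author", "Scripts: Approve Level 1", "Scripts: Approve Level 2",
        "Scripts: Execute Level 1", "Scripts: Execute Level 2"},
    "Network Security Engineer": {
        "Scripts: Approve Level 1", "Scripts: Approve Level 3",
        "Scripts: Execute Level 1", "Scripts: Execute Level 3"},
    "Switch Port Administrator": {
        "Scripts: Approve Level 1", "Scripts: Execute Level 1"},
    "Custom: L3 Approver": {"Scripts: Approve Level 3", "View: Job Sessions Log"},
    "Custom: L3 Executor": {"Scripts: Execute Level 3", "View: Job Sessions Log"},
}
LEVEL_RE = re.compile(r"Scripts: (Approve|Execute) Level (\d)")

def script_levels(privileges):
    """Return {'Approve': {levels}, 'Execute': {levels}} for a privilege set."""
    levels = {"Approve": set(), "Execute": set()}
    for priv in privileges:
        m = LEVEL_RE.fullmatch(priv)
        if m:
            levels[m.group(1)].add(int(m.group(2)))
    return levels

def approve_and_execute(privileges):
    """Script levels at which one holder can both approve and execute."""
    lv = script_levels(privileges)
    return sorted(lv["Approve"] & lv["Execute"])

def overlap_by_group(assignments, roles=ROLES):
    """assignments: (role, device_group) pairs for one user account.
    Assumption: roles held on the same device group combine additively."""
    combined = defaultdict(set)
    for role, group in assignments:
        combined[group] |= roles[role]
    result = {}
    for group, privs in combined.items():
        levels = approve_and_execute(privs)
        if levels:
            result[group] = levels
    return result

if __name__ == "__main__":
    for name, privs in ROLES.items():
        print(name, "->", approve_and_execute(privs))
    user = [("Custom: L3 Approver", "Core Routers"),       # constructed sample
            ("Custom: L3 Executor", "Core Routers"),
            ("Custom: L3 Executor", "Branch Switches")]
    print(overlap_by_group(user))
```

Splitting approval and execution into separate custom Roles only separates duties if no single account is given both Roles on the same device group, which is what `overlap_by_group` checks.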

...

Creating User Accounts

...

...

You create, edit, and delete user accounts on the Users page (Settings icon –> User Admin section –> Users). By default, the admin account is the single user account built into the appliance. You cannot remove this account.

...

  1. Click Add User below the table.
  2. If you want the new account to be disabled by default, check the Account Disabled check box.
  3. If you want the user to be authenticated and authorized by the NetMRI appliance for their roles and device group assignments, check the Force Local Authorization check box. This enables the user to have a locally defined login that is separate from the remote one on the AAA server. Leaving this check box clear enables the user account to be subjected to authorization through a remote AAA server.
  4. On the User Details tab, enter values for the First Name, Last Name, Username, and Password fields. Fill in optional fields as needed.

    Note

     User account names are case-sensitive. You can use some non-alphanumeric characters for naming including bracket characters, such as @!#$%^&*()[]{}. Punctuation characters (,.;'"), the equal sign =, vertical bar |, and spacebar characters are disallowed.

    Note

    If you use TACACS+ authentication and authorization with NetMRI, keep in mind that TACACS user names are case-insensitive. Therefore, the case must not be the only difference between NetMRI and TACACS user names.

  5. Click Save. The Roles, CLI Credentials, and Database Credentials tabs become available.
  6. Click the Roles tab, and then click Add.
  7. In the Add Role to User dialog, choose a role from the drop-down list.
  8. Under In device groups, click to choose the device group(s) the user is allowed to access.
  9. Click OK. The new role settings are saved for the user account.
  10. On the CLI Credentials tab, define the command-line credentials as described in the procedure below.
  11. On the Database Credentials tab, define the database credentials as described in the procedure below.
  12. In the Add New User dialog, click Close.

...

  1. In the Add New User or Edit User dialog, click the Database Credentials tab. This tab lets you give a user access to the NetMRI database.
  2. Select the Database Credentials Enabled check box. 
  3. Enter the user's Username and Password values, and confirm the password. NetMRI uses these credentials for a new SQL user to access the database.

  4. Click Save.

Note

The SQL username should be from 8 to 16 characters long. It should not contain special symbols.
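
The naming rules in the notes above (disallowed account-name characters, TACACS+ case-insensitivity, and SQL username length) can be checked before accounts are provisioned. The following is an added example, not part of the NetMRI documentation or product; the sample names are constructed, and treating "special symbols" as anything other than ASCII letters and digits is an assumption.

```python
import re
from collections import defaultdict

# Characters the page lists as disallowed in NetMRI account names:
# punctuation , . ; ' " plus the equal sign, vertical bar and space.
DISALLOWED = set(",.;'\"=| ")

def bad_account_chars(name):
    """Return the disallowed characters present in a NetMRI account name."""
    return sorted(set(name) & DISALLOWED)

def case_only_collisions(netmri_names, tacacs_names):
    """Group names that differ only by case. NetMRI names are case-sensitive
    and TACACS+ names are not, so each group is ambiguous on the TACACS+ side."""
    groups = defaultdict(set)
    for name in [*netmri_names, *tacacs_names]:
        groups[name.casefold()].add(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def sql_username_problems(name):
    """Page rule: 8 to 16 characters, no special symbols.
    Assumption: 'special symbols' means anything but ASCII letters and digits."""
    problems = []
    if not 8 <= len(name) <= 16:
        problems.append("length")
    if not re.fullmatch(r"[A-Za-z0-9]*", name):
        problems.append("special symbol")
    return problems

if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    netmri = ["jsmith", "JSmith", "ops@noc", "a.lee"]
    tacacs = ["jsmith", "OPS@NOC"]
    for n in netmri:
        print(n, "disallowed:", bad_account_chars(n))
    print("case-only collisions:", case_only_collisions(netmri, tacacs))
    for s in ["dbuser", "netmri_ro", "reportsro01"]:
        print(s, "problems:", sql_username_problems(s))
```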

...

To edit an existing user account, complete the following:

...

  1. Click the Delete icon for the account.
  2. Confirm the deletion.

...

...

Defining and Editing Roles

...

...


Note

Roles are also limited by a chosen user's permitted access to device groups. Device groups accessible to a user are specified in the user's account.

...

  1. In the Edit Role –> Privileges tab, click Add.
  2. In the Add Privileges dialog, select the Privileges check boxes (see list below) to be associated with the role.
  3. Click OK.
  4. In the Edit Role dialog, click Save & Close.

...

Editing Roles

...

To edit a role, perform the following:

...

  1. Click Delete for the role.
  2. Confirm the deletion.

...


Privilege Descriptions

The following NetMRI system privileges can be assigned to Roles:

...

Note

Privileges cannot be edited or deleted, and new Privileges cannot be created.

...

...

Viewing the User Audit Log

...

The Audit Log (Settings icon –> User Admin –> Audit Log) lists all actions taken by user accounts that result in changes to NetMRI or any of the data sets the account manages. Log entries include the timestamp at which the action was taken, the User name, a description of the action, and field change details when applicable.

Log entries are initially ordered by time, with the most recent at the top of the list. The table can be reordered, for example, to consolidate a particular user's actions. Alternatively, use quick searching to isolate specific log entries.

...

...

Managing User Audit Logs for SSH Connection Attempts to Devices

To help track what NetMRI or its users are doing on the network, you can also view the audit logs for all events in which NetMRI or its users attempt to use SSH or Telnet sessions to network devices. The amount of data collected for such events can substantially impact the size of the collected event database, so you can switch this feature on and off when needed and change how long these events are held in the database. Connection events that are covered by this log category include SSH/Telnet connections for Config Collection, Credential Collection, terminal emulation, and Job Engine Run connections. Unknown connections may also be recorded, which will be events such as API calls.

To view and change these settings, go to Settings icon –> General Settings –> Advanced Settings –> Notification category –> Log All CLI Sessions. The default value is On. You can also choose the No Commands Logged option, which retains the session events but prevents any sensitive CLI data from being recorded.

An associated Advanced Setting, Prune CLI Session Duration, enables you to regularly prune the amount of CLI session data by setting the retention time for keeping that data in the Device Audit Log. The default setting is 7 days.

...

Advanced User Administration Settings

Several important global NetMRI user account settings are located in the Advanced Settings section. To access them, go to Settings icon –> General Settings –> Advanced Settings, and then use the Next Page button to get to the User Administration category. Advanced User Administration settings determine the following:

...