...

You can define and authenticate your admin users remotely, where all users and their accounts are authenticated and authorized for their roles and privileges through an external server such as RADIUS or LDAP. This chapter describes how to set up local authentication services in NetMRI. For remote configurations, see NetMRI User Authentication and Authorization. You can also define and authenticate all of your admin users locally, where all user accounts and their assigned roles and privileges are defined in the NetMRI system.

Note

For external authentication and authorization services, NetMRI receives the login requests from the user and forwards them to the Authentication/Authorization server, which performs the actual transaction. In this chapter, you configure authentication based only on the local appliance.

...

User Administration in NetMRI

You define user administration functions in the Settings window (Settings icon > User Admin section), performing the following tasks:

...

Note

Device groups are a NetMRI organizational unit that gathers devices in related groups—routers in a Routers group, Ethernet switches in a Switches group, and so on. For related information on device groups, see Devices and Interfaces.

  • Create, edit, and delete user Roles. You assign Roles to each individual user account and define the privileges and tasks, and specific networks and network devices on which the NetMRI user can operate. A user account is ineffective without an assigned Role. A user account can use one or more Roles.
  • Each Role is comprised of a set of access Privileges, which are the types of tasks that the user can carry out in their assigned Role.
  • Review the Audit Log. The Audit Log provides records of all actions taken by all NetMRI users, showing the timestamp, event type, and associated descriptive messages.

Several advanced User Administration settings are located in the Advanced Settings section. For more information, see Advanced User Administration Settings. 

User administration provides support from external authentication servers. Because NetMRI supports both external authentication and authorization features through remote groups, mirroring the Roles and Privileges provided in local NetMRI user provisioning, you can leverage remote AAA server configurations (from TACACS+, LDAP, Active Directory, and RADIUS) without having to directly provision significant numbers of users on NetMRI.

...

Advantages of Remote Authentication and Authorization for Users

When a new user is authenticated and authorized through one of the remote services described in NetMRI User Authentication and Authorization, NetMRI automatically creates the new account locally and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.

...

For more information on remote authentication and authorization of NetMRI users, see NetMRI User Authentication and Authorization and its subsections.

...

Managing User Data

...

For the Users and Roles pages, the Select check box is to the left of an Action icon. When you select multiple rows of a table, a whole page, or multiple pages of either data type, you can choose Delete from the Action menu for any selected row. You cannot edit multiple rows of data. The Delete option is the only available option after selecting multiple rows.

...

While it is possible to select the entire table's worth of data in the Users page (Settings icon > User Admin > Users), the admin user account can never be deleted; the default set of NetMRI Roles (Settings icon > User Admin > Roles) also may not be deleted (though they are otherwise editable) and the Delete option is ghosted for each of them in the Action menu. In all cases, NetMRI user accounts with read-only privileges will not be able to perform this action.

...

  • You can change the local user password.
  • You can disable a user account at any time.
  • You can change assigned Roles and device groups for an account, but changes will persist only when the account is locally authenticated and authorized, with the Local authentication service taking the highest Priority setting and the Force Local Authentication check box enabled for the account.
  • You can define CLI and database credentials, notes, and email settings.

...

Understanding Users and Roles


Note

Privileges play a key part in Roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also, see Privilege Descriptions for details on the Privileges comprising user Roles.

User accounts are the standard identities of all users of the NetMRI appliance.

...

NetMRI provides a set of pre-defined Roles with specific privileges in NetMRI, as follows:

AnalysisAdmin

Specializes in creating and managing NetMRI Issues. Assigned privileges include Issues: Modify Parameters, Issues: Modify Suppression Parameters, Issues: Modify Priority, Issues: Define Notifications, and View: Non Sensitive.

ChangeEngineer: High

Allowed to author, approve, execute, and schedule scripts designated High Level (Level 3) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Approve Level 3
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Scripts: Schedule Level 3
  • Switch Port Admin
  • Terminal: Modify Credentials
  • Terminal: Open Session
  • View: Audit Log
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature using User Credentials (Terminal: Open Session privilege). This role can modify CLI credentials (Terminal: Modify Credentials privilege).

ChangeEngineer: Medium

Allowed to author, approve, execute, and schedule scripts designated Medium Level (Level 2) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Switch Port Admin
  • Terminal: Open Session
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature (Terminal: Open Session privilege) using NetMRI default credentials. By default, this role cannot modify CLI credentials.

ChangeEngineer: Low

Allowed to author, approve, execute, and schedule scripts designated Low Level (Level 1).

Privileges include the following:

  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Users with this role cannot launch SSH or Telnet sessions and those options will not appear in the device shortcut menu (right-clicking on a device's IP address, a VLAN IP, and other elements in the NetMRI UI). By default, this role cannot modify CLI credentials.

Config Admin

Read-only account that is allowed to view all sensitive data in NetMRI. Privileges include View: Audit Log, View: Sensitive, and View: Non-Sensitive.

Default View Role

Read-only account that is allowed to view only non-sensitive data. Privileges include View: Non-Sensitive.

Event Admin

Event system administrator. Privileges include Events: Admin which enables the creation of new Event Symptoms, and View: Non-Sensitive.

FindIT

Allows access only to the NetMRI FindIT tool.

GroupManager

Creates and manages interface groups, device groups, and related result sets. Privileges include Groups: Create, Groups: Delete, Groups: Result Sets, View: Non-Sensitive, and View: Sensitive.

Network Security Engineer

Allows users to provision ACL / firewall rules.

Privileges include the following:

  • Access Provision
  • Access Search
  • Scripts: Approve Level 1
  • Scripts: Approve Level 3
  • Scripts: Execute Level 1
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 3
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Policy Manager

Creates and manages Policies for one or more Groups in NetMRI to standardize and lock down configurations for networked devices such as routers, switches, and firewalls. Privileges include Policy: Deploy, Policy: Create, Edit and Delete, View: Audit Log, View: Non-Sensitive, and View: Sensitive.

Report Admin

Role to allow the creation and editing of Report features in NetMRI. Associated privileges include Reports: Report Manager, View: Non-Sensitive, and View: Sensitive.

Switch Port Administrator

Allows users to make changes to switch port configurations.

Privileges include the following:

  • Collection: Poll On-Demand
  • Scripts: Approve Level 1
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Non Sensitive
  • View: Sensitive

SysAdmin

The global administrator account Role for NetMRI. Includes the System Administrator privilege and View: Audit Log. SysAdmins can manage, add, and remove scan interfaces and map them to networks, and manage, add, and remove network views.

UserAdmin

Create and edit NetMRI user accounts and Roles, and assign privileges. Includes View: Audit Log, View: Non-Sensitive, User Administrator, Reset Passwords, and Issues: Define Notifications.


You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance. See Defining and Editing Roles for more information.

The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.
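The following added example (not Infoblox code and not a NetMRI API) models three of the pre-defined Roles listed above and works out what an account holding several Roles can do in each device group. It assumes that the effective privileges in a device group are the union of every Role assigned there; the sample account, the Firewalls group name and the author/approve/execute check are constructed for this review.

```python
from collections import defaultdict


def script_levels(*levels):
    """Approve/Execute/Schedule privileges for the given script levels."""
    return {f"Scripts: {verb} Level {n}"
            for verb in ("Approve", "Execute", "Schedule") for n in levels}


# Privilege sets copied from the role list on this page (three roles only).
ROLE_PRIVILEGES = {
    "ChangeEngineer: Low": {
        "Lists: Author", "Scripts: Author", "Switch Port Admin",
        "View: Job Sessions Log", "View: Non Sensitive", "View: Sensitive",
    } | script_levels(1),
    "Network Security Engineer": {
        "Access Provision", "Access Search", "View: Job Sessions Log",
        "View: Non Sensitive", "View: Sensitive",
    } | script_levels(1, 3),
    "Switch Port Administrator": {
        "Collection: Poll On-Demand", "Switch Port Admin",
        "View: Non Sensitive", "View: Sensitive",
    } | script_levels(1),
}

# Constructed account: (role, device groups the role applies to).
SAMPLE_ACCOUNT = [
    ("ChangeEngineer: Low", ["Switches", "Routers"]),
    ("Network Security Engineer", ["Routers", "Firewalls"]),
]


def effective_privileges(assignments):
    """Union of role privileges per device group (assumed semantics)."""
    per_group = defaultdict(set)
    for role, groups in assignments:
        for group in groups:
            per_group[group] |= ROLE_PRIVILEGES[role]
    return dict(per_group)


def full_script_chain(privs, level):
    """True if one identity can author, approve and execute at this level."""
    needed = {"Scripts: Author",
              f"Scripts: Approve Level {level}",
              f"Scripts: Execute Level {level}"}
    return needed <= privs


def review(assignments):
    """Return (group, level, granted_by_a_single_role) for each full chain."""
    findings = []
    for group, privs in sorted(effective_privileges(assignments).items()):
        roles_here = [r for r, groups in assignments if group in groups]
        for level in (1, 2, 3):
            if full_script_chain(privs, level):
                single = any(full_script_chain(ROLE_PRIVILEGES[r], level)
                             for r in roles_here)
                findings.append((group, level, single))
    return findings


if __name__ == "__main__":
    for group, level, single in review(SAMPLE_ACCOUNT):
        origin = "one role" if single else "combination of roles"
        print(f"{group}: author+approve+execute at level {level} ({origin})")
```

In the sample, neither Role alone lets the account author, approve and execute Level 3 scripts, but the two together do for the Routers group, which is the kind of result worth checking before adding a second Role to an account.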

...

Creating User Accounts

...

You create, edit, and delete user accounts on the Users page (Settings icon > User Admin section > Users). By default, the admin account is the single user account built into the appliance. You cannot remove this account.

...

When scheduling or running a job (see Creating and Scheduling Jobs for more information), if user credentials are required and the Use the requester's stored CLI credentials or Use the approver's stored CLI credentials job options are selected, then the CLI credentials associated with the given user account are used to log in to the network devices that are part of the job. Admins can modify command-line execution credentials for any user account. For more information, see the account creation procedure further in this section.

...

  1. Click Add User below the table.
  2. If you want the new account to be disabled by default, check the Account Disabled check box.
  3. If you want the user to be authenticated and authorized by the NetMRI appliance for their roles and device group assignments, check the Force Local Authorization check box. This enables the user to have a locally defined login that is separate from the remote one on the AAA server. Leaving this check box clear enables the user account to be subjected to authorization through a remote AAA server.
  4. On the User Details tab, enter values for the First Name, Last Name, Username, and Password fields. Fill in optional fields as needed.

    Note

    User account names are case-sensitive. You can use some non-alphanumeric characters for naming including bracket characters, such as @!#$%^&*()[]{}. Punctuation characters (,.;'"), the equal sign =, vertical bar |, and spacebar characters are disallowed.

    Note

    If you use TACACS+ authentication and authorization with NetMRI, keep in mind that TACACS user names are case-insensitive. Therefore, the case must not be the only difference between NetMRI and TACACS user names.

  5. Click Save. The Roles, CLI Credentials, and Database Credentials tabs become available.
  6. Click the Roles tab, and then click Add.
  7. In the Add Role to User dialog, choose a role from the drop-down list.
  8. Under In device groups, click to choose the device group(s) the user is allowed to access.
  9. Click OK. The new role settings are saved for the user account.
  10. On the CLI Credentials tab, define the command-line credentials as described in the procedure below.
  11. On the Database Credentials tab, define the database credentials as described in the procedure below.
  12. In the Add New User dialog, click Close.
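A pre-provisioning check for the naming rules in step 4, as an added example (not part of the NetMRI documentation or product). It rejects the characters the note lists as disallowed and flags names that differ only by case, both against TACACS+ user names and against other local names; the latter is an added assumption that follows from TACACS+ ignoring case. All sample names are constructed.

```python
from collections import defaultdict

# Characters the note in step 4 lists as disallowed in account names:
# punctuation , . ; ' " plus the equal sign, vertical bar and space.
DISALLOWED = set(",.;'\"=| ")


def invalid_chars(username):
    """Return the disallowed characters found in a username, sorted."""
    return sorted({c for c in username if c in DISALLOWED})


def check_usernames(local_names, tacacs_names):
    """Map each problematic NetMRI account name to a list of issues."""
    # Index every name by its case-folded form so that names which
    # TACACS+ would treat as identical end up in the same bucket.
    by_fold = defaultdict(set)
    for name in local_names:
        by_fold[name.casefold()].add(("local", name))
    for name in tacacs_names:
        by_fold[name.casefold()].add(("tacacs", name))

    problems = {}
    for name in local_names:
        issues = []
        bad = invalid_chars(name)
        if bad:
            issues.append("disallowed characters: " + " ".join(map(repr, bad)))
        for source, other in sorted(by_fold[name.casefold()]):
            if other != name:  # identical spelling is the same user, not a clash
                issues.append(
                    f"differs only by case from {source} name {other!r}")
        if issues:
            problems[name] = issues
    return problems


# Constructed sample data for illustration.
SAMPLE_LOCAL = ["jsmith", "JSmith", "ops@core", "net admin", "a.lee", "bkim"]
SAMPLE_TACACS = ["jsmith", "BKim", "ops@core"]

if __name__ == "__main__":
    for name, issues in check_usernames(SAMPLE_LOCAL, SAMPLE_TACACS).items():
        for issue in issues:
            print(f"{name!r}: {issue}")
```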

...

  1. In the Add New User or Edit User dialog, click the Database Credentials tab. This tab lets you give a user access to the NetMRI database.
  2. Select the Database Credentials Enabled check box. 
  3. Enter the user's Username and Password values, and confirm the password. NetMRI uses these credentials for a new SQL user to access the database.

  4. Click Save.

Note

The SQL username should be from 8 to 16 characters long. It should not contain special symbols.

To edit an existing user account, complete the following:

...

  1. Click the Delete icon for the account.
  2. Confirm the deletion.

...

Defining and Editing Roles

...


Note

Roles are also limited by a chosen user's permitted access to device groups. Device groups accessible to a user are specified in the user's account.

A role defines what a user can do within NetMRI. Each role consists of a set of privileges, each of which specifies a distinct permitted activity. The Roles page (Settings icon > User Admin > Roles) enables an administrator to create, edit, and delete roles.

To create a new role, complete the following:

  1. Click Add (below the table).
  2. In the Add Role dialog > Users tab, enter a descriptive name in the Name field.
  3. In the Description field, describe the role.
  4. Click Save. This adds the new role to the Roles table. The Users and Privileges tabs appear.

    Note

    You can assign one or more user accounts or privileges to the new role. It is not necessary to assign users to the role (this can be done in the user account), but privileges must be assigned for the new role to be meaningful.

...


  1. In the Users tab, click Add. The Add User for <Username> Role dialog appears, displaying a Users drop-down list and the list of Device Groups in the appliance.

...

  1. In the Add User for <Username> Role dialog

...

  1. User drop-down list, choose one or more users for the role.

7. In the Device Group table, select the device group check boxes to be associated with this role.

...

To specify privileges for the role, perform the following:

  1. In the Edit Role > Privileges tab, click Add.
  2. In the Add Privileges dialog, select the Privileges check boxes (see list below) to be associated with the role.
  3. Click OK.
  4. In the Edit Role dialog, click Save & Close.

...

Editing Roles

To edit a role, perform the following:

...

  1. Click Delete for the role.
  2. Confirm the deletion.

...

...

Privilege Descriptions

The following NetMRI system privileges can be assigned to Roles:

Privilege

Description

Configure Networks

A system privilege applied to SysAdmin roles. Allows adding of new networks, changing Network View mappings, and mapping local VRFs to networks.

Switch Port Admin

A system privilege applied to Switch Port Administrator Roles. This Privilege allows the Role to perform the following tasks:

  • Modify port descriptions (Interface Viewer > Settings > Port Control Settings).
  • Set a switch port to Administratively UP or Administratively Down (Interface Viewer > Settings > Port Control Settings).
  • Change a port's VLAN assignment (Interface Viewer > Settings > Port Control Settings).
  • Specify ports to exclude from Switch Port Management page views (Interface Viewer > Settings > General Settings).
  • View system feedback for their most recent action.

Collection: Poll On-Demand

Users with this privilege can perform on-demand polling of individual network devices for the admin account using this privilege.

View: Non Sensitive

Ability to view all non-sensitive information in NetMRI, such as Issues, Changes, audit logs, and device states through the Device Viewer. Users with these privileges cannot carry out the following:

  • Setup tasks beyond Setup Summaries (Settings > Setup > Settings Summary).
  • License management and many other NetMRI Settings configurations (Settings > Setup > General Settings).
  • Database settings beyond viewing statistics (Settings > Setup > Database Settings).
  • View: Non-Sensitive also cannot view or modify device configuration files, CLI and SNMP credentials, or NetMRI user accounts.
  • Users with View: Non Sensitive privileges can schedule and run reports.

View: Sensitive

Ability to view all sensitive information in NetMRI, including policy compliance configurations, device configurations in Configuration Management, configuration of user accounts, and Setup, Licensing, and Database tasks otherwise not accessible by View: Non Sensitive privileges.

View: NetMRI System Info

Ability to view NetMRI appliance settings.

Custom Data: Input Data

A privilege allowing non-Admin user accounts to edit and enter information in custom data fields previously created by the Admin account. For example: for network devices, custom fields are useful for recording important contextual data such as asset tag numbers and physical location — information that NetMRI does not gather on its own. By default, the Admin account is the only account with permissions to edit such data fields. For more information, see Defining and Using Custom Fields and Enabling Custom Data Field Editing for Non-Admin Users. 

System Administrator

Allows the user complete access to the NetMRI appliance.

Reset Passwords

A privilege that allows a user to change passwords other than their own.

User Administration

A privilege that allows a user to create users, and assign roles and privileges.

Issues: Modify Parameters

A privilege that allows a user to define and change analysis parameters, including analysis schedules.

Issues: Modify Suppression Parameters

A privilege that allows a user to modify issue suppression parameters.

Issues: Modify Priority

A privilege that allows a user to set the priority of issues.

Issues: Define Notifications

A privilege that allows a user to define notifications for the issues.

Scripts: Author

Author scripts and packaged commands, and save them for re-use by others.

Scripts: Approve 1

Approve packaged scripts and commands designated level 1 (low risk).

Scripts: Approve 2

Approve packaged scripts and commands designated level 2 (medium risk).

Scripts: Approve 3

Approve packaged scripts and commands designated level 3 (high risk).

Scripts: Execute 1

Execute packaged scripts and commands designated level 1 (low risk).

Scripts: Execute 2

Execute packaged scripts and commands designated level 2 (medium risk).

Scripts: Execute 3

Execute packaged scripts and commands designated level 3 (high or unknown risk).

Scripts: Schedule 1

Schedule packaged scripts and commands designated level 1 (low risk).

Scripts: Schedule 2

Schedule packaged scripts and commands designated level 2 (medium risk).

Scripts: Schedule 3

Schedule packaged scripts and commands designated level 3 (high or unknown risk).

Policy: Create, Edit, and Delete

Create, edit, and delete policies and policy rules.

Policy: Deploy

Ability to assign the device groups against which a policy is checked.

Events: Admin

Ability to create event symptoms.

Groups: Create

Ability to create and edit device and/or interface groups in NetMRI.

Groups: Result Sets

Ability to create and edit result sets.

Groups: Delete

Ability to remove the device and/or interface groups.

Terminal: Modify Credentials

Allow the user to modify their own CLI credentials. This privilege restricts/allows users with the given role to change their own CLI credentials (Settings > User Admin > edit User > CLI Credentials). By default, this tab is disabled for user accounts without this privilege. NetMRI roles that have this privilege by default include SysAdmin, UserAdmin, and ChangeEngineer High. For roles other than those noted, this privilege is manually assigned.


Terminal: Open Session

Allow users to activate Telnet/SSH sessions from the right-click menu. Should a user account not have this privilege, a popup message appears explaining that they do not have sufficient privileges to use this feature. NetMRI roles with this privilege include SysAdmin, UserAdmin, ChangeEngineer High, and ChangeEngineer Medium. For roles other than those noted, this privilege is assigned manually.

Terminal: Use NetMRI Creds

Allow the user to log in to devices using the default login/enable credential associated to the device within NetMRI. These are not vendor default credentials. If a terminal session is opened and the user has the appropriate privileges, the terminal shell queries the device credentials based on status and connection type and attempts a login using those if they are available. If not, a username and password are requested from the user.

Tools: All

Allows access to all available Network Tools in NetMRI.

Tools: Ping/Traceroute

Allows access to the NetMRI Ping/Traceroute Tool.

Tools: Path Diagnostics

Allows access to the NetMRI Path Diagnostic Tool.

Tools: SNMP Walk

Allows access to the NetMRI SNMP Walk Tool.

Tools: Cisco Cmd Tool

Allows access to the NetMRI Cisco Command Tool.

Tools: Discovery Diag

Allows access to the NetMRI Discovery Diagnostics Tool.

Tools: FindIT

Allows access to the NetMRI FindIT Tool.

...

Note

Privileges cannot be edited or deleted, and new Privileges cannot be created.

...

Viewing the User Audit Log

...

...

The Audit Log (Settings icon > User Admin > Audit Log) lists all actions taken by user accounts that result in changes to NetMRI or any of the data sets the account manages. Log entries include the timestamp in which the action was taken, the User name, a description of the action, and field change details when applicable.

Log entries are initially ordered by time, with the most recent at the top of the list. The table can be reordered, for example, to consolidate a particular user's actions. Alternatively, use quick searching to isolate specific log entries.

...

Managing User Audit Logs for SSH

...

Connection Attempts to Devices

As an aid to track what NetMRI or its users are doing on the network, you can also view the audit logs for all events in which NetMRI or its users attempt to use SSH or Telnet sessions to network devices. The amount of data collected for such events can substantially impact the size of the collected event database, so you can switch this feature on and off when needed and change the duration of these events being held in the database. Connection events that are covered by this log category include SSH/Telnet connections for Config Collection, Credential Collection, terminal emulation, and Job Engine Run connections. Unknown connections may also be recorded, which will be events such as API calls.

To view and change these settings, go to Settings icon > General Settings > Advanced Settings > Notification category > Log All CLI Sessions. The default value is On. You can also choose the No Commands Logged option, which retains the session events but prevents any sensitive CLI data from being recorded.

An associated Advanced Setting, Prune CLI Session Duration, enables you to regularly prune the amount of CLI session data by setting the retention time for keeping that data in the Device Audit Log. The default setting is 7 days.

...

Advanced User Administration Settings

...

Several important global NetMRI user account settings are located in the Advanced Settings section. To access them, go to Settings icon > General Settings > Advanced Settings, and then use the Next Page button to get to the User Administration category. Advanced User Administration settings determine the following:

...