...
You can define and authenticate your admin users remotely, where all users and their accounts are authenticated and authorized for their roles and privileges through an external server such as RADIUS or LDAP. This chapter describes how to set up local authentication services in NetMRI. For remote configurations, see see NetMRI User Authentication and Authorization. You can also define and authenticate all of your admin users locally, where all user accounts and their assigned roles and privileges are defined in the NetMRI system.
...
You define user administration functions in the Settings window (Settings icon –> > User Admin section), performing the following tasks:
...
| Note | ||
|---|---|---|
| ||
Device groups are a NetMRI organizational unit that gathers devices in related groups—routers in a Routers group, Ethernet switches in a Switches group, and so on. For related information on device groups, see see Devices and Interfaces. |
- Create, edit, and delete user Roles. You assign Roles to each individual user account and define the privileges and tasks, and specific networks and network devices on which the NetMRI user can operate. A user account is ineffective without an assigned Role. A user account can use one or more Roles.
- Each Role is comprised of a set of access Privileges, which are the types of tasks that the user can carry out in their assigned Role.
- Review the Audit Log. The Audit Log provides records of all actions taken by all NetMRI users, showing the timestamp, event type, and associated descriptive messages.
Several advanced User Administration settings are located in the Advanced Settings section. For more information, see Advanced User Administration Settings.
User administration provides support from external authentication servers. Because NetMRI supports both external authentication and authorization features through remote groups, mirroring the Roles and Privileges provided in local NetMRI user provisioning, you can leverage remote AAA server configurations (from TACACS+, LDAP, Active Directory, and RADIUS) without having to directly provision significant numbers of users on NetMRI.
...
When a new user is authenticated and authorized through one of the remote services described in in NetMRI User Authentication and Authorization, . NetMRI automatically creates the new account locally and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.
...
For more information on remote authentication and authorization of NetMRI users, see see NetMRI User Authentication and Authorization and and its subsections.
Managing User Data
...
While it is possible to select the entire table's worth of data in the Users page (Settings icon –> > User Admin –> > Users), the admin user account can never be deleted; the default set of NetMRI Roles (Settings icon –> > User Admin –> > Roles) also may not be deleted (though they are otherwise editable) and the Delete option is ghosted for each of them in the Action menu. In all cases, NetMRI user accounts with read-only privileges will not be able to perform this action.
...
| Note | ||
|---|---|---|
| ||
Privileges play a key part in roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also, see Privilege Descriptions for details on the Privileges comprising user Roles. |
User accounts are the standard identities of all users of the NetMRI appliance.
...
You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance. See Defining and Editing Roles for more information.
The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.
...
You create, edit, and delete user accounts on the Users page (Settings icon –>> User Admin section–>section > Users). By default, the admin account is the single user account built into the appliance. You cannot remove this account.
...
When scheduling or running a job (see Creating and Scheduling Jobs for more information), if user credentials are required and the Use the requester's stored CLI credentials or Use the approver's stored CLI credentials job options are selected, then the CLI credentials associated with the given user account are used to login to the network devices that are part of the job. Admins can modify command-line execution credentials for any user account. For more information, see the account creation procedure further in this section.
...
A role defines what a user can do within NetMRI. Each role consists of a set of privileges, each of which specifies a distinct permitted activity. The Roles page (Settings icon –> > User Admin –> > Roles) enables an administrator to create, edit, and delete roles.
To create a new role, complete the following:
- Click Add (below the table).
- In the Add Role dialog –> > Users tab, enter a descriptive name in the Name field.
- In the Description field, describe the role.
Click Save. This adds the new role to the Roles table. The Users and Privileges tabs appear.
Note title Note You can assign one or more user accounts or privileges to the new role. It is not necessary to assign users to the role (this can be done in the user account), but privileges must be assigned for the new pole to be meaningful.
...
- In the Users tab, click Add. The Add User for <Username> Role dialog appears, displaying a Users drop-down list and the list of Device Groups in the appliance.
...
- In the Add User for <Username> Role dialog
...
- > User drop-down list, choose one or more users for the role.
7. In the Device Group table, select the device group check boxes to be associated with this role.
...
To specify privileges for the role, perform the following:
- In the Edit Role –> > Privileges tab, click Add.
- In the Add Privileges dialog, select the Privileges check boxes (see list below) to be associated with the role.
- Click OK.
- In the Edit Role dialog, click Save & Close.
...
Privilege | Description |
|---|---|
Configure Networks | A system privilege applied to SysAdmin roles. Allows adding of new networks, changing Network View mappings, and mapping local VRFs to networks. |
Switch Port Admin | A system privilege applied to Switch Port Administrator Roles. This Privilege allows the Role to perform the following tasks:
|
Collection: Poll On-Demand | Users with this privilege can perform on-demand polling of individual network devices for the admin account using this privilege. |
View: Non Sensitive | Ability to view all non-sensitive information in NetMRI, such as Issues, Changes, audit logs, and device states through the Device Viewer. Users with these privileges cannot carry out the following:
|
View: Sensitive | Ability to view all sensitive information in NetMRI, including policy compliance configurations, device configurations in Configuration Management, configuration of user accounts, and Setup, Licensing, and Database tasks otherwise not accessible by View: Non Sensitive privileges. |
View: NetMRI System Info | Ability to view NetMRI appliance settings. |
Custom Data: Input Data | A privilege allowing non-Admin user accounts to edit and enter information in custom data fields previously created by the Admin account. For example: for network devices, custom fields are useful for recording important contextual data such as asset tag numbers and physical location — information that NetMRI does not gather on its own. By default, the Admin account is the only account with permissions to edit such data fields. For more information, see Defining and Using Custom Fields and Enabling Custom Data Field Editing for Non-Admin Users. |
System Administrator | Allows the user complete access to the NetMRI appliance. |
Reset Passwords | A privilege that allows a user to change passwords other than their own. |
User Administration | A privilege that allows a user to create users, and assign roles and privileges. |
Issues: Modify Parameters | A privilege that allows a user to define and change analysis parameters, including analysis schedules. |
Issues: Modify Suppression Parameters | A privilege that allows a user to modify issue suppression parameters. |
Issues: Modify Priority | A privilege that allows a user to set the priority of issues. |
Issues: Define Notifications | A privilege that allows a user to define notifications for the issues. |
Scripts: Author | Author scripts and packaged commands, and save them for re-use by others. |
| Scripts: Approve 1 | Approve packaged scripts and commands designated level 1 (low risk). |
| Scripts: Approve 2 | Approve packaged scripts and commands designated level 2 (medium risk). |
| Scripts: Approve 3 | Approve packaged scripts and commands designated level 3 (high risk). |
| Scripts: Execute 1 | Execute packaged scripts and commands designated level 1 (low risk). |
| Scripts: Execute 2 | Execute packaged scripts and commands designated level 2 (medium risk). |
| Scripts: Execute 3 | Execute packaged scripts and commands designated level 3 (high or unknown risk). |
| Scripts: Schedule 1 | Schedule packaged scripts and commands designated level 1 (low risk). |
| Scripts: Schedule 2 | Schedule packaged scripts and commands designated level 2 (medium risk). |
| Scripts: Schedule 3 | Schedule packaged scripts and commands designated level 3 (high or unknown risk). |
Policy: Create, Edit, and Delete | Create, edit, and delete policies and policy rules. |
Policy: Deploy | Ability to assign the device groups against which a policy is checked. |
Events: Admin | Ability to create event symptoms. |
Groups: Create | Ability to create and edit device and/or interface groups in NetMRI. |
Groups: Result Sets | Ability to create and edit result sets. |
Groups: Delete | Ability to remove the device and/or interface groups. |
Terminal: Modify Credentials | Allow the user to modify their own CLI credentials. This privilege restricts/allows users with the given role to change their own CLI credentials (Settings –> > User Admin –> > edit User –> > CLI Credentials). By default, this tab is disabled for user accounts without this privilege. NetMRI roles that have this privilege by default include SysAdmin, UserAdmin, and ChangeEngineer High. For roles other than those noted, this privilege is manually assigned. |
| Allow users to activate Telnet/SSH sessions from the right-click menu. Should a user account not have this privilege, a popup message appears explaining that they do not have sufficient privileges to use this feature. NetMRI roles with this privilege include SysAdmin, UserAdmin, ChangeEngineer High, and ChangeEngineer Medium. For roles other than those noted, this privilege is assigned manually. |
Terminal: Use NetMRI Creds | Allow the user to log in to devices using the default login/enable credential associated to the device within NetMRI. These are not vendor default credentials. If a terminal session is opened and the user has the appropriate privileges, the terminal shell queries the device credentials based on status and connection type and attempts a login using those if they are available. If not, a username and password are requested from the user. |
Tools: All | Allows access to all available Network Tools in NetMRI. |
Tools: Ping/Traceroute | Allows access to the NetMRI Ping/Traceroute Tool. |
Tools: Path Diagnostics | Allows access to the NetMRI Path Diagnostic Tool. |
Tools: SNMP Walk | Allows access to the NetMRI SNMP Walk Tool. |
Tools: Cisco Cmd Tool | Allows access to the NetMRI Cisco Command Tool. |
Tools: Discovery Diag | Allows access to the NetMRI Discovery Diagnostics Tool. |
Tools: FindIT | Allows access to the NetMRI FindIT Tool. |
...
The Audit Log (Settings icon –> > User Admin –> > Audit Log) lists all actions taken by user accounts that result in changes to NetMRI or any of the data sets the account manages. Log entries include the timestamp in which the action was taken, the User name, a description of the action, and field change details when applicable.
Log entries are initially ordered by time, with the most recent at the top of the list. The table can be reordered, for example, to consolidate a particular user's actions. Alternatively, use quick searching to isolate specific log entries.
...
As an aid to track what NetMRI or its users are doing on the network, you can also view the audit logs for all events in which NetMRI or its users attempt to use SSH or Telnet sessions to network devices. The amount of data collected for such events can substantially impact the size of the collected event database, so you can switch this feature on and off when needed and change the duration of these events being held in the database. Connection events that are covered by this log category include SSH/Telnet connections for Config Collection, Credential Collection, terminal emulation, and Job Engine Run connections. Unknown connections may also be recorded, which will be events such as API calls.
To view and change these settings, go to Settings icon –> > General Settings –> > Advanced Settings –> > Notification category –> > Log All CLI Sessions. The default value is On. You can also choose the No Commands Logged option, which retains the session events but prevents any sensitive CLI data from being recorded.
An associated Advanced Setting, Prune CLI Session Duration, enables you to regularly prune the amount of CLI session data by setting the retention time for keeping that data in the Device Audit Log. The default setting is 7 days.
...
Several important global NetMRI user account settings are located in the Advanced Settings section. To access them, go to Settings icon –> > General Settings –> > Advanced Settings, and then use the Next Page button to get to the User Administration category. Advanced User Administration settings determine the following:
...