Effective use of NetMRI requires an efficient and logical plan for user accounts. User account administration is a straightforward, but fundamentally important part of a NetMRI rollout.

Note: For external authentication and authorization services, NetMRI receives login requests from the user and forwards them to the Authentication/Authorization server, which performs the actual transaction. In this chapter, you configure authentication based only on the local appliance.

To define user administration functions, click the Settings icon > User Admin section and then complete the following:

  • Create, edit, and delete user accounts. Each user account is assigned one or more Device Groups over which it has some administrative functions.
  • Define two primary types of users: local user and remote user.
    • Local users have their entire login credentials, user Roles, and device group permissions defined locally on the NetMRI appliance.
    • Remote users have Role assignments and device group permissions defined in Authentication Service Properties, and those assignments and permissions are granted remotely through an external service.

    Note: Device groups are a NetMRI organizational unit that gathers devices in related groups: routers in a Routers group, Ethernet switches in a Switches group, and so on. For related information on device groups, see Devices and Interfaces.

  • Create, edit, and delete user Roles. You assign Roles to each individual user account; a Role defines the privileges and tasks, and the specific networks and network devices, on which the NetMRI user can operate. A user account is ineffective without an assigned Role. A user account can use one or more Roles.
  • Each Role comprises a set of access Privileges, which are the types of tasks that the user can carry out in their assigned Role.
  • Review the Audit Log. The Audit Log provides records of all actions taken by all NetMRI users, showing the timestamp, event type, and associated descriptive messages.

When a new user is authenticated and authorized through one of the remote services described in NetMRI User Authentication and Authorization, NetMRI automatically creates the account locally and learns the Roles and device group assignments from the remote service. If a local user account already exists and its login is authenticated and authorized by an external service, NetMRI updates the local profile to reflect the Roles and device group assignments granted by the last external authorization.

  • User Roles and privileges are learned from the remote group assignment defined on the Authentication Service.
  • Passwords, whether encrypted or plaintext, are not stored on the NetMRI appliance; they are always checked against the external server.
  • When no external service is available, the user is asked to use local login credentials. This requires enabling the Local authentication service.

For more information on remote authentication and authorization of NetMRI users, see NetMRI User Authentication and Authorization and its subsections.

For the Users and Roles pages, the Select checkbox is to the left of the Action icon. When you select multiple rows of a table, a whole page, or multiple pages of either data type, you can choose Delete from the Action menu for any selected row. You cannot edit multiple rows of data; Delete is the only option available after selecting multiple rows.

Doing so deletes all selected records from the table. Exercise caution when performing this action, because you may unintentionally delete rows that you did not intend to select.

While it is possible to select the entire table on the Users page (Settings icon > User Admin > Users), the admin user account can never be deleted. The default set of NetMRI Roles (Settings icon > User Admin > Roles) also cannot be deleted (though they are otherwise editable), and the Delete option is grayed out for each of them in the Action menu. In all cases, NetMRI user accounts with read-only privileges cannot perform this action.

You can use the Force Local Authentication feature for any user account in your appliance:

  • Administrators can enable the Force Local Authentication checkbox for local user accounts to provide a specific profile to users that also exist on a remote authentication/authorization service. In the user configuration, you enable the Force Local Authorization option, and its read-only Last Login value shows the external service name. Locally created user accounts enable this option automatically; it can be disabled at any time. If the user is learned by NetMRI through a remote authentication/authorization service, this option is disabled automatically.
  • When a user is learned by NetMRI through a remote authentication/authorization service, the administrator cannot then re-create the user account. You may activate the Force Local Authentication checkbox for an externally learned account and redefine its password and other user details. The Local authentication service must also be placed first in the Authentication Services list. Taking these steps, you ensure that the account is verified and authorized locally, without using the same login defined on the external service. An alternative is to define a different local login credential for the user.
  • The Force Local Authentication setting is enabled automatically for all new locally created users.

You can change local user account settings at any time:

  • You can change the local user password.
  • You can disable a user account at any time.
  • You can change assigned roles and device groups for an account, but changes will persist only when the account is locally authenticated and authorized, with the Local authentication service taking the highest Priority setting and the Force Local Authentication checkbox enabled for the account.
  • You can define CLI and database credentials, notes, and email settings.

Note: Privileges play a key part in Role configuration. Each pre-defined Role uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. See also Privilege Descriptions for details on the Privileges comprising user Roles.

User accounts are the standard identities of all users of the NetMRI appliance.

You assign roles to each user account, after defining the privileges that each user account is allowed to exercise. User accounts are granular to individuals, while roles apply across different accounts.

NetMRI provides a set of pre-defined Roles with specific privileges in NetMRI, as follows:

AnalysisAdmin

Specializes in creating and managing NetMRI Issues. Assigned privileges include Issues: Modify Parameters, Issues: Modify Suppression Parameters, Issues: Modify Priority, Issues: Define Notifications, and View: Non Sensitive.

ChangeEngineer: High

Allowed to author, approve, execute, and schedule scripts designated High Level (Level 3) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Approve Level 3
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Scripts: Schedule Level 3
  • Switch Port Admin
  • Terminal: Modify Credentials
  • Terminal: Open Session
  • View: Audit Log
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions through NetMRI's Telnet/SSH Proxy feature using User Credentials (Terminal: Open Session privilege), and it can modify CLI credentials (Terminal: Modify Credentials privilege).

Change Engineer: Medium

Allowed to author, approve, execute, and schedule scripts designated Medium Level (Level 2) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Switch Port Admin
  • Terminal: Open Session
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions through NetMRI's Telnet/SSH Proxy feature (Terminal: Open Session privilege) using NetMRI default credentials. By default, this role cannot modify CLI credentials.

Change Engineer: Low

Allowed to author, approve, execute, and schedule scripts designated Low Level (Level 1).

Privileges include the following:

  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Users with this role cannot launch SSH or Telnet sessions and those options will not appear in the device shortcut menu (right-clicking on a device's IP address, a VLAN IP, and other elements in the NetMRI UI). By default, this role cannot modify CLI credentials.

Config Admin

A read-only account that is allowed to view all sensitive data in NetMRI. Privileges include View: Audit Log, View: Sensitive, and View: Non-Sensitive.

Default View Role

Event Admin

Event system administrator. Privileges include Events: Admin, which enables the creation of new Event Symptoms, and View: Non-Sensitive.

FindIT

Allows access only to the NetMRI FindIT tool.

GroupManager

Creates and manages interface groups, device groups, and related result sets. Privileges include Groups: Create, Groups: Delete, Groups: Result Sets, View: Non-Sensitive, and View: Sensitive.

Allows users to provision ACL / firewall rules.

Privileges include the following:

  • Access Provision
  • Access Search
  • Scripts: Approve Level 1
  • Scripts: Approve Level 3
  • Scripts: Execute Level 1
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 3
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Policy Manager

Creates and manages Policies for one or more Groups in NetMRI to standardize and lock down configurations for networked devices such as routers, switches, and firewalls. Privileges include Policy: Deploy, Policy: Create, Edit and Delete, View: Audit Log, View: Non-Sensitive, and View: Sensitive.

Report Admin

Role that allows the creation and editing of Report features in NetMRI. Associated privileges include Reports: Report Manager, View: Non-Sensitive, and View: Sensitive.

Switch Port Administrator

Allows users to make changes to switch port configurations.

Privileges include the following:

  • Collection: Poll On-Demand
  • Scripts: Approve Level 1
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Non Sensitive
  • View: Sensitive

SysAdmin

The global administrator Role for NetMRI. Includes the System Administrator privilege and View: Audit Log. SysAdmins can manage, add, and remove scan interfaces and map them to networks, and can manage, add, and remove network views.

UserAdmin

Create and edit NetMRI user accounts and Roles, and assign privileges. Includes View: Audit Log, View: Non-Sensitive, User Administrator, Reset Passwords, and Issues: Define Notifications.

The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.

To create, edit, and delete user accounts on the Users page, click the Settings icon > User Admin section > Users. By default, the admin account is the single user account built into the appliance. You cannot remove this account.

In the Users window, each user account lists the following:

  • User Name: The network identity of the user.
  • First Name and Last Name: The configured first name and surname for the user.
  • Last Login: The time and date of the last login.
  • Last Authentication: This shows the authentication service that granted the last login.
  • Last Authorization: This field is updated at each user login. Possible values are as follows:
    • Remote: When the user logs in using their remote password, and their Force Local Authorization setting is set to False for their user account. The user is granted the roles defined from the remote group assignment in the authentication service properties.
    • Local: In cases where the user simply logs in using their local appliance password, or when the user logs in to the remote authentication service using their remote password, and the Disable Authorization checkbox is enabled for that service is disabled for their account.
    • Forced Local: When the user logs in using their remote password and their Force Local Authorization setting is set to False in their User properties. The user is granted the local roles and access to their device groups.
      For remotely authenticated users, including new accounts learned from logins to a configured remote service, the field will show No and the service will show the service name.
  • Roles: The role(s) assigned to the account.
  • Account Status (active or disabled): An admin can disable a user account by enabling its Account Disabled checkbox. When you do so, the user will receive a User Disabled or Locked message upon the subsequent login.

The Actions menu for each account in the Users list represents the actions that the admin user can take on that user account. For example, Edit or Delete.

When scheduling or running a job, if user credentials are required and the Use the requester's stored CLI credentials or Use the approver's stored CLI credentials job option is selected, the CLI credentials associated with the given user account are used to log in to the network devices that are part of the job. For more information, see Creating and Scheduling Jobs. Admins can modify command-line execution credentials for any user account.

Additionally, admins can enable credentials for a user to access the NetMRI database using SQL queries. This allows quick retrieval of specific data from the database tables. For more information about SQL database access, see Accessing the NetMRI Database Using SQL. For information on defining database credentials for a user, see the corresponding procedure further in this section.

To create a new user account, complete the following:

Note: User account names are case-sensitive. A username can contain spaces and the following non-alphanumeric characters: a period (.), at sign (@), exclamation point (!), number sign (#), dollar sign ($), percent (%), caret (^), ampersand (&), asterisk (*), parentheses, brackets, braces. A username cannot contain any of the following characters: a semicolon (;), comma (,), equal sign (=), vertical bar (|), quotation marks ("), or single quotation marks (').

Note: If you use TACACS+ authentication and authorization with NetMRI, keep in mind that TACACS user names are case-insensitive. Therefore, the case must not be the only difference between NetMRI and TACACS user names.
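As an added illustration (not part of the NetMRI documentation), the following Python checks a proposed username against the character rules in the two notes above and reports names that a case-insensitive TACACS+ server would treat as one identity. Characters the notes neither permit nor forbid (for example a hyphen or underscore) are reported as undocumented rather than rejected, because the notes do not say.

```python
# Character rules quoted from the NetMRI username notes above.
# Hard rejects: a username may never contain any of these.
FORBIDDEN = set(';,=|"\'')
# Non-alphanumeric characters the notes explicitly permit (plus space).
# Letters and digits are permitted as well.
LISTED_ALLOWED = set(".@!#$%^&*()[]{} ")


def check_username(name: str) -> list:
    """Return a list of problems with a proposed NetMRI username.

    An empty list means the name satisfies every documented rule.
    Characters that are neither forbidden nor explicitly listed as
    allowed are reported as 'undocumented' instead of being rejected.
    """
    problems = []
    if not name:
        problems.append("empty username")
    bad = sorted(c for c in set(name) if c in FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    undocumented = sorted(
        c for c in set(name)
        if not c.isalnum() and c not in LISTED_ALLOWED and c not in FORBIDDEN
    )
    if undocumented:
        problems.append("undocumented characters: " + "".join(undocumented))
    return problems


def tacacs_case_collisions(names: list) -> dict:
    """Group usernames that differ only by letter case.

    NetMRI names are case-sensitive but TACACS+ names are not, so every
    group returned here would collapse to a single TACACS+ identity.
    """
    groups = {}
    for n in names:
        groups.setdefault(n.lower(), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample account list, not real data.
    sample = ["netops", "NetOps", "j.doe@example", "svc;backup", "ops_user"]
    for n in sample:
        print(n, check_username(n) or "ok")
    print(tacacs_case_collisions(sample))
```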

To define CLI credentials for a user account, complete the following:

  1. In the Add New User or Edit User dialog, click the CLI Credentials tab. This tab allows CLI credentials (username, password, and Enable password for devices) to be associated with specific user accounts.
  2. Select the User CLI Credentials Enabled checkbox. The admin account can log in to network devices using the CLI credentials associated with the given account, instead of the admin credentials associated with devices during their Discovery.
  3. Enter the user's Username and Password values, and confirm the password.
  4. Enter the admin account's Enable Password and confirm it.
  5. Click Save.

To define database credentials for a user account, complete the following:

Note: The SQL username should be from 8 to 16 characters long and should not contain special symbols.

To edit an existing user account, complete the following:

  1. Click the Edit icon for the account.
  2. In the Edit User dialog, make the necessary changes, and then click Close.

To delete a user account, complete the following:

  1. Click the Delete icon for the account.
  2. Confirm the deletion.

Note: Roles are also limited by a user's permitted access to device groups. The device groups accessible to a user are specified in the user's account.

To create a new role, perform the following:
  1. Click Add (below the table).
  2. In the Add Role dialog > Users tab, enter a descriptive name in the Name field.
  3. In the Description field, describe the role.
  4. Click Save. This adds the new role to the Roles table. The Users and Privileges tabs appear.

     Note: You can assign one or more user accounts or privileges to the new role. It is not necessary to assign users to the role (this can be done in the user account), but privileges must be assigned for the new role to be meaningful.

  5. In the Users tab, click Add. The Add User for <Username> Role dialog appears, displaying a Users drop-down list and the list of Device Groups in the appliance.
  6. In the Add User for <Username> Role dialog > User drop-down list, choose one or more users for the role.
  7. In the Device Group table, select the device group checkboxes to be associated with this role.
  8. Click OK.
  9. As needed, repeat steps 5 through 8 for other accounts.

Note: A role containing optional user/device group definitions can be assigned only to users listed in the role's Users tab. To allow a role to be assigned to any user, delete the user/device group definitions in this tab.

To specify privileges for the role, perform the following:

  1. In the Edit Role > Privileges tab, click Add.
  2. In the Add Privileges dialog, select the Privileges checkboxes (see list below) to be associated with the role.
  3. Click OK.
  4. In the Edit Role dialog, click Save & Close.

To edit a role, perform the following:

  1. Click Edit for the role.
  2. In the Edit Role dialog, as needed, edit the Name or Description.
  3. Add or delete users/device groups in the Users tab and add or delete privileges in the Privileges tab.
  4. Click Save.

To copy a role, perform the following:

  1. Click Copy for the role.
  2. Confirm the copy.

To delete a role, perform the following:

  1. Click Delete for the role.
  2. Confirm the deletion.

The following NetMRI system privileges can be assigned to Roles. Each privilege name is followed by its description:

Configure Networks


Switch Port Admin

A system privilege applied to Switch Port Administrator Roles. This Privilege allows the Role to perform the following tasks:

Collection: Poll On-Demand

Users with this privilege can perform on-demand polling of individual network devices.

View: Non Sensitive

Ability to view all non-sensitive information in NetMRI, such as Issues, Changes, audit logs, and device states through the Device Viewer. Users with these privileges cannot carry out the following:

View: Sensitive

Ability to view all sensitive information in NetMRI, including policy compliance configurations, device configurations in Configuration Management, configuration of user accounts, and Setup, Licensing, and Database tasks otherwise not accessible by View: Non Sensitive privileges.

View: NetMRI System Info

Ability to view NetMRI appliance settings.

Custom Data: Input Data

System Administrator


Reset Passwords

A privilege that allows a user to change passwords other than their own.

User Administration

A privilege that allows a user to create users, and assign roles and privileges.

Issues: Modify Parameters

A privilege that allows a user to define and change analysis parameters, including analysis schedules.

Issues: Modify Suppression Parameters

A privilege that allows a user to modify issue suppression parameters.

Issues: Modify Priority

A privilege that allows a user to set the priority of issues.

Issues: Define Notifications

A privilege that allows a user to define notifications for the issues.

Scripts: Author

Author scripts and packaged commands, and save them for re-use by others.

Policy: Create, Edit, and Delete

Create, edit, and delete policies and policy rules.

Policy: Deploy

Ability to assign the device groups against which a policy is checked.

Events: Admin

Ability to create event symptoms.

Groups: Create

Ability to create and edit device and/or interface groups in NetMRI.

Groups: Result Sets

Ability to create and edit result sets.

Groups: Delete

Ability to remove the device and/or interface groups.

Terminal: Modify Credentials

Allows the user to modify their own CLI credentials. This privilege controls whether users with the given role can change their own CLI credentials (Settings > User Admin > edit User > CLI Credentials). By default, this tab is disabled for user accounts without this privilege. NetMRI roles that have this privilege by default include SysAdmin, UserAdmin, and ChangeEngineer High. For other roles, this privilege must be assigned manually.

Terminal: Open Session

Allows users to activate Telnet/SSH sessions from the right-click menu. If a user account does not have this privilege, a popup message appears explaining that they do not have sufficient privileges to use this feature. NetMRI roles with this privilege include SysAdmin, UserAdmin, ChangeEngineer High, and ChangeEngineer Medium. For other roles, this privilege must be assigned manually.

Terminal: Use NetMRI Creds

Allow the user to log in to devices using the default login/enable credential associated with the device within NetMRI. These are not vendor default credentials. If a terminal session is opened and the user has the appropriate privileges, the terminal shell queries the device credentials based on status and connection type and attempts a login using those if they are available. If not, a username and password are requested from the user.

Tools: All

Allows access to all available Network Tools in NetMRI.

Tools: Ping/Traceroute

Allows access to the NetMRI Ping/Traceroute Tool.

Tools: Path Diagnostics

Allows access to the NetMRI Path Diagnostic Tool.

Tools: SNMP Walk

Allows access to the NetMRI SNMP Walk Tool.

Tools: Cisco Cmd Tool

Allows access to the NetMRI Cisco Command Tool.

Tools: Discovery Diag

Allows access to the NetMRI Discovery Diagnostics Tool.

Tools: FindIT

Allows access to the NetMRI FindIT Tool.

Note: Privileges cannot be edited or deleted, and new Privileges cannot be created.

Several important global NetMRI user account settings are located in the Advanced Settings section. To access them, click the Settings icon > General Settings > Advanced Settings, and then use the Next Page button to get to the User Administration category. Advanced User Administration settings determine the following:

Password Expiration

The number of days that a password is valid before a new password is required for each account. The default is 90 days. Setting this value to zero means passwords never expire.

For passwords to existing accounts, this setting only applies after a password is changed. For new account passwords, this setting applies immediately.

Consecutive Failed Login Limit

Determines the number of successive failed login attempts allowed for any user account before the NetMRI UI account is locked. The number of successive failed login attempts is set to zero by default. Infoblox recommends setting Consecutive Failed Login Limit to a nonzero number. Note that the user is only locked out of their NetMRI UI account but can still log in to the administrative shell with the correct password. For more information, see the description of the Lockout Duration feature below.

Lockout Duration

Determines the number of minutes that a locked-out NetMRI UI account remains locked out before automatically becoming unlocked. The lockout duration is set to zero by default, which indicates that there is no lockout time period. Infoblox recommends setting the lockout duration to 15 minutes or more.

Password Length

Determines the minimum permissible length of a password for admin accounts in NetMRI. The default minimum value is 8 characters.

Password Numeric

Determines whether passwords are required to have at least one numeric character in their composition. Default is On.

Password Non-Alpha-Numeric

Determines whether passwords are required to have at least one non-alpha-numeric character (&^%$#@!~) in their composition. Default is Off.

Password Mixed-Case

Determines whether passwords are required to have mixed upper/lower-case composition. Default is Off.
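The following Python models the Advanced User Administration settings described above with their documented defaults, so an administrator can see which settings a candidate password fails and how the failed-login limit and lockout duration interact. It is an added example, not NetMRI code; the class and function names are invented here, and treating a zero Lockout Duration as a lock that does not clear on its own is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Non-alphanumeric characters named by the Password Non-Alpha-Numeric setting.
NON_ALNUM = set("&^%$#@!~")


@dataclass
class UserAdminSettings:
    """Advanced User Administration settings with the documented defaults."""
    password_expiration_days: int = 90      # 0 = passwords never expire
    failed_login_limit: int = 0             # 0 = no lockout (default)
    lockout_minutes: int = 0                # 0 = no lockout time period (default)
    password_length: int = 8
    password_numeric: bool = True
    password_non_alpha_numeric: bool = False
    password_mixed_case: bool = False


def password_violations(pw: str, s: UserAdminSettings) -> list:
    """Return the names of the settings a candidate password fails (empty = accepted)."""
    v = []
    if len(pw) < s.password_length:
        v.append("Password Length")
    if s.password_numeric and not any(c.isdigit() for c in pw):
        v.append("Password Numeric")
    if s.password_non_alpha_numeric and not any(c in NON_ALNUM for c in pw):
        v.append("Password Non-Alpha-Numeric")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if s.password_mixed_case and not (has_lower and has_upper):
        v.append("Password Mixed-Case")
    return v


def password_expired(days_since_change: int, s: UserAdminSettings) -> bool:
    """Expiration counts from the last password change; a zero setting disables it."""
    return s.password_expiration_days != 0 and days_since_change >= s.password_expiration_days


@dataclass
class LoginState:
    """Consecutive-failure counter and lockout for one NetMRI UI account."""
    failures: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record(self, success: bool, now: datetime, s: UserAdminSettings) -> str:
        """Apply one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(now):
            return "locked"
        if success:
            self.failures = 0
            self.locked_until = None
            return "ok"
        self.failures += 1
        if s.failed_login_limit and self.failures >= s.failed_login_limit:
            # Assumption: a zero Lockout Duration ("no lockout time period")
            # is modelled as a lock that never expires on its own.
            self.locked_until = (now + timedelta(minutes=s.lockout_minutes)
                                 if s.lockout_minutes else datetime.max)
            return "locked"
        return "failed"


def simulate(outcomes: list, s: UserAdminSettings, step_minutes: int = 1) -> list:
    """Replay login attempts spaced step_minutes apart on a constructed timeline."""
    state = LoginState()
    t0 = datetime(2024, 1, 1)  # constructed start time
    return [state.record(ok, t0 + timedelta(minutes=i * step_minutes), s)
            for i, ok in enumerate(outcomes)]


if __name__ == "__main__":
    hardened = UserAdminSettings(failed_login_limit=3, lockout_minutes=15)
    print(password_violations("abcdefgh", UserAdminSettings()))
    print(simulate([False, False, False, True], hardened))
```

With the defaults (limit 0) the replay never locks, which is why the text recommends a nonzero limit and a lockout of 15 minutes or more.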
