...

  • Create, edit, and delete user accounts. Each user account is assigned one or more Device Groups over which they have some administrative functions.
  • Define two primary types of users: local user and remote user.
    • Local users have their entire login credentials, user Roles, and device group permissions defined locally on the NetMRI appliance.
    • Remote users have Roles assignments and device group permissions defined in Authentication Service Properties, and those assignments and permissions are granted remotely through an external service.

...

Note
    • Device groups are a NetMRI organizational unit that gathers devices in related groups—routers in a Routers group, Ethernet switches in a Switches group, and so on. For related information on device groups, see Devices and Interfaces.
  • Create, edit, and delete user Roles. You assign Roles to each individual user account and define the privileges and tasks, and specific networks and network devices on which the NetMRI user can operate. A user account is ineffective without an assigned Role. A user account can use one or more Roles.
  • Each Role is comprised of a set of access Privileges, which are the types of tasks that the user can carry out in their assigned Role.
  • Review the Audit Log. The Audit Log provides records of all actions taken by all NetMRI users, showing the timestamp, event type, and associated descriptive messages.

...

Note

Privileges play a key part in Roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also, see Privilege Descriptions for details on the Privileges comprising user Roles.

...

NetMRI provides a set of pre-defined Roles with specific privileges in NetMRI, as follows:

Analysis Admin

Specializes in creating and managing NetMRI Issues. Assigned privileges include Issues: Modify Parameters, Issues: Modify Suppression Parameters, Issues: Modify Priority, Issues: Define Notifications, and View: Non Sensitive.

Change Engineer: High

Allowed to author, approve, execute, and schedule scripts designated High Level (Level 3) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Approve Level 3
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Scripts: Schedule Level 3
  • Switch Port Admin
  • Terminal: Modify Credentials
  • Terminal: Open Session
  • View: Audit Log
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature using User Credentials (Terminal: Open Session privilege). This role can modify CLI credentials (Terminal: Modify Credentials privilege).

Change Engineer: Medium

Allowed to author, approve, execute, and schedule scripts designated Medium Level (Level 2) and lower.

Privileges include the following:

  • Collection: Poll On-Demand
  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Approve Level 2
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Execute Level 2
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 2
  • Switch Port Admin
  • Terminal: Open Session
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

This role can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature (Terminal: Open Session privilege) using NetMRI default credentials. By default, this role cannot modify CLI credentials.

Change Engineer: Low

Allowed to author, approve, execute, and schedule scripts designated Low Level (Level 1).

Privileges include the following:

  • Lists: Author
  • Scripts: Approve Level 1
  • Scripts: Author
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Users with this role cannot launch SSH or Telnet sessions and those options will not appear in the device shortcut menu (right-clicking on a device's IP address, a VLAN IP, and other elements in the NetMRI UI). By default, this role cannot modify CLI credentials.

Config Admin

A read-only account that is allowed to view all sensitive data in NetMRI. Privileges include View: Audit Log, View: Sensitive, and View: Non-Sensitive.

Default View Role

A read-only account that is allowed to view only non-sensitive data. Privileges include View: Non-Sensitive.

Event Admin

Event system administrator. Privileges include Events: Admin, which enables the creation of new Event Symptoms, and View: Non-Sensitive.

FindIT

Allows access only to the NetMRI FindIT tool.

Group Manager

Creates and manages interface groups, device groups, and related result sets. Privileges include Groups: Create, Groups: Delete, Groups: Result Sets, View: Non-Sensitive, and View: Sensitive.

Network Security Engineer

Allows users to provision ACL / firewall rules.

Privileges include the following:

  • Access Provision
  • Access Search
  • Scripts: Approve Level 1
  • Scripts: Approve Level 3
  • Scripts: Execute Level 1
  • Scripts: Execute Level 3
  • Scripts: Schedule Level 1
  • Scripts: Schedule Level 3
  • View: Job Sessions Log
  • View: Non Sensitive
  • View: Sensitive

Policy Manager

Creates and manages Policies for one or more Groups in NetMRI to standardize and lock down configurations for networked devices such as routers, switches, and firewalls. Privileges include Policy: Deploy, Policy: Create, Edit and Delete, View: Audit Log, View: Non-Sensitive, and View: Sensitive.

Report Admin

Role to allow the creation and editing of Report features in NetMRI. Associated privileges include Reports: Report Manager, View: Non-Sensitive, and View: Sensitive.

Switch Port Administrator

Allows users to make changes to switch port configurations.

Privileges include the following:

  • Collection: Poll On-Demand
  • Scripts: Approve Level 1
  • Scripts: Execute Level 1
  • Scripts: Schedule Level 1
  • Switch Port Admin
  • View: Non Sensitive
  • View: Sensitive

SysAdmin

The global administrator account Role for NetMRI. Includes the System Administrator privilege and View: Audit Log. SysAdmins can manage, add, and remove scan interfaces and map them to networks, and can manage, add, and remove network views.

User Admin

Creates and edits NetMRI user accounts and Roles, and assigns privileges. Includes View: Audit Log, View: Non-Sensitive, User Administrator, Reset Passwords, and Issues: Define Notifications.

You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance. See Defining and Editing Roles for more information.
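
A review of which accounts end up holding the more powerful privileges, as an added example that is not part of the NetMRI documentation or product. It uses privilege sets listed above, a constructed assignment list, a reviewer-chosen watch list, and the assumption that privileges from several Roles combine as a union within each device group.

```python
from collections import defaultdict

# Privilege sets as listed on this page for four of the pre-defined Roles.
ROLE_PRIVS = {
    "Default View Role": {"View: Non Sensitive"},
    "Config Admin": {"View: Audit Log", "View: Sensitive", "View: Non Sensitive"},
    "Switch Port Administrator": {
        "Collection: Poll On-Demand", "Scripts: Approve Level 1",
        "Scripts: Execute Level 1", "Scripts: Schedule Level 1",
        "Switch Port Admin", "View: Non Sensitive", "View: Sensitive"},
    # Abridged: only the entries of this Role that matter for the watch list.
    "Change Engineer: High": {
        "Scripts: Execute Level 3", "Terminal: Modify Credentials",
        "Terminal: Open Session", "View: Audit Log", "View: Sensitive"},
}

# Reviewer-chosen watch list (an assumption of this example, not a NetMRI concept).
WATCH = {"View: Sensitive", "Terminal: Modify Credentials", "Scripts: Execute Level 3"}


def effective(assignments):
    """(user, role, [device groups]) rows -> {(user, group): privileges}.
    Assumes Roles combine as a union inside each device group."""
    eff = defaultdict(set)
    for user, role, groups in assignments:
        for group in groups:
            eff[(user, group)] |= ROLE_PRIVS[role]
    return eff


def watch_report(assignments, users):
    """Watch-listed privileges per (user, group), plus accounts with no Role."""
    eff = effective(assignments)
    report = {k: sorted(p & WATCH) for k, p in eff.items() if p & WATCH}
    no_role = sorted(set(users) - {user for user, _ in eff})
    return report, no_role


# Constructed sample data; Routers and Switches are the device groups named above.
USERS = ["alice", "bob", "carol"]
ASSIGNMENTS = [
    ("alice", "Default View Role", ["Routers", "Switches"]),
    ("alice", "Switch Port Administrator", ["Switches"]),
    ("bob", "Change Engineer: High", ["Routers"]),
]

if __name__ == "__main__":
    report, no_role = watch_report(ASSIGNMENTS, USERS)
    for (user, group), privs in sorted(report.items()):
        print(f"{user} on {group}: {', '.join(privs)}")
    print("accounts with no Role (ineffective):", no_role)
```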

...

  1. Click Add User below the table.
  2. If you want the new account to be disabled by default, select the Account Disabled checkbox.
  3. If you want the user to be authenticated and authorized by the NetMRI appliance for their roles and device group assignments, select the Force Local Authorization checkbox. This enables the user to have a locally defined login that is separate from the remote one on the AAA server. Leaving this checkbox clear enables the user account to be subjected to authorization through a remote AAA server.
  4. On the User Details tab, enter values for the First Name, Last Name, Username, and Password fields. Fill in optional fields as needed.

    Note

    User account names are case-sensitive. You can use some non-alphanumeric characters for naming including bracket characters, such as @!#$%^&*()[]{}. Punctuation characters (,.;'"), the equal sign =, vertical bar |, and spacebar characters are disallowed.

    Note

    If you use TACACS+ authentication and authorization with NetMRI, keep in mind that TACACS user names are case-insensitive. Therefore, the case must not be the only difference between NetMRI and TACACS user names.

  5. Click Save. The Roles, CLI Credentials, and Database Credentials tabs become available.
  6. Click the Roles tab, and then click Add.
  7. In the Add Role to User dialog, choose a role from the drop-down list.
  8. Under In device groups, click to choose the device group(s) the user is allowed to access.
  9. Click OK. The new role settings are saved for the user account.
  10. On the CLI Credentials tab, define the command-line credentials as described in the procedure below.
  11. On the Database Credentials tab, define the database credentials as described in the procedure below.
  12. In the Add New User dialog, click Close.

...

  1. In the Add New User or Edit User dialog, click the Database Credentials tab. This tab allows giving access to the NetMRI database to a user.
  2. Select the Database Credentials Enabled checkbox. 
  3. Enter the user's Username and Password values, and confirm the password. NetMRI uses these credentials for a new SQL user to access the database.

    Note

    The SQL username should be from 8 to 16 characters long. It should not contain special symbols.

  4. Click Save.
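
The naming rules from the notes above (account names, TACACS+ case handling, and SQL usernames), as an added example that is not part of the NetMRI documentation or product: a pre-creation check run over a constructed account list. It rejects only the characters the note lists as disallowed, and it assumes that "no special symbols" means ASCII letters and digits only.

```python
import re
from collections import defaultdict

# Characters the note lists as disallowed in account names:
# punctuation , . ; ' " plus the equal sign, vertical bar and space.
DISALLOWED = set(",.;'\"=| ")
# Assumption: "no special symbols" means ASCII letters and digits only.
SQL_NAME = re.compile(r"[A-Za-z0-9]{8,16}")

def check_account_name(name):
    """Return the disallowed characters found in an account name."""
    return sorted(set(name) & DISALLOWED)

def case_collisions(names):
    """Group names that differ only by case; TACACS user names are case-insensitive."""
    groups = defaultdict(list)
    for n in names:
        groups[n.casefold()].append(n)
    return [sorted(set(g)) for g in groups.values() if len(set(g)) > 1]

def check_sql_username(name):
    """True when the SQL username is 8 to 16 characters with no special symbols."""
    return SQL_NAME.fullmatch(name) is not None

def review(accounts):
    """accounts: list of (account_name, sql_username or None). Returns findings."""
    findings = []
    for name, sql_name in accounts:
        bad = check_account_name(name)
        if bad:
            findings.append((name, "disallowed characters: " + " ".join(map(repr, bad))))
        if sql_name is not None and not check_sql_username(sql_name):
            findings.append((name, "SQL username must be 8-16 characters, no special symbols"))
    for group in case_collisions([a for a, _ in accounts]):
        findings.append((group[0], "differs only by case from: " + ", ".join(group[1:])))
    return findings

# Constructed sample accounts, not taken from any real appliance.
SAMPLE = [("jsmith", "jsmithdb01"), ("JSmith", None),
          ("ops.admin", "ops"), ("net@core", "netcore_db1")]

if __name__ == "__main__":
    for who, what in review(SAMPLE):
        print(f"{who}: {what}")
```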

To edit an existing user account, complete the following:

...

  1. Click Add (below the table).
  2. In the Add Role dialog > Users tab, enter a descriptive name in the Name field.
  3. In the Description field, describe the role.
  4. Click Save. This adds the new role to the Roles table. The Users and Privileges tabs appear.

...


...

  1. You can assign one or more user accounts or privileges to the new role. It is not necessary to assign users to the role (this can be done in the user account), but privileges must be assigned for the new role to be meaningful.

...

  1. In the Users tab, click Add. The Add User for <Username> Role dialog appears, displaying a Users drop-down list and the list of Device Groups in the appliance.

...

  1. In the Add User for <Username> Role dialog > User drop-down list, choose one or more users for the role.

...

  1. In the Device Group table, select the device group checkboxes to be associated with this role.

...

  1. Click OK.

...

  1. As needed, repeat steps 5 through 8 for other accounts.

Note

A role containing optional user/device group definitions can be assigned only to users listed in the Role Users tab. To allow a role to be assigned to any user, delete user/device group definitions in this tab.

...