NetMRI admins can determine whether creators of configuration management jobs can self-approve their Perl/CCS script jobs, or require a NetMRI super admin to approve jobs execution. For a quick refresher on administrator accounts and the Roles they inhabit, see Understanding Users and Roles, as user accounts have a close relationship to job execution.
You can define the minimum script run level at which the appliance requires user-provided CLI credentials when scheduling or running a job.
Note
Through job execution credentials, the user-provided CLI credentials are used to log in to the network devices that are part of the job (in lieu of the CLI credentials associated with the network devices at discovery).
NetMRI provides Configuration Management settings (under the Settings icon > General Settings > Advanced Settings) to enforce organization policies for securely executing script jobs:
- Job Self Approval — Controls the ability of the script creator to approve the jobs they create and execute in the appliance. This setting is global to all users and can be set to True or False;
- Job Requires User Credentials — Defines the global minimum script "risk level" at which user-provided CLI credentials are required to execute a script job. Risk levels are stated as None (the default), Low, Medium, and High.
The correlation between NetMRI account types, their Roles and privileges, and script execution privileges is as follows:
Risk Level: None | None means the user will never be asked to provide alternate CLI credentials and the CLI credentials associated with the network devices at discovery are used. |
Risk Level: Low | Corresponds to admin accounts using the Change Engineer:Low Role associated with Scripts:Author and Scripts:Level1 (low risk) privileges |
Risk Level: Medium | Corresponds to admin accounts using the Change Engineer:Medium Role associated with Scripts:Author, Scripts:Level1 (low risk) and Scripts:Level2 (medium risk) privileges |
Risk Level: High | Corresponds to admin accounts using the Change Engineer:High Role associated with Scripts:Author, Scripts:Level1 (low risk), Scripts:Level2 (medium risk) and Scripts, Level3 (high or unknown risk) privileges |
Note: By default, execution privileges are set to None. If the Job Requires User Credentials advanced setting is changed from "None" to a higher setting, you must update scheduled jobs to take advantage of this feature.
If the Job Requires User Credentials run level is greater than or equal to the run level of the target script, the admin user scheduling and/or running the job is prompted to provide CLI credentials from the following options:
- Use the requester's stored CLI credentials;
- Use the approver's stored CLI credentials;
- Manually specify new CLI credentials.
If the Job Requires User Credentials run level is less than the run level of the target script, the admin user scheduling and/or running the job is not prompted to provide CLI credentials; the job uses the CLI credentials associated with the network devices at Discovery.
Note
See Creating User Accounts for more information on setting up admins with properly defined user names, passwords, and Enable passwords.
To set job approval settings for all NetMRI admin accounts, do the following:
- On the Settings icon > General Settings > Advanced Settings page, under the Configuration Management category, click the Edit icon for Job Self Approval.
- To allow all user accounts to self-approve running automated jobs that use CCS and Perl scripts, choose True. Otherwise, choose False.
- Click OK to commit the setting.
To require NetMRI admin accounts to use CLI credentials when executing scripts of a specific risk level, do the following:
1. On the Settings icon > General Settings > Advanced Settings page, under the Configuration Management category, click the Edit icon for Job Requires User Credentials.