Chapter 4 Managing Administrators

This chapter describes the various tasks associated with setting up admin groups, admin roles, admin accounts, and permissions. It contains the following sections:

• About Admin Accounts
• About Admin Groups
  • Creating Superuser Admin Groups
  • Creating Limited-Access Admin Groups
• About Admin Roles
  • Creating Admin Roles
• Managing Admin Groups and Admin Roles
  • Modifying Admin Groups and Roles
  • Deleting Admin Groups and Roles
  • Viewing Admin Groups
  • Viewing Admin Roles
  • Viewing Admin Group Assignments
• About Administrative Permissions
  • Defining Global Permissions
  • Defining Object Permissions
  • Defining DNS and DHCP Permissions on Grid Members
  • Applying Permissions and Managing Overlaps
  • Managing Permissions
• Authenticating Administrators
• Creating Local Admins
  • Managing Passwords
  • Modifying and Deleting Admin Accounts
• About Remote Admins
• Authenticating Admins Using RADIUS
  • Authentication Protocols
  • Accounting Activities Using RADIUS
  • Configuring Remote RADIUS Servers
  • Configuring RADIUS Authentication
  • Configuring a RADIUS Authentication Server Group
  • Authenticating Admins Using Active Directory
    • Configuring an Active Directory Authentication Service Group
    • Enabling Active Directory Authentication for Nested Groups
  • Authenticating Admin Accounts Using TACACS+
    • TACACS+ Accounting
    • Configuring TACACS+
    • Configuring a TACACS+ Authentication Server Group
  • Authenticating Admins Using LDAP
    • Authentication Protocols
    • Configuring LDAP
    • Configuring an LDAP Server Group
  • Defining the Authentication Policy
    • Configuring a List of Authentication Server Groups
    • Configuring a List of Remote Admin Groups
  • Authenticating Admins Using Two-Factor Authentication
    • Best Practices for Configuring Two-Factor Authentication
    • Configuring Certificate Authentication Services
    • Enabling Certificate Authentication Service for a User
    • Viewing Certificate Authentication Services
    • Modifying Certificate Authentication Services
    • Deleting Certificate Authentication Services
  • Changing Password Length Requirements
  • Notifying Administrators
  • Administrative Permissions for Common Tasks
  • Administrative Permission for the Grid
    • Administrative Permissions for Grid Members
    • Administrative Permissions for Network Discovery
    • Administrative Permissions for Scheduling Tasks
    • Administrative Permissions for Microsoft Servers
  • Administrative Permissions for IPAM Resources
    • Administrative Permissions for IPv4 and IPv6 Networks
    • Administrative Permissions for Hosts
  • Administrative Permissions for DNS Resources
    • Administrative Permissions for DNS Views
    • Administrative Permissions for Zones
    • Administrative Permissions for Resource Records
    • Administrative Permissions for Adding Blank A or AAAA Records
    • Administrative Permissions for Shared Record Groups
    • Administrative Permissions for DNS64 Synthesis Groups
  • Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges on page252
    • Best Practices for Configuring Permissions in Networks and Ranges
    • Changes to Default Behavior
    • Enabling Permissions for DNS Resources in Networks and Ranges
    • Configuring Permissions for DNS Resources in Networks and Ranges
    • Administrative Permissions for DHCP Resources
      • Administrative Permissions for Network Views
      • Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks
      • Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations
      • Administrative Permissions for IPv4 or IPv6 DHCP Enabled Host Addresses
      • Administrative Permissions for IPv4 and IPv6 DHCP Ranges
      • Administrative Permissions for IPv4 or IPv6 DHCP Templates
      • Administrative Permissions for Roaming Hosts
      • Administrative Permissions for MAC Address Filters
      • Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories
  • Administrative Permissions for File Distribution Services
  • Administrative Permissions for Dashboard Tasks
  • Administrative Permissions for Certificate Authentication Services and CA Certificates
  • Administrative Permissions for Object Change Tracking
  • Administrative Permissions for Named ACLs
  • Administrative Permissions for DNS Threat Protection
  • Administrative Permissions for Threat Analytics service
  • Administrative Permissions for Cloud Objects
  • Administrative Permissions for Reporting

About Admin Accounts
A user must have an admin account to log in to the NIOS appliance. Each admin account belongs to an admin group, which contains roles and permissions that determine the tasks a user can perform. For information, see About Admin Groups.
When an admin connects to the appliance and logs in with a username and password, the appliance starts a two-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the username and password. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process.
The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller, a RADIUS server, a TACACS+ server or an LDAP server. The group from which the admin receives privileges and properties is stored locally.
NIOS can authenticate users based on X.509 client certificates irrespective of the client certificate source. For example, smart card holders such as U.S. Department of Defense CAC users and PIV card holders. The status of these certificates is stored remotely on OCSP (Online Certificate Status Protocol) responders. NIOS uses two-factor authentication to validate these users. For more information about two-factor authentication and how to configure it, see Authenticating Admins Using Two-Factor Authentication.
The tasks involved in configuring administrator accounts locally and remotely are listed in Table 4.1. Table 4.1 Storing Admin Accounts Locally and Remotely

The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, Active Directory, TACACS+, or LDAP. You must add RADIUS, Active Directory, TACACS+, or LDAP as one of the authentication methods in the admin policy to enable that authentication method for admins. See Defining the Authentication Policy for more information about configuring the admin policy.

Figure 4.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and permissions and properties.
Figure 4.1 Privileges and Properties Applied to Local and Remote Admin Accounts

Complete the following tasks to create an admin account:

1. Use the default admin group or create an admin group. See About Admin Groups.
2. Define the administrative permissions of the admin group. See About Administrative Permissions.
3. Create the admin account and assign it to the admin group.
   • To add the admin account to the local database, see Creating Local Admins.
   • To configure the appliance to authenticate the admin account stored remotely, see About Remote Admins