Document toolboxDocument toolbox

Creating Admin and User Accounts

Owned by Aliaksei Shautsou (Deactivated)
Sept 09, 2019
18 min read

Effective use of NetMRI requires an efficient and logical plan for user accounts. User account administration is a straightforward but fundamentally important part of a NetMRI rollout.

The two administrative concepts that are involved for NetMRI users include the user accounts themselves, and each account's associated Role.

You can define and authenticate your admin users remotely, where all users and their accounts are authenticated and authorized for their roles and privileges through an external server such as RADIUS or LDAP. This chapter describes how to set up local authentication services in NetMRI. For remote configurations, see NetMRI User Authentication and Authorization. You can also define and authenticate all of your admin users locally, where all user accounts and their assigned roles and privileges are defined in the NetMRI system.

Note

For external authentication and authorization services, NetMRI receives the login requests from the user and forwards them to the Authentication/Authorization server, which performs the actual transaction. In this chapter, you configure authentication based only in the local appliance.

User Administration in NetMRI

You define user administration functions in the Settings window (Settings icon –> User Admin section), performing the following tasks:

  • Create, edit, and delete user accounts. Each user account is assigned one or more Device Groups over which they have some administrative functions.
  • Define two primary types of users: local user and remote user.
    • Local users have their entire login credentials, user Roles, and device group permissions defined locally on the NetMRI appliance.
    • Remote users have Roles assignments and device group permissions defined in Authentication Service Properties, and those assignments and permissions are granted remotely through an external service.

Note

Device groups are a NetMRI organizational unit that gathers devices in related groups—routers in a Routers group, Ethernet switches in a Switches group, and so on. For related information on device groups, see Devices and Interfaces.

  • Create, edit, and delete user Roles. You assign Roles to each individual user account and define the privileges and tasks, and specific networks and network devices on which the NetMRI user can operate. A user account is ineffective without an assigned Role. A user account can use one or more Roles.
  • Each Role is comprised of a set of access Privileges, which are the types of tasks that the user can carry out in their assigned Role.
  • Review the Audit Log. The Audit Log provides records of all actions taken by all NetMRI users, showing the timestamp, event type and associated descriptive messages.

Several advanced User Administration settings are located in the Advanced Settings section. For more information, see Advanced User Administration Settings.

User administration provides support from external authentication servers. Because NetMRI supports both external authentication and authorization features through remote groups, mirroring the Roles and Privileges provided in local NetMRI user provisioning, you can leverage remote AAA server configurations (from TACACS+, LDAP, Active Directory, and RADIUS) without having to directly provision significant numbers of users on NetMRI.

Advantages of Remote Authentication and Authorization for Users

When a new user is authenticated and authorized through one of the remote services described in NetMRI User Authentication and Authorization, NetMRI automatically creates the new account locally and learns the Roles and device group assignments from the remote service. If there happens to be an established local user account, and the account login is authenticated and authorized by an external service, NetMRI will update its local profile to reflect the Roles and device group assignments granted by the last external authorization.

  • User Roles and privileges are learned from the remote group assignment that is defined on the Authentication Service.
  • Passwords, whether encrypted or plaintext, are not stored on the NetMRI appliance, and are consistently checked against the external server.
  • On occasions when no external service is available, the user will be asked to use local login credentials. This requires enabling of the Local authentication service.

For more information on remote authentication and authorization of NetMRI users, see NetMRI User Authentication and Authorization and its subsections.

Managing User Data

For the Users and Roles pages, the Select check box is to the left of an Action icon. When you select multiple rows of a table, a whole page, or multiple pages of either data type, you can choose Delete from the Action menu for any selected row. You cannot edit multiple rows of data. The Delete option is the only available option after selecting multiple rows.

Doing so enables you to delete all selected records from the table. Exercise caution when performing this action, as you may unintentionally delete rows of data that you did not wish to select.

While it is possible to select the entire table's worth of data in the Users page (Settings icon –> User Admin –> Users), the admin user account can never be deleted; the default set of NetMRI Roles (Settings icon –> User Admin –> Roles) also may not be deleted (though they are otherwise editable) and the Delete option is ghosted for each of them in the Action menu. In all cases, NetMRI user accounts with read-only privileges will not be able to perform this action.

You can use a feature called Force Local Authentication for any user account in your appliance:

  • Administrators can enable the Force Local Authentication check box for local user accounts to provide a specific profile to users that also exist on a remote authentication/authorization service. In the user configuration, you enable the Force Local Authorization option and its read-only Last Login value will show the external service name. Locally created user accounts automatically enable this option, which can be disabled at any time. If the user is learned by NetMRI through a remote authentication/authorization service, this option is automatically disabled.
  • When a user is learned by NetMRI through a remote authentication/authorization service, the administration cannot then re-create the user account. You may activate the Force Local Authentication check box for an externally learned account and redefine its password and other user details. The Local authentication service also must be placed first in the Authentication Services list. Taking these steps, you can ensure that an account is verified and authorized locally, without using the same login defined on the external service. An alternative is to define a different local login credential for the user.
  • The Force Local Authentication setting is automatically enabled for all new locally created users.

You can change local user accounts settings at any time:

  • You can change the local user password.
  • You can disable a user account at any time.
  • You can change assigned Roles and device groups for an account, but changes will persist only when the account is locally authenticated and authorized, with the Local authentication service taking the highest Priority setting and the Force Local Authentication check box enabled for the account.
  • You can define CLI credentials, notes, and Email settings for all users in the User database.

Understanding Users and Roles

Note

Privileges play a key part in roles configuration. Each of the pre-defined roles uses a specific collection of Privileges, which are pre-defined administrative functions that cannot be edited or changed. You can delete Privileges from a defined Role and create new Roles with custom sets of Privileges. Also, see Privilege Descriptions for details on the Privileges comprising user Roles.




User accounts are the standard identities of all users of the NetMRI appliance.

You assign roles to each user account, after assigning the privileges that each user account is allowed to perform. User accounts are granular to individuals, while roles apply across different accounts.

NetMRI provides a set of pre-defined Roles with specific privileges in NetMRI, as follows:

AnalysisAdmin

Specializes in creating and managing NetMRI Issues. Assigned privileges include Issues: Modify Parameters, Issues: Modify Suppression Parameters, Issues: Modify Priority, Issues, Define Notifications, and View: Non Sensitive.

ChangeEngineer: High

Allowed to write, schedule and execute job scripts of any degree of risk sensitivity. Privileges include Switch Port Admin, Scripts: Author, Scripts: Level1 (low risk), Scripts, Level 2 (medium risk), Scripts, Level 3 (high risk), View: Audit Log, View: Sensitive, and View: Non-Sensitive. This role also can launch SSH and Telnet sessions using NetMRI's Telnet/SSH Proxy feature, using User Credentials (Terminal: Open Session). This Role can also modify CLI credentials (Terminal: Modify Credentials). The Collection: Poll On Demand privilege provides the ability to perform on-demand polling of individual network devices.

Change Engineer: Medium

Allowed to write, schedule and execute job scripts. Privileges include Switch Port Admin, Scripts: Author, Scripts: Level 1, (low risk); Scripts, Level 2 (medium risk), View: Sensitive, and View: Non-Sensitive. This role can launch SSH and Telnet sessions using NetMRIs Telnet/SSH Proxy feature (Terminal: Open Session), using NetMRI default credentials. By default, this role cannot modify CLI credentials. The Collection: Poll On Demand role provides the ability to perform on-demand polling of individual network devices

Change Engineer: Low

Allowed to write, schedule and execute job scripts with a low sensitivity to risk. Privileges include Switch Port Admin, Scripts: Author, Scripts: Level 1 (low risk), View: Sensitive, and View: Non-Sensitive. Users with this role cannot launch SSH or Telnet sessions and those options will not appear in the device shortcut menu (right-clicking on a device's IP address, a VLAN IP and other elements in the NetMRI UI). By default, users with this role also cannot modify CLI credentials.

Config Admin

Read-only account that is allowed to view all sensitive data in NetMRI. Privileges include View: Audit Log, View: Sensitive, and View: Non-Sensitive.

Default View Role

Read-only account that is allowed to view only non-sensitive data. Privileges include View: Non-Sensitive.

Event Admin

Event system administrator. Privileges include Events: Admin which enables the creation of new Event Symptoms, and View: Non-Sensitive.

FindIT

Allows access only to the NetMRI FindIT tool.

GroupManager

Creates and manages interface groups, device groups, and related result sets. Privileges include Groups: Create, Groups: Delete, Groups: Result Sets, View: Non-Sensitive. and View: Sensitive.

Policy Manager

Creates and manages Policies for one or more Groups in NetMRI to standardize and lock down configurations for networked devices such as routers, switches, and firewalls. Privileges include Policy: Deploy, Policy: Create, Edit and Delete, View: Audit Log, View: Non-Sensitive, and View: Sensitive.

Report Admin

Role to allow the creation and editing of Report features in NetMRI. Associated privileges include Reports: Report Manager, View: Non-Sensitive, and View: Sensitive.

Switch Port Administrator

Switch port administrator. Privileges include Switch Port Admin which enables changes to switch port configurations such as VLAN assignment and port activation, and View: Non-Sensitive.

SysAdmin

The global administrator account Role for NetMRI. Includes the System Administrator privilege and View: Audit Log. SysAdmins can manage, add and remove scan interfaces and map them to networks, manage, add, and remove network views.

UserAdmin

Create and edit NetMRI user accounts and Roles, and assign privileges. Includes View: Audit Log, View: Non-Sensitive, User Administrator, Reset Passwords, and Issues: Define Notifications.

You can create custom Roles, with custom sets of privileges to suit the needs of your organization. You can add and remove privileges and user accounts from each of the pre-defined Roles in the NetMRI appliance.

See Defining and Editing Roles for more information.

The 17 default Roles built into the system cannot be deleted from the appliance. Custom Roles can be deleted and edited.

Creating User Account s


You create, edit, and delete user accounts in the Users page (Settings icon –> User Admin section –> Users). By default, the admin account is the single user account built into the appliance. You cannot remove this account.

In the Users window, each user account lists the following:

  • User Name: The network identity of the user.
  • First Name and Last Name: The configured first name and surname for the user.
  • Last Login: The time and date of the last login.
  • Last Authentication: Shows the authentication service that granted the last login.
  • Last Authorization: This field is updated at each user login. Possible values are as follows:
    • Remote: When the user logs in using their remote password, and their Force Local Authorization setting is set to False for their user account. The user is granted the roles defined from the remote group assignment in the authentication service properties.
    • Local: In cases where the user simply logs in using their local appliance password or, when the user logs in to the remote authentication service using their remote password, and the Disable Authorization checkbox is enabled for that service is disabled for their account.
    • Forced Local: When the user logs-in using their remote password and their Force Local Authorization setting is set to False in their User properties. The user is granted the local roles and access to their device groups.

      For remotely authenticated users, including new accounts learned from logins to a configured remote service, the field will show No and the service will show the service name.
  • Roles: The role(s) assigned to the account.
  • Account Status (active or disabled): An admin can disable a user account by enabling its Account Disabled check box. When you do so, the user will receive a User Disabled or Locked message upon the subsequent login.

When scheduling or running a job (see Creating and Scheduling Jobs for more information), if user credentials are required and the Use the requester's stored CLI credentials or Use the approver's stored CLI credentials job options are selected, then the CLI credentials associated with the given user account are used to login to the network devices that are part of the job. Admins can modify command-line execution credentials for each created user account through the CLI Credentials tab. For more information, see the corresponding procedure further in this section.

Note

The Actions for each account in the Users list represent the actions that the admin user can take on that user account (Edit, Delete, etc.).

Note

User account names are case-sensitive. You can use some non-alphanumeric characters for naming, including bracket characters, such as @!#$%^&*()[]{}. Punctuation characters (,.;'"), the equal sign =, vertical bar |, and spacebar characters are disallowed.

If you use TACACS+ authentication and authorization with NetMRI, you should keep in mind that TACACS user names are case-insensitive. Therefore, the case must not be the only difference between NetMRI and TACACS user names.

To create a new user account, complete the following:

  1. Click Add User (below the table).
  2. In the Add New User dialog –>User Details tab, enter values for the First Name, Last Name, Username, and Password fields. Fill in optional fields as needed.
    • If you want the new account to be disabled by default, check the Account Disabled check box.
    • If you want the user to be authenticated and authorized by the NetMRI appliance for their roles and device group assignments, check the Force Local Authorization check box. This enables the user to have a locally defined login that is separate from the remote one on the AAA server. Leaving this check box clear enables the user account to be subjected to authorization through a remote AAA server.
  3. Click Save. The Roles and CLI Credentials tabs activate, allowing you to assign Roles to the account.
  4. In the Roles tab, click Add.
  5. In the Add Role to User <username> dialog, choose a role from the drop-down list.
  6. In the Device Groups list, click to choose the device group(s) the user is allowed to access. Click All (the first item in the list) to allow the user account to access all device groups.
  7. Click OK. The new Role settings are saved for the user account.
  8. In the Add New User dialog, click the Close button.

To edit an existing user account, complete the following:

  1. Click the Edit icon for the account.
  2. In the Edit User dialog, make the necessary changes, and then click the Close button.

To delete a user account, complete the following:

  1. Click the Delete icon for the account.
  2. Confirm the deletion.

To define command-line credentials for a user account, complete the following:

  1. In the Edit User dialog, click the CLI Credentials tab for the user account. This tab allows CLI credentials (username, password, and Enable password for devices) to be associated with specific user accounts.
  2. If desired, enable the User CLI Credentials Enabled check box. The admin account can log in to network devices using the CLI credentials associated with the given account, instead of the admin credentials associated with devices during their Discovery.
  3. Enter the user's Username and Password values, and confirm the password.
  4. Enter the admin account's Enable Password and confirm it.

Defining and Editing Role s

Note

Roles are also limited by a chosen user's permitted access to device groups. Device groups accessible to a user are specified in the user's account.

A role defines what a user can do within NetMRI. Each role consists of a set of privileges, each of which specifies a distinct permitted activity. The Roles page (Settings icon –> User Admin –> Roles) enables an administrator to create, edit, and delete roles.

To create a new role, complete the following:

  1. Click Add (below the table).
  2. In the Add Role dialog –> Users tab, enter a descriptive name in the Name field.
  3. In the Description field, describe the role.
  4. Click Save. This adds the new role to the Roles table. Users and Privileges tabs appear.

Note

You can assign one or more user accounts or privileges to the new role. It is not necessary to assign users to the role (this can be done in the user account), but privileges must be assigned for the new pole to be meaningful.

5. In the Users tab, click Add. The Add User for <Username> Role dialog appears, displaying a Users drop-down list and the list of Device Groups in the appliance.

6. In the Add User for <Username> Role dialog –> User drop-down list, choose one or more users for the role.

7. In the Device Group table, select the device group check boxes to be associated with this role.

8. Click OK.

9. As needed, repeat steps 5 through 8 for other accounts.

Note

A role containing optional user/device group definitions can be assigned only to users listed in the Role Users tab. To allow a role to be assigned to any user, delete user/device group definitions in this tab.

To specify privileges for the role, perform the following:

  1. In the Edit Role –> Privileges tab, click Add.
  2. In the Add Privileges dialog, select the Privileges check boxes (see list below) to be associated with the role.
  3. Click OK.
  4. In the Edit Role dialog, click Save & Close.

Editing Roles

To edit a role, perform the following:

  1. Click the Edit button for the role.
  2. In the Edit Role dialog, as needed, edit the Name and/or Description.
  3. Add or delete users/device groups in the Users tab and add or delete privileges in the Privileges tab.
  4. Click Save.

To copy a role, perform the following:

  1. Click the Copy button for the role.
  2. Confirm the copy.

The copied role appears in the list as "<previous name Copy>." To delete a role, complete the following:

  1. Click the Delete button for the role.
  2. Confirm the deletion.

Privilege Descriptions

The following NetMRI system privileges can be assigned to Roles:

Privilege

Description

Configure Networks

A system privilege applied to SysAdmin roles. Allows adding of new networks, changing Network View mappings and mapping local VRFs to networks.

Switch Port Admin

A system privilege applied to Switch Port Administrator Roles. This Privilege allows the Role to perform the following tasks:

Modify port descriptions (Interface Viewer –> Settings –> Port Control Settings).

Set a switch port to Administratively UP or Administratively Down (Interface Viewer –> Settings –> Port Control Settings).

Change a port's VLAN assignment (Interface Viewer –> Settings –> Port Control Settings).

Specify ports to exclude from Switch Port Management page views (Interface Viewer -> Settings –> General Settings).

View system feedback for their most recent action.

Collection: Poll On Demand

Users with this privilege can perform on-demand polling of individual network devices for the admin account using this privilege.

View: Non Sensitive

Ability to view all non-sensitive information in NetMRI, such as Issues, Changes, audit logs and device states through the Device Viewer. Users with these privileges cannot carry out the following:

Setup tasks beyond Setup Summaries (Settings –> Setup –> Settings Summary).

License management and many other NetMRI Settings configurations (Settings –> Setup –> General Settings).

Database settings beyond viewing statistics Settings –> Setup –> Database Settings). View: Non-Sensitive also cannot view or modify device configuration files, CLI and SNMP credentials, or NetMRI user accounts.

Users with View: Non Sensitive privileges can schedule and run reports.

View: Sensitive

Ability to view all sensitive information in NetMRI, including policy compliance configurations, device configurations in Configuration Management, configuration of user accounts, and Setup, Licensing and Database tasks otherwise not accessible by View: Non Sensitive privileges.

View: NetMRI System Info

Ability to view NetMRI appliance settings.

Custom Data: Input Data

A privilege allowing non-Admin user accounts to edit and enter information in custom data fields previously created by the Admin account. Example: for network devices, custom fields are useful for recording important contextual data such as asset tag numbers and physical location — information that NetMRI does not gather on its own. By default, the Admin account is the only account with permissions to edit such data fields. For more information, see Defining and Using Custom Fields and Enabling Custom Data Field Editing for Non-Admin Users.

System Administrator

Allows user complete access to the NetMRI appliance.

Reset Passwords

Privilege that allows a user to change passwords other than their own.

User Administration

Privilege that allows a user to create users, and assign roles and privileges.

Issues: Modify Parameters

Privilege that allows a user to define and change analysis parameters, including analysis schedules.

Issues: Modify Suppression Parameters

Privilege that allows a user to modify issue suppression parameters.

Issues: Modify Priority

Privilege that allows a user to set priority of issues.

Issues: Define Notifications

Privilege that allows a user to define notifications for the issues

Scripts: Level 1

Execute and schedule packaged scripts and commands designated level 1 (low risk)

Scripts: Level 2

Execute and schedule medium-risk packaged scripts and commands.

Scripts: level 3

Execute and schedule high-risk packaged scripts and commands.

Scripts: Author

Author scripts and packaged commands, and save them for re-use by others.

Policy: Create, Edit, and Delete

Create, edit, and delete policies and policy rules.

Policy: Deploy

Ability to assign the device groups against which a policy is checked.

Events: Admin

Ability to create event symptoms.

Groups: Create

Ability to create and edit device and/or interface groups in NetMRI.

Groups: Result Sets

Ability to create and edit result sets.

Groups: Delete

Ability to remove the device and/or interface groups.

Terminal: Modify Credentials

Allow the user to modify their own CLI credentials. This privilege restricts/allows users with the given role to change their own CLI credentials (Settings –> User Admin –> edit User –> CLI Credentials). By default, this tab is disabled for user accounts without this privilege. NetMRI roles that have this privilege by default include SysAdmin, UserAdmin, and ChangeEngineer High. For roles other than those noted, this privilege is manually assigned.


Terminal: Open Session

Allow users to activate Telnet/SSH sessions from the right-click menu. Should a user account not have this privilege, a popup message appears explaining that they do not have sufficient privileges to use this feature. NetMRI roles with this privilege include SysAdmin, UserAdmin, ChangeEngineer High, and ChangeEngineer Medium. For roles other than those noted, this privilege is assigned manually.

Terminal: Use NetMRI Creds

Allow the user to log in to devices using the default login/enable credential associated to the device within NetMRI. These are not vendor default credentials. If a terminal session is opened and the user has the appropriate privileges, the terminal shell queries the device credentials based on status and connection type and attempts a login using those if they are available; if not, a username and password are requested from the user.

Tools: All

Allows access to all available Network Tools in NetMRI.

Tools: Ping/Traceroute

Allows access to the NetMRI Ping/Traceroute Tool.

Tools: Path Diagnostics

Allows access to the NetMRI Path Diagnostic Tool.

Tools: SNMP Walk

Allows access to the NetMRI SNMP Walk Tool.

Tools: Cisco Cmd Tool

Allows access to the NetMRI Cisco Command Tool.

Tools: Discovery Diag

Allows access to the NetMRI Discovery Diagnostics Tool.

Tools: FindIT

Allows access to the NetMRI FindIT Tool.

Note

Privileges cannot be edited or deleted, and new Privileges cannot be created.

Viewing the User Audit Lo g

The Audit Log (Settings icon –> User Admin –> Audit Log) lists all actions taken by user accounts that result in changes to NetMRI or any of the data sets the account manages. Log entries include the timestamp in which the action was taken, the User name, a description of the action, and field change details when applicable.

Log entries are initially ordered by time, with the most recent at the top of the list. The table can be reordered to, for example, consolidate a particular user's actions. Alternatively, use quick searching to isolate specific log entries.

Managing User Audit Logs for SSH Connection Attempts to Devices

As an aid to track what NetMRI or its users are doing on the network, you can also view the audit logs for all events in which NetMRI or its users attempt to use SSH or Telnet sessions to network devices. The amount of data collected for such events can substantially impact the size of the collected event database, so you can switch this feature on and off when needed and change the duration of these events being held in the database. Connection events that are covered by this log category include SSH/Telnet connections for Config Collection, Credential Collection, terminal emulation, and Job Engine Run connections. Unknown connections may also be recorded, which will be events such as API calls.

To view and change these settings, go to Settings icon –> General Settings –> Advanced Settings –> Notification category –> Log All CLI Sessions. The default value is On. You can also choose the No Commands Logged option, which retains the session events but prevents any sensitive CLI data from being recorded.

An associated Advanced Setting, Prune CLI Session Duration, enables you to regularly prune the amount of CLI session data by setting the retention time for keeping that data in the Device Audit Log. The default setting is 7 days.

Advanced User Administration Settings

Several important global NetMRI user account settings are located in the Advanced Settings section. To access them, go to Settings icon –> General Settings –> Advanced Settings, and then use the Next Page button to get to the User Administration category. Advanced User Administration settings determine the following:

Password Expiration

The number of days that a password is valid before requiring a new password for each account. The default is 90 days. Setting this value to zero sets any password to never expire.

For passwords to existing accounts, this setting only applies after a password is changed. For new account passwords, this setting applies immediately.

Consecutive Failed Login Limit

The number of successive failed login attempts allowed for any user account before the account is locked out. The default is zero—which allows an indefinite number of login attempts. Infoblox recommends setting Consecutive Failed Login Limit to a non-zero value. Ties to the Lockout Duration feature (below).

Lockout Duration

Determines the length of time that elapses before NetMRI accounts that experienced a failed series of logins can attempt once again to log in to the appliance. The default is zero, which indicates that there is no lockout time period. Infoblox recommends a value of 15 minutes or more.

Password Length

Determines the minimum permissible length of a password for admin accounts in NetMRI. Default minimum value is 8 characters.

Password Numeric

Determines whether passwords are required to have at least one numeric character in their composition. Default is On.

Password Non Alpha-Numeric

Determines whether passwords are required to have at least one non-alpha-numeric character (&^%$#@!~) in their composition. Default is *Off.

Password Mixed-Case

Determines whether passwords are required to have mixed upper/lower-case composition. Default is Off.

Hide the system banners from non-admin usersHides the System Health and Capacity Limit banners from non-admin users.