Document toolboxDocument toolbox

Managing Admin Groups and Admin Roles

Owned by Panna .
Aug 06, 2024
9 min read

After you create an admin group or an admin role, you can view, modify, and delete it.

Modifying Admin Groups and Roles

To modify an admin group:

  1. From the Administration tab, select the Administrators tab -> Groups tab -> admin_group checkbox, and then click the Edit icon.

  2. The Admin Group editor provides the following tabs from which you can modify data:

  • General: You can modify the following data.

    • Name: Modify the name of the admin group.

    • Comment: Enter useful information about the group, such as location or department.

    • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.

    • Allow Access from: To control access to the GUI and API, select one of the following. You can restrict access using a named ACL or define individual ACEs. For information about named ACLs, see Configuring Access Control.
      Note this group-based authentication is applicable for Grid-wide settings only. NIOS authenticates user credentials only after it authenticates the Grid-wide settings.

    • Any: Select this to allow any clients to access the GUI and API. This is selected by default.

    • Named ACL: Select this and click Select Named ACL to select a named ACL that contains only IPv4 and IPv6 addresses and networks. When you select this, the appliance allows GUI and API access for all ACEs in the named ACL. You can click Clear to remove the selected named ACL.

    • Set of ACEs: Select this to configure individual access control entries (ACEs). You can define ACEs for selected admin groups from which users can log in to the application. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding.

    • IPv4 Address and IPv6 Address: Select this to add an IPv4 address or an IPv6 address. The Type column displays either IPv4 address or IPv6 address based on the item you select from the drop-down list. Click the Value field and enter the IP address. The appliance allows this client to access the GUI and API and restricts others.

    • IPv4 Network and IPv6 Network: Select this to add an IPv4 network or IPv6 network. The Type column displays either IPv4 address or IPv6 address based on the item you select from the drop-down list. Click the Value field and enter the network. The appliance allows this network to access the GUI and API and restricts others.

  • After you have added access control entries, you can do the following:

    • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.

    • Reorder the list of ACEs using the up and down arrows next to the table.Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.

  • Roles: Modify the data as described in Creating Limited-Access Admin Groups, see About Admin Groups.

  • Extensible Attributes: Add and delete extensible attributes that are associated with the admin group. You can also modify the values of the extensible attributes. For information, see AboutManaging Extensible AttributesExtensibleManaging Extensible AttributesAttributes.

   3. Save the configuration and click Restart if it appears at the top of the screen.

Configuring Account Lockout for Admin Groups

You can enable password security such that if a group user tries to log in to Grid Manager by using an incorrect password, NIOS locks the account for a configured time period after the configured number of failed login attempts. Only superusers can enable and configure this feature.

To configure account lockout for admin groups:

  1. From the Administration tab, select the Administrators tab -> Groups tab -> admin_group checkbox, and then click the Edit icon

  2. In the Admin Group editor, select the Security tab -> Basic tab.

  3. NIOS automatically populates some field values based on account lockout configurations for the Grid. For more information, see Managing Security Operations. Click the Override button to modify the following data:

    • Enable Account Lockout: Select the checkbox to enable account lockout for the group user. This option is disabled by default.

    • Maximum number of attempts: Enter the maximum number of invalid login attempts to Grid Manager after which NIOS locks the account. You can specify a value from 1 to 99. The default value is 5. 

    • Lockout duration: Enter the time duration in minutes for which the account must be locked. You can specify a value from 1 to 1440. The default value is 5.

    • Never Unlock: Select the checkbox to permanently lock a group user account, which is already locked. Only a superuser can clear the checkbox to unlock the account. This option is not applicable to superuser accounts because you cannot permanently lock a superuser account. This option is disabled by default.

Note

NIOS displays an error on Save & Close, if the Never Unlock option is enabled for superusers.

Deleting Admin Groups and Roles

You can remove any default or custom admin group as long as it is not your own admin group or the last admin group. You can also delete any default or custom admin role. The appliance puts the deleted roles in the Recycle Bin, if enabled.

Note

You cannot delete the cloud-api-only and splunk-reporting-group admin groups. These admin groups are automatically created when you configure your Grid for Cloud Network Automation and Reporting and Analytics respectively. For information about Cloud Network Automation and Reporting and Analytics, see   and  .

To delete an admin group:

  1. From the Administration tab, select the Administrators tab -> Groups tab -> admin_group checkbox, and then click the Delete icon.

  2. In the Delete Confirmation dialog box, click Yes.
    To delete an admin role:

  3. From the Administration tab, select the Administrators tab -> Roles tab -> admin_role checkbox, and then click the Delete icon.

  4. In the Delete Confirmation dialog box, click Yes.

Configuring Password Duration for Admin Groups

You can set a time duration for the password for each admin group such that the password is valid only for that duration. After the specified duration expires, the password for the users of the group expires. 

Warning

The password expiry settings are applicable only to users with a local account.

To set the time duration for a password for each admin group:

  1. Go to the Administration tab, Administrators tab -> Groups tab, and select the checkbox next to the group for which you want to set the password time duration, and then click the Edit icon.

  2. Click the Password tab.

  3. Click the Override button if you want the time duration that specify here to override the time duration you set when specifying admin passwords using Grid Properties Editor.
    Note that the options in the screen are enabled only if you click the Override button. If you do not click Override, the time duration you set when specifying admin passwords using Grid Properties Editor applies.

  4. Select the Password must expire checkbox.

  5. In the Password must expire every _ days field, enter the number of days for which the password must be valid. For example, if you enter 11, the password is valid for 11 days.

  6. In the Reminder _ days prior to expiration field, enter the number of days before the expiry that NIOS sends a reminder. The range of days is from 1 to 30. The number that you enter here must always be lower than the number you enter in the Password must expire every _ days field.

  7. Click Save & Close.

Viewing Admin Groups

You can view the list of admin groups that are currently in the Grid. To view admin groups, from the Administration tab, select the Administrators tab -> Groups tab.

Grid Manager displays the following information:

  • Name: The name of the admin group.

  • Superuser: Indicates whether the admin accounts that you assign to this group have full authority to view and configure all types of data. The value can be Yes or No.

  • Comment: The information about the admin group.
    You can select the additional fields, Disabled and Site, for display.
    You can also do the following:

  • Sort the data in ascending or descending order by column.

  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Create a quick filter to save frequently used filter criteria. For information about using quick filters, see Finding and Restoring Data.

  • Modify some of the data in the table. Double click a row of data, and either edit the data in the field or select an item from a drop-down list. Note that some fields are read-only. For more information about this feature, see About the Grid Manager Interface.

  • Print or export the data.

Viewing Admin Roles

You can view the list of admin roles that are currently in the Grid. To view admin roles, from the Administration tab, select the Administrators tab -> Roles tab.

Grid Manager displays the following information:

  • Name: The name of the admin role.

  • System: Indicates whether the admin role is system defined or not. The value can be Yes or No.

  • Comment: The information about the admin role.

You can select the additional fields, Disabled and Site, for display. You can also do the following:

  • Sort the data in ascending or descending order by column.

  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Create a quick filter to save frequently used filter criteria. For information about using quick filters, see Finding and Restoring Data.

  • Modify some of the data in the table. Double click a row of data, and either edit the data in the field or select an item from a drop-down list. Note that some fields are read-only. For more information about this feature, see About the Grid Manager Interface.

  • Print or export the data.

Viewing Admin Group Assignments

After you define permissions for an admin role, you can assign it to multiple admin groups. You can view the list of admin groups to which an admin role is assigned, as follows:

  1. From the Administration tab, select the Administrators tab -> Roles tab -> admin_group checkbox, and then click the Edit icon.

  2. In the Role editor, select the Admin Groups tab.

Grid Manager displays the list of admin groups to which the role is assigned.

Disabling Multiple Login Sessions

You can disallow multiple logins for the same NIOS session. That is, if one user in the group has logged on to a NIOS session, for example https://255.255.255.0, no other users in the group can log on to the same IP address from another browser or from another system.

To do this:

  1. Go to the Administration tab, Administrators tab -> Groups tab, and select the checkbox next to the group for which you want to disallow multiple logins and click the Edit icon.

  2. Click the Security tab.

  3. Click the Override button if you want the override the multiple login sessions setting that you specified for the Grid. 

  4. Select the Disable Concurrent Login checkbox to disallow a member of the group to log on to multiple sessions of the same NIOS system; that is to disallow multiple login sessions per user. 
    Note that Before you disable multiple logins for a group in a NIOS system, ensure that all existing sessions (if any) of members of that group in that NIOS system are logged out. If not, the existing sessions will continue to remain active even after you disable multiple logins.

  5. Click Save & Close.

Disabling Inactive Users

You can disable a group of users who have not logged in to NIOS for a specified duration of time.

To do this:

  1. Go to the Administration tab, Administrators tab -> Groups tab, and select the checkbox next to the group for which you want to disable users.

  2. Click the Security tab.

  3. Click the Override button if you want to override the disable setting that you specified for the Grid. 

  4. Select the Disable Inactive Users checkbox.  

  5. In the Disable account if user has not logged in for <time period> days field, specify the time period (in days) after which users who have not logged in must be disabled. The range of days is from 2 to 9999. You can also specify a reminder to be sent in the Remind <days> prior to expiration field. The range of days is from 1 to 30. The number of days you specify in this field is the time from which users start getting daily email reminders that their account will be disabled. NIOS sends the email reminder only if an email address has been configured for the user.

  6. Select the Allow user to reactivate account via serial console and Allow user to reactivate account via remote console checkboxes if you want users to activate their account after it has been disabled. To reactivate using the serial console, see Deploying a Single Independent Appliance. To reactivate using the remote console, type ssh <user name>@<ip address>.
    Note that reactivating the account using the serial console or the remote console is possible only for superusers.

  7. Click Save & Close.