Controlling User Access
This chapter contains the following sections:
• Changing User Group Privileges
Managing Users
All Prime Infrastructure users have basic parameters such as user name and password. Users with admin privileges can view active user sessions.
To view active sessions:
Step 1
Choose Administration > Users, Roles & AAA, then click Active Sessions.
Step 2
Click the Audit Trail icon for the username for which you want to see the following data:
• User—User login name
• Operation—Type of operation audited
• Time—Time operation was audited
• Status—Success or failure
• Reason—Failure reason when the user login failed
• Configuration Changes—This field provides a Details link if there are any configuration changes. Click on the Details link for more information on the configuration changes done by an individual user.
Note
The audit trail entries could be logged for individual device changes. For example, if a template is applied on multiple switches, then there will be multiple audit entries for each switch to which the template has been applied.
Adding a User
You can add a user and assign predefined static roles. Besides complete access, you can give administrative access with differentiated privileges to certain user groups. Prime Infrastructure supports external user authentication using these access restrictions and authenticates the users against the TACACS+ and RADIUS servers.
Step 1
Choose Administration > Users, Roles & AAA, then click Users.
Step 2
Choose Add a User, then click Go.
Step 3
Enter the username, password, and confirm password for the new user, then choose the groups to which this user belongs.
Step 4
Click the Virtual Domains tab to assign a virtual domain to this user. See Changing Virtual Domains.
Step 5
Click Save.
Changing User Passwords
To change the password for a user:
Step 1
Choose Administration > Users, Roles & AAA, then click Users.
Step 2
Select the user whose password you want to change.
Step 3
Complete the password fields, then click Save.
Changing User Group Privileges
Prime Infrastructure uses a list of tasks to control which part of Prime Infrastructure users can access and the functions they can perform in those parts. You change user privileges in Prime Infrastructure by changing the User Group to which each user belongs. You use the User Group Task List to change what users in each group are authorized to do and the screens they can access.
You can also assign the sites or devices to which a virtual domain has access.
To edit the task list for a user group:
Step 1
Choose Administration > Users, Roles & AAA, then click User Groups.
Step 2
Click on a group name to change the tasks this group is allowed to perform.
Step 3
Click the Members tab to view the users of this group.
User Groups
Prime Infrastructure has pre-defined user groups described in Table 22-1. You can change the privileges for the users, but you cannot add additional users. When you create a new user, you assign that user to a group.
Managing User Groups
To manage user groups and view their associated tasks:
Step 1
Choose Administration > Users, Roles & AAA, then click User Groups.
Step 2
Click on a group name to change the tasks this group is allowed to perform.
Step 3
Click the Members tab to view the users of this group.
Changing Virtual Domain Access
To edit the sites or devices to which a virtual domain has access:
Step 1
Choose Administration > Virtual Domains.
Step 2
Select the domain to which you want to assign sites or devices.
Step 3
Click the Sites or Devices tab, then move the necessary items from the Available list to the Selected list.
Step 4
Click Submit.
To associate users to Virtual Domains, choose Administration > Users, Roles & AAA, then click Users. See Assigning Users to a Virtual Domain.
Changing Password Policy
Prime Infrastructure supports various password policy controls, such as minimum length, repeated characters, etc.
To change password policies:
Step 1
Choose Administration > Users, Roles & AAA, then click Local Password Policy.
Step 2
Choose the necessary policies, then click Save.
Setting the AAA Mode
Prime Infrastructure supports local as well as TACACS+ and RADIUS AAA modes, but you must specify a TACACS+ or RADIUS server first.
To specify a TACACS+ server and then change the AAA mode to TACACS+:
Step 1
Choose Administration > Users, Roles & AAA, then click TACACS+.
Step 2
From the command pull-down menu, choose Add TACACS+ Server, then click Go.
Step 3
Enter the TACACS+ server parameters, then click Save.
Step 4
Click AAA Mode.
Step 5
Select TACACS+ and specify whether to enable fallback to the local condition.
Step 6
Click Save.
Changing Virtual Domains
A Prime Infrastructure Virtual Domain consists of a set of Prime Infrastructure devices and/or maps and restricts a user's view to information relevant to these managed objects.
Through a virtual domain, an administrator can ensure that users are only able to view the devices and maps for which they are responsible. In addition, because of the virtual domain filters, users are able to configure, view alarms, and generate reports for only their assigned part of the network.
The administrator specifies for each user a set of allowed virtual domains. Only one of these can be active for that user at login. The user can change the current virtual domain by selecting a different allowed virtual domain from the Virtual Domain drop-down list at the top of the page. All reports, alarms, and other functionality are now filtered by that virtual domain.
If there is only one virtual domain defined ("root") in the system AND the user does not have any virtual domains in the custom attributes fields in the TACACS+/RADIUS server, the user is assigned the "root" virtual domain by default. If there is more than one virtual domain, and the user does not have any specified attributes, then the user is blocked from logging in.
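The login rule above for TACACS+/RADIUS users, modelled as an added example (not Cisco code) so you can check which users would be locked out before creating a second virtual domain. The user names, the "campus-east" domain, and the choice to represent each user's custom attributes as a list of domain names are assumptions.

```python
# Added example: models the virtual domain login rule for TACACS+/RADIUS users.
# All user names and the "campus-east" domain are constructed sample data.
from dataclasses import dataclass

ROOT = "root"


@dataclass(frozen=True)
class LoginResult:
    allowed: bool
    domains: tuple  # virtual domains the user may select after login
    reason: str


def resolve_login(defined_domains, attr_domains):
    """Apply the rule to one externally authenticated user.

    defined_domains: virtual domains defined in Prime Infrastructure.
    attr_domains: virtual domains named in the user's custom attributes
    on the AAA server (empty when none are configured).
    """
    if attr_domains:
        return LoginResult(True, tuple(attr_domains), "custom attributes")
    if set(defined_domains) == {ROOT}:
        return LoginResult(True, (ROOT,), "root assigned by default")
    return LoginResult(False, (), "no attributes, multiple virtual domains")


def blocked_after_adding(defined_domains, aaa_users, new_domain):
    """Return users who can log in now but are blocked once new_domain exists."""
    after = list(defined_domains) + [new_domain]
    return sorted(
        name for name, attrs in aaa_users.items()
        if resolve_login(defined_domains, attrs).allowed
        and not resolve_login(after, attrs).allowed
    )


# Constructed sample: virtual domain attributes per AAA user (hypothetical).
AAA_USERS = {"alice": ["root"], "bob": [], "carol": []}

if __name__ == "__main__":
    for user in AAA_USERS:
        print(user, resolve_login([ROOT], AAA_USERS[user]))
    print("blocked after change:",
          blocked_after_adding([ROOT], AAA_USERS, "campus-east"))
```

Users reported as "root assigned by default" see the whole network until attributes are configured for them on the AAA server, so review that list as well as the blocked one.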
Adding Sites and Devices to Virtual Domains
To add sites and devices to a virtual domain:
Step 1
Choose Administration > Virtual Domains.
Step 2
From the left Virtual Domain Hierarchy sidebar menu, click the virtual domain to which you want to add a site or device.
Step 3
Move the sites and devices from the Available to the Selected column, then click Submit.
Related Topic
• Adding Users to Virtual Domains
Adding Users to Virtual Domains
To add a user to a virtual domain:
Step 1
Choose Administration > Users, Roles & AAA, then click Users.
Step 2
Click on the user you want to add to a virtual domain.
Step 3
Click the Virtual Domains tab.
Step 4
Move the virtual domain to which you want to add the user from the Available Virtual Domains column to the Selected Virtual Domains column, then click Save.
Note
Each virtual domain may contain a subset of the elements included with its parent virtual domain. When a user is assigned a virtual domain, that user can view the devices that are assigned to its virtual domain.
Related Topic
• Adding Sites and Devices to Virtual Domains
Auditing Access
Prime Infrastructure maintains an audit record of user access as described in the following sections:
• Viewing User Group Audit Trail
Viewing User Audit Trail
To access the audit trail for a user or user's active sessions:
Step 1
Choose Administration > Users, Roles & AAA, then click Active Sessions.
Step 2
Click the Audit Trail icon for the username for which you want to see details.
The Configuration Changes field provides a Details link if there are any configuration changes. Click on the Details link for more information on the configuration changes done by an individual user.
Note
The audit trail entries could be logged for individual device changes. For example, if a template is applied on multiple switches, then there will be multiple audit entries for each switch to which the template has been applied.
Viewing User Group Audit Trail
To access the audit trail for a user group:
Step 1
Choose Administration > Users, Roles & AAA, then click User Groups.
Step 2
Click the Audit Trail icon for the username for which you want to see details.
The Configuration Changes field provides a Details link if there are any configuration changes. Click on the Details link for more information on the configuration changes done by an individual user.
Note
The audit trail entries could be logged for individual device changes. For example, if a template is applied on multiple switches, then there will be multiple audit entries for each switch to which the template has been applied.
Audit Logs
Prime Infrastructure provides two types of audit logs under Administration > Audit Logs:
• Application Audit logs—Logs events that pertain to the Prime Infrastructure features. For example, you can view the application audit log to see when a particular user logged in and what actions were taken.
Note
For Application Audit, the User Group column is blank for TACACS+/RADIUS users.
• Network Audit logs—Logs events related to the devices in your network. For example, you can view the network audit logs to see which user deployed a specific template and the date and time the template was deployed.
Adding a TACACS+ Server
To configure Prime Infrastructure so it can communicate with the TACACS+ server:
Step 1
Choose Administration > Users, Roles & AAA, then click TACACS+.
Step 2
Choose Add TACACS+ Server, then click Go.
Step 3
Enter the TACACS+ server information, then click Save.
Note
For Prime Infrastructure to communicate with the TACACS+ server, the shared secret you enter on this page must match the shared secret configured on the TACACS+ server.
Adding a RADIUS Server
To configure Prime Infrastructure so it can communicate with the RADIUS server:
Step 1
Choose Administration > Users, Roles & AAA, then click RADIUS Servers.
Step 2
Choose Add Radius Server, then click Go.
Step 3
Enter the RADIUS server information, then click Save.
Note
For Prime Infrastructure to communicate with the RADIUS server, the shared secret you enter on this page must match the shared secret configured on the RADIUS server.