Configuring RBAC
This section contains the following topics:
- RBAC
- User Accounts
- User Roles
- Privileges
- User Locales
- Configuring User Roles
- Configuring User Locales
- Configuring Locally Authenticated User Accounts
- Monitoring User Sessions
RBAC
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system, and the locale defines the organizations (domains) to which a user is allowed access. Because users are not directly assigned privileges, managing individual user privileges is simply a matter of assigning the appropriate roles and locales.
A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization but could not update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.
User Accounts
User accounts are used to access the system. Up to 128 local user accounts can be configured in each VNMC instance. Each user account must have a unique username.
A local user can be authenticated using a password or an SSH public key. The public key can be set in either of two formats: OpenSSH or SECSH.
Default User Account
Each VNMC instance has a default user account, admin, which cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.
Expiration of User Accounts
User accounts can be configured to expire at a predefined time. When the expiration time is reached, the user account is disabled.
By default, user accounts do not expire.
Username Guidelines
The username is also used as the login ID for VNMC. When you assign usernames to VNMC user accounts, consider the following guidelines and restrictions:
- The login ID can contain from 1 to 32 characters, including the following:
- Neither the unique username nor a local user's username can consist solely of numbers.
- The unique username cannot start with a number.
- If an all-numeric username exists on an AAA server (LDAP) and is entered during login, VNMC cannot log in the user.
After you create a user account, you cannot change the username. You must delete the user account and create a new one.
Note: You can create up to 128 user accounts in a VNMC instance.
Password Guidelines
For authentication purposes, a password is required for each user account. To prevent users from choosing insecure passwords, each password must be strong. If the Password Strength Check option is enabled, VNMC rejects any password that does not meet the following requirements:
- Must contain a minimum of 8 characters.
- Must contain at least three of the following:
- Must not contain a character that is repeated more than three times consecutively, such as aaabbb.
- Must not be identical to the username or the reverse of the username.
- Must pass a password dictionary check. For example, the password must not be based on a standard dictionary word.
- Must not contain the following symbols: dollar sign ($), question mark (?), or equals sign (=).
- Should not be blank for local user and admin accounts.
Note: The Password Strength Check option is enabled by default. You can disable it from the Locally Authenticated Users pane (Administration > Access Control > Locally Authenticated Users).
Note: If VNMC is configured to use remote authentication with LDAP, passwords for those remote accounts can be blank. With this configuration, the remote credentials store is used for authentication only, not authorization. The local user role definition applies to the remotely authenticated user.
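As an added example (not part of the Cisco documentation), the username and password guidelines above expressed as validation functions. The word list is a constructed stand-in for whatever dictionary VNMC consults, and the repeat rule is read as rejecting any run of three or more identical characters so that the page's aaabbb example fails.

```python
import re

FORBIDDEN_SYMBOLS = set("$?=")  # symbols the password guidelines exclude

# Constructed stand-in for the word list behind the password dictionary check.
DICTIONARY = {"password", "welcome", "cisco", "engineering"}


def validate_username(name: str) -> list[str]:
    """Return the username-guideline violations (empty list means the name is acceptable)."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("length must be 1 to 32 characters")
    if name.isdigit():
        problems.append("must not consist solely of numbers")
    if name[:1].isdigit():
        problems.append("must not start with a number")
    return problems


def validate_password(password: str, username: str, strength_check: bool = True) -> list[str]:
    """Return the password-guideline violations for a local account (empty list means OK)."""
    if not password:
        # Blank passwords are acceptable only for LDAP-authenticated remote accounts.
        return ["must not be blank for local user and admin accounts"]
    if not strength_check:
        return []  # Password Strength Check disabled: only the blank check applies
    problems = []
    if len(password) < 8:
        problems.append("must contain at least 8 characters")
    # Interpretation: the page's example aaabbb is rejected, so a run of three
    # identical characters in a row already counts as a violation.
    if re.search(r"(.)\1{2,}", password):
        problems.append("must not contain a run of repeated characters (e.g. aaabbb)")
    if password.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("must not be the username or its reverse")
    if FORBIDDEN_SYMBOLS & set(password):
        problems.append("must not contain $, ? or =")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("must not be based on a dictionary word")
    return problems
```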
User Roles
User roles contain one or more privileges that define the operations allowed for the user who is assigned the role. A user can be assigned one or more roles. A user assigned multiple roles has the combined privileges of all assigned roles. For example, if Role1 has policy-related privileges, and Role2 has tenant-related privileges, users who are assigned to both Role1 and Role2 have policy- and tenant-related privileges.
All roles include read access to all configuration settings in the VNMC instance. The difference between the read-only role and other roles is that a user who is assigned only the read-only role cannot modify the system state. A user assigned another role can modify the system state in that user's assigned area or areas.
The system contains the following default user roles:
- aaa: Users have read and write access to users, roles, and AAA configuration, and read access to the rest of the system.
- admin: Users have read and write access to the entire system and have most privileges. However, users cannot create or delete files, or perform system upgrades. These functions can be done only through the default admin account. The default admin account is assigned this role by default, and it cannot be changed.
- network: Users can create organizations, security policies, and device profiles.
- operations: Users can acknowledge faults and perform some basic operations, such as logging configuration.
- read-only: Users have read-only access to system configuration and operational status with no privileges to perform any operations.
Roles can be created, modified to add new or remove existing privileges, or deleted. When a role is modified, the new privileges are applied to all users assigned to that role. Privilege assignment is not restricted to the privileges defined for the default roles. That is, you can use a custom set of privileges to create a unique role. For example, the default Network and Operations roles have different sets of privileges, but a new Network and Operations role can be created that combines the privileges of both roles.
If a role is deleted after it has been assigned to users, it is also deleted from those user accounts.
Privileges
User Privileges
Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and its description.
Privilege Name | Description
---|---
AAA | System security and AAA.
Admin | System administration.
read-only | Read-only access. Read-only cannot be selected as a privilege; it is assigned to every user role.
Resource Configuration | Edge and compute firewall configuration.
Policy Management | Edge and compute firewall policies.
Fault Management | Alarms and alarm policies.
Operations | Logs, core file management, and show tech-support command.
Tenant Management | Create, delete, and modify tenants and organization containers.
Privileges and Role Assignments
The following table lists the privileges assigned to each out-of-box default role.
Default Role Name | Privilege Name
---|---
aaa | aaa
admin | admin
network | policy, res-config, tenant
operations | fault, operations
read-only | read-only
User Locales
Note: Users not assigned to a locale have access to all resources in all organizations. For users assigned to a locale, access is restricted to the objects that reside under the organizations that belong to that locale.
Users with AAA privileges (AAA role) can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization, then a user assigned that locale can assign only the Engineering organization to other users.
Note: AAA privileges must be carefully assigned because they allow a user to manage other users' privileges and role assignments.
You can hierarchically manage organizations. A user who is assigned to a top-level organization has automatic access to all organizations under it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization; however, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
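As an added example (not from the Cisco documentation), the access decision described in the RBAC, User Roles and User Locales sections as Python: a user's privileges are the union of the default role table, a locale is a set of organization names, and access to an organization carries down to every organization beneath it. The organization tree and the users are constructed for illustration.

```python
from dataclasses import dataclass, field
# Default role-to-privilege mapping from the "Privileges and Role Assignments" table;
# read access is implicit in every role, so read-only carries no write privilege.
DEFAULT_ROLES = {
    "aaa": {"aaa"},
    "admin": {"admin"},
    "network": {"policy", "res-config", "tenant"},
    "operations": {"fault", "operations"},
    "read-only": set(),
}

# Constructed organization tree (child -> parent, None = top level) after the page's example.
ORG_PARENT = {
    "Engineering": None,
    "Software Engineering": "Engineering",
    "Hardware Engineering": "Engineering",
    "Finance": None,
}

@dataclass
class User:
    name: str
    roles: set[str]
    locales: list[set[str]] = field(default_factory=list)  # each locale = set of org names

def privileges(user: User) -> set[str]:
    """A user holds the union of the privileges of all assigned roles."""
    return set().union(*(DEFAULT_ROLES[r] for r in user.roles))

def ancestors(org: str) -> set[str]:
    """The organization itself plus every organization above it in the tree."""
    chain = set()
    while org is not None:
        chain.add(org)
        org = ORG_PARENT[org]
    return chain

def in_scope(user: User, org: str) -> bool:
    """No locale means every organization; otherwise the org or an ancestor must be in a locale."""
    if not user.locales:
        return True
    return bool(set().union(*user.locales) & ancestors(org))

def can_write(user: User, privilege: str, org: str) -> bool:
    """Write access needs the privilege (from a role) and the organization (from a locale)."""
    return privilege in privileges(user) and in_scope(user, org)

def can_assign_org(assigner: User, org: str) -> bool:
    """An AAA user may add an organization to another user's locale only within their own scope."""
    return "aaa" in privileges(assigner) and in_scope(assigner, org)
```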
Configuring User Roles
Creating a User Role
Editing a User Role
Step 1 | Choose Administration > Access Control > Roles. |
Step 2 | Select the role you want to edit, then click Edit. |
Step 3 | In the Edit dialog box, check or uncheck the boxes for the privileges you want to add to or remove from the role, then click OK. |
Deleting a User Role
Except for the admin and read-only roles, you can delete user roles that are not appropriate for your environment.
Step 1 | Choose Administration > Access Control > Roles. |
Step 2 | Select the user role you want to delete, then click Delete. |
Step 3 | In the Confirm dialog box, click Yes. |
Configuring User Locales
Creating a Locale
Verify that one or more organizations (tenants) exist; if none exist, create one. For information on creating tenants, see Creating a Tenant.
Step 1 | Choose Administration > Access Control > Locales. |
Step 2 | Click Create Locale. |
Step 3 | In the Create Locale dialog box, complete the following fields, then click OK: |
What to Do Next
Add the locale to one or more user accounts. For more information, see Changing the Locales or Roles Assigned to a Locally Authenticated User.
Editing a Locale
Step 1 | Choose Administration > Access Control > Locales. |
Step 2 | In the list of locales, select the locale you want to edit, then click Edit. |
Step 3 | In the Description field, change the description as appropriate. |
Step 4 | Click Assign Organization. |
Step 5 | In the Assign Organization dialog box: |
Step 6 | Click OK in the open dialog boxes to save your changes. |
Deleting a Locale
Caution: If the locale you want to delete is assigned to any users, first remove the locale from those users' lists of locales.
Step 1 | In the Navigation pane, click the Administration tab. |
Step 2 | In the Navigation pane, click the Access Control subtab. |
Step 3 | In the Navigation pane, click the Locales node. |
Step 4 | In the Work pane, click the locale you want to delete. |
Step 5 | Click Delete. |
Step 6 | In the Confirm dialog box, click Yes. |
Assigning an Organization to a Locale
Step 1 | Choose Administration > Access Control > Locales > locale. |
Step 2 | Click Assign Organization. |
Step 3 | In the Assign Organization dialog box: |
Step 4 | Click OK in the open dialog boxes, then click Save to save the locale. |
Deleting an Organization from a Locale
Step 1 | Choose Administration > Access Control > Locales > locale. |
Step 2 | In the content pane, click the General tab. |
Step 3 | In the Assigned Organizations area, select the organization you want to delete, then click Delete Organization. |
Step 4 | When prompted, confirm the deletion. |
Step 5 | Click Save. |
Configuring Locally Authenticated User Accounts
Creating a User Account
Step 1 | Choose Administration > Access Control > Locally Authenticated Users. |
Step 2 | Click Create Locally Authenticated Users. |
Step 3 | In the Properties area, complete the following fields: |
Step 4 | In the Roles/Locales tab area, complete the following fields: |
Step 5 | In the SSH tab area, complete the following fields: |
Step 6 | Click OK. |
Step 6 | Click OK. |
Changing the Locales or Roles Assigned to a Locally Authenticated User
Step 1 | Choose Administration > Access Control > Locally Authenticated Users > user. |
Step 2 | In the General tab, click the Roles/Locales tab. |
Step 3 | Check or uncheck the appropriate check boxes to assign or remove a locale or role. |
Step 4 | Click Save. |
Changing the Roles Assigned to a Locally Authenticated User Account
Step 1 | In the Navigation pane, click the Administration tab. |
Step 2 | In the Navigation pane, click the Access Control subtab. |
Step 3 | In the Navigation pane, expand the Locally Authenticated Users node. |
Step 4 | Click the User_name you want to modify. |
Step 5 | In the Work pane, click the General tab. |
Step 6 | Click the Roles/Locales tab. |
Step 7 | In the Assigned Role(s) area, do the following: |
Step 8 | Click Save. |
Monitoring User Sessions
You can monitor sessions for both locally and remotely authenticated users.
Step 1 | Choose Administration > Access Control, then choose one of the following: |
Step 2 | Click the Sessions tab to view the user session. |