Role-based User Access Control


Overview

Network Configuration Manager handles the sensitive configuration files of devices. In a multi-member work environment, it becomes necessary to restrict access to this sensitive information, and fine-grained access restrictions are critical for the secure usage of the product. Network Configuration Manager provides role-based access control (RBAC) to achieve this.

Network Configuration Manager comes with two pre-defined access levels:

Access Level (Role) and Definition:

  • Administrator: Has all privileges to access, edit and push configuration of all devices. Only an administrator can add devices to the inventory, add users, assign roles and assign devices. In addition, an administrator can approve or reject requests pertaining to configuration upload (pushing configuration) by operators.

  • Operator: Has privileges to access and edit configuration of specified devices. Can send requests for configuration upload (pushing configuration) to Administrators/Power Users.


This section explains how to create users and assign roles to them.

 

User Management

User management operations such as adding new users and assigning them roles, editing existing users and deleting users can be performed only by Administrators. The other three types of users do not have this privilege.

Administrators can create as many users as required and define appropriate roles for each user. From Admin >> General Settings >> User Management, administrators can:

  1. View all the existing users
  2. Create new users
  3. Change the access level, device list of existing users
  4. Delete an existing user

 

To view the existing list of users

  • Go to Settings >> User Management. The list of users is displayed with their respective login names, access levels and email IDs.

 

Note: The default login name and password for a fresh Network Configuration Manager installation are 'admin' and 'admin' respectively. The default email ID is configured as admin@manageengine.com. After logging in to Network Configuration Manager, change the email ID for the admin user. Otherwise, when you invoke 'Forgot Password', the email will be sent to admin@manageengine.com.

 

Adding New Users

 

To Add New Users

  1. Go to Settings >> User Management. Click "Add"

  2. Provide the user's email ID. This email ID is used by the 'Forgot Password' feature to send the password to the user. When invoking the 'Forgot Password' link in the login UI of Network Configuration Manager, the user has to provide the username and the email ID. Network Configuration Manager then resets the user's password and mails it to the user's email ID

  3. Enter the password; the password should be at least 6 characters long

  4. Confirm the new password

  5. If you wish to send an account creation notification (with login information) to the user, select the checkbox

  6. Define the "Access Level" (role) for the new user: Administrator or Operator. Users in the "Administrator" category have unlimited privileges and access over all functionalities of Network Configuration Manager

  7. Assign the list of devices to be managed by the user. Select the desired devices and assign them to the user (when you create a user with the access level 'Administrator', device assignment does not apply, as administrators have the privilege to access all devices)

  8. For users with the role 'Operator', designate 'Approving Authorities', that is, the user(s) who can review the configuration changes made by the Operator. When the operator requests approval for a configuration change, email notifications are sent to all the approving authorities designated here. However, all users with the role 'Administrator' have the permission to approve the changes whether they are designated as approving authorities or not; they receive the email notification only if they are designated as an approving authority in this list

  9. Click "Save". The new user account is created

 

To Edit existing Users

  1. Go to Settings >> User Management

  2. In the UI that opens, click on the respective username

  3. Change the access level and device list of the user as desired and click "Save"

 

To Delete existing Users

  1. Go to Settings >> User Management

  2. In the UI that opens, click the delete icon against the respective username. The user is removed from Network Configuration Manager permanently

 

Privileges for Configuration and other Operations

The following table explains the privileges associated with each access level for performing various device configuration operations:

 

Table columns: Access Level; Configuration & Other Operations; Device Addition; Upload (Pushing configuration into the device); Authority for approving various requests; Compliance; Admin Operations; User Management.

Administrator: (create, associate compliance policies)

Operator: (only for authorized devices, subject to approval by administrator / Power User)

 

Approving Configuration Upload Requests

Only Administrators have the absolute privilege to perform all configuration operations. Other users in the hierarchy have restricted privileges.

Any operation that involves pushing configuration into the device (upload) requires the approval of Administrators. When operators perform any such upload operation, a request is filed for approval by the Administrators or designated Power Users. An email notification regarding the request is also sent to the designated Administrators. The request is evaluated by the Administrators, who have the privilege to approve or reject it. If the request is approved, the upload operation requested by the user gets executed.

To approve/reject a request,

  • Click on the "Change Management" tab from the UI
  • Click "Pending requests". All requests pending approval are listed, with details such as the type of request, the name of the user who made the request and the requested time
  • Click a request to list all details pertaining to that particular request. You can view the proposed configuration change. Click "Approve" or "Reject" after providing your comment for the decision

[Operators can view the status of their request by following the above procedure].

 

Note:

  1. When Administrators approve an upload that is scheduled to be executed at periodic intervals, the behaviour is as follows:

    Once approved, the upload schedule will not be sent for re-approval during the subsequent executions. For example, consider a schedule created by an operator to upload configuration at a periodic interval of one hour. In this case, the schedule is submitted for approval only once. If the administrator approves it, it gets executed every hour. From the second execution onwards, it is not sent for approval each time.

  2. If the Administrator rejects an upload request based on a Schedule, the respective request is deleted from the database.
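
The approval rules from this section and from step 8 of "To Add New Users", as an added Python sketch for reasoning about who can approve, who is notified and what a one-time schedule approval authorizes. It is not ManageEngine code: the class, function, user and device names are hypothetical, and only the two documented roles are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str                                      # "Administrator" or "Operator"
    devices: set = field(default_factory=set)      # devices assigned to an Operator
    approvers: list = field(default_factory=list)  # designated approving authorities

@dataclass
class UploadRequest:
    requester: User
    device: str
    scheduled: bool = False
    status: str = "pending"

class ChangeQueue:
    """Hypothetical model of the upload approval rules described on this page."""
    def __init__(self):
        self.pending = []

    def submit(self, operator, device, scheduled=False):
        if device not in operator.devices:         # operators: assigned devices only
            raise PermissionError(f"{operator.name} is not assigned {device}")
        req = UploadRequest(operator, device, scheduled)
        self.pending.append(req)
        return req, [a.name for a in operator.approvers]  # only these are e-mailed

    def decide(self, approver, req, approve):
        if approver.role != "Administrator":       # designation is not required
            raise PermissionError("only Administrators approve or reject")
        self.pending.remove(req)
        # A rejected request based on a schedule is deleted rather than kept.
        req.status = "approved" if approve else ("deleted" if req.scheduled else "rejected")

    def run(self, req):
        # Approval is checked, never re-requested: an approved schedule keeps running.
        return req.status == "approved"

def demo():
    alice, bob = User("alice", "Administrator"), User("bob", "Administrator")
    op = User("op1", "Operator", {"core-sw1"}, [alice])
    q = ChangeQueue()
    req, mailed = q.submit(op, "core-sw1", scheduled=True)
    blocked = q.run(req)                           # False: still pending
    q.decide(bob, req, approve=True)               # bob was never designated
    return mailed, blocked, [q.run(req) for _ in range(3)]
```

In the demo, only alice is e-mailed, bob approves without ever seeing a notification, and the single approval covers every later hourly run.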

 


 
