Identity and Access Management is an important part of network and data security for any organization. It helps you ensure compliance with policies, password management and acts as a means to administer access control to users.
The AD Authentication feature in OpManager helps you with just this. It allows you to authenticate users from within OpManager without using an external third-party identity management tool. It allows you to grant or revoke access and security restrictions for users, and to provide role-based access control for accessing OpManager within your organization.
If you have a Windows domain, you can make Active Directory's password policy work for you. Users log in to OpManager using their domain login name and password. This greatly reduces the risk of someone else using your password to access the OpManager web interface, which not only improves security but also makes it easier for users to log in and create accounts. You can define a scope for users (AD groups, remote offices, or all users), restricting their access based on their roles.
With the increase in software applications, each with their own authentication and password complexity levels, this feature also saves you the trouble of having to remember way too many passwords.
You can create domains and users manually in OpManager with the AD Authentication and User Management features.
To add a domain:
1. Go to Settings → General Settings → User Management → AD Authentication → Add Domain.
2. Enter the Domain Name and the Domain Controller name in the respective fields.
3. If you are on build 125111 or above, LDAPS authentication is mandatory when you add a new domain, to ensure secure communication with the domain controllers. Click the 'Import Certificate' button and select your domain controller's certificate to add it to OpManager.
To learn how to export a certificate from your domain controller, check out these articles:
4. Auto Login* is disabled by default.
5. Save the Settings.
6. Once the domain is added, you can manually add users in the Users tab.
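The following script is an added example for the certificate step above; it is not from the OpManager documentation or from ManageEngine. Run it in an elevated Windows PowerShell 5.1 session on the domain controller: it locates the certificate the DC can present for LDAPS (a valid certificate with a private key, the Server Authentication EKU and the DC's FQDN in its subject or SAN) and exports only the public certificate, DER encoded, for import into OpManager. The output path and the selection rule (most recently expiring valid certificate) are assumptions; adjust them if your DC has several server certificates.

```powershell
# Added example, not OpManager's own code. Run on the domain controller as Administrator.
# Assumptions: Windows PowerShell 5.1 (for the EnhancedKeyUsageList / DnsNameList
# properties of the Cert: provider); the LDAPS certificate is in LocalMachine\My.

$dcFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$outFile = Join-Path $env:USERPROFILE "Desktop\$dcFqdn-ldaps.cer"   # constructed output path

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
        ($_.Subject -like "*CN=$dcFqdn*" -or $_.DnsNameList.Unicode -contains $dcFqdn)
    } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    Write-Error "No valid Server Authentication certificate for $dcFqdn found in LocalMachine\My."
    return
}

# Assumption: with several valid certificates, take the one expiring last.
$ldapsCert = $candidates | Select-Object -First 1
$ldapsCert | Format-List Subject, Issuer, Thumbprint, NotAfter

# Export the public certificate only (no private key), DER encoded.
Export-Certificate -Cert $ldapsCert -FilePath $outFile -Type CERT | Out-Null
Write-Host "Exported LDAPS certificate to $outFile"
```

Before importing, compare the printed thumbprint with the one shown by your DC's certificate console, and import the issuing CA's certificate instead if you rotate DC certificates often, so the OpManager trust does not break at each renewal.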
The auto-login feature allows you to add all/individual users or selected AD groups to any domain, and assign user permissions to them.
1. Select Add/Edit under Actions for the domain you want to configure.
2. Select the Enable Auto Login check box.
By enabling auto-login, the scope defined for the selected domain is auto-assigned to users logging in for the first time. If auto-login is not enabled, the users must be added manually.
3. Configuring Auto-login for
4. Once you enable Auto-login, select the Users and User Permissions for the domain, edit the Time zone if required, and click Next.
5. To configure Scope,
Monitor - You can provide this user access to either All Devices or only Selected Business Views. If All Devices is selected, the user will have access to all the devices in the OpManager module. If Selected Business Views is selected, you can give access to all business views with the 'Select All' option, and to business views without a title with the 'Untitled' option.
6. Save the settings.
Once you create a domain and assign users, you can edit the configurations as required any time. You can add or delete AD users/groups, edit the user permissions, and also edit the scope settings.
To add AD groups:
Click on the 'Plus' icon next to the domain of your choice to add new AD groups to it.
To edit timezone:
Select Edit under Actions for the domain you want to edit, change the timezone as per your requirement, and click 'Save'.
To edit/delete AD groups:
1. Click on the arrow mark next to the name of your domain to display all AD groups under it.
2. Click on the 'Edit' icon next to the group you wish to edit, select the Users and User Permissions for the domain, and click Next.
3. To edit a particular user/group in a domain, select Edit under Actions for the domain you want to edit.
4. User Permissions for the AD groups can be edited by selecting either Read Only (Operator User) or Full Control (Administrator User).
5. To configure Scope,
Monitor - You can provide this user access to either All Devices or only Selected Business Views. If All Devices is selected, the user will have access to all the devices of NetFlow, NCM, and Firewall. If Selected Business Views is selected, you can give access to all business views with the 'Select All' option, and to business views without a title with the 'Untitled' option.
6. Save the settings.
7. To delete a group, just click on the 'Delete' icon next to it.
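Because an AD group mapped to Full Control makes every member (including members of nested groups) an OpManager administrator, the group itself becomes part of OpManager's access control and should be reviewed. The script below is an added example, not from the OpManager documentation: run it with the RSAT ActiveDirectory module from a domain-joined machine to list everyone who inherits Full Control through the mapped groups and to flag disabled accounts and stale passwords. The group name 'OpManager-Admins' and the 180-day threshold are placeholders for your own mapping.

```powershell
# Added example, not OpManager's own code. Requires the ActiveDirectory module (RSAT).
# Assumptions: 'OpManager-Admins' is a placeholder for the AD group(s) you mapped to
# Full Control in OpManager; the password-age threshold is a constructed value.

Import-Module ActiveDirectory

$fullControlGroups  = @('OpManager-Admins')   # placeholder group names
$maxPasswordAgeDays = 180                     # constructed review threshold

$report = foreach ($group in $fullControlGroups) {
    # -Recursive expands nested groups, so indirect administrators are included.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate |
        ForEach-Object {
            $cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
                LastLogonDate   = $_.LastLogonDate
                Finding         = $(
                    if (-not $_.Enabled) { 'Disabled account still in group' }
                    elseif (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) { 'Password older than threshold' }
                    else { '' }
                )
            }
        }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Nested groups extend Full Control silently; list them so their owners are known.
foreach ($group in $fullControlGroups) {
    Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Write-Host "Nested group granting Full Control via ${group}: $($_.Name)" }
}
```

Run the report after each change to the AD group mappings in OpManager; any row with a non-empty Finding is a membership that should be removed from the group or justified.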
For AD Authentication, we support on-premises AD with LDAP query access to the domain controller in the network.