Securing access through user roles
This topic describes how to secure access through user roles.
Roles are used to define user access rights. Users can be assigned to one or more roles where rights are aggregated.
A role has a set of system rights and network rights. System rights are rights that are not related to managing specific network devices. Network rights grant access to realms (when more than one realm has been defined) and specify the rights for each realm.
System and network rights intersect in the areas listed in the following table:
Intersection of system and network rights
To add a user or a role, you must have system rights to do so. To then add a user or a role associated with a particular realm (through the role's network rights), you must have the right to add a network for that realm.
To understand how system and network rights intersect, the following examples focus on jobs.
Access the application server
You can control login access to the TrueSight Network Automation application server through the GUI, Web Services, and the SSH Proxy individually by using roles. A user can log on to the application server through a given interface only when the corresponding system right is assigned to the user through a role:
- Login Using GUI
- Login Using Web Services
- Login Using SSH Proxy
Access jobs (View)
When the system right Access Jobs and the network right Access Associated Jobs are enabled, the user can view jobs. However, the user can view only jobs that contain at least one associated action for a network span to which the user has access.
Job add, approve, delete, edit and terminate rights
The system rights determine whether a user can add, approve, delete, edit and terminate jobs. The network rights determine which job actions can be included in a job and for which realms.
Examples:
- A user can approve a job when the user has the system right Approve Jobs and the network rights to all actions and the associated network span (that is, the realm) in the job.
- A user can delete a job when the user has the system right Delete Jobs and the network rights to all actions and the associated network span (that is, the realm) in the job.
- A user can edit a job when the user has the system right Edit Jobs and the network rights to all actions and the associated network span (that is, the realm) in the job.
- A user can terminate a job when the user has the system right Terminate Jobs and the network rights to all actions and the associated network span (that is, the realm) in the job.
The rights that are checked for actions within jobs are controlled not only by the network right Run Associated Action and the access right for the network span involved, but also potentially by the access right for the script (for example, Template1) involved. For instance, say User1, belonging to Role1, has drafted a job involving an action to Deploy to Active Template1 on Device1 in Realm1. User2, belonging to Role2, navigates to the Jobs list page and wants to edit the job. User2 is able to do so only if Role2 grants the network right Run Associated Deploy to Active Action in Realm1, the network right to access devices in Realm1, and the system right or access list right to access Template1. If Template1 contains sensitive data (for example, a password), Role2 must also have the system right Access Sensitive Data to view that sensitive data.
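The following Python model is an added illustration, not code from the product or its documentation. It encodes the checks this section describes: rights are aggregated across a user's roles, an operation on a job requires the operation's system right, and every action in the job additionally requires the Run Associated action right and realm access in the action's realm, access to the template the action uses, and Access Sensitive Data when that template holds sensitive data. It also models the Full Rights setting covering every realm, including realms created later. The class and function names (Role, Action, Job, can_operate_on_job) and the use of right names as plain strings are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example modelling the job rights checks described in the text.
# Role/Action/Job and the helper functions are hypothetical names chosen
# for this illustration, not the product's own API.


class _Everything:
    """Membership test that always succeeds: models the Full Rights setting."""
    def __contains__(self, item):
        return True


ALL_NETWORK_RIGHTS = _Everything()


@dataclass
class Role:
    name: str
    system_rights: set
    network_rights: dict = field(default_factory=dict)  # realm -> set of network rights
    full_network_rights: bool = False                    # the Full Rights network setting


@dataclass
class Action:
    kind: str                         # e.g. "Deploy to Active"
    realm: str                        # realm of the network span the action targets
    template: Optional[str] = None    # script/template the action uses, if any
    template_has_sensitive_data: bool = False


@dataclass
class Job:
    actions: list


def effective_rights(roles):
    """Rights are aggregated (unioned) across every role the user belongs to."""
    system, network, full = set(), {}, False
    for role in roles:
        system |= role.system_rights
        full = full or role.full_network_rights
        for realm, rights in role.network_rights.items():
            network.setdefault(realm, set()).update(rights)
    return system, network, full


def realm_rights(network, full, realm):
    """Full Rights covers all realms, including realms created later."""
    return ALL_NETWORK_RIGHTS if full else network.get(realm, set())


def can_operate_on_job(roles, job, system_right, accessible_templates=frozenset()):
    """True when the user holds the operation's system right AND, for every
    action in the job, the network rights needed in that action's realm."""
    system, network, full = effective_rights(roles)
    if system_right not in system:
        return False
    for action in job.actions:
        rights = realm_rights(network, full, action.realm)
        if "Access Associated Realms" not in rights:          # access to devices in the realm
            return False
        if f"Run Associated {action.kind} Action" not in rights:
            return False
        if action.template is not None:
            # system right to access templates, or an access-list right on this template
            if "Access Templates" not in system and action.template not in accessible_templates:
                return False
            if action.template_has_sensitive_data and "Access Sensitive Data" not in system:
                return False
    return True


def demo():
    """Walk through the User2/Role2 scenario from the text with constructed data."""
    job = Job([Action("Deploy to Active", "Realm1", template="Template1",
                      template_has_sensitive_data=True)])
    role2 = Role("Role2", {"Edit Jobs", "Access Templates"},
                 {"Realm1": {"Access Associated Realms"}})
    results = [can_operate_on_job([role2], job, "Edit Jobs")]          # False: no Run Associated right
    role2.network_rights["Realm1"].add("Run Associated Deploy to Active Action")
    results.append(can_operate_on_job([role2], job, "Edit Jobs"))      # False: sensitive template
    role2.system_rights.add("Access Sensitive Data")
    results.append(can_operate_on_job([role2], job, "Edit Jobs"))      # True
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through fails twice before it succeeds, which is the point of the intersection: holding the Edit Jobs system right is necessary but never sufficient on its own.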
Editing users
The following rules apply to editing users:
- If the Add Users system right is enabled, the user can add users and associate them only with roles that have no system rights.
- If the Add Associated Users network right and the Add Users system right are enabled, the user can add users and associate them with roles that either have no network rights, or have network rights in the realm(s) where the add right is enabled.
- If the Edit Users With No Network Rights system right is enabled, the user can edit users who are associated only with roles that have no network rights.
- If the Delete Users With No Network Rights system right is enabled, the user can delete users who are associated only with roles that have no network rights.
- If the Edit Associated Users network right is enabled for a realm, the user can edit users associated with roles that have network rights on that realm. The user must have the edit network right in each realm that the target user can access.
- If the Delete Associated Users network right is enabled for a realm, the user can delete users associated with roles that have network rights on that realm. The user must have the delete network right in each realm that the target user can access.
- If the Allow Rights Promotion right is enabled, the user can associate a new or edited user with any role. When the Allow Rights Promotion right is disabled, the user can associate a new or edited user only with roles to which he belongs.
- If the Unlock Users right is enabled, the users associated with the roles that have this right can unlock other users.
Editing roles
The following rules apply to editing roles:
- If the Add Roles system right is enabled, the user can add roles that grant system rights.
- If the Add Associated Roles network right and the Add Roles system right are enabled, the user can add roles that grant system rights and/or grant network rights in the realm(s) where the add right is enabled.
- If the Edit Roles With No Network Rights system right is enabled, the user can edit roles that grant no network rights (that is, grant only system rights).
- If the Delete Roles With No Network Rights system right is enabled, the user can delete roles that grant no network rights.
- If the Edit Associated Roles network right is enabled for a realm, the user can edit roles that grant network rights on that realm. The user must have the edit network right in each realm the target role can access.
- If the Delete Associated Roles network right is enabled for a realm, the user can delete roles that grant network rights on that realm. The user must have the Delete Network right in each realm the target role can access.
- If the Allow Rights Promotion system right is enabled, the user can grant and revoke any system right and any network right. When the user lacks Allow Rights Promotion, he can grant and revoke only rights he possesses (via roles he belongs to and custom ACLs for those roles), and can change ACLs only in roles he belongs to.
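The following Python model is an added illustration, not the product's code, covering the Allow Rights Promotion rules from both the user-editing and the role-editing lists above: an editor without that right may associate a user only with roles the editor belongs to, may edit a role only when holding Edit Roles With No Network Rights (for roles without network rights) or Edit Associated Roles in every realm the role reaches, and may grant or revoke only rights the editor already possesses. The dict-based role record and the function names are assumptions of the example; custom ACLs for the editor's roles are folded into the role record rather than modelled separately.

```python
# Added example modelling the Allow Rights Promotion rules for editing users
# and roles described in the text. Function names and the dict-based role
# representation are hypothetical, not the product's own API.


def role(name, system=(), network=None):
    """Constructed role record: system rights plus realm -> network rights."""
    return {"name": name, "system": set(system),
            "network": {realm: set(rights) for realm, rights in (network or {}).items()}}


def union_rights(roles):
    """Aggregate the editor's rights across all roles they belong to."""
    system, network = set(), {}
    for r in roles:
        system |= r["system"]
        for realm, rights in r["network"].items():
            network.setdefault(realm, set()).update(rights)
    return system, network


def may_assign_role(editor_roles, target_role):
    """Editing users: without Allow Rights Promotion the editor may associate a
    user only with roles the editor belongs to."""
    system, _ = union_rights(editor_roles)
    if "Allow Rights Promotion" in system:
        return True
    return any(r["name"] == target_role["name"] for r in editor_roles)


def may_edit_role(editor_roles, target_role):
    """Editing roles: a role with no network rights needs Edit Roles With No
    Network Rights; otherwise Edit Associated Roles is needed in every realm
    the target role can access."""
    system, network = union_rights(editor_roles)
    target_realms = [realm for realm, rights in target_role["network"].items() if rights]
    if not target_realms:
        return "Edit Roles With No Network Rights" in system
    return all("Edit Associated Roles" in network.get(realm, set()) for realm in target_realms)


def may_change_role(editor_roles, before, after):
    """Without Allow Rights Promotion the editor may grant or revoke only rights
    they possess. Every right that differs between the old and new definition
    is a grant or a revoke and is checked against the editor's own rights."""
    if not may_edit_role(editor_roles, before):
        return False
    system, network = union_rights(editor_roles)
    if "Allow Rights Promotion" in system:
        return True
    if not (before["system"] ^ after["system"]) <= system:
        return False
    for realm in set(before["network"]) | set(after["network"]):
        changed = before["network"].get(realm, set()) ^ after["network"].get(realm, set())
        if not changed <= network.get(realm, set()):
            return False
    return True


def demo():
    """Constructed scenario: an operator tries to escalate a Viewer role."""
    operator = role("Operator", {"Edit Roles With No Network Rights", "Access Jobs"},
                    {"Realm1": {"Access Associated Realms"}})
    viewer = role("Viewer", {"Access Jobs"})
    escalated = role("Viewer", {"Access Jobs", "Approve Jobs"})   # grants a right the editor lacks
    same_level = role("Viewer", {"Access Jobs", "Edit Roles With No Network Rights"})
    return (
        may_change_role([operator], viewer, escalated),   # False
        may_change_role([operator], viewer, same_level),  # True
        may_assign_role([operator], viewer),              # False: operator is not in Viewer
        may_assign_role([operator], operator),            # True
    )


if __name__ == "__main__":
    print(demo())
```

Comparing the symmetric difference of the old and new rights against the editor's own rights treats a revoke the same as a grant, which matches the text's "grant and revoke only rights he possesses".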
Template and rule set access
To access templates and rule sets, you must enable system rights Access Templates and Access Rule Sets.
When access control lists (ACLs) are enabled under Admin > System Parameters, the ACL rights supersede the Add, Delete, and Edit system rights for templates and rule sets. See Managing system parameters.
Realm access
When the network rights for a user are set to Full Rights, the user has access to all realms and all network rights. System rights apply independently of network rights.
The Full Rights network right grants all network rights in all realms that exist and all realms that are created in the future. This means that when a new realm is added in the future, users in this role automatically have all rights granted in that realm.
With Full Rights, the user can select Entire Network in the Network Span selector for conditions, configuration profiled dynamic fields, device security profiles, and rule sets. In reports, however, the Entire Network option is always presented regardless of the user's network rights, but there it means the portion of the network that is accessible to the user.
Span and action access
When creating a job or a policy, you are restricted by your network rights and, when enabled, static group rights as to which actions you can choose and which spans you can run those actions on.
When static group access control lists are disabled, the network rights for your role or roles determine your action access rights.
When static group access control lists are enabled, the following rules apply:
To access any span (realm, group, or device), you must have the Network Tab > Spans Menu > Access Associated Realms network right for the realm.
Then, to execute a particular action on that span:
If a device belongs to multiple static groups, it must have the right granted in at least one group (not in every group). Denying access in one group but granting access in another results in granting access.
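As an added example (not the product's code), the following Python function evaluates span and action access the way this section describes it: realm access through Access Associated Realms is always required first; with static group ACLs disabled the role's network rights alone decide; with them enabled, a grant in any one of the device's static groups is sufficient and a deny in another group does not override it. The function name, the `(allowed, reason)` return shape, and the layout of the device and ACL records are assumptions of the example.

```python
# Added example modelling span and action access with static group ACLs as
# described in the text. Function names and data layout are hypothetical;
# this is not the product's own code.


def can_run_action_on_device(network_rights, device, group_acls, action,
                             static_group_acls_enabled=True):
    """Return (allowed, reason).

    network_rights: realm -> set of network rights the user's roles grant.
    device:         {"realm": realm name, "groups": [static group names]}
    group_acls:     group -> {action name: True (granted) / False (denied)}
                    as configured for the user's role.
    """
    realm_rights = network_rights.get(device["realm"], set())

    # Step 1 (always): reaching any span in a realm needs Access Associated Realms.
    if "Access Associated Realms" not in realm_rights:
        return False, "no Access Associated Realms right in " + device["realm"]

    # With static group ACLs disabled, the role's network rights alone decide.
    if not static_group_acls_enabled:
        allowed = f"Run Associated {action} Action" in realm_rights
        return allowed, "decided by network rights only"

    # Step 2: a grant in ANY of the device's static groups is sufficient; a deny
    # in one group does not override a grant in another.
    granting = [g for g in device["groups"] if group_acls.get(g, {}).get(action) is True]
    if granting:
        return True, "granted through static group(s): " + ", ".join(granting)
    return False, "no static group grants " + action


def demo():
    """Constructed data: group Core denies Deploy to Active, group Lab grants it."""
    rights = {"Realm1": {"Access Associated Realms"}}
    acls = {"Core": {"Deploy to Active": False}, "Lab": {"Deploy to Active": True}}
    in_both = {"realm": "Realm1", "groups": ["Core", "Lab"]}
    core_only = {"realm": "Realm1", "groups": ["Core"]}
    other_realm = {"realm": "Realm2", "groups": ["Lab"]}
    return [
        can_run_action_on_device(rights, in_both, acls, "Deploy to Active")[0],      # True: Lab grants
        can_run_action_on_device(rights, core_only, acls, "Deploy to Active")[0],    # False: only a deny
        can_run_action_on_device(rights, other_realm, acls, "Deploy to Active")[0],  # False: no realm access
    ]


if __name__ == "__main__":
    print(demo())
```

The `in_both` case is the one to keep in mind when reviewing static group ACLs: because group membership is evaluated with "any grant wins", a deny placed on one group offers no protection for a device that also belongs to a group where the action is granted.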
Root Role and Root User
Network Automation has a factory-installed administrator role that is categorized by Network Automation as the Root Role. The Root Role cannot be deleted from Network Automation. This role is assigned full system rights and network rights and this cannot be changed, so be very careful which users are assigned the Root Role.
Network Automation has a factory-installed system administrator user that is categorized by Network Automation as the Root User. If the system is running with local authentication, the user is called sysadmin; otherwise the name of the user is specified during installation. You cannot change the name of this user or delete the user from Network Automation. The Root User is assigned the Root Role and this cannot be changed, so be very careful about who has access to the Root User account.