Associating user rights with a group


When the administrator has enabled static group access control under Admin > System Parameters, you can restrict which users are allowed to perform span actions on a group and its member devices. The restrictions can cover span actions, Telnet or SSH sessions, endpoint actions, custom actions, and external script actions.

Restrictions on action rights affect the following:

  • Which actions users can add to jobs, predefined jobs, and policies
  • Which realms, groups, and devices users are allowed to choose from when adding or editing an action

When group access control is enabled, a user can select a particular network span only if the user has been granted:

  • for a realm, auto-group, or combo group — role-level network right to run the action on the realm and right to run the action on every member device.
  • for a static group with a default ACL — role-level network right to run the action on the realm and right to run the action on every member device.
  • for a static group with a custom ACL — group ACL right to run the action in the group's custom ACL.
  • for a device that belongs to no static groups — role-level network right to run the action on the realm.
  • for a device that belongs to one or more static groups — role-level network right to run the action (when the owning static group has a default ACL) or group ACL right to run the action in the group's custom ACL (when the owning static group has a custom ACL).
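
The selection rules above, modelled as a small Python check (an added example, not the product's own code or API). The Role, StaticGroup and Inventory structures and the sample realm, devices and rights are constructed. The sketch evaluates one role at a time, applies the realm rule only to realms (auto-groups and combo groups follow the same rule), and assumes that a device in several static groups needs the right from each of them, which the page does not specify.

```python
# Added illustration with a hypothetical data model; not the product's API.
from collections import namedtuple

Role = namedtuple("Role", "name network_rights")  # network_rights: realm -> set of actions
Inventory = namedtuple("Inventory", "device_realm static_groups")  # device -> realm; name -> group
# custom_acl: role name -> set of actions; a role absent from it uses Default Rights
StaticGroup = namedtuple("StaticGroup", "realm devices custom_acl")

def role_right(role, realm, action):
    return action in role.network_rights.get(realm, set())

def group_right(role, group, action):
    # Custom Rights override the role's network rights; Default Rights defer to them.
    if role.name in group.custom_acl:
        return action in group.custom_acl[role.name]
    return role_right(role, group.realm, action)

def device_allowed(role, device, action, inv):
    owners = [g for g in inv.static_groups.values() if device in g.devices]
    if not owners:
        return role_right(role, inv.device_realm[device], action)
    # Assumption: with several owning groups, every one of them must allow the action.
    return all(group_right(role, g, action) for g in owners)

def span_allowed(role, kind, name, action, inv):
    if kind == "device":
        return device_allowed(role, name, action, inv)
    if kind == "static_group":
        group = inv.static_groups[name]
        if role.name in group.custom_acl:  # custom ACL: the group ACL alone decides
            return action in group.custom_acl[role.name]
        realm, members = group.realm, group.devices
    elif kind == "realm":
        realm, members = name, [d for d, r in inv.device_realm.items() if r == name]
    else:
        raise ValueError(f"unknown span kind: {kind}")
    # Realm or default-ACL static group: realm right plus the right on every member.
    return role_right(role, realm, action) and all(
        device_allowed(role, d, action, inv) for d in members)

# Constructed sample data: "core" has Custom Rights for both roles, "edge" uses Default Rights.
INV = Inventory(
    device_realm={"r1": "lab", "r2": "lab", "r3": "lab"},
    static_groups={
        "core": StaticGroup("lab", {"r1"}, {"operator": {"snapshot"}, "auditor": {"snapshot"}}),
        "edge": StaticGroup("lab", {"r2"}, {}),
    })
OPERATOR = Role("operator", {"lab": {"deploy", "snapshot"}})
AUDITOR = Role("auditor", {})
```

In the sample, one custom ACL on "core" that omits deploy is enough to make the whole "lab" realm unselectable for deploy by the operator role, while the auditor role, with no network rights at all, can still run snapshot on r1 through the same custom ACL.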

Do the following to set up user rights for a group:

  1. Log on to the application server as an administrator.
  2. Open the Edit System Parameters page by navigating to Admin > System Parameters.

  3. Select the Enable Static Group Access Control Lists parameter.
  4. Click Save.
     The fine-grained access control capabilities are enabled.
  5. On the Network tab, select Spans > Groups.
  6. Click Add to add a new group, or select Edit.
  7. Select the Access Control tab, as shown in the following figure. You must have the Manage Group Rights system right to access this tab.

    [Figure: Access Control tab (AddGroupAccessControl.png)]
  8. The Role menu lists all roles except the Reporting system related roles and the root role. For each role:
    • Select Default Rights to apply the network rights from the user's role(s) to this group. That is, all users who belong to the selected role will be allowed access to this group based on network rights in this role for the realm the group belongs to.
    • Select Custom Rights to grant specific rights that override the role's network rights for this group. As shown in the figure, you can expand the hierarchy of rights to select fine-grained access control. Checking a right grants it. A right may be dimmed, so that it cannot be checked or unchecked, when you do not have the right yourself and are not allowed to grant it to others.
  9. Click Save.

 
