Create User Accounts and User Groups

When you create a new user or user group, OneClick assigns an Operator license and the OperatorRW privilege role to the new user or user group by default. When you create a new user or group you can choose to assign an Administrator license in addition to the Operator license. When you assign an Administrator license to users or groups, the users automatically inherit all of the privileges associated with both the OperatorRW and the AdministratorRW privilege roles.
To start administering user accounts in OneClick, create users with OneClick default settings. When you create a user or a user group, OneClick assigns an Operator license and the ADMIN security community by default. You can selectively replace the ADMIN security community by modifying users to give them access only to the devices and containers that they manage.
By default, no security is applied to models. To restrict access to a model, add a security string to that model. You can create administrators by adding the ADMIN security string to a universe model and verifying that the appropriate users have access to the ADMIN security community.
Create a new user account or user group using the default privileges that the operator or administrator license provides.
 
Follow these steps:
 
  1. In the Users tab of the Navigation panel, take one of the following steps:
    • Create a stand-alone user.
      Select the top-level Users node and click the Create New User button. The Create User dialog opens.
    • Create a user group.
      Select the top-level Users node and click the Create New User Group button. The Create Group dialog opens.
    • Create a user within a group.
      Select an existing user group in which you want to create a user and click the Create New User button. The Create User dialog opens.
  2. Specify the appropriate user information for the user or user group.
    • Name
      Specifies the user name for the new user or group. For OneClick users that are present in the configured LDAP directory, this name must match the LDAP user logon name of the user.
    • Full Name (Create User only)
      Specifies the full name of the user.
    • Web Password (Create User only)
      Specifies a web password for this user. This password is used by OneClick to authenticate this user. For OneClick users that are present in the configured LDAP directory, this password is not used.
    • Confirm Web Password (Create User only)
      Confirms the web password. Enter the same password again in this field.
  3. In the Licenses tab, select the licenses that you want to assign to this user or group in the appropriate Member Of check box. By default, new users receive an Operator license and the OperatorRW privilege role.
  4. Click the Landscapes tab to configure landscapes for this user or group.
     By default, all available landscapes are selected. In a distributed environment, you can choose additional landscapes in which you want this user to be present. At least one landscape must be selected.
  5. Click the Access tab to edit the default model security setting for this user or group.
    At least one security community, such as the default ADMIN community, must be specified here. By default, the user or user group receives the read/write ADMIN access group, which gives them access to all models.
  6. (Optional) Create additional access groups for the user.
     Models have blank security strings by default. We recommend adding security strings to individual models or containers and using the corresponding security communities to selectively grant user access to models.
  7. Click OK in the Create User or Create Group dialog.
    The new user or group is created and displayed in the Users tab of the Navigation panel.
About Creating, Editing, and Assigning Roles and Privileges
You can individually disable and enable privileges for a user or user group. You can also use roles to grant a set of privileges to a user or user group. You can use the default privilege roles in OneClick, or you can create your own custom privilege roles; however, you cannot edit the default privilege roles themselves. After users are assigned a license category, they can have access privileges provided by the predefined roles.
There are six default roles:
  • AdministratorRW
    (Read/write) Grants privileges required to set up DX NetOps Spectrum and its users, as well as perform all network management tasks. This is the least restrictive role. Some examples include the ability to perform device discovery, model management, topology configuration, eHealth integration management, device certification, and user configuration.
  • AdministratorRO
    (Read-only) Grants privileges required to access DX NetOps Spectrum modeling and attribute information. Some examples include the ability to view SNMP community strings and SNMPv3 security profiles.
  • OperatorRW
    (Read/write) Grants privileges required to perform most typical tasks for network management using DX NetOps Spectrum. Some examples include alarm management tasks, Service Performance Manager tasks, and most Network Configuration Manager tasks.
  • OperatorRO
    (Read-only) Grants privileges that allow the user to monitor network activity and perform limited network management tasks. Some examples include the ability to snooze alarms and to view topology information.
  • Service ManagerRW
    (Read/write) Grants privileges that allow access to the Service dashboard, as well as the ability to edit Service Outages.
  • Service ManagerRO
    (Read-only) Grants privileges that allow access to the Service dashboard.
If these predefined roles do not meet your requirements, you can create custom roles. Although you cannot modify the predefined roles, you can modify individual privileges.
 
Note: When you upgrade to a newer version of DX NetOps Spectrum, any new privileges available in the newer version are automatically added to the appropriate default roles. However, you will need to explicitly add them to any custom roles you may have created, as applicable.
When you edit privileges for an individual user, the changes only affect that user. When you edit the privileges granted by a user group, the changes affect all of the users within that user group. Users within a user group inherit privileges from the group level.
To edit privileges and roles, you modify settings in the Privileges tab and/or the Roles tab for a selected user, as shown in the following image.
In addition to editing individual privileges, you can also grant multiple privileges at one time by assigning a privilege role using the Roles tab, as shown in the following figure.
The default roles included with OneClick and the custom roles that you create are reusable and can be assigned to one or more users. The OperatorRW privilege role automatically grants the privileges provided with the Operator license.
Create and Assign Roles to Users or User Groups
You can create a custom privilege role and then associate it with a user or group. The role has no effect until it is associated with a user account or user group.
You can create a custom privilege role.
 
Follow these steps:
 
  1. Select a user in the Users tab of the Navigation panel.
     To create an Administrator-licensed privilege role, select a user with the Administrator license. To create a privilege role based on the Operator license, select a user with the Operator license.
  2. Click the Access tab in the Contents panel.
    The Privileges and Roles tabs appear in the Component Detail panel.
  3. Click the Roles tab, and click New.
    The Add Privilege Role dialog opens.
  4. Type a descriptive name for the new role in the Name field.
  5. (Optional) Type a full description of this role in the Description field.
  6. Select the appropriate license from the License drop-down list.
    The license chosen here determines the privileges that can be enabled with this role.
  7. Select the privileges you want this role to grant by selecting or clearing the Enabled check boxes.
  8. Click OK.
    The new role appears as an option in the Roles tab of the Component Detail panel. This role is now ready to be used with any user or user group that has the appropriate license.
You can also assign a privilege role. Assigning a privilege role lets you assign an existing role to a user.
 
Follow these steps:
 
  1. Select the user you want to apply the role to in the Users tab of the Navigation panel.
  2. Click the Access tab and select an access group.
    The Privileges and Roles tabs appear in the Component Detail panel.
  3. Click the Roles tab and click the Add/Remove button.
    The Assign Roles dialog opens.
     For users in a group, this step must be done at the group level. Assigning a role at the group level affects all users in the group.
  4. Move the role you want to assign to the Exists in/Create in column using the arrow buttons.
  5. Click OK.
    The role is automatically assigned to the access group selected in Step 2.
Create a Super User
As the OneClick administrator, you can easily grant all possible privileges and access to a user. A super user in DX NetOps Spectrum has all available DX NetOps Spectrum license roles, privileges, and access in OneClick. Because access groups and privilege roles do not apply to super users, the Access tab is disabled when a user designated as super user is selected in OneClick.
When you install DX NetOps Spectrum, the initial DX NetOps Spectrum user that is created is a super user. This initial user (also referred to as the Installation Owner user) remains a super user and must always exist in DX NetOps Spectrum. The existence of this account is verified each time the SpectroSERVER starts. The initial_user_model_name setting in the $SPECROOT/SS/.vnmrc file identifies the initial DX NetOps Spectrum super user. The default password for the initial user is 'spectrum'.
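The following added example (not part of the product documentation) reads initial_user_model_name from .vnmrc so that you can confirm which account is the Installation Owner and check that its password is no longer the default. It assumes the file holds one key=value setting per line; the initial_user function name, the other_setting key, and the netadmin value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: .vnmrc stores one key=value
# setting per line.

# Print the initial_user_model_name value from the .vnmrc file given as $1.
# Returns 1 if the file is unreadable, 2 if the setting is missing or empty.
initial_user() {
    [ -r "$1" ] || return 1
    value=$(awk -F= '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        NF >= 2 {
            key = $1
            gsub(/[ \t]/, "", key)
            if (key == "initial_user_model_name") {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)  # trim surrounding blanks
                print val
                exit
            }
        }' "$1")
    [ -n "$value" ] || return 2
    printf '%s\n' "$value"
}

# Use the real file when SPECROOT is set; otherwise a constructed sample.
if [ -n "${SPECROOT:-}" ]; then
    vnmrc="$SPECROOT/SS/.vnmrc"
else
    vnmrc=$(mktemp)
    printf 'other_setting=1\ninitial_user_model_name = netadmin\n' > "$vnmrc"
fi

if owner=$(initial_user "$vnmrc"); then
    echo "Installation Owner (permanent super user): $owner"
    echo "Confirm that this account no longer uses the default password."
else
    echo "initial_user_model_name could not be read from $vnmrc" >&2
fi

# Remove the constructed sample; never touch the real file.
[ -n "${SPECROOT:-}" ] || rm -f "$vnmrc"
```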
Consider creating an administrator user with user management privileges to manage users. This user is in addition to the user that installed OneClick (the initial user) and can even manage the initial user account. To ensure that a OneClick administrator has all possible privileges, set the value of 'Is Super User' for that administrator (user) to true.
 
Follow these steps:
 
  1. Select a user from the Users List in the Contents panel.
    The Details tab displays information about the user account.
  2. Click set in the 'Is Super User' field, and select Yes from the list.
  3. Press Enter.
    The user account is now a super user.
Manage User Access with LDAP Configuration
For environments where LDAP is used for authentication, you can allow or restrict local logins from OneClick users who are not present in the LDAP directory. For example, non-LDAP users, such as non-employees who provide support, training, or troubleshooting with no access to LDAP, require log-in access to OneClick.
 Super users with passwords set in OneClick can log in locally, regardless of this setting.
 
Follow these steps:
 
  1. Select the user or user group to edit in the Users tab of the Navigation panel.
  2. Navigate to the Details tab of the Component Detail panel for that user or user group.
  3. Expand the LDAP Configuration subview.
  4. Set the 'Allow User to Log In if either the LDAP Password is Invalid or the User does not exist in LDAP' option to Yes.
     For security reasons, we recommend saving the LDAP user password to the DX NetOps Spectrum database. If the option to 'Allow User to Log In if either the LDAP Password is Invalid or the User does not exist in LDAP' is enabled, you can use the LDAP password for user authentication against the DX NetOps Spectrum database.
     Non-LDAP users can log in to OneClick even when they are not present in the designated LDAP directory. Setting this option to No prevents the user from logging in without an LDAP account.
 If LDAP is configured to search for User by Pattern and no match is found during lookup, your attempt to log in fails. In such cases, verify that LDAP is configured to authenticate User by Search.
Change Details Displayed for a User or User Group
You can modify user or group attributes from the Component Detail panel.
 
Follow these steps:
 
  1. Select the user or user group to edit in the Users tab of the Navigation panel.
  2. Navigate to the Details tab of the Component Detail panel for that user or group.
  3. Use the 'set' link to edit attributes such as the password and security string of an existing user or group.
Change the Licenses of a User or Group
The default settings for a new user account include an Operator license that offers operator privileges. To perform administrative tasks such as user management, discovery, and modeling in OneClick, users must have administrator privileges. The default Operator license does not provide any administrative privileges.
 
Example:
 A user group of operators in a Network Operations Center (NOC staff group) with OperatorRW must also be able to see the modeling information in the Component Detail panel.
 
Solution:
 Users in the NOC staff group cannot access the modeling information as this privilege is included in the Administrator license only. To give them access to modeling information, add the Administrator license to this group.
The Administrator license provides the privileges required to perform the following OneClick administrative tasks:
  • User Management
  • Collection Management
  • Discovery
  • Topology Editing
  • Pipe Management
  • Create and Destroy Models
  • Search Management
If you are configuring a user account that requires administrator privileges, you must assign the account an Administrator license. You do this by clicking the Add/Remove button in the License tab of the Component Detail panel, shown in the following figure.
When a user logs in, that user consumes assigned licenses from the pool of available licenses. For example, when a user with both Operator and Administrator licenses logs in, one of each license is used.
You can change the licenses that are assigned to a user or to a user group.
 
Follow these steps:
 
  1. Select the user or user group in the Users tab of the Navigation panel.
  2. Click the Licenses tab of the Component Detail panel.
  3. Click the Add/Remove button to select licenses for this user or group.
Change the Landscapes for a User
In a distributed DX NetOps Spectrum environment, you can change the landscape membership of users and groups. Use the Landscapes tab of the Component Detail panel. A distributed environment has multiple SpectroSERVERs, each with its own DX NetOps Spectrum landscape. For a OneClick user to have access to an additional DX NetOps Spectrum landscape, the user must be a member of that landscape.
The following image displays the Landscapes tab for a fictitious admin-west user. This tab displays the state and name of each known DX NetOps Spectrum landscape. The check marks in the Member Of column indicate landscapes in which the user is present.
 
Tips
 
  • You cannot edit membership in landscapes that are in the “down” state.
  • We recommend changing user group landscape membership while the group contains no users. Add users to the group once the empty user group is a member of the desired landscapes.
 
Follow these steps:
 
  1. Click the Landscapes tab of the Component Detail panel.
  2. Click the Add/Remove button.
  3. Choose the landscapes where you want this user or group to be present.
  4. Click OK.
Change Individual Privileges for a User or User Group
User and user group privileges can be added and removed individually.
 
Follow these steps:
 
  1. Navigate to the Access tab of the Contents panel for the selected user.
  2. Select the access group whose privileges you want to modify.
  3. Navigate to the Privileges tab of the Component Detail panel for the selected access group.
  4. Click the Add/Remove button.
  5. Enable or disable the privileges that you want for this access group by selecting or clearing the Enabled check box.