3.2.2.1.5. Security
In the Security section, we can create administrator users, that is to say, we will manage those users who will have access to the OpenNAC Enterprise Administration Portal.
The Security section is divided in Admin users, Roles, and Local users.
3.2.2.1.5.1. Admin users
In the Admin Users section you can create different users and configure parameters such as email, role, phone, etc. The Password expiration date column shown in this view is derived from the expiration setting previously configured in the Configuration > Configuration vars section.

3.2.2.1.5.1.1. Creating a new admin user
To create a new admin user, click on the Create new button. It will display the following window:

These users can be created on different user data sources and you can assign them different roles. These roles are used to manage access to the OpenNAC Enterprise Administration Portal, so that each user can have different permissions when navigating through the different sections of the Portal. The following section will provide details about roles.
Warning
All passwords must comply with the following password policy:
Password length: minimum 8 characters.
One or more lowercase characters.
One or more uppercase characters.
One or more numbers.
One or more special characters.
It cannot be the user’s name.
It cannot be a car license plate.
None of the last 3 passwords used can be reused.
3.2.2.1.5.2. Roles
From the Roles section you can generate console profiles (roles) and associate them with the web console users. This functionality allows administrators to provide different console views for particular uses by customizing the console access and the permissions granted to a particular user.
If a user with a specific role is switched to another role, they will automatically be logged out so that their permissions are renewed. The next time the user logs in, the permissions of the newly assigned role will apply.

In this view we can see the default roles with basic permissions:
administrator: A privileged role from where we will be able to perform all types of actions in the administration portal.
otpmanager: This role will only have access to manage functions related to the OTP such as regenerate OTP, send emails with the OTP, configure its TTL, etc.
readonly: This role does not have permissions to create, add, modify or delete any object in the administration portal, so it will only be able to read the objects that are already created.
audit: Role with permissions to audit logs. This role will be able to check all the different logs in the administration portal related to the different functionalities of the solution.
operator: Role with permissions to operate on the different menus but with a privilege level lower than an administrator. In this case, we will not be able to make modifications to database users, import new objects, etc.
UserDeviceViewer: Role with permissions to operate on (visualize) User Devices within the ON CMDB.
Note
We can modify all the permissions of the different roles, except for the administrator role, to adapt them according to the convenience of each environment.
3.2.2.1.5.2.1. Creating a new role
To create a custom role, click on Create new. It will display the following window.

Define the role name and its description and configure the permissions for that role. Click on Confirm to save this configuration.
Administrators can manage the permissions of new roles by assigning minimum permissions through ACLs and selecting the appropriate permissions for each menu option. They can also enable or disable views and menus on the Administration Portal and manage the ACLs for the different sections.
3.2.2.1.5.3. Local users
The local users section can display two types of users: Provisioned local users and Autogenerated local users.

In the Provisioned local users section you can register local users; their information will be stored in the OpenNAC Enterprise database.
3.2.2.1.5.3.1. Local users configuration
Within the local users toolbar, you will find the search field, the visualization options (view all users, provisioned users, or autogenerated users), the import and export data buttons, and the local users configuration button.

By clicking on the local users configuration button, it will display the following window:

Here you can define the password lifetime, the email template, and the custom properties to use when creating a provisioned user.
3.2.2.1.5.3.2. Creating a provisioned user
To create a new user, click on the Create provisioned user button. It will display the following window:

General
Identity: Enter the user ID.
Name: Enter the user name.
Mail: Enter the user email.
Send password by email: Flag to enable sending the password by email.
Password: Define a password following our password policy.
Warning
Remember! All passwords must comply with the following password policy:
Password length: minimum 8 characters.
One or more lowercase characters.
One or more uppercase characters.
One or more numbers.
One or more special characters.
It cannot be the user’s name.
It cannot be a car license plate.
None of the last 3 passwords used can be reused.
Autogenerate password: Flag to enable autogenerating the password.
Phone: Associate a phone number to this user.
TTL
Define the TTL (Time To Live) of this provisioned user. If you enable the Forever flag, it will never expire.
Custom properties
You can add more properties to the user within these fields. Define the name of the property (this will be the variable name stored in the database) and the value to associate with the new property.
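The password policy quoted in the two Warning boxes above (for admin users and for provisioned local users) can be expressed as a single validator. The following is an added example, not OpenNAC Enterprise code: the portal's real implementation is not on this page, the licence-plate formats checked are an assumption (the page does not define them), and the password history is modelled as a list of salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
import re

# Assumption: the page does not say which plate formats are rejected, so this
# checks two common Spanish layouts (4 digits + 3 letters, and letters-digits-letters).
PLATE_PATTERNS = [
    re.compile(r"^\d{4}[A-Z]{3}$", re.IGNORECASE),
    re.compile(r"^[A-Z]{1,2}\d{4}[A-Z]{1,2}$", re.IGNORECASE),
]
HISTORY_DEPTH = 3  # "none of the last 3 passwords used can be reused"


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256 stands in for whatever the product actually stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def check_password(password: str, username: str, history: list) -> list:
    """Return the list of violated policy rules; an empty list means accepted.

    history: (salt, hash) tuples of previously used passwords, newest first.
    """
    violations = []
    if len(password) < 8:
        violations.append("length")
    if not re.search(r"[a-z]", password):
        violations.append("lowercase")
    if not re.search(r"[A-Z]", password):
        violations.append("uppercase")
    if not re.search(r"\d", password):
        violations.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("special")
    if password.lower() == username.lower():
        violations.append("username")
    # Plates are often typed with spaces or hyphens; strip them before matching.
    compact = re.sub(r"[\s-]", "", password)
    if any(p.match(compact) for p in PLATE_PATTERNS):
        violations.append("license_plate")
    for salt, old_hash in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_pw_hash(password, salt), old_hash):
            violations.append("reused")
            break
    return violations


def remember_password(password: str, history: list) -> list:
    """Put the accepted password's salted hash first, keeping only the last 3."""
    salt = os.urandom(16)
    return [(salt, _pw_hash(password, salt))] + history[:HISTORY_DEPTH - 1]
```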

You can expand the information about each local user by clicking on the arrow located at the beginning of each local user row. Also, the three-dot icon located at the end of the row gives you the option to quickly edit, delete, or send a password to a specific user.