Authentication Options and Adding User Accounts
AAA
The AAA UI group contains the user interfaces relating to the creation and editing of users, user permissions, authentication and security. The first thing that should be done as an Administrator after the initial install is complete is to change the default Administrator password to a more secure password.
Users
There are three user accounts in Unified Assurance by default; Administrator, Operator and the API User. The difference between the three users is that the Administrator user has full read and write access to every element of Unified Assurance, whereas the Operator user has read-only access. The API User has access to most areas of the application to allow external applications to interact with Unified Assurance without requiring a login, with the exception of the Delete permission.
The button bar allows for various actions to be done for user accounts.
-
Similar to editing a user, clicking on the Add button will open a blank form User (New) to the right of the grid. Filling in the form and clicking Submit will add the new user to the system.
-
Selecting a user and clicking on the Clone button will create a cloned copy of that user. Making changes in the form and clicking Submit will add the cloned user to the system.
-
Selecting a user and clicking on the Delete button will remove that user account from the system.
Change the password
-
Navigate to the Users UI, and select the Administrator user.
-
Clicking on the Administrator user will open the User (Edit) form to the right of the grid for editing that particular user account.
-
In the password fields, enter your new administrator password and re-enter to confirm.
-
The Unified Assurance Support Account section of the form can be used to link your Unified Assurance user to your support account. This may be needed for future functionality.
-
Click Submit to save the changes.
Roles
The permissions of a user group are set from the Roles interface.
Permissions for a user group can be customized for each individual user interface in Unified Assurance. For example, a user may have full create/read/update and delete access to every events interface, read-only access to the dashboard interface, and be denied access to the Broker Scheduled Jobs and Services interfaces.
-
Navigate to the Roles UI, and select the Administrator role.
-
The Role(Edit) form will open to the right of the grid.
-
In the form, under Permissions, in the Selected section, notice that the Administrator role has full create, read, update, delete and execute access enabled for every Unified Assurance interface.
-
Now select the Operator role. The Role(Edit) form will open for the operator role.
-
Once again, under Permissions, in the Selected section, notice that the Operator role has full read access enabled for every interface, with update and execute access for a small number of select interfaces only.
Click Add to add a new role, or click Clone to clone an existing role. Once cloned you can edit the copy.
User Groups
Users can be organized into groups from the User Groups interface.
-
Navigate to the User Groups UI and click on the Administrators user group.
-
Note the layout of the form. Each User Group allows for multiple users to be assigned security restrictions under one simple administration element. Individual groups can be assigned different permissions based on their role in the system, their specific customer devices, or their default dashboard view.
-
The Properties section of the form allows for restrictions to be made on that group of users as to which device groups, event filter groups, dashboard groups, etc. that they have access to.
-
The Preferences section of the form allows for specific preferences to be made for a group of users, such as the default navigation interface to open when a user logs in, the refresh rate of the UI, the default time zone, etc.
- The lock icons are clickable, and can be toggled by an administrator to lock the preferences, preventing users from making changes.
-
The Users section of the form shows the list of users available, and the list of users selected for the group. After selecting a user (or users), use the arrow buttons to add or remove users from the group.
Authentication
Authentication Types is the configuration interface for the authentication options within Unified Assurance. You can configure Unified Assurance to use the following different methods for the authentication of users:
-
Internal - Used for backup accounts and environments without external authentication.
-
RADIUS - Used for RADIUS integration.
-
Active Directory - Used for Microsoft Active Directory integration.
-
LDAP - Used for OpenLDAP integration.
-
SAML - Used for SAML integration.
Note:
By default, internal authentication is always active.
Creating a User, User Group and Role
-
Navigate to the Roles UI.
-
Click on the Operator role and click Clone in the top-left of the window to clone the role. This will open the Role (New) form with the Operator role details in the form fields.
-
Change the following form fields to the following values (the other fields can be left as is):
-
Role Name: Example Role
-
Description: Example Role for demonstration purposes
-
In the Selected section, tick the Create and Update checkboxes for Jobs.
-
-
Click Submit to save the new Role.
-
Navigate to the User Groups UI.
-
Click the Operators user group and click Clone in the top-left of the window to clone the user group. This will open the User Group (New) form to the right of the grid, with the Operators user group details in the form fields.
-
Change the following form fields to the following values (the other fields can be left as is):
-
User Group Name: Example Group
-
Role: Example Role
-
-
Click Submit to save the new User Group.
-
Navigate to the Users UI.
-
Click the Add button in the top-left of the window to add a new user. This will open the User (New) form to the right of the grid.
-
Change the following form fields in the form (the other fields can be left as is):
-
Username: Example
-
Full Name: Example User
-
Password/Repeat Password: Password of your choosing
-
User Group Name: Example Group
-
Status: Enabled
-
-
Click Submit to save the new User.
-
Log out of the Unified Assurance UI, and log back in using the new Example user credentials.
-
Notice that upon login, the Links navigation pane is open to the left by default.
-
Navigate to Configuration -> AAA and click on any of the user interfaces.
-
Notice that the Add, Clone and Delete buttons are missing from the UI, because the Example user has read-only access.
-
Navigate to Configuration -> Broker Control and look at the UI pages. You will notice that the Licensing page is not visible, as the Example user has no permission to access it.
-
Open the Jobs UI. Note that the Add and Clone buttons are visible, as the Example user has read, write and update permission for this page.
-
Log out of the Unified Assurance UI and log back in as the Admin user once again.
Configuring User Access
This section will cover the general steps for configuring Users to access the software. The process assumes that Unified Assurance has been newly installed.
Dependencies
-
If external authentication is to be utilized for user accounts, the following information needs to be available for each authentication method supported:
-
RADIUS
-
Primary/secondary server IP Address or DNS name
-
RADIUS port
-
RADIUS server secret password
-
-
Active Directory
-
Primary/secondary server IP Address or DNS name
-
Domain suffix
-
CA certificate if utilizing a secure connection
-
-
LDAP
-
Primary/secondary server IP Address or DNS name
-
Distinguished Name
-
CA certificate if utilizing LDAPs
-
-
SAML
-
SAML IDP Entity ID lnk
-
Single SignOn service link
-
Single Logout service link
-
IDP certificate data
-
-
-
User account names need to be captured if external authentication is to be utilized. The User Name in Unified Assurance must match the entry in the external authentication source.
-
Define the initial User Groups to be established and identify what the User Group should be able to access within the software.
Configuring Users
-
Navigate to the Authentication Types and edit the authentication entry with information gathered on the authentication type to be utilized. If using external authentication, set the Status to Enabled before submitting the changes.
-
Navigate to the Roles and add the required Roles.
-
Navigate to User Groups and add the required User Groups.
-
Navigate to the Users and add User accounts. If utilizing an external authentication method for the Authentication Type, the Password fields will not be available. Set the Status to Enabled before submitting the changes to activate the account.
-
Test a User account by logging out of the Unified Assurance UI and logging in as one of the newly created User accounts.
AAA Properties and Preferences
AAA Properties, Preferences, and Inheritance allow a wide variety of customization surrounding the user experience in Unified Assurance. From multitenancy to time zone settings, this article details the properties and preferences available to the user and how they can be utilized in Unified Assurance.
Properties
Users
User Properties are additional settings applicable to the user.
| User Group Properties | Description |
|---|---|
| Reset Question | Reserved for Future Use |
User Groups
User Group Properties are for customizing the viewing and multi-tenant restrictions for users within the user group. If a setting is not set, the user will have unrestricted view of items in the particular section. Useful for multitenancy views for customer users so they can only see devices or data pertinent to them.
| User Group Properties | Description |
|---|---|
| RestrictiveDashboardGroupID | Restricts dashboard navigation to only Adhoc dashboards and dashboards within the specified Dashboard Group and any sub groups |
| RestrictiveDeviceGroupID | Restricts device navigation and device-related data viewing to only devices within the specified Device Group and any sub groups |
| RestrictiveDiagramGroupID | Restricts diagram navigation to only those within the specified Diagram Group and any sub groups |
| RestrictiveEventMenuID | Restricts context menu selection when configuring and using event list tools to only those in the specified Menu and any sub menus |
| RestrictiveFilterGroupID | Restricts event filter navigation to only private and those within the specified Filter Group and any sub groups |
| RestrictiveLinkGroupID | Restricts link navigation to only links within the specified Link Group and any sub groups |
| RestrictiveTopologyMenuID | Restricts context menu selection when configuring and using topology tools to only those in the specified Menu and any sub menus |
Preferences
Preferences are a set of common settings between both user and their parent user group surrounding user experience and how the Unified Assurance GUI is used. Users will inherit preference settings from their parent user group, but these defaults can be overridden on a per-user basis. Administrators can also lock preferences to prevent overriding by the user and to create a more unified environment for the users in that group.
The following are the available preferences for both users and user groups:
| Preferences | Description | Default |
|---|---|---|
| DefaultDisplayID | Default display used when showing the event list | Default |
| DefaultLink | Link to use as the landing page after initial login | |
| DefaultLocale | Locale settings when displaying numbers, dates, etc | en_US |
| DefaultTheme | Theme directory containing CSS and icon resources | light |
| DefaultTimeZone | Timezone when displaying dates and times from database | CST6CDT |
| EventListPageSize | Default pagination setting for event lists | 100 |
| EventListRefreshRate | How often in seconds to refresh open event lists | 60 |
| MaxPageSize | Custom maximum selection for pagination | |
| MaxPauseTime | How long in seconds after the event list is paused for the pause button to begin flashing | 300 |
| PageSize | Default pagination setting for grid views | 1000 |
| RefreshRate | How often in seconds to refresh open dashboards | 60 |
| UILoadTimeout | Custom timeout for page requests in seconds |