Managing Users and Access Control

(Difference between revisions)
Revision as of 00:56, 2 May 2006
Daniels (Talk | contribs)

Revision as of 01:20, 2 May 2006
Daniels (Talk | contribs)

Line 1: Line 1:
-Users must be registered to Sentinel3G, or belong to a group that is registered,+Users must be registered to Sentinel3G, or belong to a group that is registered, for them to have access to the console and to the Sentinel3G configuration menus.
-for them to have access to the console and to the Sentinel3G configuration+ 
-menus.+Adding an existing system group such as Sysadmin or Operators or a COSmanager role such as Manager or Admin as a Sentinel3G ‘user’ is a useful way to set up group-based notification.
-Adding an existing system group such as Sysadmin or Operators or a COSmanager+ 
-role such as Manager or Admin as a Sentinel3G ‘user’ is a useful way+Roles determine the menu options open to the user. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.
-to set up group-based notification.+ 
-Roles determine the menu options open to the user. Several predefined roles are+This chapter explains how to add users and groups to Sentinel3G and how to maintain the list of roles.
-supplied, but you may wish to add new roles to reflect your organization’s management+ 
-structure, job titles and security policy.+== User Roles and Access Capabilities ==
-This chapter explains how to add users and groups to Sentinel3G and how to+Sentinel3G users are each assigned one or more roles, both personally and through the system group they belong to. Each role maps to one or more access capabilities, which determine the menu options open to the user. A role may be nested, so that it inherits the capabilities belonging to another role. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.
-maintain the list of roles.+ 
-158 Managing Users and Access Control+
-User Roles and Access Capabilities+
-Sentinel3G users are each assigned one or more roles, both personally and+
-through the system group they belong to. Each role maps to one or more access+
-capabilities, which determine the menu options open to the user. A role may be+
-nested, so that it inherits the capabilities belonging to another role. Several predefined+
-roles are supplied, but you may wish to add new roles to reflect your organization’s+
-management structure, job titles and security policy.+
This table shows the default capabilities assigned to each of the predefined roles. This table shows the default capabilities assigned to each of the predefined roles.
-Capabilities are cumulative. This means that users who are registered to+ 
-Sentinel3G and whose group is also registered to Sentinel3G receive both+{| border="1" cellpadding="3" cellspacing="0"
-sets of access capabilities.+|-
-What each capability does+|<strong>Role</strong>
-Role acknowledge action disable display maintain+|<strong>acknowledge</strong>
-Manager 􀀹􀀹􀀹􀀹􀀹+|<strong>action</strong>
-Admin 􀀹􀀹􀀹􀀹+|<strong>disable</strong>
-SeniorOp 􀀹􀀹􀀹􀀹+|<strong>display</strong>
-Operator 􀀹􀀹􀀹􀀹+|<strong>maintain</strong>
-User 􀀹+|-
-acknowledge Acknowledge a sentry’s request to escalate from one state to another+|Manager
-action Run an action associated with a sentry+|􀀹
-disable Disable or enable sentries+|􀀹
-display Read only access to Sentinel3G configuration tables+|􀀹
-maintain Modify tables unconditionally. Initially restricted to Manager role+|􀀹
-Managing Users and Access Control 159+|􀀹
-Maintaining Sentinel3G Users+|-
 +|Admin
 +|􀀹
 +|􀀹
 +|􀀹
 +|􀀹
 +|
 +|-
 +|SeniorOp
 +|􀀹
 +|􀀹
 +|􀀹
 +|􀀹
 +|
 +|-
 +|Operator
 +|􀀹
 +|􀀹
 +|􀀹
 +|􀀹
 +|
 +|-
 +|User
 +|
 +|
 +|
 +|􀀹
 +|
 +|}
 +Capabilities are cumulative. This means that users who are registered to Sentinel3G and whose group is also registered to Sentinel3G receive both sets of access capabilities.
 + 
 +=== What each capability does ===
 +;acknowledge: Acknowledge a sentry’s request to escalate from one state to another
 +;action: Run an action associated with a sentry
 +;disable: Disable or enable sentries
 +;display: Read only access to Sentinel3G configuration tables
 +;maintain: Modify tables unconditionally. Initially restricted to Manager role
 + 
 +== Maintaining Sentinel3G Users ==
This section shows you how to add users to Sentinel3G, and how to change the This section shows you how to add users to Sentinel3G, and how to change the
roles assigned to them. An existing system group or a COSmanager role can also be roles assigned to them. An existing system group or a COSmanager role can also be
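Review bot: In the added capability table (the rows from Manager to User), every granted cell still holds the unrenderable private-use glyph carried over from the removed lines, so the rendered table shows no readable tick; replace it with a visible mark such as ✓ or the word yes. The header row is written as ordinary cells wrapping <strong>; wiki header cells (lines starting with !) would mark Role, acknowledge, action, disable, display and maintain as headers. The two trailing context lines under == Maintaining Sentinel3G Users == are still hard-wrapped, unlike the paragraphs this change unwrapped.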

Revision as of 01:20, 2 May 2006

Users must be registered to Sentinel3G, or belong to a group that is registered, for them to have access to the console and to the Sentinel3G configuration menus.

Adding an existing system group such as Sysadmin or Operators or a COSmanager role such as Manager or Admin as a Sentinel3G ‘user’ is a useful way to set up group-based notification.

Roles determine the menu options open to the user. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.

This chapter explains how to add users and groups to Sentinel3G and how to maintain the list of roles.

User Roles and Access Capabilities

Sentinel3G users are each assigned one or more roles, both personally and through the system group they belong to. Each role maps to one or more access capabilities, which determine the menu options open to the user. A role may be nested, so that it inherits the capabilities belonging to another role. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.

This table shows the default capabilities assigned to each of the predefined roles.

Role      acknowledge  action  disable  display  maintain
Manager   ✓            ✓       ✓        ✓        ✓
Admin     ✓            ✓       ✓        ✓        -
SeniorOp  ✓            ✓       ✓        ✓        -
Operator  ✓            ✓       ✓        ✓        -
User      -            -       -        ✓        -

Capabilities are cumulative. This means that users who are registered to Sentinel3G and whose group is also registered to Sentinel3G receive both sets of access capabilities.

What each capability does

acknowledge: Acknowledge a sentry’s request to escalate from one state to another
action: Run an action associated with a sentry
disable: Disable or enable sentries
display: Read only access to Sentinel3G configuration tables
maintain: Modify tables unconditionally. Initially restricted to Manager role

Maintaining Sentinel3G Users

This section shows you how to add users to Sentinel3G, and how to change the roles assigned to them. An existing system group or a COSmanager role can also be added as a Sentinel3G ‘user’ to set up group-based notification, for example to make sure the Sysadmin group is notified when certain services go down.

Note: Changes made to a user’s security profile don’t come into effect until the next time the user invokes Sentinel3G.

To Add a Sentinel3G User or Group

1. From the console, select Configure > Global tables.
2. From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
3. Select Maintain > Add. The ‘Add COSmanager users/groups’ window is displayed.
4. Enter these fields:
   User/group: Enter the name of a user or group, or click to choose from the entries in /etc/passwd and /etc/group on this host. Group names must be prefixed by @.
   Role: Click to choose one or more roles to assign to this user or group. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host.
   Comment: Enter an optional comment.
   Notify via: Select a default method for notifying this user of alerts.
   Address: If the notification method requires an address or identifier, enter it here. Example: For notification by email, enter a personal or workgroup e-mail address. In the case of e-mail notification to a group, you may wish to create a mail alias that is expanded by the e-mail system to deliver messages to all members of the group.
5. Click Accept to save this user and exit.

To Assign a Different Role or Notification Address to a User

You can assign a different role or notification address to an individual user or to all users in a system group.

1. From the console, select Configure > Global tables.
2. From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
3. Select the user, then click Maintain > Change.
4. The Roles field shows the roles currently assigned to this user. Click to change the list. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host. Ctrl-click a role to add it to the selection list, or Ctrl-click a highlighted role to remove it from the selection.
5. Click Accept to return to the Change Sentinel roles and access form.
6. In the Notify via field select a method for notifying users of alerts.
7. If the notification method requires an Address or identifier, enter it here. Example: For notification by email, enter a personal or workgroup e-mail address.
8. Click Accept to save the new capabilities for this role and exit. These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not.
9. Click Accept to save this user and exit.

Maintaining Access Roles

To view the current Sentinel3G role structure:

1. From the console, select Host view, then select a host.
2. Select Configure > Host monitor. The ‘All Sentries’ window is displayed.
3. Select Tables > Roles. The ‘Sentinel roles and access capabilities’ window is displayed.

In this setup, the User role has a single capability, display. The Operator role inherits the display capability from the User role and also has the capabilities display, action and acknowledge. You can change the capabilities assigned to an existing role, or assign capabilities to a new role you have just defined.

To Add a New Role

1. From the ‘Sentinel roles and access capabilities’ window, select Maintain > Add. Alternatively, if the new role will have similar capabilities to an existing role, you can use Maintain > Clone to add the new role based on the attributes of the existing role.
2. Enter a name for the role, relating to the responsibility of the users who will be assigned to it, e.g. ShiftSuper, Training.
3. Click to choose from the list of other roles and capabilities to assign to this new role.
4. Enter a description.
5. Click Accept to save this role and exit.

To Change the Access Capabilities Assigned to a Role

Example: the SeniorOp and Operator roles currently have the same set of capabilities (SeniorOp inherits all of its capabilities from the Operator role). You wish the disable capability to be available to users with the SeniorOp role.

First, remove disable capability from the Operator role.

1. From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change.

[Figure 38. Example: choose ‘display’ capability plus the Operator role]

2. The Capabilities field shows the capabilities currently assigned to the Operator role. Click to change the list.
3. Ctrl-click the disable row to remove it from the selection.
4. Click Accept to save the changed capabilities for this role and exit to the ‘Sentinel roles and access capabilities’ window.

Next, disable capability must be assigned explicitly to the SeniorOp role.

5. From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change.

[Figure 39. Example: changing the roles assigned to SeniorOp role]

6. Click next to the Capabilities field. The Operator role is the only row currently selected.
7. Ctrl-click the disable row to add it to the selection.

[Figure 40. Example: adding ‘display’ to the selected roles/capabilities]

8. Click Accept to return to the ‘Change Sentinel roles and access’ form.
9. Click Accept to save the new capabilities for this role and exit.

These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not.

To Assign a Notification Address to a COSmanager Role

If you specify a notification method and address for a COSmanager role, then you can choose to send messages about Sentinel3G alerts to users with that role. For example, if a particular event requires a configuration change in Sentinel3G, you could choose to send notification messages to users with the Manager role.

1. From the console, select Configure > Global tables.
2. From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
3. Select Maintain > Access roles. The ‘Global access roles’ table is displayed.
4. Select a role then click Maintain > Change. The ‘Change global access roles’ form is displayed.
5. In the Notify via field select a method for notifying users of alerts.
6. If the notification method requires an Address or identifier, enter it here. Example: For notification by email, enter a workgroup e-mail address that is shared by users who have this role.
7. Click Accept to save the new notification details for this role and exit
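
The role model described on this page (nested roles, capabilities that accumulate across a user's own registration and their group's) and the Operator/SeniorOp change above can be checked with a small resolver. This is an added example, not Sentinel3G code: the data structures, the function names, and the users alice, bob, carol and group @nightshift are constructed for illustration.

```python
CAPABILITIES = {"acknowledge", "action", "disable", "display", "maintain"}

def expand(role, roles, path=()):
    """Return the capabilities a role grants, following nested roles."""
    if role in path:
        raise ValueError("role cycle: " + " -> ".join(path + (role,)))
    caps = set()
    for entry in roles[role]:
        if entry in CAPABILITIES:
            caps.add(entry)
        else:  # entry names another role: inherit whatever it grants
            caps |= expand(entry, roles, path + (role,))
    return caps

def effective(user, groups, registrations, roles):
    """Cumulative rule: union of the user's roles and each registered group's."""
    caps = set()
    for principal in [user] + ["@" + g for g in groups]:
        for role in registrations.get(principal, ()):
            caps |= expand(role, roles)
    return caps

def who_can(cap, members, registrations, roles):
    """Users in the constructed members map who hold cap by any route."""
    return sorted(u for u, groups in members.items()
                  if cap in effective(u, groups, registrations, roles))

def apply_page_change(roles):
    """Move disable from Operator to SeniorOp, as in the page's example."""
    changed = {name: set(entries) for name, entries in roles.items()}
    changed["Operator"].discard("disable")
    changed["SeniorOp"].add("disable")
    return changed

# Roles as the page describes them; Manager's nesting is not stated, so it is listed directly.
ROLES = {
    "User": {"display"},
    "Operator": {"User", "acknowledge", "action", "disable"},
    "SeniorOp": {"Operator"},
    "Manager": {"acknowledge", "action", "disable", "display", "maintain"},
}
# Constructed sample data: group entries carry the @ prefix used in the Users table.
REGISTRATIONS = {"alice": ["Operator"], "bob": ["User"], "@nightshift": ["SeniorOp"]}
MEMBERS = {"alice": ["nightshift"], "bob": [], "carol": ["nightshift"]}

if __name__ == "__main__":
    after = apply_page_change(ROLES)
    print(sorted(expand("Operator", after)))
    print(who_can("disable", MEMBERS, REGISTRATIONS, after))
```

In the sample data alice is registered personally as Operator only, yet she keeps disable after the change because her group is registered as SeniorOp. Listing effective capabilities per user, rather than per role, is what shows this.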