Managing Users and Access Control
This page was last modified 07:12, 24 May 2017.From Documentation
(Difference between revisions)
| Revision as of 01:20, 2 May 2006 Daniels (Talk | contribs) ← Previous diff |
Current revision Mike (Talk | contribs) (→Maintaining Sentinel3G Users) |
||
| Line 12: | Line 12: | ||
| This table shows the default capabilities assigned to each of the predefined roles. | This table shows the default capabilities assigned to each of the predefined roles. | ||
| - | {| border="1" cellpadding="3" cellspacing="0" | + | {| border="1" cellpadding="3" cellspacing="0" style="text-align: center;" |
| |- | |- | ||
| |<strong>Role</strong> | |<strong>Role</strong> | ||
| Line 22: | Line 22: | ||
| |- | |- | ||
| |Manager | |Manager | ||
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| |- | |- | ||
| |Admin | |Admin | ||
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| | | | | ||
| |- | |- | ||
| |SeniorOp | |SeniorOp | ||
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| | | | | ||
| |- | |- | ||
| |Operator | |Operator | ||
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| - | | | + | |✓ |
| | | | | ||
| |- | |- | ||
| Line 53: | Line 53: | ||
| | | | | ||
| | | | | ||
| - | | | + | |✓ |
| | | | | ||
| |} | |} | ||
| Line 66: | Line 66: | ||
| == Maintaining Sentinel3G Users == | == Maintaining Sentinel3G Users == | ||
| - | This section shows you how to add users to Sentinel3G, and how to change the | + | This section shows you how to add users to Sentinel3G, and how to change the roles assigned to them. An existing system group or a COSmanager role can also be added as a Sentinel3G ‘user’ to set up group-based notification, for example to make sure the Sysadmin group is notified when certain services go down. |
| - | roles assigned to them. An existing system group or a COSmanager role can also be | + | |
| - | added as a Sentinel3G ‘user’ to set up group-based notification, for example to | + | <strong>Note</strong>: Changes made to a user’s security profile don’t come into effect until the next time the user invokes Sentinel3G. |
| - | make sure the Sysadmin group is notified when certain services go down. | + | |
| - | Note Changes made to a user’s security profile don’t come into effect until | + | === To Add a Sentinel3G User or Group === |
| - | the next time the user invokes Sentinel3G. | + | #From the console, select Configure > Global tables. |
| - | To Add a Sentinel3G User or Group | + | #From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed. |
| - | 1. From the console, select Configure > Global tables. | + | #Select Maintain > Add. The ‘Add COSmanager users/groups’ window is displayed. |
| - | 2. From the ‘COSmanager global configuration’ menu, select Users. The | + | #Enter these fields: |
| - | ‘COSmanager users/groups’ window is displayed. | + | #;User/group: Enter the name of a user or group, or click to choose from the entries in /etc/password and /etc/group on this host. |
| - | 3. Select Maintain > Add. The ‘Add COSmanager users/groups’ window | + | #:Group names must be prefixed by @. |
| - | is displayed. | + | #;Role: Click to choose one or more roles to assign to this user or group. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host. |
| - | 4. Enter these fields: | + | #;Comment: Enter an optional comment. |
| - | User/group Enter the name of a user or group, or click to choose from the | + | #;Notify via: Select a default method for notifying this user of alerts. |
| - | entries in /etc/password and /etc/group on this host. | + | #;Address: If the notification method requires an address or identifier, enter it here. Example: For notification by email, enter a personal or workgroup e-mail address. In the case of e-mail notification to a group, you may wish to create a mail alias that is expanded by the e-mail system to delivered messages to all members of the group. |
| - | Group names must be prefixed by @. | + | #Click Accept to save this user and exit. |
| - | 160 Managing Users and Access Control | + | |
| - | Role Click to choose one or more roles to assign to this user or | + | === To Assign a Different Role or Notification Address to a User === |
| - | group. Roles prefixed by SEN: are specific to Sentinel3G | + | You can assign a different role or notification address to an individual user or to all users in a system group. |
| - | menus. The other roles control access to COSmanager | + | #From the console, select Configure > Global tables. |
| - | configuration menus and any other COSmanager products that | + | #From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed. |
| - | may be installed on this host. | + | #Select the user, then click Maintain > Change. |
| - | Comment Enter an optional comment. | + | #The Roles field shows the roles currently assigned to this user. Click to change the list. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host. |
| - | Notify via Select a default method for notifying this user of alerts. | + | #:Ctrl-click a role to add it to the selection list, or Ctrl-click a highlighted role to remove it from the selection. |
| - | Address If the notification method requires an address or identifier, enter it | + | #Click Accept to return to the Change Sentinel roles and access form. |
| - | here. Example: For notification by email, enter a personal or | + | #In the Notify via field select a method for notifying users of alerts. |
| - | workgroup e-mail address. In the case of e-mail notification to a | + | #If the notification method requires an Address or identifier, enter it here. |
| - | group, you may wish to create a mail alias that is expanded by the | + | #:Example: For notification by email, enter a personal or workgroup e-mail address. |
| - | e-mail system to delivered messages to all members of the group. | + | #Click Accept to save the new capabilities for this role and exit. These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not. |
| - | 5. Click Accept to save this user and exit. | + | #Click Accept to save this user and exit. |
| - | To Assign a Different Role or Notification Address to a User | + | |
| - | You can assign a different role or notification address to an individual user or to all | + | == Maintaining Access Roles == |
| - | users in a system group. | + | |
| - | 1. From the console, select Configure > Global tables. | + | |
| - | 2. From the ‘COSmanager global configuration’ menu, select Users. The | + | |
| - | ‘COSmanager users/groups’ window is displayed. | + | |
| - | 3. Select the user, then click Maintain > Change. | + | |
| - | 4. The Roles field shows the roles currently assigned to this user. Click to | + | |
| - | change the list. Roles prefixed by SEN: are specific to Sentinel3G | + | |
| - | menus. The other roles control access to COSmanager configuration menus | + | |
| - | and any other COSmanager products that may be installed on this host. | + | |
| - | Ctrl-click a role to add it to the selection list, or Ctrl-click a highlighted role | + | |
| - | to remove it from the selection. | + | |
| - | 5. Click Accept to return to the Change Sentinel roles and | + | |
| - | access form. | + | |
| - | 6. In the Notify via field select a method for notifying users of alerts. | + | |
| - | 7. If the notification method requires an Address or identifier, enter it here. | + | |
| - | Example: For notification by email, enter a personal or workgroup e-mail | + | |
| - | Managing Users and Access Control 161 | + | |
| - | address. | + | |
| - | 8. Click Accept to save the new capabilities for this role and exit. | + | |
| - | These changes will take effect when users with these roles next start | + | |
| - | Sentinel3G. In other words, users with the SeniorOp role will still be able | + | |
| - | to disable and enable sentries, but users with only the Operator role will not. | + | |
| - | 9. Click Accept to save this user and exit. | + | |
| - | 162 Managing Users and Access Control | + | |
| - | Maintaining Access Roles | + | |
| To view the current Sentinel3G role structure: | To view the current Sentinel3G role structure: | ||
| - | 1. From the console, select Host view, then select a host. | + | #From the console, select Host view, then select a host. |
| - | 2. Select Configure > Host monitor. The ‘All Sentries’ window is | + | #Select Configure > Host monitor. The ‘All Sentries’ window is displayed. |
| - | displayed. | + | #Select Tables > Roles. The ‘Sentinel roles and access capabilities’ window is displayed. |
| - | 3. Select Tables > Roles. The ‘Sentinel roles and access capabilities’ | + | |
| - | window is displayed. | + | In this setup, the User role has a single capability, display. The Operator role inherits the display capability from the User role and also has the capabilities display, action and acknowledge. |
| - | In this setup, the User role has a single capability, display. The Operator role | + | |
| - | inherits the display capability from the User role and also has the capabilities | + | You can change the capabilities assigned to an existing role, or assign capabilities to a new role you have just defined. |
| - | display, action and acknowledge. | + | |
| - | You can change the capabilities assigned to an existing role, or assign capabilities to | + | == To Add a New Role == |
| - | a new role you have just defined. | + | #From the ‘Sentinel roles and access capabilities’ window, select Maintain > Add. Alternatively, if the new role will have similar |
| - | To Add a New Role | + | capabilities to an existing role, you can use Maintain > Clone to add the new role based on the attributes of the existing role. |
| - | 1. From the ‘Sentinel roles and access capabilities’ window, select | + | #Enter a name for the role, relating to the responsibility of the users who will be assigned to it—e.g. ShiftSuper, Training. |
| - | Maintain > Add. Alternatively, if the new role will have similar | + | #Click to choose from the list of other roles and capabilities to assign to this new role. |
| - | capabilities to an existing role, you can use Maintain > Clone to add | + | #Enter a description. |
| - | the new role based on the attributes of the existing role. | + | #Click Accept to save this role and exit. |
| - | 2. Enter a name for the role, relating to the responsibility of the users who will | + | |
| - | be assigned to it—e.g. ShiftSuper, Training. | + | === To Change the Access Capabilities Assigned to a Role === |
| - | 3. Click to choose from the list of other roles and capabilities to assign to | + | Example: the SeniorOp and Operator roles currently have the same set of capabilities (SeniorOp inherits all of its capabilities from the Operator role). You wish the disable capability to be available to users with the SeniorOp role. |
| - | this new role. | + | |
| - | Managing Users and Access Control 163 | + | First, remove disable capability from the Operator role. |
| - | 4. Enter a description. | + | |
| - | 5. Click Accept to save this role and exit. | + | #From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change. |
| - | To Change the Access Capabilities Assigned to a Role | + | #The Capabilities field shows the capabilities currently assigned to the Operator role. Click to change the list. |
| - | Example: the SeniorOp and Operator roles currently have the same set of capabilities | + | #Ctrl-click the disable row to remove it from the selection. |
| - | (SeniorOp inherits all of its capabilities from the Operator role). You | + | #Click Accept to save the changed capabilities for this role and exit to the ‘Sentinel roles and access capabilities’ window. |
| - | wish the disable capability to be available to users with the SeniorOp role. | + | #:Next, disable capability must be assigned explicitly to the SeniorOp role. |
| - | First, remove disable capability from the Operator role. | + | #From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change. |
| - | 1. From the ‘Sentinel roles and access capabilities’ window, select the | + | #Click next to the Capabilities field. The Operator role is the only row currently selected. |
| - | Operator role, then select Maintain > Change. | + | #Ctrl-click the disable row to add it to the selection. |
| - | Figure 38 — Example: choose ‘display’ capability plus the Operator role | + | #Click Accept to return to the ‘Change Sentinel roles and access’ form. |
| - | 2. The Capabilities field shows the capabilities currently assigned to the | + | #Click Accept to save the new capabilities for this role and exit. |
| - | Operator role. Click to change the list. | + | |
| - | 164 Managing Users and Access Control | + | These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not. |
| - | 3. Ctrl-click the disable row to remove it from the selection. | + | |
| - | 4. Click Accept to save the changed capabilities for this role and exit to the | + | === To Assign a Notification Address to a COSmanager Role === |
| - | ‘Sentinel roles and access capabilities’ window. | + | If you specify a notification method and address for a COSmanager role, then you can choose to send messages about Sentinel3G alerts to users with that role. For example, if a particular event requires a configuration change in Sentinel3G, you could choose to send notification messages to users with the Manager role. |
| - | Next, disable capability must be assigned explicitly to the SeniorOp role. | + | |
| - | 5. From the ‘Sentinel roles and access capabilities’ window, select the | + | #From the console, select Configure > Global tables. |
| - | Operator role, then select Maintain > Change. | + | #From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed. |
| - | Figure 39 — Example: changing the roles assigned to SeniorOp role | + | #Select Maintain > Access roles. The ‘Global access roles’ table is displayed. |
| - | 6. Click next to the Capabilities field. The Operator role is the only | + | #Select a role then click Maintain > Change. The ‘Change global access roles’ form is displayed. |
| - | row currently selected. | + | #In the Notify via field select a method for notifying users of alerts. |
| - | 7. Ctrl-click the disable row to add it to the selection. | + | #If the notification method requires an Address or identifier, enter it here. |
| - | Ctrl-click on disable to | + | #:Example: For notification by email, enter a workgroup e-mail address that is shared by users who have this role. |
| - | remove it from the selected | + | #Click Accept to save the new notification details for this role and exit |
| - | Managing Users and Access Control 165 | + | |
| - | Figure 40 — Example: adding ‘display’ to the selected roles/capabilities | + | |
| - | 8. Click Accept to return to the ‘Change Sentinel roles and access’ form. | + | |
| - | 9. Click Accept to save the new capabilities for this role and exit. | + | |
| - | These changes will take effect when users with these roles next start | + | |
| - | Sentinel3G. In other words, users with the SeniorOp role will still be able | + | |
| - | to disable and enable sentries, but users with only the Operator role will not. | + | |
| - | To Assign a Notification Address to a COSmanager Role | + | |
| - | If you specify a notification method and address for a COSmanager role, then you | + | |
| - | can choose to send messages about Sentinel3G alerts to users with that role. For | + | |
| - | example, if a particular event requires a configuration change in Sentinel3G, you | + | |
| - | could choose to send notification messages to users with the Manager role. | + | |
| - | 1. From the console, select Configure > Global tables. | + | |
| - | 2. From the ‘COSmanager global configuration’ menu, select Users. The | + | |
| - | ‘COSmanager users/groups’ window is displayed. | + | |
| - | 3. Select Maintain > Access roles. The ‘Global access roles’ table is | + | |
| - | displayed. | + | |
| - | 4. Select a role then click Maintain > Change. The ‘Change global access | + | |
| - | roles’ form is displayed. | + | |
| - | 5. In the Notify via field select a method for notifying users of alerts. | + | |
| - | Ctrl-click on disable to add it | + | |
| - | to the other selected capabil166 | + | |
| - | Managing Users and Access Control | + | |
| - | 6. If the notification method requires an Address or identifier, enter it here. | + | |
| - | Example: For notification by email, enter a workgroup e-mail address that | + | |
| - | is shared by users who have this role. | + | |
| - | 7. Click Accept to save the new notification details for this role and exit | + | |
Current revision
Users must be registered to Sentinel3G, or belong to a group that is registered, for them to have access to the console and to the Sentinel3G configuration menus.
Adding an existing system group such as Sysadmin or Operators or a COSmanager role such as Manager or Admin as a Sentinel3G ‘user’ is a useful way to set up group-based notification.
Roles determine the menu options open to the user. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.
This chapter explains how to add users and groups to Sentinel3G and how to maintain the list of roles.
Contents |
[edit]
User Roles and Access Capabilities
Sentinel3G users are each assigned one or more roles, both personally and through the system group they belong to. Each role maps to one or more access capabilities, which determine the menu options open to the user. A role may be nested, so that it inherits the capabilities belonging to another role. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.
This table shows the default capabilities assigned to each of the predefined roles.
| Role | acknowledge | action | disable | display | maintain |
| Manager | ✓ | ✓ | ✓ | ✓ | ✓ |
| Admin | ✓ | ✓ | ✓ | ✓ | |
| SeniorOp | ✓ | ✓ | ✓ | ✓ | |
| Operator | ✓ | ✓ | ✓ | ✓ | |
| User | ✓ |
Capabilities are cumulative. This means that users who are registered to Sentinel3G and whose group is also registered to Sentinel3G receive both sets of access capabilities.
[edit]
What each capability does
- acknowledge
- Acknowledge a sentry’s request to escalate from one state to another
- action
- Run an action associated with a sentry
- disable
- Disable or enable sentries
- display
- Read only access to Sentinel3G configuration tables
- maintain
- Modify tables unconditionally. Initially restricted to Manager role
[edit]
Maintaining Sentinel3G Users
This section shows you how to add users to Sentinel3G, and how to change the roles assigned to them. An existing system group or a COSmanager role can also be added as a Sentinel3G ‘user’ to set up group-based notification, for example to make sure the Sysadmin group is notified when certain services go down.
Note: Changes made to a user’s security profile don’t come into effect until the next time the user invokes Sentinel3G.
[edit]
To Add a Sentinel3G User or Group
- From the console, select Configure > Global tables.
- From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
- Select Maintain > Add. The ‘Add COSmanager users/groups’ window is displayed.
- Enter these fields:
- User/group
- Enter the name of a user or group, or click to choose from the entries in /etc/password and /etc/group on this host.
- Group names must be prefixed by @.
- Role
- Click to choose one or more roles to assign to this user or group. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host.
- Comment
- Enter an optional comment.
- Notify via
- Select a default method for notifying this user of alerts.
- Address
- If the notification method requires an address or identifier, enter it here. Example: For notification by email, enter a personal or workgroup e-mail address. In the case of e-mail notification to a group, you may wish to create a mail alias that is expanded by the e-mail system to delivered messages to all members of the group.
- Click Accept to save this user and exit.
[edit]
To Assign a Different Role or Notification Address to a User
You can assign a different role or notification address to an individual user or to all users in a system group.
- From the console, select Configure > Global tables.
- From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
- Select the user, then click Maintain > Change.
- The Roles field shows the roles currently assigned to this user. Click to change the list. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host.
- Ctrl-click a role to add it to the selection list, or Ctrl-click a highlighted role to remove it from the selection.
- Click Accept to return to the Change Sentinel roles and access form.
- In the Notify via field select a method for notifying users of alerts.
- If the notification method requires an Address or identifier, enter it here.
- Example: For notification by email, enter a personal or workgroup e-mail address.
- Click Accept to save the new capabilities for this role and exit. These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not.
- Click Accept to save this user and exit.
[edit]
Maintaining Access Roles
To view the current Sentinel3G role structure:
- From the console, select Host view, then select a host.
- Select Configure > Host monitor. The ‘All Sentries’ window is displayed.
- Select Tables > Roles. The ‘Sentinel roles and access capabilities’ window is displayed.
In this setup, the User role has a single capability, display. The Operator role inherits the display capability from the User role and also has the capabilities display, action and acknowledge.
You can change the capabilities assigned to an existing role, or assign capabilities to a new role you have just defined.
[edit]
To Add a New Role
- From the ‘Sentinel roles and access capabilities’ window, select Maintain > Add. Alternatively, if the new role will have similar
capabilities to an existing role, you can use Maintain > Clone to add the new role based on the attributes of the existing role.
- Enter a name for the role, relating to the responsibility of the users who will be assigned to it—e.g. ShiftSuper, Training.
- Click to choose from the list of other roles and capabilities to assign to this new role.
- Enter a description.
- Click Accept to save this role and exit.
[edit]
To Change the Access Capabilities Assigned to a Role
Example: the SeniorOp and Operator roles currently have the same set of capabilities (SeniorOp inherits all of its capabilities from the Operator role). You wish the disable capability to be available to users with the SeniorOp role.
First, remove disable capability from the Operator role.
- From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change.
- The Capabilities field shows the capabilities currently assigned to the Operator role. Click to change the list.
- Ctrl-click the disable row to remove it from the selection.
- Click Accept to save the changed capabilities for this role and exit to the ‘Sentinel roles and access capabilities’ window.
- Next, disable capability must be assigned explicitly to the SeniorOp role.
- From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change.
- Click next to the Capabilities field. The Operator role is the only row currently selected.
- Ctrl-click the disable row to add it to the selection.
- Click Accept to return to the ‘Change Sentinel roles and access’ form.
- Click Accept to save the new capabilities for this role and exit.
These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not.
[edit]
To Assign a Notification Address to a COSmanager Role
If you specify a notification method and address for a COSmanager role, then you can choose to send messages about Sentinel3G alerts to users with that role. For example, if a particular event requires a configuration change in Sentinel3G, you could choose to send notification messages to users with the Manager role.
- From the console, select Configure > Global tables.
- From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
- Select Maintain > Access roles. The ‘Global access roles’ table is displayed.
- Select a role then click Maintain > Change. The ‘Change global access roles’ form is displayed.
- In the Notify via field select a method for notifying users of alerts.
- If the notification method requires an Address or identifier, enter it here.
- Example: For notification by email, enter a workgroup e-mail address that is shared by users who have this role.
- Click Accept to save the new notification details for this role and exit