Managing Users and Access Control
Users must be registered to Sentinel3G, or belong to a group that is registered, for them to have access to the console and to the Sentinel3G configuration menus.
Adding an existing system group (such as Sysadmin or Operators) or a COSmanager role (such as Manager or Admin) as a Sentinel3G ‘user’ is a useful way to set up group-based notification.
Roles determine the menu options open to the user. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.
This chapter explains how to add users and groups to Sentinel3G and how to maintain the list of roles.
User Roles and Access Capabilities
Sentinel3G users are each assigned one or more roles, both personally and through the system group they belong to. Each role maps to one or more access capabilities, which determine the menu options open to the user. A role may be nested, so that it inherits the capabilities belonging to another role. Several predefined roles are supplied, but you may wish to add new roles to reflect your organization’s management structure, job titles and security policy.
This table shows the default capabilities assigned to each of the predefined roles.
Role | acknowledge | action | disable | display | maintain |
Manager | √ | √ | √ | √ | √ |
Admin | √ | √ | √ | √ | |
SeniorOp | √ | √ | √ | √ | |
Operator | √ | √ | √ | √ | |
User | | | | √ | |
Capabilities are cumulative. This means that users who are registered to Sentinel3G and whose group is also registered to Sentinel3G receive both sets of access capabilities.
What each capability does
- acknowledge: Acknowledge a sentry’s request to escalate from one state to another.
- action: Run an action associated with a sentry.
- disable: Disable or enable sentries.
- display: Read-only access to Sentinel3G configuration tables.
- maintain: Modify tables unconditionally. Initially restricted to the Manager role.
Maintaining Sentinel3G Users
This section shows you how to add users to Sentinel3G, and how to change the roles assigned to them. An existing system group or a COSmanager role can also be added as a Sentinel3G ‘user’ to set up group-based notification, for example to make sure the Sysadmin group is notified when certain services go down.
Note: Changes made to a user’s security profile don’t come into effect until the next time the user invokes Sentinel3G.
To Add a Sentinel3G User or Group
- From the console, select Configure > Global tables.
- From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
- Select Maintain > Add. The ‘Add COSmanager users/groups’ window is displayed.
- Enter these fields:
  - User/group: Enter the name of a user or group, or click to choose from the entries in /etc/passwd and /etc/group on this host. Group names must be prefixed by @.
  - Role: Click to choose one or more roles to assign to this user or group. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host.
  - Comment: Enter an optional comment.
  - Notify via: Select a default method for notifying this user of alerts.
  - Address: If the notification method requires an address or identifier, enter it here. Example: For notification by email, enter a personal or workgroup e-mail address. In the case of e-mail notification to a group, you may wish to create a mail alias that is expanded by the e-mail system to deliver messages to all members of the group.
- Click Accept to save this user and exit.
To Assign a Different Role or Notification Address to a User
You can assign a different role or notification address to an individual user or to all users in a system group.
- From the console, select Configure > Global tables.
- From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
- Select the user, then click Maintain > Change.
- The Roles field shows the roles currently assigned to this user. Click to change the list. Roles prefixed by SEN: are specific to Sentinel3G menus. The other roles control access to COSmanager configuration menus and any other COSmanager products that may be installed on this host.
- Ctrl-click a role to add it to the selection list, or Ctrl-click a highlighted role to remove it from the selection.
- Click Accept to return to the Change Sentinel roles and access form.
- In the Notify via field select a method for notifying users of alerts.
- If the notification method requires an Address or identifier, enter it here.
- Example: For notification by email, enter a personal or workgroup e-mail address.
- Click Accept to save the new capabilities for this role and exit. These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not.
- Click Accept to save this user and exit.
Maintaining Access Roles
To view the current Sentinel3G role structure:
- From the console, select Host view, then select a host.
- Select Configure > Host monitor. The ‘All Sentries’ window is displayed.
- Select Tables > Roles. The ‘Sentinel roles and access capabilities’ window is displayed.
In this setup, the User role has a single capability, display. The Operator role inherits the display capability from the User role and also has the capabilities display, action and acknowledge.
You can change the capabilities assigned to an existing role, or assign capabilities to a new role you have just defined.
To Add a New Role
- From the ‘Sentinel roles and access capabilities’ window, select Maintain > Add. Alternatively, if the new role will have similar capabilities to an existing role, you can use Maintain > Clone to add the new role based on the attributes of the existing role.
- Enter a name for the role, relating to the responsibility of the users who will be assigned to it—e.g. ShiftSuper, Training.
- Click to choose from the list of other roles and capabilities to assign to this new role.
- Enter a description.
- Click Accept to save this role and exit.
To Change the Access Capabilities Assigned to a Role
Example: the SeniorOp and Operator roles currently have the same set of capabilities (SeniorOp inherits all of its capabilities from the Operator role). You wish the disable capability to be available to users with the SeniorOp role.
First, remove the disable capability from the Operator role.
- From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change.
- The Capabilities field shows the capabilities currently assigned to the Operator role. Click to change the list.
- Ctrl-click the disable row to remove it from the selection.
- Click Accept to save the changed capabilities for this role and exit to the ‘Sentinel roles and access capabilities’ window.
Next, the disable capability must be assigned explicitly to the SeniorOp role.
- From the ‘Sentinel roles and access capabilities’ window, select the Operator role, then select Maintain > Change.
- Click next to the Capabilities field. The Operator role is the only row currently selected.
- Ctrl-click the disable row to add it to the selection.
- Click Accept to return to the ‘Change Sentinel roles and access’ form.
- Click Accept to save the new capabilities for this role and exit.
These changes will take effect when users with these roles next start Sentinel3G. In other words, users with the SeniorOp role will still be able to disable and enable sentries, but users with only the Operator role will not.
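The effect of this change depends on role nesting and on capabilities being cumulative across a user's own registration and their group's. The following model is an added example, not Sentinel3G code or its table format: the dictionary layout, the function names, the users alice and bob and the group sysadmin are constructed for illustration, and Admin and Manager are assumed to hold their capabilities directly.

```python
# Model of the role scheme described on this page. The data layout and all
# function names are assumptions for illustration, not Sentinel3G's own format.
CAPABILITIES = {"acknowledge", "action", "disable", "display", "maintain"}
# A role's entries are capabilities or the names of other (nested) roles.
ROLES = {
    "User": {"display"},
    "Operator": {"User", "acknowledge", "action", "disable"},
    "SeniorOp": {"Operator"},
    "Admin": {"acknowledge", "action", "disable", "display"},
    "Manager": {"acknowledge", "action", "disable", "display", "maintain"},
}
# Constructed sample registrations; group names carry the @ prefix.
REGISTRATIONS = {"alice": ["Operator"], "bob": ["Operator"], "@sysadmin": ["SeniorOp"]}
MEMBERSHIPS = {"alice": ["sysadmin"], "bob": []}

def role_capabilities(role, roles, _seen=None):
    """Expand a role into capabilities, following nested roles."""
    seen = set() if _seen is None else _seen
    if role in seen:  # guard against a role nested inside itself
        return set()
    seen.add(role)
    caps = set()
    for entry in roles[role]:
        if entry in CAPABILITIES:
            caps.add(entry)
        elif entry in roles:
            caps |= role_capabilities(entry, roles, seen)
        else:
            raise ValueError(f"{role}: unknown entry {entry!r}")
    return caps

def effective_capabilities(user, registrations, memberships, roles):
    """Cumulative: union of the user's own roles and each registered group's."""
    principals = [user] + ["@" + g for g in memberships.get(user, ())]
    held = [r for p in principals for r in registrations.get(p, ())]
    return set().union(*(role_capabilities(r, roles) for r in held))

def split_disable(roles):
    """The change above: Operator loses disable, SeniorOp gets it explicitly."""
    changed = {name: set(entries) for name, entries in roles.items()}
    changed["Operator"].discard("disable")
    changed["SeniorOp"].add("disable")
    return changed

def holders(capability, roles):
    """Users whose effective capabilities include the given capability."""
    return sorted(u for u in MEMBERSHIPS if capability in
                  effective_capabilities(u, REGISTRATIONS, MEMBERSHIPS, roles))

print("disable before:", holders("disable", ROLES))
print("disable after: ", holders("disable", split_disable(ROLES)))
```

In this model alice is registered only as Operator yet keeps disable after the change, because her group is registered with SeniorOp; an access review has to resolve group registrations as well as personal ones.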
To Assign a Notification Address to a COSmanager Role
If you specify a notification method and address for a COSmanager role, then you can choose to send messages about Sentinel3G alerts to users with that role. For example, if a particular event requires a configuration change in Sentinel3G, you could choose to send notification messages to users with the Manager role.
- From the console, select Configure > Global tables.
- From the ‘COSmanager global configuration’ menu, select Users. The ‘COSmanager users/groups’ window is displayed.
- Select Maintain > Access roles. The ‘Global access roles’ table is displayed.
- Select a role then click Maintain > Change. The ‘Change global access roles’ form is displayed.
- In the Notify via field select a method for notifying users of alerts.
- If the notification method requires an Address or identifier, enter it here.
- Example: For notification by email, enter a workgroup e-mail address that is shared by users who have this role.
- Click Accept to save the new notification details for this role and exit.