About user permissions
You can manage user permissions—including changing administrator or monitor passwords and defining role-based management (RBM) users—in the User Permissions page.
The system uses RBM roles to control what actions a user can perform:
• Admin—Has full access to the system. Admins can change configuration settings, manage users, restart services, reboot the SteelHead, and view performance and system reports. Admins can also assign or remove the administrator role from other users, but not from themselves.
• Monitor—Can view reports, view user logs, and change their own password. However, monitor users cannot change settings, access private keys, view system logs, or manage cryptographic modules.
You can also create new users, assign passwords, and define their permissions by assigning them RBM roles. These roles determine the level of access for specific features:
• Read-only—Can view configuration settings but cannot make changes.
• Read/Write—Can view and modify settings.
• Deny—Cannot view or change settings for the feature.
Menu items in the interface adjust automatically based on the user’s permissions. If a user tries to access a feature they don’t have rights to, they’ll be redirected to the User Permissions page.
Restricted policy visibility for RBM users
With SCC 9.7 and later, administrators and system administrators can prevent RBM users from editing and deleting policies in groups to which those users don’t have access. You configure this under Administration > Security: User Permissions. RBM users can still view and edit the policies associated with the groups to which they have access; users with read/write access to a group can view and edit the policies associated with that group. This feature is disabled by default.
• If RBM users create a new policy by copying an existing policy to which they have deny access, they can still view the existing policy’s configuration in the new policy they created.
• RBM users with deny access to a group can’t view the policies associated with that group from the Manage > Policy page.
• RBM users with read-only access to a group can only view the policies associated with that group from the Manage > Policy page. Read-only users can’t edit policies.
• RBM users with read/write permissions to a group can view, modify, and delete the policies associated to that group.
• RBM users can’t edit or attach a policy to an accessible group if that policy is already attached to a group for which the user doesn’t have read/write permission.
You configure policy visibility restrictions when you add a new user account and select Policy Visibility Restricted. This feature is disabled by default.
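The bullets above amount to a small access-control decision that is worth stating precisely. The following is an added illustration, not Riverbed code: it models one RBM user’s per-group access and derives which policies that user can view, edit, and attach. The group and policy names are constructed, the helper names (`can_view`, `can_edit`, `can_attach`) are ours, and one point the text leaves open is made an explicit assumption: a policy attached to several groups is treated as visible when at least one of those groups grants read-only or better.

```python
"""Policy visibility under the 'Policy Visibility Restricted' option.

Added example, not Riverbed code. Group and policy names are constructed.
Assumption: a policy shared by several groups is visible if any one of
those groups grants read-only or read/write.
"""
from enum import Enum


class Access(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    READ_WRITE = "read/write"


# Constructed sample: the groups each policy is currently attached to.
POLICY_GROUPS = {
    "branch-qos": {"branch-east", "branch-west"},
    "east-only": {"branch-east"},
    "hq-ssl": {"hq"},
    "shared-baseline": {"hq", "branch-east"},
}

# Constructed sample: one RBM user's per-group access.
USER_GROUP_ACCESS = {
    "branch-east": Access.READ_WRITE,
    "branch-west": Access.READ_ONLY,
    "hq": Access.DENY,
}


def group_access(user_access, group):
    """A group with no explicit entry is treated as deny (least privilege)."""
    return user_access.get(group, Access.DENY)


def can_view(user_access, policy, policy_groups=POLICY_GROUPS):
    """Visible on Manage > Policy if any attached group grants read-only or
    read/write (the labelled assumption for policies shared across groups)."""
    return any(group_access(user_access, g) is not Access.DENY
               for g in policy_groups[policy])


def can_edit(user_access, policy, policy_groups=POLICY_GROUPS):
    """Editable or deletable only with read/write on every attached group:
    a policy attached to a group the user can't write to is locked."""
    return all(group_access(user_access, g) is Access.READ_WRITE
               for g in policy_groups[policy])


def can_attach(user_access, policy, target_group, policy_groups=POLICY_GROUPS):
    """Attaching needs read/write on the target group and on every group the
    policy is already attached to (the cross-group lock in the text)."""
    if group_access(user_access, target_group) is not Access.READ_WRITE:
        return False
    return can_edit(user_access, policy, policy_groups)


def effective_policy_rights(user_access, policy_groups=POLICY_GROUPS):
    """Summarise view/edit rights for every policy, for a quick audit."""
    return {p: {"view": can_view(user_access, p, policy_groups),
                "edit": can_edit(user_access, p, policy_groups)}
            for p in policy_groups}


if __name__ == "__main__":
    for policy, rights in effective_policy_rights(USER_GROUP_ACCESS).items():
        print(f"{policy:16} view={rights['view']!s:5} edit={rights['edit']}")
```

Note that `branch-qos` is visible but not editable for this user: the read-only access to `branch-west` locks it, even though the user has read/write on `branch-east`. That is the behaviour the last bullet describes, and it is the case to check first when an RBM user reports that a policy they can see cannot be changed.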
Upgrade behavior
If you upgrade from a previous version of SCC and policies are shared between groups that have both independent and shared RBM users, those policies remain visible to both types of users across the groups that share them.
Combining permissions by feature
RiOS 9.0 and later require additional user permissions for hybrid networking features. For example, to change a QoS rule, a user needs read/write permission for the Network Settings role, read/write permission for QoS, and read/write permission for policy pushes.
RiOS 9.0 and later contain these changes to the user permission requirements.
| Management Console page | Feature (to configure or change this feature) | Required settings for read permission | Required settings for read/write permission |
|---|---|---|---|
| Manage > Topology: Sites & Networks | Networks | Network Settings Read-Only | Network Settings read/write; Policy Push read/write |
| Manage > Topology: Sites & Networks | Sites | Network Settings Read-Only; QoS/Path Selection Read-Only | Network Settings read/write; Policy Push read/write; QoS/Path Selection read/write |
| Manage > Applications: App Definitions | Applications | Network Settings Read-Only | Network Settings read/write; Policy Push read/write |
| Manage > Services: Quality of Service | Enable QoS | Network Settings Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Quality of Service | Manage QoS Per Interface | Network Settings Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Quality of Service | QoS Profile | QoS/Path Selection Read-Only | QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: QoS Profile Details | QoS Profile Name | QoS/Path Selection Read-Only | QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: QoS Profile Details | QoS Classes | QoS/Path Selection Read-Only | QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: QoS Profile Details | QoS Rules | QoS/Path Selection Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Path Selection | Enable Path Selection | Network Settings Read-Only | Network Settings read/write; Policy Push read/write |
| Manage > Services: Path Selection | Path Selection Rules | Network Settings Read-Only; QoS/Path Selection Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Path Selection | Uplink Status | Network Settings Read-Only; QoS/Path Selection Read-Only; Reports read/write | — |
| Manage > Topology: Clusters | Interceptor Clusters | Network Settings Read-Only | Interceptor/Cluster Settings read/write; Policy Push read/write |
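Because read/write on a hybrid networking feature is the conjunction of several roles, a user can hold read/write on the obvious role and still be unable to change the feature. The following added example (ours, not Riverbed code) transcribes a few rows of the table above into data and answers two questions an administrator troubleshooting a failed change or push needs: what effective access a user’s roles combine to grant for a feature, and exactly which role falls short of read/write. The role and feature names are the page’s; the function names (`effective_access`, `missing_for_write`) and the sample user are ours.

```python
"""Combined role requirements for hybrid networking features (RiOS 9.0+).

Added example, not Riverbed code. FEATURE_REQUIREMENTS transcribes rows of
the table above; the sample user QOS_EDITOR is constructed.
"""
from enum import IntEnum


class Level(IntEnum):
    DENY = 0
    READ_ONLY = 1
    READ_WRITE = 2


# (requirements for read, requirements for read/write) per feature, taken
# from the table above. None means the table lists no read/write column.
FEATURE_REQUIREMENTS = {
    "Networks": (
        {"Network Settings": Level.READ_ONLY},
        {"Network Settings": Level.READ_WRITE, "Policy Push": Level.READ_WRITE},
    ),
    "Sites": (
        {"Network Settings": Level.READ_ONLY, "QoS/Path Selection": Level.READ_ONLY},
        {"Network Settings": Level.READ_WRITE, "Policy Push": Level.READ_WRITE,
         "QoS/Path Selection": Level.READ_WRITE},
    ),
    "QoS Rules": (
        {"QoS/Path Selection": Level.READ_ONLY},
        {"Network Settings": Level.READ_WRITE, "QoS/Path Selection": Level.READ_WRITE,
         "Policy Push": Level.READ_WRITE},
    ),
    "Interceptor Clusters": (
        {"Network Settings": Level.READ_ONLY},
        {"Interceptor/Cluster Settings": Level.READ_WRITE, "Policy Push": Level.READ_WRITE},
    ),
    "Uplink Status": (
        {"Network Settings": Level.READ_ONLY, "QoS/Path Selection": Level.READ_ONLY,
         "Reports": Level.READ_WRITE},
        None,
    ),
}


def shortfalls(user_roles, required):
    """Roles whose granted level is below the required one. A role the user
    was never granted counts as deny."""
    return sorted(role for role, need in required.items()
                  if user_roles.get(role, Level.DENY) < need)


def effective_access(user_roles, feature):
    """Highest access the user's roles combine to grant for the feature."""
    read_req, write_req = FEATURE_REQUIREMENTS[feature]
    if write_req is not None and not shortfalls(user_roles, write_req):
        return Level.READ_WRITE
    if not shortfalls(user_roles, read_req):
        return Level.READ_ONLY
    return Level.DENY


def missing_for_write(user_roles, feature):
    """Roles to raise to read/write before the user can change the feature:
    an empty list when nothing is missing, None when the table gives no
    read/write requirement for that feature."""
    write_req = FEATURE_REQUIREMENTS[feature][1]
    return None if write_req is None else shortfalls(user_roles, write_req)


# Constructed sample: a user given QoS and Network Settings read/write but
# only read-only Policy Push, so changes to QoS rules cannot be pushed.
QOS_EDITOR = {
    "Network Settings": Level.READ_WRITE,
    "QoS/Path Selection": Level.READ_WRITE,
    "Policy Push": Level.READ_ONLY,
}

if __name__ == "__main__":
    for feature in FEATURE_REQUIREMENTS:
        print(f"{feature:22} {effective_access(QOS_EDITOR, feature).name:10}"
              f" missing for write: {missing_for_write(QOS_EDITOR, feature)}")
```

Run against the constructed user, every feature comes back read-only with `Policy Push` as the missing role, which is the shape of the problem described later on this page under Appliance Management: the push fails not because the QoS role is wrong but because a second required role is not read/write.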
SCC roles and permissions
The SCC supports role-based administration privileges, allowing you to create specific privilege levels for network administrators, backup administrators, help-desk support, and IT management. In addition, the SCC supports integration with a RADIUS or TACACS server for single sign-on.
You can set these roles and permissions for the SCC:
SCC Settings
Manages the SCC features: for example, host settings, network settings and reports.
AAA Configurations
Authenticates and authorizes SCC users.
Group roles and permissions
You can set these group roles and permissions for the SCC:
Global
Configures Global group settings.
<group>
Configures the <group> settings.
You configure user permissions under Administration > Security: User Permissions. Click admin or monitor to expand the page. These configuration settings are available under Capability-Based Accounts:
admin/monitor
Modifies the admin and monitor accounts. Click the right arrow.
Clear Login Failure Details
Clears the account’s login failure details and closes the fields for changing the password.
Change Password
Enables password protection. Password protection is an account control feature that allows you to select a password policy for more security. When you enable account control on the Administration > Security: Password Policy page, a user must use a password. When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it can’t be reset to null as long as account control is enabled.
• Password—Specify a password in the text box.
• Password Confirm—Retype the new administrator password.
Enable Account
Activates the account. Clear the check box to disable the administrator or monitor account. When enabled, you may make the account the default user for RADIUS and TACACS+ authorization. You may only designate one account as the default user. Once enabled, the default user account may not be disabled or removed. The Accounts table displays the account as permanent.
Allow Policy Push for Non-Admin Connected Appliances
Enables administrator users to perform configuration pushes to appliances connected with nonadministrator role-based management users, provided the nonadministrator role-based management users have read/write privileges on the appliance.
Add a New Account
Displays the controls for adding a new user account and defining the user permissions.
Account Name
Specifies a name for the role-based account.
Password
Specifies the password for the account. Type the password in the text box, and then retype it for confirmation.
Enable Account
Enables the new account.
Make this The AAA Default User (for RADIUS and TACACS+ logins)
Makes the user the default AAA user to provide strict AAA access for RADIUS and TACACS+ logins.
Policy Visibility Restricted
Restricts viewing, editing, and deleting of policies in groups for which RBM users don’t have access.
• Users with deny access to a group can’t view the policies associated with that group from the Manage > Policy page.
• Users with read-only access to a group can only view the policies associated with that group from the Manage > Policy page. Read-only users can’t edit policies.
• Users can’t view or attach a policy to an accessible group if that policy is already attached to a group for which the user doesn’t have read/write permission.
Users can still view and edit the policies associated with the groups to which they have access. Users with read/write access to a group can view and edit the policies associated with that group.
User Roles
Creates system administrator or role-based management accounts for users.
• Administrator—Creates a system administrator account for the user. This is an administrator account with full access to configurations and reports on this appliance. This account can also be used to create, edit, and remove user accounts. Create a system administrator account to increase security and to conform to Defense Information Systems Agency (DISA) requirements.
In cases where an AAA server isn’t reachable and the admin user or system administrator isn’t able to log in, you can create a safety account in the Administration > Security: General Settings page. For details, see Configuring general security settings.
• RBM User—Select to create a role-based management user and apply permissions for each role below.
– CMC (SCC) Settings—Manages the SCC features: for example, host settings, network settings and reports.
– AAA Configurations—Authenticates and authorizes SCC users.
Groups
Global
Configures Global group permissions.
Appliance Management
Controls appliance upgrades, policy pushes, and so forth.
• Appliance Upgrade—Configures permissions for appliance upgrade.
• File Transfer—Configures permissions for file transfers on managed appliances.
• Non Admin Connected Appliance's Policy—Enables administrator users to perform configuration pushes to appliances connected with nonadministrator role-based management users, provided the nonadministrator role-based management users have read/write privileges on the appliance.
If the push fails, verify that the nonadministrator role-based management user has the required permissions to modify the page that’s being pushed, both on the appliance and on the SCC: for example, to push QoS changes the user must also have read/write permissions for Role Based Accounts > Appliance Management Roles > Optimization Settings > QoS/Path Selection.
• SteelHead Backup—Configures permissions for SteelHead backups on managed appliances.
• Operation Status—Configures permissions for operation status on managed appliances.
• CLI Commands—Configures permissions for CLI commands to managed appliances.
Appliance Settings
Manages appliance permissions, such as cluster configuration, host settings, network settings, and so forth.
• Interceptor/Cluster Settings—Configures permissions for Interceptor clusters. You must also include the Policy Push role.
• General Settings—Configures permissions for general system settings.
• Network Settings—Configures permissions for topology definitions, site and network definitions, application definitions, host interface settings, network interface, DNS cache, hardware assist rules, host labels, and port labels. You must include this role for users configuring path selection or enforcing QoS policies in addition to the QoS and Path Selection roles.
• Reports—Configures permissions for reports.
• Basic Diagnostics—Configures permissions for basic diagnostic reports.
• SteelFusion Branch Storage Device Service—Configures permissions for SteelFusion Branch.
• TCP Dumps—Configures permissions for TCP Dump.
Appliance AAA Configuration Security Settings
Configures security permissions, including RADIUS and TACACS authentication settings and the secure vault password.
Optimization Settings
Manages appliance optimization setup.
• SteelHead In-Path Rules—Configures permissions for TCP traffic for optimization and optimizing traffic with in-path rules. This role includes WAN visibility to preserve TCP/IP address or port information. For details about WAN visibility, see the SteelHead Deployment Guide.
• QoS/Path Selection—Configures permissions for QoS policies and path selection. You must also include the Network Settings role for QoS and path selection.
Application Optimization Policies
Configures optimization permissions for different applications.
• Optimization Service—Configures permissions for alarms, performance features, SkipWare, HS-TCP, and TCP optimization.
• CIFS Optimization—Configures permissions for CIFS optimization settings (including SMB signing) and Overlapping Open optimization.
• HTTP Optimization—Configures permissions for enhanced HTTP optimization: URL learning, parse and prefetch, object prefetch table, keepalive, insert cookie, file extensions to prefetch, and the ability to set up HTTP optimization for a specific server subnet.
HTTP optimization is unavailable in cloud appliance models. This feature may become available in future releases of those models.
• Oracle Forms Optimization—Configures permissions for Oracle E-business application content and forms applications.
• MAPI Optimization—Configures permissions for MAPI and sets Exchange and NSPI ports.
• SQL Optimization—Configures permissions for SQL optimization.
• NFS Optimization—Configures permissions for NFS optimization.
• Notes Optimization—Configures permissions for Lotus Notes optimization.
• Citrix Optimization—Configures permissions for Citrix optimization.
• SSL Optimization—Configures permissions for SSL support and the secure inner channel.
• Domain Authentication—Configures permissions for joining a Windows domain and configuring Windows domain authentication.
Branch Services
Specifies branch services permissions.
Proxy File Service (PFS)
Configures permissions for a virtualized environment on the client SteelHead. The functionality can include third-party packages such as a firewall security package, a streaming video server, or a package that provides core networking services (for example, DNS and DHCP). This role includes permission to install VMware tools and add subnet side rules.
Add
Adds your settings to the system.