Managing user permissions
You can change the administrator or monitor passwords and define role-based management (RBM) users in the User Permissions page.
The system provides these RBM accounts, distinguished by the actions the user can take:
•  Admin - The system administrator user has full privileges. For example, as an administrator you may set and modify configuration settings, add and delete users, restart the optimization service, reboot the SteelHead, and create and view performance and system reports. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.
•  Monitor - Users with monitor privileges can view reports, view user logs, and change their password. A monitor user can’t make configuration changes, modify private keys, view logs, or manage cryptographic modules in the system.
You can also create users, assign passwords to the user, and assign varying configuration roles to the user.
The Administrator role corresponds to the system administrator role. Read-only permission isn’t available for this role. It includes the permissions of all other RBM roles, including creating, editing, and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.
The RBM role determines whether the user has permission to:
•  Read-only - With read-only privileges you can view current configuration settings but you can’t change them.
•  Read/Write - With read and write privileges you can view settings and make configuration changes for a feature.
•  Deny - With deny privileges you can’t view settings or save configuration changes for a feature.
Available menu items reflect the privileges of the user. For example, any menu items that a user doesn’t have permission to use are unavailable. When a user selects an unavailable link, the User Permissions page appears.
Restricted policy visibility for RBM users
With SCC 9.7 or later, administrators and system administrators can restrict editing and deleting of policies in groups to which RBM users don’t have access, on the Administration > Security: User Permissions page. RBM users can still view and edit the policies associated with the groups to which they have access. RBM users with only read/write access to a group can view and edit the policies associated with that group. This feature is disabled by default.
•  If RBM users create a new policy by copying an existing policy to which they have deny access, they can still view the existing policy’s configuration in the new policy they created.
•  RBM users with deny access to a group can’t view the policies associated with that group from the Manage > Policy page.
•  RBM users with read-only access to a group can only view the policies associated with that group from the Manage > Policy page. Read-only users can’t edit policies.
•  RBM users with read/write permissions to a group can view, modify, and delete the policies associated to that group.
•  RBM users can’t edit or attach a policy to an accessible group if that policy is already attached to a group for which the user doesn’t have read/write permission.
You configure policy visibility restrictions when you add a new user account and select Policy Visibility Restricted. This feature is disabled by default.
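The visibility rules above amount to a small access-control decision per policy. The following Python model is an added example, not Riverbed code; the group names, policy names and the per-group access levels of the sample users are constructed data, and it models only the restricted mode.

```python
"""Model of the Policy Visibility Restricted rules described above.

Added example, not Riverbed code. Group names, policy names and the
per-group access levels of the sample users are constructed data.
"""
from dataclasses import dataclass

DENY, READ_ONLY, READ_WRITE = "deny", "read-only", "read/write"


@dataclass
class Policy:
    name: str
    attached_groups: frozenset  # groups this policy is attached to


class RbmUser:
    def __init__(self, name, group_access):
        self.name = name
        self.group_access = group_access  # group -> DENY | READ_ONLY | READ_WRITE

    def access(self, group):
        # A group the user was never granted is treated as deny.
        return self.group_access.get(group, DENY)

    def can_view(self, policy):
        """Visible on Manage > Policy if attached to any group the user can read."""
        return any(self.access(g) != DENY for g in policy.attached_groups)

    def can_edit(self, policy):
        """Edit/delete needs read/write on every attached group: a policy also
        attached to a group without read/write permission is locked."""
        return bool(policy.attached_groups) and all(
            self.access(g) == READ_WRITE for g in policy.attached_groups)

    def can_attach(self, policy, target_group):
        """Attaching to an accessible group is refused when the policy is
        already attached to a group where the user lacks read/write."""
        return self.access(target_group) == READ_WRITE and all(
            self.access(g) == READ_WRITE for g in policy.attached_groups)


# Constructed sample: one shared policy spanning two groups.
POLICIES = {
    "branch-qos": Policy("branch-qos", frozenset({"Branch-East"})),
    "shared-ps": Policy("shared-ps", frozenset({"Branch-East", "Datacenter"})),
    "dc-only": Policy("dc-only", frozenset({"Datacenter"})),
}
ALICE = RbmUser("alice", {"Branch-East": READ_WRITE, "Datacenter": READ_ONLY})
BOB = RbmUser("bob", {"Branch-East": READ_WRITE})  # Datacenter: deny


def policy_matrix(user, policies=POLICIES):
    """name -> (can_view, can_edit) for each policy."""
    return {n: (user.can_view(p), user.can_edit(p)) for n, p in policies.items()}
```

Alice can see the shared policy through Branch-East but cannot edit it because it is also attached to Datacenter, where she is read-only; Bob cannot see the Datacenter-only policy at all.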
Upgrade behavior
If you upgrade from a previous version of SCC and policies are shared between groups that have both independent and shared RBM users, those policies remain visible to both types of users across the groups that share the policy.
Combining permissions by feature
RiOS 9.0 and later require additional user permissions for hybrid networking features. For example, to change a QoS rule, a user needs read/write permission for the Network Settings role, read/write permission for QoS, and read/write permission for policy pushes.
RiOS 9.0 and later contain these changes to the user permission requirements.
| Management Console page | Feature (to configure or change this feature) | Required settings for read permission | Required settings for read/write permission |
|---|---|---|---|
| Manage > Topology: Sites & Networks | Networks | Network Settings Read-Only | Network Settings read/write; Policy Push read/write |
| Manage > Topology: Sites & Networks | Sites | Network Settings Read-Only; QoS/Path Selection Read-Only | Network Settings read/write; Policy Push read/write; QoS/Path Selection read/write |
| Manage > Applications: App Definitions | Applications | Network Settings Read-Only | Network Settings read/write; Policy Push read/write |
| Manage > Services: Quality of Service | Enable QoS | Network Settings Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Quality of Service | Manage QoS Per Interface | Network Settings Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Quality of Service | QoS Profile | QoS/Path Selection Read-Only | QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: QoS Profile Details | QoS Profile Name | QoS/Path Selection Read-Only | QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: QoS Profile Details | QoS Classes | QoS/Path Selection Read-Only | QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: QoS Profile Details | QoS Rules | QoS/Path Selection Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Path Selection | Enable Path Selection | Network Settings Read-Only | Network Settings read/write; Policy Push read/write |
| Manage > Services: Path Selection | Path Selection Rules | Network Settings Read-Only; QoS/Path Selection Read-Only | Network Settings read/write; QoS/Path Selection read/write; Policy Push read/write |
| Manage > Services: Path Selection | Uplink Status | Network Settings Read-Only; QoS/Path Selection Read-Only | Reports read/write |
| Manage > Topology: Clusters | Interceptor Clusters | Network Settings Read-Only | Interceptor/Cluster Settings read/write; Policy Push read/write |
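The table above is a conjunction: a user must hold every listed role at the required level before a page becomes readable or writable. This Python evaluation of those requirements is an added example, not Riverbed code; the requirement table is transcribed from the page for a subset of features, and the sample users' role levels are constructed.

```python
"""Evaluate the RiOS 9.0+ combined permission requirements from the table above.

Added example, not Riverbed code. The requirement table is transcribed from the
page for a subset of features; the sample users' role levels are constructed."""
LEVEL = {"deny": 0, "read-only": 1, "read/write": 2}

# feature -> (roles needed at >= read-only to view, roles needed at read/write to change)
REQUIREMENTS = {
    "Networks": ({"Network Settings"}, {"Network Settings", "Policy Push"}),
    "QoS Rules": ({"QoS/Path Selection"},
                  {"Network Settings", "QoS/Path Selection", "Policy Push"}),
    "Path Selection Rules": ({"Network Settings", "QoS/Path Selection"},
                             {"Network Settings", "QoS/Path Selection", "Policy Push"}),
    "Uplink Status": ({"Network Settings", "QoS/Path Selection"}, {"Reports"}),
    "Interceptor Clusters": ({"Network Settings"},
                             {"Interceptor/Cluster Settings", "Policy Push"}),
}

def role_level(roles, role):
    """Roles not granted to the user count as deny."""
    return LEVEL[roles.get(role, "deny")]

def missing_for_read(roles, feature):
    need, _ = REQUIREMENTS[feature]
    return sorted(r for r in need if role_level(roles, r) < LEVEL["read-only"])

def missing_for_write(roles, feature):
    _, need = REQUIREMENTS[feature]
    return sorted(r for r in need if role_level(roles, r) < LEVEL["read/write"])

def can_read(roles, feature):
    return not missing_for_read(roles, feature)

def can_write(roles, feature):
    # Changing a feature presumes being able to open its page at all.
    return can_read(roles, feature) and not missing_for_write(roles, feature)

def available_menu(roles):
    """Menu items the user may open; the rest are unavailable (see above)."""
    return sorted(f for f in REQUIREMENTS if can_read(roles, f))

# Constructed sample: a QoS operator with QoS/Path Selection read/write but only
# read-only Network Settings and no Policy Push role. The QoS Rules page opens,
# yet a rule change (and its push) is refused until both roles are granted.
QOS_OPERATOR = {"Network Settings": "read-only", "QoS/Path Selection": "read/write"}
```

`missing_for_write` names the roles still to be granted, which is the check to run when a push fails for an RBM user.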
SCC roles and permissions
The SCC supports job role-based administration, allowing you to create specific privilege levels for network administrators, backup administrators, help-desk support, and IT management. In addition, the SCC supports integration with a RADIUS or TACACS server for single sign-on.
You can set these roles and permissions for the SCC.
| Page | Description |
|---|---|
| SCC Settings | Manages the SCC features: for example, host settings, network settings and reports. |
| AAA Configurations | Authenticates and authorizes SCC users. |
Group roles and permissions
| Page | Description |
|---|---|
| Global | Configures Global group settings. |
| <group> | Configures the <group> settings. |
To configure user permissions
1. Choose Administration > Security: User Permissions to display the User Permissions page.
2. Click admin or monitor to expand the page.
3. Under Capability-Based Accounts, complete the configuration as described below, where each control is followed by its description.
admin/monitor
Click the right arrow to modify the admin and monitor accounts.
Clear Login Failure Details
Clears the account login failure details and closes the fields for changing the password.
Change Password
Enables password protection.
Password protection is an account control feature that allows you to select a password policy for more security. When you enable account control on the Administration > Security: Password Policy page, a user must use a password.
When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it can’t be reset to null as long as account control is enabled.
•  Password - Specify a password in the text box.
•  Password Confirm - Retype the new administrator password.
Enable Account
Activates the account. Clear the check box to disable the administrator or monitor account.
When enabled, you may make the account the default user for RADIUS and TACACS+ authorization. You may only designate one account as the default user. Once enabled, the default user account may not be disabled or removed. The Accounts table displays the account as permanent.
Allow Policy Push for Non-Admin Connected Appliances
Enables administrator users to perform configuration pushes to appliances connected with nonadministrator role-based management users, provided the nonadministrator role-based management users have read/write privileges on the appliance.
Apply
Applies your changes to the running configuration.
To add new users and set permissions on role-based users
1. Choose Administration > Security: User Permissions to display the User Permissions page.
2. Complete the configuration as described below, where each control is followed by its description.
Add a New User
Displays the controls for adding a new user.
Account Name
Specify a name for the role-based account.
Password
Specify a password in the text box, and then retype the password for confirmation.
Enable Account
Select the check box to enable the new account.
Make this The AAA Default User (for RADIUS and TACACS+ logins)
Select to make the user the default AAA user to provide strict AAA access for RADIUS and TACACS+ logins.
Policy Visibility Restricted
Restricts viewing, editing, and deleting of policies in groups for which RBM users don’t have access.
•  Users with deny access to a group can’t view the policies associated with that group from the Manage > Policy page.
•  Users with read-only access to a group can only view the policies associated with that group from the Manage > Policy page. Read-only users can’t edit policies.
•  Users can’t view or attach a policy to an accessible group if that policy is already attached to a group for which the user doesn’t have read/write permission.
Users can still view and edit the policies associated with the groups to which they have access. Users with only read/write access to a group can view and edit the policies associated with that group.
User Roles
Create system administrator or role-based management accounts for users.
•  Administrator - Creates a system administrator account for the user. This is an administrator account with full access to configurations and reports on this appliance. This account can also be used to create, edit, and remove user accounts. Create a system administrator account to increase security and to conform to Defense Information Systems Agency (DISA) requirements.
In cases where an AAA server isn’t reachable and the admin user or system administrator isn’t able to log in, you can create a safety account in the Administration > Security: General Settings page. For details, see Configuring general security settings.
•  RBM User - Select to create a role-based management user and apply permissions for each role below.
–  CMC (SCC) Settings - Manages the SCC features: for example, host settings, network settings and reports.
–  AAA Configurations - Authenticates and authorizes SCC users.
Groups
•  Global - Configures Global group permissions.
Appliance Management
Controls appliance upgrades, policy pushes, and so forth.
•  Appliance Upgrade - Configures permissions for appliance upgrade.
•  File Transfer - Configures permissions for file transfers on managed appliances.
•  Non Admin Connected Appliance's Policy - Enables administrator users to perform configuration pushes to appliances connected with nonadministrator role-based management users, provided the nonadministrator role-based management users have read/write privileges on the appliance.
If the push fails, verify that the nonadministrator role-based management user has the required permissions to modify the page that’s being pushed, both on the appliance and on the SCC: for example, to push QoS changes the user must also have read/write permissions for Role Based Accounts > Appliance Management Roles > Optimization Settings > QoS/Path Selection.
•  SteelHead Backup - Configures permissions for SteelHead backups on managed appliances.
•  Operation Status - Configures permissions for operation status on managed appliances.
•  CLI Commands - Configures permissions for CLI commands to managed appliances.
Appliance Settings
Manage appliance permissions, such as cluster configuration, host settings, network settings, and so forth.
•  Interceptor/Cluster Settings - Configures permissions for Interceptor clusters. You must also include the Policy Push role.
•  General Settings - Configures permissions for general system settings.
•  Network Settings - Configures permissions for topology definitions, site and network definitions, application definitions, host interface settings, network interface, DNS cache, hardware assist rules, host labels, and port labels. You must include this role for users configuring path selection or enforcing QoS policies in addition to the QoS and Path Selection roles.
•  Reports - Configures permissions for reports.
•  Basic Diagnostics - Configures permissions for basic diagnostic reports.
•  SteelFusion Branch Storage Device Service - Configures permissions for SteelFusion Branch.
•  TCP Dumps - Configures permissions for TCP Dump.
Appliance AAA Configuration
Appliance security permissions.
•  Security Settings - Configures security permissions, including RADIUS and TACACS authentication settings and the secure vault password.
Optimization Settings
Manage appliance optimization setup.
•  SteelHead In-Path Rules - Configures permissions for TCP traffic for optimization and optimizing traffic with in-path rules. This role includes WAN visibility to preserve TCP/IP address or port information. For details about WAN visibility, see the SteelHead Deployment Guide.
•  QoS/Path Selection - Configures permissions for QoS policies and path selection. You must also include the Network Settings role for QoS and path selection.
Application Optimization Policies
Configure optimization permissions for different applications.
•  Optimization Service - Configures permissions for alarms, performance features, SkipWare, HS-TCP, and TCP optimization.
•  CIFS Optimization - Configures permissions for CIFS optimization settings (including SMB signing) and Overlapping Open optimization.
•  HTTP Optimization - Configures permissions for enhanced HTTP optimization: URL learning, parse and prefetch, object prefetch table, keepalive, insert cookie, file extensions to prefetch, and the ability to set up HTTP optimization for a specific server subnet.
•  Oracle Forms Optimization - Configures permissions for Oracle E-business application content and forms applications.
•  MAPI Optimization - Configures permissions for MAPI and sets Exchange and NSPI ports.
•  SQL Optimization - Configures permissions for SQL optimization.
•  NFS Optimization - Configures permissions for NFS optimization.
•  Notes Optimization - Configures permissions for Lotus Notes optimization.
•  Citrix Optimization - Configures permissions for Citrix optimization.
•  SSL Optimization - Configures permissions for SSL support and the secure inner channel.
•  Replication Optimization - Configures permissions for the SRDF/A, FCIP, and SnapMirror storage optimization modules.
•  Domain Authentication - Configures permissions for joining a Windows domain and configuring Windows domain authentication.
Branch Services
Branch services permissions:
•  Proxy File Service (PFS) - Configures permissions for a virtualized environment on the client SteelHead. The functionality can include third-party packages such as a firewall security package, a streaming video server, or a package that provides core networking services (for example, DNS and DHCP). This role includes permission to install VMware tools and add subnet side rules. For details, see the RSP User Guide.
•  RSP/VSP - Configures permissions for Riverbed Services Platform (RSP) and Virtual Services Platform (VSP).
Add
Adds your settings to the system.
Remove Selected Accounts
Select the check box next to the name and click Remove Selected.
3. Click Save to Disk to save your settings permanently.
Related topic
•  Configuring password policy