Difference between revisions of "UM::User Management"

From NetXMS Wiki

(Replaced content with "Information moved to documentation: https://www.netxms.org/documentation/adminguide/user-management.html")

{{DISPLAYTITLE:User Management}}
= Introduction =
NetXMS has its own user database. All NetXMS user accounts are stored in the backend SQL database. Each account has its own unique login name and numeric identifier. Depending on the authentication method, the account may also have a password.


= Terms and Definitions =
 
== Users ==
 
NetXMS has the following attributes for users:
* Unique identifier
* Unique login name
* First name
* Last name
* Description
* Authentication method
* Password
* Certificate
 
Not all attributes are mandatory.
 
=== Superuser ===
 
NetXMS has a built-in superuser with ID 0, which always has full access to the system regardless of any access control list. The default login name for the superuser is '''admin'''. The superuser account can be renamed or disabled, but cannot be deleted. Because it bypasses all access control, set a strong password for it and reserve it for recovery and initial setup; day-to-day administration should be done with named accounts that belong to groups carrying only the rights they need.
 
== Groups ==
 
Each user can be a member of several groups. Groups are the preferred way to organize access permissions: always grant permissions to groups instead of individual users. That way the access control lists stay much shorter and easier to review. Access rights from all groups a user belongs to are combined (the union of the rights) to calculate the user's effective access rights.
 
=== Everyone Group ===
 
NetXMS has a built-in virtual group called '''Everyone'''. This group always contains all users in the system. It cannot be deleted, and its member list cannot be edited. Any right granted to Everyone is therefore granted to every account, including ones created later.
 
== System Access Rights ==
 
System access rights are used to grant access to system-wide configuration (like the [[UM:Event_Processing#Event_Processing_Policy|Event Processing Policy]]) and functions (like agent registration). The following system access rights can be granted:
 
{| class="wikitable"
|-
! Access Right !! Description
|-
| Access server console || Allow user to access server's debug console.
|-
| Configure event templates || Allow user to configure event templates.
|-
| Configure object tools || Allow user to configure object tools.
|-
| Configure server actions || Allow user to configure server actions.
|-
| Configure situations || Allow user to configure [[UM:Event_Processing#Situations|situations]].
|-
| Configure SNMP traps || Allow user to configure SNMP trap mapping.
|-
| Control user sessions || Allow user to see active user sessions and force terminate them.
|-
| Delete alarms || Allow user to delete alarms from database.
|-
| Edit event processing policy || Allow user to edit [[UM:Event_Processing#Event_Processing_Policy|Event Processing Policy]].
|-
| Edit server configuration variables || Allow user to edit server configuration variables.
|-
| Manage agent configurations || Allow user to create, edit, and delete agent configurations stored on server.
|-
| Manage packages || Allow user to install, remove, and deploy agent packages.
|-
| Manage server files || Allow user to upload files to server and delete files stored on server.
|-
| Manage script library || Allow user to manage scripts in Script Library.
|-
| Manage users || Allow user to manage user accounts. Please note that a user with this right can modify their own account to grant themselves any other system right, so it is effectively equivalent to full system access and should be granted as sparingly as superuser access.
|-
| Read server files || Allow user to read files stored on server and upload to agents (user still needs appropriate object rights for upload).
|-
| Register agents || Allow user to register NetXMS agents.
|-
| Send SMS || Allow user to send SMS via NetXMS server. This access right has no effect unless the server configuration variable '''AllowDirectSMS''' is set to 1.
|-
| View audit log || Allow user to view audit log.
|-
| View event log || Allow user to view event log.
|-
| View event templates configuration || Allow user to view configured event templates.
|-
| View SNMP trap log || Allow user to view SNMP trap log.
|}
 
== Object Access Rights ==
 
Object access rights control access to NetXMS objects. Permissions given on an object are inherited by all of its child objects, unless inheritance is specifically blocked by turning off the "Inherit access rights from parent object(s)" option in the child object's access control properties. Permissions given at different levels of the object tree are combined (the union of the rights) to form the user's effective rights for the object.
 
The following object access rights can be granted:
 
{| class="wikitable"
|-
! Access Right !! Description
|-
| Access control || Modify access control list for this object. Please note that user with this access right can grant any other access rights to own account.
|-
| Acknowledge alarms || Acknowledge alarms with this object as source.
|-
| Control || For node objects, execute object tools of type "Remote Command".
|-
| Create child objects || Create child objects (or bind existing) under this object.
|-
| Delete || Delete this object.
|-
| Modify || Modify object's properties (except access control).
|-
| Push data || Push data for DCIs on this object.
|-
| Read || View object in the tree and read its information. For node objects, read access allows to view collected DCI data.
|-
| Send events || Send events on behalf of this object.
|-
| Terminate alarms || Terminate alarms with this object as source.
|-
| View alarms || View alarms with this object as source.
|}
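The two rules above (rights are the union over the user and all of the user's groups, and rights accumulate down the object tree until an object blocks inheritance) are easy to get wrong when reviewing an ACL by hand. The following is an added example written for this page that models those semantics; it is not NetXMS server code. The bit values, the object tree, the group memberships and the ACL entries are all constructed for illustration, and the Everyone group is modelled as implicitly containing every user.

```python
"""Model of effective object rights: union of rights from the user's own ACL
entries and every group entry, accumulated up the object tree unless an object
has inheritance switched off. Illustrative code for this page, not NetXMS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Bit flags standing in for the object access rights in the table above.
# The numeric values are an assumption of this example.
READ, MODIFY, CREATE, DELETE, CONTROL, ACCESS_CONTROL = 1, 2, 4, 8, 16, 32
RIGHT_NAMES = {READ: "Read", MODIFY: "Modify", CREATE: "Create child objects",
               DELETE: "Delete", CONTROL: "Control", ACCESS_CONTROL: "Access control"}


@dataclass
class Obj:
    name: str
    parent: Optional["Obj"] = None
    inherit: bool = True                                # "Inherit access rights from parent object(s)"
    acl: Dict[str, int] = field(default_factory=dict)   # principal name -> rights bitmask


def principals(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user, every group containing the user, and the built-in Everyone group."""
    return {user, "Everyone"} | {g for g, members in groups.items() if user in members}


def effective_rights(user: str, obj: Obj, groups: Dict[str, Set[str]]) -> int:
    """Walk from the object towards the root, OR-ing in every matching ACL entry,
    and stop climbing at the first object whose inheritance flag is off."""
    ps = principals(user, groups)
    rights = 0
    node: Optional[Obj] = obj
    while node is not None:
        for p in ps:
            rights |= node.acl.get(p, 0)
        if not node.inherit:
            break           # parent ACLs are blocked at this object
        node = node.parent
    return rights


def describe(mask: int) -> List[str]:
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


# Constructed sample tree: Infrastructure -> Datacenter -> core-sw1, and Lab,
# which blocks inheritance from Infrastructure.
root = Obj("Infrastructure", acl={"Everyone": READ, "NetAdmins": READ | MODIFY | CONTROL})
dc = Obj("Datacenter", parent=root, acl={"DCOps": READ | MODIFY})
sw = Obj("core-sw1", parent=dc, acl={"bob": DELETE})
lab = Obj("Lab", parent=root, inherit=False, acl={"LabUsers": READ})

GROUPS = {"NetAdmins": {"alice"}, "DCOps": {"bob"}, "LabUsers": {"carol"}}

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        for o in (sw, lab):
            print(f"{u:6} on {o.name:14}: {describe(effective_rights(u, o, GROUPS))}")
```

Running it shows the two effects worth checking in a real ACL review: bob's Delete right on core-sw1 is added to the Read and Modify he inherits through DCOps, and alice, despite being a NetAdmin, has no rights at all on Lab because Lab blocks inheritance and grants nothing to her or her groups.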
 
= User Authentication =
 
== Internal Password ==
 
This is the default authentication method. The password provided by the user is compared against the password stored in the NetXMS database.
 
=== Password Policy ===
 
Various restrictions can be put on internal passwords to force users to choose stronger passwords. The following server configuration variables control the password policy (all of them default to 0, i.e. no restriction, so a fresh installation enforces no policy until they are set):
 
{| class="wikitable"
|-
! Variable !! Description !! Default Value
|-
| MinPasswordLength || Default minimum password length for a NetXMS user. The default is applied only if no per-user setting is defined. 0 means no minimum length. || 0
|-
| PasswordComplexity || Set of flags to enforce password complexity. The following flags can be used:
{| class="wikitable"
|-
! Value !! Description
|-
| 1 || Password must contain digits
|-
| 2 || Password must contain uppercase letters
|-
| 4 || Password must contain lowercase letters
|-
| 8 || Password must contain special characters
|-
| 16 || Forbid alphabetical sequences (password considered invalid if it contains alphabetical sequence of 3 or more letters of same case).
|-
| 32 || Forbid keyboard sequences (password considered invalid if it contains sequence of 3 or more characters that are located on keyboard next to each other, like ''ASDF'').
|}
Flags can be added together to get the desired restrictions. For example, to force passwords to contain both uppercase and lowercase letters, set PasswordComplexity to 6 (2 + 4); 63 enables all six checks.
|| 0
|-
| PasswordExpiration || Password expiration time in days. If set to 0, password expiration is disabled. Has no effect on users with the "password never expires" flag set. || 0
|-
| PasswordHistoryLength || Number of previous passwords to keep. Users are not allowed to set password if it matches one from previous passwords list. || 0
|}
 
Changes to these configuration variables become effective immediately and do not require a NetXMS server restart.
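To make the flag semantics concrete, here is an added example of a checker that applies the rules from the table (PasswordComplexity flags, MinPasswordLength and PasswordHistoryLength) to a candidate password. It is written for this page and is not the NetXMS server's implementation: the alphabetical-sequence rule is read as three or more same-case letters that are consecutive in the alphabet in either direction, the keyboard-sequence rule uses US QWERTY rows, and the salted SHA-256 used to hold the history is only a stand-in, since the page does not describe how NetXMS stores previous passwords.

```python
"""Illustrative password-policy checker for the rules described on this page.
Not NetXMS code; sequence-detection details are this example's reading of the table."""
import hashlib
import os
from typing import List, Tuple

# PasswordComplexity flag values from the table above.
PW_DIGITS, PW_UPPER, PW_LOWER, PW_SPECIAL = 1, 2, 4, 8
PW_NO_ALPHA_SEQ, PW_NO_KBD_SEQ = 16, 32

# Rows used for the keyboard-sequence check (US QWERTY; an assumption of this example).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_alpha_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive letters of the same case that are
    consecutive in the alphabet, ascending or descending (e.g. 'abc', 'ZYX')."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isalpha() or not (chunk.islower() or chunk.isupper()):
            continue
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters lie next to each other on a keyboard row
    (case-insensitive, either direction), e.g. 'asdf' or '4321'."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_complexity(pw: str, flags: int) -> List[str]:
    """Return the list of violated PasswordComplexity rules (empty list == accepted)."""
    problems = []
    if flags & PW_DIGITS and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if flags & PW_UPPER and not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if flags & PW_LOWER and not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if flags & PW_SPECIAL and not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    if flags & PW_NO_ALPHA_SEQ and has_alpha_sequence(pw):
        problems.append("alphabetical sequence")
    if flags & PW_NO_KBD_SEQ and has_keyboard_sequence(pw):
        problems.append("keyboard sequence")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted SHA-256 keeps history entries out of the clear in this example only;
    # the page does not describe NetXMS's own storage format.
    return hashlib.sha256(salt + pw.encode()).digest()


def validate_new_password(pw: str, min_length: int, flags: int,
                          history: List[Tuple[bytes, bytes]], history_length: int) -> List[str]:
    """history holds (salt, digest) pairs, oldest first; only the newest
    `history_length` entries are consulted, mirroring PasswordHistoryLength."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than MinPasswordLength={min_length}")
    problems += check_complexity(pw, flags)
    recent = history[-history_length:] if history_length > 0 else []
    if any(hash_password(pw, salt) == digest for salt, digest in recent):
        problems.append("matches a previous password")
    return problems


# Equivalent of PasswordComplexity=63 (all flags set).
POLICY_FLAGS = PW_DIGITS | PW_UPPER | PW_LOWER | PW_SPECIAL | PW_NO_ALPHA_SEQ | PW_NO_KBD_SEQ

if __name__ == "__main__":
    salt = os.urandom(16)
    hist = [(salt, hash_password("Old!Passw0rd-x", salt))]     # constructed history
    for cand in ("Qwerty!2345678", "Old!Passw0rd-x", "Tr3e-h0use#Lamp"):
        print(cand, "->", validate_new_password(cand, 12, POLICY_FLAGS, hist, 5) or "OK")
```

The first candidate satisfies every character-class flag and the length rule yet is rejected by flag 32 alone ("qwe" and "234" are keyboard runs), which is the case the sequence flags exist for: a policy of only 15 (digits, upper, lower, special) would have accepted it.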
 
== RADIUS ==
 
If the RADIUS authentication method is selected, the password provided by the user is sent to the [http://en.wikipedia.org/wiki/RADIUS RADIUS] server for validation, and the user is granted access if the RADIUS server responds with Access-Accept. Communication between the NetXMS server and the RADIUS server is controlled by the following server configuration variables:
 
{| class="wikitable"
|-
! Variable !! Description !! Default value
|-
| RADIUSNumRetries || The number of retries for RADIUS authentication. || 5
|-
| RADIUSPort || Port number used for connection to primary RADIUS server. 1645 is the original RADIUS port; the IANA-assigned port from RFC 2865 is 1812, which most current RADIUS servers listen on, so set this to match your server. || 1645
|-
| RADIUSSecondaryPort || Port number used for connection to secondary RADIUS server (same note as for RADIUSPort). || 1645
|-
| RADIUSSecondarySecret || Shared secret used for communication with secondary RADIUS server. Change it from the default. || netxms
|-
| RADIUSSecondaryServer || Host name or IP address of secondary RADIUS server. || none
|-
| RADIUSSecret || Shared secret used for communication with primary RADIUS server. Change it from the default: the secret is the only thing that authenticates the RADIUS server's reply, and anyone who knows it and can send UDP packets to the NetXMS server can forge an Access-Accept. || netxms
|-
| RADIUSServer || Host name or IP address of primary RADIUS server. || none
|-
| RADIUSTimeout || Timeout in seconds for requests to RADIUS server || 3
|}
 
Changes to these configuration variables become effective immediately and do not require a NetXMS server restart.
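What the shared secret actually protects is easier to see on the wire. The following is an added example, written for this page and not taken from NetXMS, of the RFC 2865 exchange behind a RADIUS-authenticated login: building an Access-Request whose User-Password attribute is obfuscated with the secret and the Request Authenticator, recovering the password on the server side, and verifying the Response Authenticator on the Access-Accept. The secret, user name, password and NAS address are constructed; `build_response` plays the role of the RADIUS server so the exchange runs offline.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865 (PAP).
Added example for this page; not NetXMS server code."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator. This is obfuscation keyed by the secret, not real encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str = "10.0.0.5",
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator). The authenticator must be 16
    unpredictable bytes; it is only injectable here so the example is testable."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, ra))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What the RADIUS server (or anyone holding the secret) sends back."""
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_auth, secret) + attrs)


def verify_response(packet: bytes, expected_ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Grant access only for an Access-Accept that matches the outstanding request
    and whose authenticator proves knowledge of the shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return code == ACCESS_ACCEPT and hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"netxms"                       # the default from the table; never keep it
    pkt, ra = build_access_request(7, "alice", "s3cret", secret)
    print("server recovered:", decrypt_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], secret, pkt[4:20]))
    print("accept verifies:", verify_response(build_response(ACCESS_ACCEPT, 7, ra, secret), 7, ra, secret))
    print("forged with wrong secret:", verify_response(build_response(ACCESS_ACCEPT, 7, ra, b"guess"), 7, ra, secret))
```

Note what `build_response` implies: the Response Authenticator is an MD5 over the packet and the secret, with no per-session key, so whoever knows the secret and can get a UDP datagram with the right Identifier to the NetXMS server before the real reply can produce an Access-Accept that `verify_response` accepts. That is why the default secret of ''netxms'' must be replaced with a long random one and why the path between the NetXMS server and the RADIUS server should be a trusted network or a tunnel.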
 
= Managing User Accounts =
 
All NetXMS user accounts can be managed from "User Manager", accessible via the Configuration menu in the NetXMS Console. Only users with the system right "Manage users" granted can access User Manager.
 
* To create new user account, select "Create new user" from view menu or context menu.
 
* To create new group, select "Create new group" from view menu or context menu.
 
* To delete user account, select it in the list, right-click, and select "Delete" from popup menu. You can delete multiple accounts at a time.
 
* To modify properties of user or group, select it in the list, right-click, and select "Properties..." from popup menu.
 
* To reset user's password, select user account in the list, right-click, and select "Change password..." from popup menu.
 
= Audit =
 
All important user actions are written to the audit log. There are two audit logging modes, internal and external. Internal audit logging is on by default and writes audit records into a table in the NetXMS database. External audit logging sends audit records to an external system via the [http://en.wikipedia.org/wiki/Syslog syslog] protocol over UDP; it is off by default. Because the internal log lives in the same database that a user with "Manage users" or server-level access can reach, forwarding a copy to an external collector is what makes the trail tamper-evident. Audit logging is controlled by the following server configuration variables:
 
{| class="wikitable"
|-
! Variable !! Description !! Default value
|-
| AuditLogRetentionTime || Retention time in days for the records in internal audit log. All records older than specified will be deleted by housekeeping process. || 90
|-
| EnableAuditLog || Enable (1) or disable (0) audit logging. || 1
|-
| ExternalAuditFacility || Syslog facility to be used in audit log records sent to external server. || 13
|-
| ExternalAuditPort || UDP port of external syslog server to send audit records to. || 514
|-
| ExternalAuditServer || External syslog server to send audit records to. If set to ''none'', external audit logging is disabled. || none
|-
| ExternalAuditSeverity || Syslog severity to be used in audit log records sent to external server. || 5
|-
| ExternalAuditTag || Syslog tag to be used in audit log records sent to external server. || netxmsd-audit
|}
 
Changes to these variables require a NetXMS server restart.
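On the receiving side, the ExternalAuditFacility, ExternalAuditSeverity and ExternalAuditTag values show up as the syslog PRI field (facility * 8 + severity, so the defaults 13 and 5 give <109>) and the TAG field of each record. The following added example, written for this page rather than taken from NetXMS, builds an RFC 3164 datagram from those three settings, parses one on the collector, and filters for NetXMS audit records; the sample audit message text is constructed and does not reflect NetXMS's actual record format.

```python
"""RFC 3164 syslog framing and parsing for the ExternalAudit* settings.
Added example for this page; the audit message bodies are constructed."""
import re
import socket
import time
from typing import Dict, Optional

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# <PRI>TIMESTAMP HOST TAG[PID]: MSG  (PID part optional)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def rfc3164_timestamp(t: float) -> str:
    lt = time.localtime(t)
    return f"{MONTHS[lt.tm_mon - 1]} {lt.tm_mday:2d} {lt.tm_hour:02d}:{lt.tm_min:02d}:{lt.tm_sec:02d}"


def format_rfc3164(facility: int, severity: int, tag: str, hostname: str,
                   message: str, when: Optional[float] = None) -> bytes:
    """Build the datagram the way a sender configured with these values would."""
    ts = rfc3164_timestamp(time.time() if when is None else when)
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {tag}: {message}".encode()


def parse_rfc3164(line: str) -> Optional[Dict[str, object]]:
    """Decode PRI back into facility/severity and split out host, tag and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"], "message": m["msg"]}


def is_netxms_audit(rec: Optional[Dict[str, object]],
                    tag: str = "netxmsd-audit", facility: int = 13) -> bool:
    """Collector-side filter matching the ExternalAuditTag/Facility defaults."""
    return rec is not None and rec["tag"] == tag and rec["facility"] == facility


def send_udp(datagram: bytes, server: str, port: int = 514) -> None:
    """Plain UDP, as configured by ExternalAuditServer/ExternalAuditPort."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


if __name__ == "__main__":
    # Constructed sample lines: one NetXMS audit record, one unrelated sshd record.
    for line in ("<109>Nov 24 17:43:00 netxms-srv netxmsd-audit: user admin (session 5): created user account bob",
                 "<38>Nov 24 17:43:01 gw sshd[912]: Accepted publickey for root"):
        rec = parse_rfc3164(line)
        print(is_netxms_audit(rec), rec)
```

Facility 13 is the "log audit" facility in the RFC 3164 numbering and severity 5 is Notice, so the defaults already land in a sensible place in most collectors; if your SIEM keys on a different facility, adjust the variables rather than rewriting on ingest. Syslog over UDP carries no authentication or integrity protection, so records can be dropped or spoofed by anyone on the path; keep the collector on a trusted segment or tunnel the traffic.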

Revision as of 17:43, 24 November 2017