Alcatel-Lucent OmniVista Cirrus

Network Management as a Service

Users and User Groups Overview

The Users and User Groups application enables you to control user access to OmniVista and to network devices. Access to OmniVista is controlled through the definition of user logins and passwords. Access to network switches is controlled through the use of User Groups, which have specified levels of access to switches. You can further define access with the User Role feature, which can be used to specify read/write access to specific OmniVista applications and network devices.

All OmniVista users must be assigned to at least one User Group, which defines the access rights and roles for its members. User Groups and user logins are configured from the Users and User Groups application, and constitute one level of network security. Users can also be configured for Two-Factor Authentication, based on User Role. Security levels are summarized below.

User Groups, Users, and User Roles are configured using the following screens:

  • Role Management - Used to configure User Roles to restrict user access/rights to specific devices and OmniVista applications.
  • Group Management - Used to configure User Groups to define access to OmniVista and network devices. A User Role is associated with a User Group to specify read/write access to specific devices and OmniVista applications.
  • User Management - Used to configure users and assign the user to a User Group.
  • Two-Factor Authentication - Used to enable/disable Two-Factor Authentication for user login based on User Role.

Note: A User Role is an option that enables you to provide user access/rights to specific applications and network devices. For the most part, configuring Users and User Groups is all that will be required.

Security Levels

Security levels are configured in the Users and User Groups application, and through the Command Line Interface (CLI):

  • SNMP Get and Set Community Names - Get and Set Community names act as read and write passwords that define whether any OmniVista user is allowed to read or write the switch's configuration information. Get and Set Community names are configurable only from the switch itself. Configured through the Console Port or CLI.
  • OmniVista User Groups - User Groups in OmniVista provide different levels of access to switches. An OmniVista user's access rights are based on the access rights of his/her assigned User Group. Configured in the Users and User Groups application.

Default Groups, Users, Roles

OmniVista security uses a combination of user logins, User Groups, and User Roles to control access to OmniVista, network switches, and applications. OmniVista is shipped with the pre-configured user logins, passwords, and User Groups described below. The Users and User Groups application enables you to modify these User Groups, Users, and passwords, or create new ones. Note that the pre-configured user admin is the only user that has permission to change the user logins and User Groups defined by the Users and User Groups application. The pre-configured User Groups, Users, and Roles shipped with OmniVista are as follows:

| Group | User | Role | Access |
|---|---|---|---|
| Administrators | admin | Account Admin | Full administrative rights to all devices in the network and full administrative rights to the following features, which are only available to this user: User Management; License Management; Write Operations of System Settings; Control Panel Watchdog, Scheduler Management, and Session Management. The default password for this user is switch. |
| Network Administrators | netadmin | Network Admin | Full administrative rights to all devices in the network, as well as the Audit - Collect Support Info Feature. The default password for this user is switch. |
| Writers | writer | Write | Read/Write access to all devices in the network. The default password for this user is switch. |
| Default | user | Read | Read access to all devices in the network. The default password for this user is switch. |

Note: A User Role is an option that enables you to provide user access/rights to specific OmniVista applications and network devices. For the most part, configuring Users and User Groups is all that will be required. The User Roles feature is configured on the Role Management Screen. This feature enables you to specify access to specific applications, as well as devices using Topology maps. You can also limit user access to specific devices for VLAN and VXLAN configuration. You create a User Role to specify user access, associate it with a User Group, and then create a user in that User Group.

Working with User Groups, Users, and User Roles

You can use one of the pre-configured User Groups or use the Group Management Screen to create a new group or edit one of the pre-configured groups. You can use one of the pre-configured users or use the User Management Screen to create a new user or edit one of the pre-configured users. You can also use the Role Management Screen to create a new role.

Note: All pre-configured users have the same default password, switch. At a minimum, it is recommended that you redefine the passwords.

The User Role feature allows you to limit users to specific network devices and applications. For example, OmniVista users with Admin rights can view and manage every device in the network, and have read/write access for all applications. With the User Role feature, you can limit the devices a user can manage and the applications the user can configure by creating a User Role with access to a specific Topology map.

To use the User Role feature, you create a User Role with access to a specific Topology map and read/write access to one or more specific applications. You then create a User Group and associate that group with that User Role. Finally, you create a user and associate it with that User Group. The user would then have full administrative rights to the specified applications for all devices in the specified map.

For example, you could create a User Role (User Role 1) with access to devices in Map 1 and read/write access to the Application Visibility application. A user with this role would be able to access all devices in Map 1 and configure Application Visibility on those devices. And since a user can have multiple roles, you could create a second User Role (User Role 2) with access to Map 2 and read/write access to the CLI Scripting application and assign it to the same user. That user could now configure Application Visibility on devices in Map 1, and CLI Scripting on devices in Map 2.
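The two-role example above can be modeled to review effective access before roles are assigned. This is an added sketch, not OmniVista code: the device names, group names and users are constructed, and it assumes each User Role is evaluated on its own, as the example describes.

```python
from itertools import product

# Constructed inventory mirroring the example above; device names are made up.
DEVICE_MAP = {"sw-a1": "Map 1", "sw-a2": "Map 1", "sw-b1": "Map 2"}
ROLES = {  # role -> (Topology maps, applications with read/write access)
    "User Role 1": ({"Map 1"}, {"Application Visibility"}),
    "User Role 2": ({"Map 2"}, {"CLI Scripting"}),
}
# Hypothetical groups and users, one role per group.
GROUP_ROLES = {"AppVis Operators": ["User Role 1"],
               "Script Operators": ["User Role 2"]}
USER_GROUPS = {"alice": ["AppVis Operators", "Script Operators"],
               "bob": ["AppVis Operators"]}


def roles_of(user):
    """Resolve user -> User Groups -> User Roles."""
    return [r for g in USER_GROUPS.get(user, []) for r in GROUP_ROLES[g]]


def effective_rights(user):
    """(map, application) pairs the user can configure, role by role."""
    rights = set()
    for role in roles_of(user):
        maps, apps = ROLES[role]
        rights |= set(product(maps, apps))
    return rights


def can_configure(user, device, app):
    """True if one role covers both the device's map and the application."""
    return (DEVICE_MAP.get(device), app) in effective_rights(user)


def merged_role_excess(user):
    """Extra pairs a single merged role (all maps x all apps) would grant."""
    maps, apps = set(), set()
    for role in roles_of(user):
        maps |= ROLES[role][0]
        apps |= ROLES[role][1]
    return set(product(maps, apps)) - effective_rights(user)


if __name__ == "__main__":
    for dev, app in [("sw-a1", "Application Visibility"), ("sw-a1", "CLI Scripting")]:
        print("alice", dev, app, can_configure("alice", dev, app))
    print("excess if merged:", sorted(merged_role_excess("alice")))
```

The `merged_role_excess` result shows why the two roles are kept separate: collapsing them into one role would also grant CLI Scripting on Map 1 and Application Visibility on Map 2.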

Two-Factor Authentication

Two-Factor Authentication uses the Google Authenticator App to generate a time-based, 6-digit code that must be entered in addition to a user’s login/password to log into OmniVista Cirrus. Two-Factor Authentication is configured for a user based on User Role. Once Two-Factor Authentication is set up for a user, the user will be required to enter their username/login, and then the 6-digit code generated by Google Authenticator to log into OmniVista Cirrus.