Description
NAICE supports a role-based access control model (RBAC) that provides flexible and secure management of administrator permissions.
NAICE supports two types of roles:
Local roles — assigned manually to local user accounts.
External roles — assigned automatically to external user accounts based on verification of the user’s membership in groups from an external identity source.
Privileges support five access levels:
- Level 0, No access — the system user has no access to the functionality of the privilege. The corresponding sections are not displayed in the NAICE web interface.
- Level 1, Reading — the system user can view sections associated with the privilege.
- Level 2, Creation — the system user can create entities associated with the privilege’s functionality.
- Level 3, Editing — the system user can edit entities associated with the privilege’s functionality.
- Level 4, Removal — the system user can delete entities associated with the privilege’s functionality.
Each access level includes all permissions of the previous one.
Some privileges, such as those related to monitoring, have a maximum access level of 1.
Adding new roles and assigning roles to administrators is described in the built-in documentation (Users and devices → System users).
Management of administrator password policies is described in the built-in documentation (System settings → Security and access → Password policies).
Sections included in privileges
Sections that do not require privileges
Account settings.
Documentation.
Dashboard — widget availability depends on the assigned privileges.
System events — availability of event groups depends on the assigned privileges.
Privilege-controlled sections
| Privilege | Section | Access restrictions | License level |
|---|---|---|---|
| RADIUS policy | Policies → Elements: | BASIC | |
Policies: |
| ||
Administration → Identity management: | |||
| RADIUS monitoring | Monitoring → RADIUS: | BASIC | |
| Endpoints | Administration → Identity management: |
| BASIC |
Network resources | Administration → Network resources: | BASIC | |
| TACACS+policy | Network device control → Policy elements: | TACACS+ module | |
Network device control: |
| ||
Administration → Identity management: | |||
| TACACS+monitoring | Monitoring → TACACS+: | TACACS+ module | |
| Profiling | Policies → Profiling: |
| BASIC |
Policies → Elements: | |||
| Roles and accounts | Administration → System users: | BASIC | |
| Guest access | Guest portals → Portal management: | ADVANCED | |
Administration → Identity management: | |||
Guest users | Guest portals → Portal management: | ADVANCED | |
Enterprise users | Administration → Identity management: |
| BASIC |
System settings | System: | “Send test event” becomes available at level 2 | BASIC |
Licensing |
| ||
System settings |
| BASIC | |
External sources | Administration → Identity management: |
| BASIC |
| Notification services | Notification gateways: | “Send test SMS” becomes available at level 2 | ADVANCED |
Privilege dependencies
For the system to operate correctly, some privileges require the presence of other privileges:
- RADIUS policies — requires read access to: Network resources, Profiling, Guest access
- TACACS+ policies — requires read access to: Network resources
- Endpoints — requires read access to: Profiling
- Roles and accounts — requires read privileges for: External sources
- Guest users — requires read access to: Guest access
- Guest access — requires read access to: Notification services
- System settings — requires read privileges for: External sources, Notification services
Predefined roles
The system includes the following predefined roles for common usage scenarios:
- Super Admin — full access to all system functionality.
- Network Admin — management of network access.
- Hardware Admin — management of network devices.
- System Admin — system administration.
- Guest Admin — management of the guest network.
- Guest Operator — guest network operations.
- Monitor — monitoring and data viewing.
| Privilege | Super Admin | Network Admin | Hardware Admin | System Admin | Guest Admin | Guest Operator | Monitor |
|---|---|---|---|---|---|---|---|
| RADIUS policy | 4 | 4 | 0 | 4 | 1 | 0 | 1 |
| RADIUS monitoring | 1 | 1 | 0 | 1 | 1 | 1 | 1 |
| Endpoints | 4 | 4 | 0 | 4 | 0 | 0 | 1 |
| Network resources | 4 | 4 | 4 | 4 | 1 | 0 | 1 |
| TACACS+ policy | 4 | 0 | 4 | 4 | 0 | 0 | 1 |
| TACACS+ monitoring | 1 | 0 | 1 | 1 | 0 | 0 | 1 |
| Profiling | 4 | 4 | 0 | 4 | 1 | 0 | 1 |
| Roles and accounts | 4 | 0 | 0 | 1 | 0 | 0 | 0 |
| Guest access | 4 | 1 | 0 | 4 | 4 | 1 | 1 |
| Guest users | 4 | 4 | 0 | 4 | 4 | 4 | 0 |
| Enterprise users | 4 | 4 | 4 | 4 | 0 | 0 | 0 |
| System settings | 4 | 0 | 0 | 4 | 0 | 0 | 0 |
| External sources | 4 | 1 | 1 | 4 | 0 | 0 | 1 |
| Notification services | 4 | 1 | 0 | 4 | 1 | 1 | 1 |