Description

NAICE supports a role-based access control model (RBAC) that provides flexible and secure management of administrator permissions.

NAICE supports two types of roles:

  • Local roles — assigned manually to local user accounts.

  • External roles — assigned automatically to external user accounts based on verification of the user’s membership in groups from an external identity source.

Privileges support five access levels: 

  • Level 0, No access — the system user has no access to the functionality of the privilege. The corresponding sections are not displayed in the NAICE web interface.
  • Level 1, Reading — the system user can view sections associated with the privilege.
  • Level 2, Creation — the system user can create entities associated with the privilege’s functionality.
  • Level 3, Editing — the system user can edit entities associated with the privilege’s functionality.
  • Level 4, Removal — the system user can delete entities associated with the privilege’s functionality.

Each access level includes all permissions of the previous one.

Some privileges, such as those related to monitoring, have a maximum access level of 1.

Adding new roles and assigning roles to administrators is described in the built-in documentation (Users and devices → System users).

Management of administrator password policies is described in the built-in documentation (System settingsSecurity and accessPassword policies).

Sections included in privileges 

Sections that do not require privileges

  • Account settings.

  • Documentation.

  • Dashboard — widget availability depends on the assigned privileges.

  • System events — availability of event groups depends on the assigned privileges.

Privilege-controlled sections

PrivilegeSectionAccess restrictionsLicense level
RADIUS policy

Policies → Elements:
→ Authorization profiles
→ Allowed protocols
→ Conditions
→ Dictionaries






BASIC

Policies:
→ Policy sets

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

Administration → Identity management:
→ Identity sequences


RADIUS monitoring

Monitoring → RADIUS:
→ User sessions


BASIC
Endpoints

Administration → Identity management:
→ Endpoints
→ Endpoint groups

Endpoint groups:

  • Creating/deleting endpoint groups becomes available at level 2, and adding/removing endpoints to/from a group becomes available starting at level 3

BASIC

Network resources

Administration → Network resources:
Devices
→ Device groups
→ Device profiles



BASIC

TACACS+policy

Network device control → Policy elements:
→ Conditions
→ TACACS command sets
→ TACACS profiles
→ Dictionaries





TACACS+ module

Network device control:
→ Network device policies

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

Administration → Identity management:
Identity sequences


TACACS+monitoring

Monitoring → TACACS+:
→ Connections journal
→ Accounting


TACACS+ module
Profiling

Policies → Profiling:
→ Profiling conditions
→ Profiling policies
→ Logical profiles

Profiling policies:

  • “Reset counters” becomes available at level 4



BASIC

Policies → Elements:
→ Dictionaries


Roles and accounts

Administration → System users:
→ Accounts
→ Roles


BASIC
Guest access

Guest portals → Portal management:
→ Portal builder



ADVANCED

Administration → Identity management:
→ Identity sequences


Guest users

Guest portals → Portal management:
→ Guest endpoints
→ Portal users


ADVANCED

Enterprise users

Administration → Identity management:
→ Network users
→ Network user groups

Network user groups:

  • Creating/deleting user groups becomes available at level 2, and adding/removing users to/from a group becomes available starting at level 3
BASIC

System settings

System:
→ Log collectors

“Send test event” becomes available at level 2BASIC

Licensing

  • Access levels 0–3 provide Read-only access
  • Management and “reset counters” become available at level 4

System settings

  • Access levels 0–3 provide Read-only access
  • Management and “reset counters” become available at level 4
BASIC

External sources

Administration → Identity management:
→ External identification sources

  • “Check connection” is available starting at level 1
  • Adding user groups and attributes becomes available at level 2
  • Deleting user groups and attributes becomes available at level 3
BASIC
Notification services

Notification gateways:
→ Notification gateways management

“Send test SMS” becomes available at level 2ADVANCED

Privilege dependencies

For the system to operate correctly, some privileges require the presence of other privileges:

  • RADIUS policies — requires read access to: Network resources, Profiling, Guest access
  • TACACS+ policies — requires read access to: Network resources
  • Endpoints — requires read access to: Profiling
  • Roles and accounts — requires read privileges for: External sources
  • Guest users — requires read access to: Guest access
  • Guest access — requires read access to: Notification services
  • System settings — requires read privileges for: External sources, Notification services

Predefined roles

The system includes the following predefined roles for common usage scenarios:

  • Super Admin — full access to all system functionality.
  • Network Admin — management of network access.
  • Hardware Admin — management of network devices.
  • System Admin — system administration.
  • Guest Admin — management of the guest network.
  • Guest Operator — guest network operations.
  • Monitor — monitoring and data viewing.


PrivilegeSuper AdminNetwork Admin

Hardware Admin

System AdminGuest Admin

Guest Operator

Monitor

RADIUS policy4404101
RADIUS monitoring1101111
Endpoints4404001
Network resources4444101
TACACS+ policy4044001
TACACS+ monitoring1011001
Profiling4404101
Roles and accounts4001000
Guest access4104411
Guest users4404440
Enterprise users4444000
System settings4004000
External sources4114001
Notification services4104111
  • Нет меток