Просмотреть исходный

Description

NAICE supports a role-based access control model (RBAC) that provides flexible and secure management of administrator permissions.

Privileges support five access levels:

Level 0, No access — the system user has no access to the functionality of the privilege. The corresponding sections are not displayed in the NAICE web interface.
Level 1, Reading — the system user can view sections associated with the privilege.
Level 2, Creation — the system user can create entities associated with the privilege’s functionality.
Level 3, Editing — the system user can edit entities associated with the privilege’s functionality.
Level 4, Removal — the system user can delete entities associated with the privilege’s functionality.

Each access level includes all permissions of the previous one.

Some privileges, such as those related to monitoring, have a maximum access level of 1.

When upgrading from version 0.9, all existing administrative accounts receive the Super Admin role, which grants full access to all system capabilities.

Adding new roles and assigning roles to administrators is described in the built-in documentation (Administration → System users).

Sections included in privileges

Sections that do not require privileges

Account settings.
Documentation.
Dashboard — widget availability depends on the assigned privileges.
System events — availability of event groups depends on the assigned privileges.

Privilege-controlled sections

Privilege	Section	Access restrictions	License level
RADIUS policy	Policies → Elements: → Authorization profiles → Allowed protocols → Conditions → Dictionaries		BASIC
	Policies: → Policy sets	Access levels 1–3 provide Read-only access Management and `“reset counters”` become available at level 4
	Administration → Identity management: → Identity sequences
RADIUSmonitoring	Monitoring → RADIUS: → User sessions		BASIC
Endpoints	Administration → Identity management: → Endpoints → Endpoint groups	`Endpoint groups:` Creating/deleting endpoint groups becomes available at level 2, and adding/removing endpoints to/from a group becomes available starting at level 3	BASIC
Network resources	Administration → Network resources: → Devices → Device groups → Device profiles		BASIC
TACACS+policy	Network device control → Policy elements: → Conditions → TACACS command sets → TACACS profiles → Dictionaries		TACACS+ module
	Network device control: → Network device policies	Access levels 1–3 provide Read-only access Management and `“reset counters”` become available at level 4
	Administration → Identity management: → Identity sequences
TACACS+monitoring	Monitoring → TACACS+: → Connections journal → Accounting		TACACS+ module
Profiling	Policies → Profiling: → Profiling conditions → Profiling policies → Logical profiles	`Profiling policies:` `“Reset counters”` becomes available at level 4	BASIC
Profiling	Policies → Elements: → Dictionaries		BASIC
Roles andaccounts	Administration → System users: → Accounts → Roles		BASIC
Guest access	Guest portals → Portal management: → Portal builder		ADVANCED
Guest access	Administration → Identity management: → Identity sequences		ADVANCED
Guest users	Guest portals → Portal management: → Guest endpoints → Portal users		ADVANCED
Enterprise users	Administration → Identity management: → Network users → Network user groups	`Network user groups:` Creating/deleting user groups becomes available at level 2, and adding/removing users to/from a group becomes available starting at level 3	BASIC
System settings	System: → Log collectors	`“Send test event”` becomes available at level 2	BASIC
System settings	Licensing	Access levels 1–3 provide Read-only access Management and `“reset counters”` become available at level 4
External sources	Administration → Identity management: → External identification sources	`“Check connection”` is available starting at level 1 Adding user groups and attributes becomes available at level 2 Deleting user groups and attributes becomes available at level 3	BASIC
Notification services	Notification gateways: → Notification gateways management	`“Send test SMS”` becomes available at level 2	ADVANCED

Privilege dependencies

For the system to operate correctly, some privileges require the presence of other privileges:

RADIUS policies — requires read access to: Network resources, Profiling, Guest access
TACACS+ policies — requires read access to: Network resources
Endpoints — requires read access to: Profiling
Guest users — requires read access to: Guest access
Guest access — requires read access to: Notification services

Predefined roles

The system includes the following predefined roles for common usage scenarios:

Super Admin — full access to all system functionality.
Network Admin — management of network access.
Hardware Admin — management of network devices.
System Admin — system administration.
Guest Admin — management of the guest network.
Guest Operator — guest network operations.
Monitor — monitoring and data viewing.

Privilege	Super Admin	Network Admin	Hardware Admin	System Admin	Guest Admin	Guest Operator	Monitor
RADIUS policy	4	4	0	4	1	0	1
RADIUS monitoring	1	1	0	1	1	1	1
Endpoints	4	4	0	4	0	0	1
Network resources	4	4	4	4	1	0	1
TACACS+ policy	4	0	4	4	0	0	1
TACACS+ monitoring	1	0	1	1	0	0	1
Profiling	4	4	0	4	1	0	1
Roles and accounts	4	0	0	1	0	0	0
Guest access	4	1	0	4	4	1	1
Guest users	4	4	0	4	4	4	0
Enterprise users	4	4	4	4	0	0	0
System settings	4	0	0	4	0	0	0
External sources	4	1	1	4	0	0	1
Notification services	4	1	0	4	1	1	1