Description

NAICE supports a role-based access control model (RBAC) that provides flexible and secure management of administrator permissions.

NAICE supports two types of roles:

Privileges support five access levels: 

Each access level includes all permissions of the previous one.

Some privileges, such as those related to monitoring, have a maximum access level of 1.

Adding new roles and assigning roles to administrators is described in the built-in documentation (Users and devices → System users).

Management of administrator password policies is described in the built-in documentation (System settingsSecurity and accessPassword policies).

Sections included in privileges 

Sections that do not require privileges

Privilege-controlled sections

PrivilegeSectionAccess restrictionsLicense level
RADIUS policy

Policies → Elements:
→ Authorization profiles
→ Allowed protocols
→ Conditions
→ Dictionaries






BASIC

Policies:
→ Policy sets

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

Administration → Identity management:
→ Identity sequences


RADIUS monitoring

Monitoring → RADIUS:
→ User sessions


BASIC
Endpoints

Administration → Identity management:
→ Endpoints
→ Endpoint groups

Endpoint groups:

  • Creating/deleting endpoint groups becomes available at level 2, and adding/removing endpoints to/from a group becomes available starting at level 3

BASIC

Network resources

Administration → Network resources:
Devices
→ Device groups
→ Device profiles



BASIC

TACACS+policy

Network device control → Policy elements:
→ Conditions
→ TACACS command sets
→ TACACS profiles
→ Dictionaries





TACACS+ module

Network device control:
→ Network device policies

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

Administration → Identity management:
Identity sequences


TACACS+monitoring

Monitoring → TACACS+:
→ Connections journal
→ Accounting


TACACS+ module
Profiling

Policies → Profiling:
→ Profiling conditions
→ Profiling policies
→ Logical profiles

Profiling policies:

  • “Reset counters” becomes available at level 4



BASIC

Policies → Elements:
→ Dictionaries


Roles and accounts

Administration → System users:
→ Accounts
→ Roles


BASIC
Guest access

Guest portals → Portal management:
→ Portal builder



ADVANCED

Administration → Identity management:
→ Identity sequences


Guest users

Guest portals → Portal management:
→ Guest endpoints
→ Portal users


ADVANCED

Enterprise users

Administration → Identity management:
→ Network users
→ Network user groups

Network user groups:

  • Creating/deleting user groups becomes available at level 2, and adding/removing users to/from a group becomes available starting at level 3
BASIC

System settings

System:
→ Log collectors

“Send test event” becomes available at level 2BASIC

Licensing

  • Access levels 0–3 provide Read-only access
  • Management and “reset counters” become available at level 4

System settings

  • Access levels 0–3 provide Read-only access
  • Management and “reset counters” become available at level 4
BASIC

External sources

Administration → Identity management:
→ External identification sources

  • “Check connection” is available starting at level 1
  • Adding user groups and attributes becomes available at level 2
  • Deleting user groups and attributes becomes available at level 3
BASIC
Notification services

Notification gateways:
→ Notification gateways management

“Send test SMS” becomes available at level 2ADVANCED

Privilege dependencies

For the system to operate correctly, some privileges require the presence of other privileges:

Predefined roles

The system includes the following predefined roles for common usage scenarios:


PrivilegeSuper AdminNetwork Admin

Hardware Admin

System AdminGuest Admin

Guest Operator

Monitor

RADIUS policy4404101
RADIUS monitoring1101111
Endpoints4404001
Network resources4444101
TACACS+ policy4044001
TACACS+ monitoring1011001
Profiling4404101
Roles and accounts4001000
Guest access4104411
Guest users4404440
Enterprise users4444000
System settings4004000
External sources4114001
Notification services4104111