Description

NAICE supports a role-based access control model (RBAC) that provides flexible and secure management of administrator permissions.

Privileges support five access levels: 

  • Level 0, No access — the system user has no access to the functionality of the privilege. The corresponding sections are not displayed in the NAICE web interface.
  • Level 1, Reading — the system user can view sections associated with the privilege.
  • Level 2, Creation — the system user can create entities associated with the privilege’s functionality.
  • Level 3, Editing — the system user can edit entities associated with the privilege’s functionality.
  • Level 4, Removal — the system user can delete entities associated with the privilege’s functionality.

Each access level includes all permissions of the previous one.

Some privileges, such as those related to monitoring, have a maximum access level of 1.

When upgrading from version 0.9, all existing administrative accounts receive the Super Admin role, which grants full access to all system capabilities.


Adding new roles and assigning roles to administrators is described in the built-in documentation (Administration → System users).

Sections included in privileges 

Sections that do not require privileges

  • Account settings.

  • Documentation.

  • Dashboard — widget availability depends on the assigned privileges.

  • System events — availability of event groups depends on the assigned privileges.

Privilege-controlled sections

PrivilegeSectionAccess restrictionsLicense level
RADIUS policy

Policies → Elements:
→ Authorization profiles
→ Allowed protocols
→ Conditions
→ Dictionaries






BASIC

Policies:
→ Policy sets

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

Administration → Identity management:
→ Identity sequences


RADIUSmonitoring

Monitoring → RADIUS:
→ User sessions


BASIC
Endpoints

Administration → Identity management:
→ Endpoints
→ Endpoint groups

Endpoint groups:

  • Creating/deleting endpoint groups becomes available at level 2, and adding/removing endpoints to/from a group becomes available starting at level 3

BASIC

Network resources

Administration → Network resources:
Devices
→ Device groups
→ Device profiles



BASIC

TACACS+policy

Network device control → Policy elements:
→ Conditions
→ TACACS command sets
→ TACACS profiles
→ Dictionaries





TACACS+ module

Network device control:
→ Network device policies

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

Administration → Identity management:
Identity sequences


TACACS+monitoring 

Monitoring → TACACS+:
→ Connections journal
→ Accounting


TACACS+ module
Profiling

Policies → Profiling:
→ Profiling conditions
→ Profiling policies
→ Logical profiles

Profiling policies:

  • “Reset counters” becomes available at level 4



BASIC

Policies → Elements:
→ Dictionaries


Roles andaccounts

Administration → System users:
→ Accounts
→ Roles


BASIC
Guest access

Guest portals → Portal management:
→ Portal builder



ADVANCED

Administration → Identity management:
→ Identity sequences


Guest users

Guest portals → Portal management:
→ Guest endpoints
→ Portal users


ADVANCED

Enterprise users

Administration → Identity management:
→ Network users
→ Network user groups

Network user groups:

  • Creating/deleting user groups becomes available at level 2, and adding/removing users to/from a group becomes available starting at level 3
BASIC

System settings

System:
→ Log collectors

“Send test event” becomes available at level 2BASIC

Licensing

  • Access levels 1–3 provide Read-only access
  • Management and “reset counters” become available at level 4

External sources

Administration → Identity management:
→ External identification sources

  • “Check connection” is available starting at level 1
  • Adding user groups and attributes becomes available at level 2
  • Deleting user groups and attributes becomes available at level 3
BASIC
Notification services

Notification gateways:
→ Notification gateways management

“Send test SMS” becomes available at level 2ADVANCED

Privilege dependencies

For the system to operate correctly, some privileges require the presence of other privileges:

  • RADIUS policies — requires read access to: Network resources, Profiling, Guest access
  • TACACS+ policies — requires read access to: Network resources
  • Endpoints — requires read access to: Profiling
  • Guest users — requires read access to: Guest access
  • Guest access — requires read access to: Notification services

Predefined roles

The system includes the following predefined roles for common usage scenarios:

  • Super Admin — full access to all system functionality.
  • Network Admin — management of network access.
  • Hardware Admin — management of network devices.
  • System Admin — system administration.
  • Guest Admin — management of the guest network.
  • Guest Operator — guest network operations.
  • Monitor — monitoring and data viewing.


PrivilegeSuper AdminNetwork Admin

Hardware Admin

System AdminGuest Admin

Guest Operator

Monitor

RADIUS policy4404101
RADIUS monitoring1101111
Endpoints4404001
Network resources4444101
TACACS+ policy4044001
TACACS+ monitoring1011001
Profiling4404101
Roles and accounts4001000
Guest access4104411
Guest users4404440
Enterprise users4444000
System settings4004000
External sources4114001
Notification services4104111
  • Нет меток