    User Administration

    The User Administration window is used by the IP/MPLSView admin to create and manage accounts for accessing the software and Web Portal.

    Accessing the User Administration Window

    To access the User Administration window, you must log in to the client with the user account used to install the server. Other users will not see the User Administration window.

    There are three types of users:

    • Full Access users, who can log in to the client and optionally the web, and who are mapped to a Unix user. Any Full Access user created through the User Administration window must map to an existing Unix user on the IP/MPLSView server. The login name used to log in to IP/MPLSView should be the same as the Unix user name, and the password is the password of the corresponding Unix user account. The only exception is the “admin” user, which is mapped to the Unix account of the user that installed the application. Authentication is done through an LDAP server that is installed on the same server machine as IP/MPLSView.
    • Web Portal users who are restricted to the web only.
    • Web VPN users who are restricted to the web VPN view. These users can be assigned access to view only certain VPN customers.

    Creating User Groups and Permissions

    An admin user can create any number of IP/MPLSView user groups and assign each group a custom set of permissions. To create a group, select the group type and enter the group name.

    Figure 203: User Groups Tab of the User Administration Window


    Setting Permissions


    Once a user group has been created, you can assign permissions to that user group. Some features allow both View/Enable and Modify permissions, while others are turned completely on or off with just the View/Enable permission.

    Note that enabling some features may require additional features to be enabled as well. This is because certain features are dependent on other features to be enabled before they can be accessed. When selecting the check box for such a feature, the checkbox(es) of the additional required feature(s) will automatically be checked as well.

    To select all View/Enable or Modify items within a category, check the corresponding checkbox in the gray row indicating a category. Click the gray checkbox again to deselect all items under that category. Individual items within a category can also be turned on and off.

    Changes made to a user group’s permission checkboxes are saved when clicking “Apply” or “OK.”


    Regional Permissions


    For the live network view, Full Access and Web Portal users can be restricted to being able to directly access the routers only for particular region(s). For devices outside of the permitted regions, which are grouped into the OUTSIDE_REGION group, view-only access is provided, and features such as ping, traceroute, show config, and hardware inventory are disabled. To limit the region(s), first define the regions in the top Regions tab. Note that you need to have run a live network task in order to define regions based on routers collected in the task.


    Defining Regions


    Figure 204: Defining Network Regions


    Select the routers to add to a region from the left pane and then click Add to New Region to create a new region with these selected routers. Alternatively, click Add New Region in the right pane and then select multiple routers (using <Shift> and <Ctrl> keys), and drag them from the left pane to the right pane. Note that you must drag them over a group name and not over a group member to add them to a group. To move a router from one group to another, select the router, and drag it to another group. To remove the router from the group, drag it outside of the right pane. Click Apply to save your changes.


    Setting Regional Permissions


    Once the region has been added, select the User Groups tab. At the bottom of the right pane, select the Regions tab. Here, you can limit the permissions for accessing the router live by unchecking the All Regions checkbox and then checking the corresponding region(s) to which the user can have access.

    Figure 205: Setting Regional Permissions


    Creating Users / Assigning Users to Groups

    Once user groups have been set up with the desired permissions, you can create users and assign them to user groups. To create a user, click the Add User icon button at the bottom of the Users tab of the User Administration window.

    Figure 206: Users Tab of the User Administration Window


    Type a login name next to Name. Next, choose the radio button for the appropriate group type (Full Access, Web Portal, or Web VPN). Then select one of the available groups for that group type.

    • For Full Access users, choose a valid Unix User ID to map the new IP/MPLSView user to. This should be the same as the login name. (Note: To add a new user ID, you must access the server via a telnet or ssh window, switch to the root user, and either run “admintool” (requires display of the desktop) or use the “useradd” command. For example, “useradd -g staff -d /export/home/wandl wandl” would add user wandl in group staff with home directory /export/home/wandl. Subsequently, you may create a password for that user using the command “passwd userid”, substituting userid with the Unix User ID. Note that you can similarly modify or delete a Unix user ID as root user using the commands “usermod” and “userdel”.)
    • For Web Portal and Web VPN users, enter a password to log in to the web interface.

    Optionally specify additional contact information such as Email, Phone, IM, and a Description for this new user.

    Max Logins can be configured to control the maximum number of times a specific user can be logged into the IP/MPLSView server.

    Access level (Full Control, Browsing, Restricted, or Blocked) can be configured to further control the access level of a user.

    • Full Control Access: The Full Control user can modify, perform design and simulation on the network model in IP/MPLSView.
    • Browsing Access: The Browsing user can only open a network model in IP/MPLSView for viewing, but is not allowed to perform any modification, design, or simulation on the network model.
    • Restricted Access: The Restricted user has Browsing privileges, but with even stricter limitations to view only certain networks, files and directories: Once logged in, the Restricted user can only navigate to the Home Directory and its child directories. Only spec.* and newdemand.* network files are displayed in the File Manager. The user cannot access "Hidden" files. All Report Manager reports are read-only, and are not regenerated before displaying in the Report Manager. Certain menus are disabled.
    • Block Access: The user is blocked from opening a network model in IP/MPLSView. The length of time a user is blocked from accessing the system is defined by the Block Period in the Update GUI Login Policy section.

    Once an IP/MPLSView user name has been added, that user name will also appear in the User Groups tab of the User Administration window under the group to which it belongs. To modify an existing user, select the user in the Users tab, and click the Modify Icon button at the bottom of the window. To delete an existing user, select the user and click the Delete Icon button.

    If the user name has been mapped to a valid Unix User ID, the new user should be able to log in to the IP/MPLSView client and interface, when assigned the appropriate privileges, using the user name and the corresponding password for this Unix User ID.

    Performing User Administration From Text Mode

    In addition to using the GUI to perform user administration, users can also be added from text mode using /u/wandl/bin/addWandlUser.sh.

    Usage: addWandlUser.sh: "name" "group" <-u "uid"|-w "webpassword"> [-a <Full|Browsing|Restricted|Blocked>] [-e "email"] [-p "phone"] [-i "im"] [-d "description"]
    name => mandatory username
    group => mandatory user admin group
    -u unixloginname => unix user id (mandatory if group is a full access group)
    -w webpassword => password for web user (mandatory if group is a web or vpn group)
    -a <Full|Browsing|Restricted|Blocked> => sets access level to one of the 4 choices (defaults to Full if not specified for non web/vpn group)
    -e email => optional email
    -p phone => optional phone
    -i im => optional im
    -d description => optional description
    Example:
    $ cd /u/wandl/bin
    $ ./addWandlUser.sh lab Administrators -u lab -a Full -d "for test"

    To configure the maximum number of logins per user, edit the file /u/wandl/data/.usr/.usercount with one line per user to control. The last line is the default maximum number of logins. For example, to allow at most 3 logins for the user wandl, and at most one login for all other users, the format is as follows:

    wandl 3
    1
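
The file format described above, as an added example that is not part of the original documentation or of the vendor's code: a POSIX shell lint and lookup for a .usercount-style file, so that a typo in a per-user line or a missing default is caught before the file is put in place. The users noc and guest are constructed, and refusing to answer from a malformed file is this example's choice, not documented product behavior.

```shell
#!/bin/sh
# Added example, not vendor code. Format as described on this page:
# "<user> <max>" per line; the last line is the default "<max>".

# usercount_lint FILE: print one message per problem; return 1 if any.
usercount_lint() {
    awk '
        { line[NR] = $0; nf[NR] = NF; f1[NR] = $1; f2[NR] = $2 }
        END {
            if (NR == 0) { print "empty file: no default limit"; exit 1 }
            for (i = 1; i < NR; i++) {
                if (nf[i] != 2 || f2[i] !~ /^[0-9]+$/) {
                    printf "line %d: expected <user> <max>: %s\n", i, line[i]
                    bad = 1
                } else if (f1[i] in seen) {
                    printf "line %d: duplicate entry for %s\n", i, f1[i]
                    bad = 1
                }
                seen[f1[i]] = 1
            }
            if (nf[NR] != 1 || f1[NR] !~ /^[0-9]+$/) {
                printf "line %d: last line must be the default: %s\n", NR, line[NR]
                bad = 1
            }
            exit bad + 0
        }' "$1"
}

# usercount_limit FILE USER: print the effective limit for USER (own entry,
# else the default). Returns 2 without answering if the file fails the lint.
usercount_limit() {
    usercount_lint "$1" >/dev/null || return 2
    awk -v u="$2" '
        NF == 2 && $1 == u { print $2; found = 1; exit }
        { last = $1 }
        END { if (!found) print last }' "$1"
}

# Constructed sample: the two-line example from this page plus a
# hypothetical user "noc"; "guest" has no entry and gets the default.
sample=$(mktemp)
printf 'wandl 3\nnoc 2\n1\n' > "$sample"
usercount_lint "$sample" && echo "lint: OK"
for u in wandl noc guest; do
    echo "$u -> $(usercount_limit "$sample" "$u")"
done
rm -f "$sample"
```

Run the lint against a copy of the file before replacing /u/wandl/data/.usr/.usercount, and keep the file writable only by the account that administers IP/MPLSView.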

    Modified: 2016-11-08