Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating Users in Junos Space Network Management Platform

    You create user accounts in Junos Space Network Management Platform, which are stored in the Junos Space Platform database. You can then assign different roles to the users associated with these user accounts, depending on the network management tasks the users are required to perform in your network.

    When a user attempts to log in to Junos Space Platform, the user is allowed to log in only if authenticated. Junos Space Platform supports credentials-based user authentication and certificate-based user authentication. For more information about user authentication, see Role-Based Access Control Overview.

    For credentials-based user authentication, each user account must include:

    • Login ID
    • Password
    • First name
    • Last name
    • Roles, which determine the tasks that a user can perform within the applications and workspaces
    • Domains within which the user can operate

    For certificate-based user authentication, each user account must include:

    • Login ID
    • First name
    • Last name
    • X.509 certificate file
    • Roles, which determine the tasks that a user can perform within the applications and workspaces
    • Domains within which the user can operate

    You can perform various tasks including the following from the User Accounts page of the Role-Based Access Control workspace of Junos Space Platform:

    • Generate user accounts with temporary passwords and set an expiry duration of up to 10,000 hours.
    • Set the number of concurrent UI sessions on a per-user basis.
    • Determine which users can access Junos Space through the GUI and which through the API.
    • Assign multiple roles and domains to new users.
    • Assign roles and domains to existing users.
    • Manually enable and disable users and unlock users who are locked out.

    You can assign specific roles to a user to specify the tasks and objects (devices, users, services, and so forth) that the user can access and manage. You can assign multiple roles to a single user. You can export user accounts from the Reports workspace. To export user accounts, create a User Account report definition in the Reports workspace. Then generate the report from the report definition and download the report. For more information, see Exporting User Accounts from Junos Space Network Management Platform. You can also limit the number of user login sessions in Junos Space Platform.

    Creating a User

    As a Super Administrator or User Administrator, you can create users in Junos Space Platform and assign roles to these users. The roles determine the tasks that the users can perform in Junos Space Platform.

    As an administrator, you have the option to assign a temporary or permanent password to a new user or an existing user whose password has expired. Consider the points mentioned in Table 1 before assigning a temporary or regular password to a user.

    Table 1: Differences Between Temporary and Regular Passwords

    Temporary Password

    Regular Password

    Users must change their temporary passwords at first login.

    Users need not change their passwords at first login.

    When temporary passwords expire, users cannot access the Junos Space server.

    To access the Junos Space server, users need to use the new passwords that the administrator has generated and shared with them. Users cannot change their passwords on their own.

    When regular passwords expire, users can change their passwords on their own after logging in to the Junos Space server.

    Password expiry time is configured at the user level. By default, temporary passwords expire after 24 hours.

    Password expiry time is configured at the global level from the Administration workspace. This expiry time applies to all users with regular passwords. For more information about configuring parameters related to regular passwords, see Modifying Junos Space Network Management Platform Settings.

    To create a user:

    1. On the Junos Space Platform UI, select Role Based Access Control > User Accounts.

      The User Accounts page is displayed.

    2. Click the Create User icon on the toolbar above the application data to display the Create User page.

      The Create User page is displayed. This page displays the General area on the left of the page and the Create User area on the right of the page.

      Note: We recommend that you mouse over the blue icons on this page to know more about the fields next to which they are displayed.

    3. In the Login ID field, enter a login ID for the new Junos Space user.

      This can be an e-mail address. If it is, it is not mandatory that the login ID matches the e-mail address entered in the Email field. The login ID cannot exceed 128 characters. Permitted characters include hyphen (-), underscore (_), letters and numbers, as well as @ and period (.). You cannot have two users with the same login ID.

      Note: You cannot enter admin as the login ID. If you enter admin as the login ID, the following error message is displayed:
      Username admin is reserved in Space. Please do not create user with username: admin.

    4. (Optional) Select the Generate a temporary password check box if you want to generate a temporary password for the user. Generation of temporary passwords is supported only for local authentication mode. It is not supported for remote-local authentication or remote authentication modes.

      As an administrator, you may want to generate a random password for a new user or when the password expires for an existing user. Users must change their temporary passwords when they log in for the first time. Users with temporary passwords are not allowed to use any of the features in Junos Space Platform unless they replace their temporary passwords with new passwords.

      When you generate a temporary password for a user, consider configuring the following fields related to the temporary password:

      • Temporary password will expire after—Specify the duration after which the temporary password expires. The user must log in to Junos Space within this duration and change the temporary password. Otherwise, after the expiry of the password, the user is not allowed to log in. When the temporary password expires, Junos Space displays the following message:
        Your password has expired.
        Please contact your administrator.

        The user must request the administrator for a new password.

        By default, the temporary passwords expire after 24 hours of their generation. The administrator can enter a value from 1 through 10,000 hours.

      • Temporary Password—Displays the temporary password generated by the Junos Space server. To generate another password, click Generate next to this field. The new generated password is displayed in this field.
      • Email password to user—Select this check box to e-mail the generated temporary password to the user. This check box is disabled if the SMTP server is not configured.

        If the e-mail does not reach the user or the password is lost, the administrator needs to generate a new temporary password. There is no option to resend the old temporary password.

        Tip:

        For the Junos Space server to automatically send the temporary password and expiry date by e-mail to the user, ensure that you configure:

        • The e-mail ID of the user in the Email field on the Create User page (the page that you are currently in)
        • The SMTP server that receives the e-mail from the Junos Space server and routes it to the intended recipient

          You must configure the SMTP server on the Administration > SMTP Servers inventory landing page. After configuring the SMTP server, test the connection between the Junos Space server and the SMTP server to ensure that communication between the servers is established. For more information about SMTP server configuration and how to test the configuration, see Adding an SMTP Server and Managing SMTP Servers.

    5. In the Password field, enter the password.

      This field is disabled if you have chosen to generate a temporary password.

      All passwords in Junos Space Platform are case-sensitive. For information about configuring password rules, see Modifying Junos Space Network Management Platform Settings.

      The password strength indicator checks and displays the efficiency of the password that you entered.

      Note: You cannot proceed to the next step if the password strength indicator shows that the password is weak.

    6. In the Confirm Password field, reenter the password to confirm the password.

      This field is disabled if you have chosen to generate a temporary password.

    7. In the First Name field, enter the user’s first name.

      The name cannot exceed 32 alphanumeric characters.

    8. In the Last Name field, enter the user’s last name.

      The name cannot exceed 32 alphanumeric characters.

    9. (Optional) In the Email field, enter the user’s e-mail address.

      You must enter an e-mail address in this field if you have opted to e-mail the temporary password to a user by selecting the Email password to user check box.

      This need not be the same as the login ID if the login ID is an e-mail address.

      Ensure that the e-mail ID that you enter is valid and uses the format user@domain.

    10. (Optional)To set a user-specific limit for the maximum number of concurrent UI sessions that are allowed for the user, clear the Use global settings check box.

      By default, this check box is selected and the user is allowed five concurrent sessions. This limit is displayed in the Maximum concurrent UI sessions field just below this check box. For more information about configuring concurrent UI sessions limits, see Limiting User Sessions in Junos Space.

      In the Maximum concurrent UI sessions field, which becomes active when you clear the Use global settings check box, enter the maximum number of concurrent UI sessions that are allowed for this user. The default value for this field is 5.

      You can enter a value from 0 through 999.

      Note: If you enter 0 (zero), there is no restriction on the number of concurrent UI sessions allowed for the user. However, the performance of the Junos Space setup may be affected if you allow many users with an unrestricted number of concurrent UI sessions.

    11. (Optional) To set a user-specific value for the Automatic Logout after Inactivity setting, clear the Use global settings check box.

      Note: You can configure user-specific idle time out from Release 17.1R1 onward.

      By default, this check box is selected and the value you configured for the Automatic logout after inactivity (minutes) field under User Settings of the Modify Network Management Platform page (Administration > Applications > Modify Application Settings) is applied to the user.

      In the Automatic Logout after Inactivity field, which becomes active when you clear the Use global settings check box, enter the idle time out value in minutes. An idle time out value denotes a period of inactivity after which the user session expires. You can enter a value in the range of 0 through 480 minutes. If you set the value to 0, the user session never expires.

    12. (Optional) In the Image File field, upload the user’s photo ID from your local file system.
    13. The fields displayed depend on the mode of authentication chosen for your Junos Space setup. If you enabled complete certificate-based authentication, the X509 Cert File field is displayed. If you enabled password-based authentication or parameter-based authentication, the X.509 Certificate area is displayed with text boxes to enter values for the parameters.

      • If you enabled complete certificate-based authentication:

        1. Click Browse adjacent to the X509 Cert File field to select the X.509 certificate file from your local computer.

          You can upload certificate file formats with the following extensions: .der, .cer, and .crt. Junos Space Platform uploads and saves the certificate file for the user.

        2. Click Upload.

          If you upload a certificate, the user is authenticated on the basis of the complete X.509 certificate. For more information about certificate-based user authentication, see Certificate Management Overview.

      • If you enabled password-based authentication or parameter-based authentication:

        1. In the X.509 Certificate area, enter the values for the parameters.

          A maximum of four X.509 parameters are displayed. For example, the e-mail address of the user or the serial number of the client certificate.

          You must enter a unique value for every parameter for every user. The X.509 certificate parameters are authenticated only during parameter-based authentication.

    14. (Optional) At this point, you can click Finish to create a user without assigning roles. You can assign roles later.
    15. To assign roles, click Next

      The Role Assignment page that appears displays the Available and Selected list boxes. All predefined roles are displayed in the Available list box by default.

    16. (Optional) To assign the roles of an existing user to the new user, select the Use Same Roles Assigned to check box and enter the name of the existing user and click the Search icon.

      All roles assigned to the existing user are displayed in the Available list box. You can modify the new user’s role assignments by adding roles to or removing roles from the Selected list box.

      • To select the existing user whose privileges you want to assign to the new user, enter one or more characters of the username of the existing user in the Search field to find and select the username.

        The roles assigned to the existing user are displayed in the Selected list box. You can modify the new user’s role assignments by adding roles to or removing roles from the Selected list box.

    17. (Optional) Select the GUI Access or API Access check box depending on the type of access you want to allow for the user.

      By default, the user can access both the GUI or API. Select at least one access type to successfully create a user.

    18. Select whether the user can view all jobs on Junos Space Platform or only those jobs that the user has selected.

      By default, the View User’s Own Job Only option button is selected. If you want the user to view all jobs, select the View All Jobs option button.

      Note: Users with the Super Administrator or Job Administrator role can view jobs initiated by all users. You cannot modify this privilege in Junos Space Platform. For a new user with the Super Administrator or Job Administrator role, the View All Jobs option button is selected by default and the Job Management View area appears dimmed.

      Note: If you are upgrading from previous Junos Space Platform releases, the users who are not assigned the Super Administrator or Job Administrator role in the previous release can view only their own jobs on the Job Management page. They cannot view jobs initiated by other users.

    19. To associate an API Access Profile to a user to execute RPC commands safely on the device, select the API Access Profile from the Device command Access via API drop-down list.

      By default, the Disallow all exec RPCs option button is selected.

      For more information about creating API Access Profiles, see Creating an API Access Profile.

    20. To select and assign predefined roles for the user:
      1. Select one or more roles from the Available list box and click the right arrow.

        The selected roles are displayed in the Selected list box.

        You can also double-click a role to move it between lists.

        Note: When you install a Junos Space application on Junos Space Platform, the predefined roles for these applications are also available for selection. When you want to restrict a user to a specific Junos Space application, ensure that you assign the role that is related to that application to the user.

        Note: The minimum role required for configuring a user for IBM Systems Director and Junos Space Launch in Context (LiC) is Device Manager.

      2. (Optional) Use the left arrow to move roles from the Selected list box back to the Available list box.
      3. (Optional) To view the privileges assigned to a role, click the role in the Available or Selected list boxes.

        The privileges assigned to these roles are displayed next to the Selected list box.

    21. (Optional) At this point, you can click Finish to create a user without assigning domains to the user. You can assign domains later.
    22. To assign domains to the user, click Next.

      The Domain Assignment page is displayed. This page displays the domains in a hierarchal tree structure in the Available Domains area.

    23. (Optional) To assign domains that are already assigned to an existing user to the new user, select the Use Same Roles Assigned to check box, enter the name of the existing user, and click the Search icon.

      All domains assigned to the existing user are displayed in the Available Domains area.

      • To select the existing user whose domain privileges you want to assign to the new user, enter one or more characters of the username of the existing user in the Search field to find and select the username.

        The Available Domains area displays only domains assigned to the existing user.

    24. Select the domains that you want to assign to the new user.

      You can select multiple domains at the same hierarchy level.

      Note: If you do not assign a domain to the user, the Global domain is assigned to the user by default.

    25. Click Finish.

      The new user is created in the Junos Space Platform database. You are returned to the User Accounts page.

    Release History Table

    Release
    Description
    You can configure user-specific idle time out from Release 17.1R1 onward.

    Modified: 2017-09-13