
    Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure)

    An administrator role defines administrator session and personalization settings. You can create and configure an administrator role from the Infranet Controller configuration tree.

    To create an administrator role:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the Infranet Controller device for which you want to configure an administrator role.
    3. Click the Configuration tab. In the configuration tree, select Administrators > Admin Roles.
    4. Add or modify settings on the Admin Role tab as specified in Table 1.
    5. Click one:
      • OK — Saves the changes.
      • Cancel — Cancels the modifications.

    Note: To create individual administrator accounts, you must add the users through the appropriate authentication server (not the role). For example, to create an individual administrator account, select Authentication > Auth. Servers > Administrators > Users from the NSM UI.

    Table 1: Administrator Role Configuration Details

    Option

    Function

    Your Action

    Admin Role > General tab

    Name

    Specifies a unique name for the administrator role.

    Enter a name.

    Admin Role > General > Overview tab

    Description

    Describes the administrator role.

    Enter a brief description for the administrator role.

    Session Options

    Specifies the maximum session length, roaming capabilities, and session persistence.

    Select General > Session Options to apply the settings to the role.

    UI Options

    Specifies the logo, color, navigation menus and the copyright notice.

    Select General > UI Options to apply the settings to the role.

    Admin Role > General > Restrictions > Source IP Restrictions tab

    Allow

    Specifies from which IP addresses users can access an Infranet Controller sign-in page, be mapped to a role, or access a resource.

    • Select Users from any IP address to enable users to sign into the Infranet Controller from any IP address in order to satisfy the access management requirement.
    • Select Users from IP addresses which pass the specified matching policies to restrict access to the source IP addresses listed in the matching policies.

    Source IP Address

    Specifies the source IP addresses.

    Enter the IP address.

    Source IP Netmask

    Specifies the IP netmask.

    Enter the IP netmask.

    Access

    Specifies whether to allow or deny access.

    • Select Allow to allow the user to use the IP.
    • Select Deny to prevent users from using the IP.
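    The following Python example is added here to show how the Source IP Restrictions fields above combine; it is not code from the Juniper documentation or the Infranet Controller. The rule list is constructed, and the first-match evaluation order and the deny-by-default outcome for an address that matches no rule are assumptions, since the page does not state how the matching policies are ordered.

```python
import ipaddress

# Constructed rule set modelled on the Source IP Address / Source IP Netmask /
# Access fields. Each entry is (address, netmask, access). Order matters under
# the first-match assumption, so the single-host Deny is listed before the
# wider subnet Allow that would otherwise cover it.
SOURCE_IP_RULES = [
    ("10.20.0.200", "255.255.255.255", "Deny"),   # constructed: one excluded host
    ("10.20.0.0", "255.255.255.0", "Allow"),      # constructed: admin VLAN
    ("192.168.0.0", "255.255.0.0", "Allow"),      # constructed: office range
]


def rule_matches(source_ip, address, netmask):
    """True if source_ip lies in the network defined by address and netmask."""
    network = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return ipaddress.ip_address(source_ip) in network


def source_ip_allowed(source_ip, mode, rules=SOURCE_IP_RULES):
    """Apply the Allow setting of the Source IP Restrictions tab.

    mode is "any" (Users from any IP address) or "policies" (Users from IP
    addresses which pass the specified matching policies). In "policies" mode
    the first matching rule decides; an address matching no rule is denied
    (assumed default).
    """
    if mode == "any":
        return True
    for address, netmask, access in rules:
        if rule_matches(source_ip, address, netmask):
            return access == "Allow"
    return False


def shadowed_rules(rules=SOURCE_IP_RULES):
    """Return rules that can never fire because an earlier rule already
    covers their whole network. A Deny listed after a broader Allow is the
    usual mistake this catches."""
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m, _ in rules]
    return [rules[i] for i, net in enumerate(nets)
            if any(net.subnet_of(earlier) for earlier in nets[:i])]


if __name__ == "__main__":
    for ip in ("10.20.0.5", "10.20.0.200", "172.16.1.1"):
        print(ip, "policies ->", source_ip_allowed(ip, "policies"))
    print("shadowed:", shadowed_rules())
```

    Running shadowed_rules over a candidate list before saving it is a cheap way to confirm that a host-level Deny is not hidden behind a broader Allow.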

    Admin Role > General > Restrictions > Browser Restrictions tab

    Allow

    Specifies from which web browsers users can access an Infranet Controller sign-in page or be mapped to a role.

    • Select Browsers with any user-agent to allow users to access the Infranet Controller or resources using any of the supported Web browsers.
    • Select Browsers whose user-agent pass the matching policies defined below to allow you to define browser access control rules.

    User agent pattern

    Specifies the format.

    Enter a string in the format

    *<browser_string>*

    where star (*) is an optional character that matches any run of characters and <browser_string> is a case-sensitive pattern that must match a substring of the user-agent header sent by the browser.

    Note: You cannot include escape characters (\) in browser restrictions.

    Action

    Specifies whether to allow or deny access.

    • Select Allow access to allow users to use a browser that has a user-agent header containing the <browser_string> substring.
    • Select Deny access to prevent users from using a browser that has a user-agent header containing the <browser_string> substring.
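    The following Python example is added here to illustrate the pattern format and the Allow/Deny action above; it is not the Infranet Controller's own matcher or code from the Juniper documentation. It generalizes the format to a star anywhere in the pattern (not only at the ends), treats a pattern without stars as an exact match, and evaluates a constructed rule list first-match, all of which are assumptions about behaviour the page does not spell out.

```python
import re

# Constructed rules in the order they would be listed under Browser
# Restrictions: (user agent pattern, action).
BROWSER_RULES = [
    ("*MSIE 6.0*", "Deny access"),
    ("*Firefox*", "Allow access"),
    ("*Chrome*", "Allow access"),
]


def pattern_is_valid(pattern):
    """The page notes that escape characters (\\) cannot be used."""
    return "\\" not in pattern


def compile_user_agent_pattern(pattern):
    """Translate *<browser_string>* into an anchored, case-sensitive regex.

    Only '*' is special and matches any run of characters; every other
    character is literal. A pattern with no star therefore has to equal the
    whole user-agent header (assumed reading of the format).
    """
    if not pattern_is_valid(pattern):
        raise ValueError("escape characters (\\) are not allowed in browser restrictions")
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts), re.DOTALL)


def user_agent_matches(pattern, user_agent):
    return compile_user_agent_pattern(pattern).fullmatch(user_agent) is not None


def browser_allowed(user_agent, mode, rules=BROWSER_RULES):
    """mode is "any" (Browsers with any user-agent) or "policies"
    (Browsers whose user-agent pass the matching policies). Under "policies"
    the first matching rule decides and an unmatched browser is denied
    (assumed default)."""
    if mode == "any":
        return True
    for pattern, action in rules:
        if user_agent_matches(pattern, user_agent):
            return action == "Allow access"
    return False


if __name__ == "__main__":
    # Constructed user-agent strings.
    for ua in ("Mozilla/5.0 (X11; Linux) Gecko/20100101 Firefox/10.0",
               "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
               "Opera/9.80 (Windows NT 6.1)"):
        print(browser_allowed(ua, "policies"), ua)
```

    Because the match is case-sensitive, a pattern such as *firefox* silently fails to match the header that *Firefox* matches, so patterns are worth testing against real headers from the browsers in use before the restriction is enforced.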

    Admin Role > General > Restrictions > Certificate Restrictions tab

    Allow

    Restricts Infranet Controller and resource access by requiring client-side certificates.

    • Select All users to allow users to access the Infranet Controller or resources from any machine.
    • Select Users with a trusted client certificate to allow users to access the Infranet Controller from a machine with a trusted client certificate.

    Certificate Field

    Specifies the certificate field.

    Enter the certificate field.

    Expected Value

    Specifies the expected value.

    Enter the expected value.

    Admin Role > General > Restrictions > Host Checker Restrictions tab

    Enforce

    Specifies the Host Checker policy at the role level.

    • Select Allow all users to not require Host Checker to be installed in order for the user to meet the access requirement.
    • Select Allow users whose workstations meet the requirements specified by the Host Checker policies to require that Host Checker is running the specified Host Checker policies in order for the user to meet the access requirement.

    Host Checker policies

    Specifies the Host Checker policies.

    Select the required Host Checker policies.

    Allow access to the role if

    Specifies access to the role

    • Select All of the selected policies pass to allow access only if all the policy requirements are met.
    • Select Any ONE of the selected policies pass to allow access if at least one of the selected policies is met.

    Admin Role > General > Users > Roles > Delegate User Roles

    Administrators can manage ALL roles

    Specifies whether the administrator can manage all roles

    Select the user roles. If you only want to allow the administrator role to manage selected user roles, select those roles in the Non-members list and click Add to move them to the Members list.

    Access

    Specifies which user role pages the delegated administrator can manage.

    • Select Write All to specify that members of the administrator role can modify all user role pages.
    • Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user role pages.

    Admin Role > General > Users > Role > Delegate As Read-Only Role

    Administrator can view (but not modify) ALL roles

    Allows the administrator to view the user roles, but not manage.

    Select the user role that you want to allow the administrator to view.

    Note: If you specify both write access and read-only access for a feature, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL roles check box under Delegate User Roles, and then select the Users role on the Delegate As Read-Only Roles page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users role.

    Admin Role > General > Users > Realms > Delegate User Realms

    Administrators can manage ALL realms

    Specifies whether the administrator can manage all user authentication realms

    Select the user realms. If you only want to allow the administrator role to manage selected realms, select those realms in the Non-members list and add them to the Members list.

    Access

    Specifies which user authentication realms pages that the delegated administrator can manage.

    • Select Write All to specify that members of the administrator role can modify all user authentication realm pages.
    • Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user authentication realm pages.

    Admin Role > General > Users > Realms > Delegate As Read-Only Realms

    Administrator can view (but not modify) ALL realms

    Allows the administrator to view the user authentication realms, but not modify.

    Select the user authentication realms that you want to allow the administrator to view.

    Note: If you specify both write access and read-only access for an authentication realm page, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL realms check box under Delegate User Realms, and then select the Users realm on the Delegate As Read-Only Realms page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users realm.
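    The two notes above (for delegated user roles and for delegated user realms) describe the same rule: where write and read-only delegation overlap, the most permissive setting wins. The following Python example is added here to make that computation explicit and to flag the overlap before it becomes an unintended write grant; it is not code from the Juniper documentation, and the role names, the Deny/Read/Write ranking used for comparison, and the function names are constructed for the example.

```python
# Ranking used to pick "the most permissive access" (constructed for the example).
ACCESS_RANK = {"Deny": 0, "Read": 1, "Write": 2}


def effective_access(all_items, manage_all, write_members, read_only_members):
    """Effective access of a delegated administrator to each user role or realm.

    all_items:         every user role (or realm) on the device, constructed list
    manage_all:        the "Administrators can manage ALL roles/realms" check box
    write_members:     items moved to the Members list under Delegate User Roles/Realms
    read_only_members: items selected under Delegate As Read-Only Roles/Realms
    An item granted both write and read-only access receives Write, as the notes
    describe; an item granted neither is not manageable (Deny).
    """
    result = {}
    for item in all_items:
        candidates = ["Deny"]
        if manage_all or item in write_members:
            candidates.append("Write")
        if item in read_only_members:
            candidates.append("Read")
        result[item] = max(candidates, key=ACCESS_RANK.__getitem__)
    return result


def shadowed_read_only(all_items, manage_all, write_members, read_only_members):
    """Items selected as read-only that actually end up writable because of an
    overlapping write grant. A non-empty result usually means the read-only
    selection did not do what the administrator intended."""
    effective = effective_access(all_items, manage_all, write_members, read_only_members)
    return sorted(item for item in read_only_members if effective.get(item) == "Write")


if __name__ == "__main__":
    # Constructed example mirroring the note: manage ALL + Users read-only.
    roles = ["Users", "Guests", "Contractors"]
    print(effective_access(roles, True, [], ["Users"]))
    print("read-only intent shadowed for:", shadowed_read_only(roles, True, [], ["Users"]))
```

    The same function serves the realm case, since the rule for realms is identical; only the item list changes.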

    Admin Role > General > Delegated Administrator Settings > Management of Admin roles

    Manage ALL admin roles

    Manages all admin roles.

    Select to manage all the admin roles.

    Allow Add/Delete admin roles

    Allows the security administrator to create administrator roles, even if the security administrator is not part of the Administrators role.

    Select to allow the security administrator to add and delete admin roles.

    Access

    Indicates the level of access that you want to allow the security administrator role to set for system administrators.

    • Select Deny All to specify that members of the security administrator role cannot see or modify any settings in the category.
    • Select Read All to specify that members of the security administrator role can view, but not modify, all settings in the category.
    • Select Write All to specify that members of the security administrator role can modify all settings in the category.
    • Select Custom Settings to allow you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

    Admin Role > General > Delegated Administrator Settings > Management of Admin realms

    Manage ALL admin realms

    Manages all admin realms.

    Select to manage all the admin realms.

    Allow Add/Delete admin realms

    Allows the security administrator to create and delete administrator realms, even if the security administrator is not part of the administrators role.

    Select to allow the security administrator to add and delete admin realms.

    Access

    Indicates the level of realm access that you want to allow the security administrator role to set for system administrators for each major set of admin console pages.

    • Select Deny All to specify that members of the security administrator role cannot see or modify any settings in the category.
    • Select Read All to specify that members of the security administrator role can view, but not modify, all settings in the category.
    • Select Write All to specify that members of the security administrator role can modify all settings in the category.
    • Select Custom Settings to allow you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

    Note: All administrators that can manage admin roles and realms have at least read-only access to the admin role’s Name and Description and to the realm's Name and Description, as displayed on the General page.

    Admin Role > General > Delegated Resource Policies > All tab

    Access

    Indicates the level of access that you want to allow the administrator role for each Resource Policies submenu.

    • Select Deny All to specify that members of the administrator role cannot see or modify any resource policies.
    • Select Read All to specify that members of the administrator role can view, but not modify, all resource policies.
    • Select Write All to specify that members of the administrator role can modify all resource policies.
    • Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for each type of resource policy or for individual resource policies.

    Admin Role > General > Delegated Resource Policies > Custom Settings

    Additional Access Policies

    Sets custom access levels for an individual policy.

    Select the access level for the policy (Deny, Read, or Write).

    Policies

    Provides custom access level.

    Select the resource policy for which you want to provide a custom access level, and click Add.

    Default Options for Delegated Admins > Session Options tab

    Idle Timeout (minutes)

    Specifies the number of minutes an administrator session may remain idle before ending. The minimum is 5 minutes. The default idle session limit is ten minutes, which means that if an administrator’s session is inactive for ten minutes, the Infranet Controller ends the session and logs the event in the system log (unless you enable session timeout warnings described below).

    Enter the idle timeout duration in minutes.

    Max. Session Length (minutes)

    Specifies the number of minutes an active administrator session may remain open before ending. The minimum is 6 minutes. The default time limit for an administrator session is sixty minutes, after which the Infranet Controller ends the session and logs the event in the system log.

    Enter the session length in minutes. The default is 300 seconds, and the minimum is six minutes.

    Roaming session

    Roaming sessions allow users to work across source IP addresses. This is useful for mobile users with dynamically assigned IP addresses, as it allows them to sign in from their desk and continue working.

    • Select Enabled to enable roaming user sessions for administrators mapped to this role. A roaming user session works across source IP addresses, which allows mobile administrators (laptop users) with dynamic IP addresses to sign in to the Infranet Controller from one location and continue working from another. Disable this feature to prevent users from accessing a previously established session from a new source IP address. This helps protect against session hijacking, in which an attacker who has obtained a valid user's session cookie replays it from a different address.
    • Select Limit to subnet to limit the roaming session to the local subnet specified in the Netmask field. Administrators may sign in from one IP address and continue using their sessions with another IP address as long as the new IP address is within the same subnet.
    • Select Disabled to disable roaming sessions for administrators mapped to this role. Administrators who sign in from one IP address may not continue an active Infranet Controller session from another IP address; administrator sessions are tied to the initial source IP address.
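    The following Python example is added here to show how the Session Options above (Idle Timeout, Max. Session Length, and the three Roaming session settings) would be applied to an administrator session, and to validate the limits the page states before they are saved. It is not code from the Juniper documentation or the Infranet Controller; the session record, the netmask used for Limit to subnet, and the timestamps are constructed, and treating a session as expired exactly at the limit is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Limits stated on the page.
IDLE_TIMEOUT_MIN_MINUTES = 5
MAX_SESSION_MIN_MINUTES = 6
ROAMING_SETTINGS = ("Enabled", "Limit to subnet", "Disabled")


@dataclass
class SessionOptions:
    idle_timeout_minutes: int = 10   # page default
    max_session_minutes: int = 60    # page default
    roaming: str = "Disabled"
    roaming_netmask: str = "255.255.255.0"   # constructed; the Netmask field for Limit to subnet


@dataclass
class AdminSession:
    source_ip: str       # address the administrator signed in from
    started_at: int      # constructed: seconds since epoch
    last_activity: int   # constructed: seconds since epoch


def validate_options(opts):
    """Return a list of problems with the Session Options, empty if valid."""
    problems = []
    if opts.idle_timeout_minutes < IDLE_TIMEOUT_MIN_MINUTES:
        problems.append(f"idle timeout below minimum of {IDLE_TIMEOUT_MIN_MINUTES} minutes")
    if opts.max_session_minutes < MAX_SESSION_MIN_MINUTES:
        problems.append(f"max session length below minimum of {MAX_SESSION_MIN_MINUTES} minutes")
    if opts.roaming not in ROAMING_SETTINGS:
        problems.append(f"unknown roaming setting {opts.roaming!r}")
    return problems


def session_check(opts, session, now, request_ip):
    """Decide whether a request may continue an existing session.

    Returns (allowed, reason). Idle and maximum-length limits are checked
    first; then the request's source address is compared with the address the
    session was established from according to the roaming setting.
    """
    if now - session.last_activity >= opts.idle_timeout_minutes * 60:
        return False, "idle timeout"
    if now - session.started_at >= opts.max_session_minutes * 60:
        return False, "max session length"
    if request_ip != session.source_ip:
        if opts.roaming == "Disabled":
            return False, "roaming disabled: session tied to initial source IP"
        if opts.roaming == "Limit to subnet":
            subnet = ipaddress.ip_network(
                f"{session.source_ip}/{opts.roaming_netmask}", strict=False)
            if ipaddress.ip_address(request_ip) not in subnet:
                return False, "roaming limited to subnet"
    return True, "ok"


if __name__ == "__main__":
    opts = SessionOptions(roaming="Limit to subnet")
    sess = AdminSession(source_ip="10.1.1.5", started_at=0, last_activity=0)
    print(session_check(opts, sess, 300, "10.1.1.9"))
    print(session_check(opts, sess, 300, "10.1.2.9"))
    print(validate_options(SessionOptions(idle_timeout_minutes=3)))
```

    The ordering matters for log review: a session ended for idle timeout is recorded differently from one refused because its source address changed, and the latter is the event worth alerting on when roaming is disabled.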

    Default Options for Delegated Admins > UI Options tab

    Logo image

    Displays the logo in the Current appearance box only after you save your changes.

    Click the Browse button and locate your custom image file.

    Background color

    Updates the current appearance of the box.

    Type the hexadecimal number for the background color or click the Color Palette icon and pick the desired color.

    Navigation Menus

    Displays hierarchical navigation menus.

    • Select Auto-enabled to have the Infranet Controller determine whether the administrator is signed in from a supported platform and enable or disable the hierarchical menus accordingly.
    • Select Enabled to enable hierarchical menus, regardless of your platform. If the administrator is signed in from an unsupported platform, they may not be able to use the hierarchical menus, even though they are enabled.
    • Select Disabled to disable hierarchical menus for all members of the role.

    Show copyright notice in footer

    Specifies the copyright notice and label in the footer.

    Select or clear the check box (optional).

    Note: If you do not want user roles to see the copyright notice, you can also deselect the option in the Default Settings for user roles, in general. That way, all subsequent roles you create do not allow the notice to appear on the end-user UI.

    Published: 2012-11-28