Creating and Configuring Infranet Controller Administrator Roles (NSM Procedure)
An administrator role defines administrator session and personalization settings. You can create and configure an administrator role from the Infranet Controller configuration tree.
To create an administrator role:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the Infranet Controller device for which you want to configure an administrator role.
- Click the Configuration tab. In the configuration tree, select Administrators > Admin Roles.
- Add or modify settings on the Admin Role tab as specified in Table 1.
- Click one of the following:
  - OK — Saves the changes.
  - Cancel — Cancels the modifications.
Note: To create individual administrator accounts, you must add the users through the appropriate authentication server (not the role). For example, to create an individual administrator account, select Authentication > Auth. Servers > Administrators > Users from the NSM UI.
Table 1: Administrator Role Configuration Details
Option | Function | Your Action |
---|---|---|
Admin Role > General tab | ||
Name | Specifies a unique name for the administrator role. | Enter a name. |
Admin Role > General > Overview tab | ||
Description | Describes the administrator role. | Enter a brief description for the administrator role. |
Session Options | Specifies the maximum session length, roaming capabilities, and session persistence. | Select General > Session Options to apply the settings to the role. |
UI Options | Specifies the logo, color, navigation menus and the copyright notice. | Select General > UI Options to apply the settings to the role. |
Admin Role > General > Restrictions > Source IP Restrictions tab | ||
Allow | Specifies from which IP addresses users can access an Infranet Controller sign-in page, be mapped to a role, or access a resource. | |
Source IP Address | Specifies the source IP addresses. | Enter the IP address. |
Source IP Netmask | Specifies the IP netmask. | Enter the IP netmask. |
Access | Specifies whether to allow or deny access. | |
Admin Role > General > Restrictions > Browser Restrictions tab | ||
Allow | Specifies from which web browsers users can access an Infranet Controller sign-in page or be mapped to a role. | |
User agent pattern | Specifies the format. | Enter a string in the format *<browser_string>* where star (*) is an optional character used to match any character and <browser_string> is a case-sensitive pattern that must match a substring in the user-agent header sent by the browser. Note: You cannot include escape characters (\) in browser restrictions. |
Action | Specifies whether to allow or deny access. | |
Admin Role > General > Restrictions > Certificate Restrictions tab | ||
Allow | Restricts Infranet Controller and resource access by requiring client-side certificates. | |
Certificate Field | Specifies the certificate field. | Enter the certificate field. |
Expected Value | Specifies the expected value. | Enter the expected value. |
Admin Role > General > Restrictions > Host Checker Restrictions tab | ||
Enforce | Specifies the Host Checker policy at the role level. | |
Host Checker policies | Specifies the Host Checker policies. | Select the required Host Checker policies. |
Allow access to the role if | Specifies access to the role. | |
Admin Role > General > Users > Roles > Delegate User Roles | ||
Administrators can manage ALL roles | Specifies whether the administrator can manage all roles. | Select the user roles. If you only want to allow the administrator role to manage selected user roles, select those roles in the Non-members list and click Add to move them to the Members list. |
Access | Specifies which user role pages the delegated administrator can manage. | |
Admin Role > General > Users > Role > Delegate As Read-Only Role | ||
Administrator can view (but not modify) ALL roles | Allows the administrator to view the user roles, but not manage them. | Select the user role that you want to allow the administrator to view. Note: If you specify both write access and read-only access for a feature, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL roles check box under Delegate User Roles, and then select the Users role on the Delegate As Read-Only Roles page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users role. |
Admin Role > General > Users > Realms > Delegate User Realms | ||
Administrators can manage ALL realms | Specifies whether the administrator can manage all user authentication realms. | Select the user realm. If you only want to allow the administrator role to manage selected realms, select those realms from the Non-members list and add them to the Members list. |
Access | Specifies which user authentication realm pages the delegated administrator can manage. | |
Admin Role > General > Users > Realms > Delegate As Read-Only Realms | ||
Administrator can view (but not modify) ALL realms | Allows the administrator to view the user authentication realms, but not modify them. | Select the user authentication realms that you want to allow the administrator to view. Note: If you specify both write access and read-only access for an authentication realm page, the Infranet Controller grants the most permissive access. For example, if you select the Administrators can manage ALL realms check box under Delegate User Realms, and then select the Users role on the Delegate As Read-Only Realms page, then the Infranet Controller allows the delegated administrator role full management privileges to the Users realm. |
Admin Role > General > Delegated Administrator Settings > Management of Admin roles | ||
Manage ALL admin roles | Manages all admin roles. | Select to manage all the admin roles. |
Allow Add/Delete admin roles | Allows the security administrator to create administrator roles, even if the security administrator is not part of the Administrators role. | Select to allow the security administrator to add and delete admin roles. |
Access | Indicates the level of access that you want to allow the security administrator role to set for system administrators. | |
Admin Role > General > Delegated Administrator Settings > Management of Admin realms | ||
Manage ALL admin realms | Manages all admin realms. | Select to manage all the admin realms. |
Allow Add/Delete admin realms | Allows the security administrator to create and delete administrator realms, even if the security administrator is not part of the administrators role. | Select to allow the security administrator to add and delete admin realms. |
Access | Indicates the level of realm access that you want to allow the security administrator role to set for system administrators for each major set of admin console pages. | Note: All administrators that can manage admin roles and realms have at least read-only access to the admin role’s Name and Description and to the realm's Name and Description, as displayed on the General page. |
Admin Role > General > Delegated Resource Policies > All tab | ||
Access | Indicates the level of access that you want to allow the administrator role for each Resource Policies submenu. | |
Admin Role > General > Delegated Resource Policies > Custom Settings | ||
Additional Access Policies | Sets custom access levels for an individual policy. | Select the access level for the policy (Deny, Read, or Write). |
Policies | Provides custom access level. | Select the resource policy for which you want to provide a custom access level, and click Add. |
Default Options for Delegated Admins > Session Options tab | ||
Idle Timeout (minutes) | Specifies the number of minutes an administrator session may remain idle before ending. The minimum is 5 minutes. The default idle session limit is ten minutes, which means that if an administrator’s session is inactive for ten minutes, the Infranet Controller ends the session and logs the event in the system log (unless you enable session timeout warnings described below). | Enter the idle timeout duration in minutes. |
Max. Session Length (minutes) | Specifies the number of minutes an active administrator session may remain open before ending. The minimum is 6 minutes. The default time limit for an administrator session is sixty minutes, after which the Infranet Controller ends the session and logs the event in the system log. | Enter the session length in minutes. The default is 300 seconds, and the minimum is six minutes. |
Roaming session | Roaming sessions allow users to work across source IP addresses. This is useful for mobile users with dynamically assigned IP addresses, as it allows them to sign in from their desk and continue working. | |
Default Options for Delegated Admins > UI Options tab | ||
Logo image | Displays the logo in the Current appearance box only after you save your changes. | Click the Browse button and locate your custom image file. |
Background color | Updates the current appearance of the box. | Type the hexadecimal number for the background color or click the Color Palette icon and pick the desired color. |
Navigation Menus | Displays hierarchical navigation menus. | |
Show copyright notice in footer | Specifies the copyright notice and label in the footer. | Select or clear the check box (optional). Note: If you do not want user roles to see the copyright notice, you can also deselect the option in the Default Settings for user roles, in general. That way, all subsequent roles you create do not allow the notice to appear on the end-user UI. |
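
The Source IP Restrictions and Browser Restrictions rows above can be previewed offline before a rule set is applied to an administrator role. The following Python sketch is an added example, not Juniper or NSM code. The rule lists are constructed samples, and the evaluation order (first matching rule wins, no match means deny, both restrictions must allow) and the anchoring of patterns that lack a leading or trailing `*` are assumptions that the table does not state.

```python
import ipaddress
import re

# Constructed sample rules using the table's fields (not from a real device).
IP_RULES = [  # (Source IP Address, Source IP Netmask, Access)
    ("10.20.30.40", "255.255.255.255", "deny"),
    ("10.20.0.0", "255.255.0.0", "allow"),
]
UA_RULES = [  # (User agent pattern, Action)
    ("*Firefox/3.0*", "deny"),
    ("*Firefox*", "allow"),
]

def ua_regex(pattern):
    """Compile a *<browser_string>* pattern into a case-sensitive regex."""
    if "\\" in pattern:
        raise ValueError("escape characters (\\) are not allowed: %r" % pattern)
    # '*' matches any run of characters; every other character is literal.
    # Assumption: an end without '*' is anchored to that end of the header.
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.DOTALL)

def ip_decision(source_ip, rules=IP_RULES):
    addr = ipaddress.ip_address(source_ip)
    for rule_ip, netmask, access in rules:
        # strict=False tolerates host bits set in the rule's address.
        network = ipaddress.ip_network(f"{rule_ip}/{netmask}", strict=False)
        if addr in network:
            return access          # assumption: first matching rule wins
    return "deny"                  # assumption: no match means deny

def ua_decision(user_agent, rules=UA_RULES):
    for pattern, action in rules:
        if ua_regex(pattern).match(user_agent):
            return action
    return "deny"

def preview(source_ip, user_agent):
    """Assumption: both restrictions must allow for the role to be usable."""
    ok = ip_decision(source_ip) == "allow" and ua_decision(user_agent) == "allow"
    return "allow" if ok else "deny"

if __name__ == "__main__":
    for ip, ua in [("10.20.1.5", "Mozilla/5.0 Firefox/3.6"),
                   ("10.20.30.40", "Mozilla/5.0 Firefox/3.6"),
                   ("10.20.1.5", "Mozilla/5.0 Firefox/3.0.1")]:
        print(ip, ua, "->", preview(ip, ua))
```

Running the planned rules against the management workstations' real addresses and user-agent strings shows whether a narrower deny rule is shadowed by a broader allow rule placed above it, and whether the rule set would lock administrators out.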