Setting Up User Group Authorization and Viewing User Permissions

This chapter describes how to set up Junos Scope user group authorization for device access based on the user group association. The Junos Scope administrator can assign one or more users to belong to a user group.

There are two types of user groups: predefined and user-defined. After the Junos Scope software is installed, there are four predefined user groups, each associated with a permission level, and no user-defined user groups. The four predefined user groups are administrator, read-write user, read-only user, and nobody.

Each user group must have a permission level assigned to it. Four permission levels are available: superuser, read-write, read-only, and none.

The name and permission level assigned to the four predefined user groups are fixed, and cannot be changed or deleted.

If this group-based authorization feature is not used, the Junos Scope administrator does not have to create any new user-defined user groups. The administrator can simply treat three predefined user groups—for example, administrator, read-write user, and read-only user—as the three distinct permission levels of superuser, read-write, and read-only.

You can assign any name to a user-defined user group except a name that already exists; however, the permission levels available to user-defined user groups are limited to read-only and read-write. In other words, the administrator cannot create a new user group with either the superuser or the none permission level. The administrator and nobody user groups have unique authorization privileges across all devices.

The nobody user group and none permission level allow a user account to be created without access permission to any device, for example, a guest or demo account.

Each user must belong to at least one user group, but a user can belong to multiple user groups. A user assigned to multiple user groups has the least restrictive permission of those groups. The order of permission levels, from least to most restrictive, is superuser, read-write, read-only, and none.

The administrator can assign a user group either read-only or read-write access permission to the devices and device groups that have been configured in the Junos Scope software. When a user group is assigned read-write access to devices or device groups, the users in the user group can perform read-write operations on those devices and device groups, such as Configuration > Repository > Archive and Restore. When a user group is assigned read-only access to devices or device groups, the users in the user group can perform only read-only operations on those devices and device groups, such as Monitor > Status and Configuration > Current > View. A user belonging to two user groups—one read-write and one read-only—has read-write access only to the devices and device groups of the read-write user group. Devices and device groups listed for read-only user groups are not available for write actions.

When devices are added to a device group, the device list includes only those devices to which the user has access permission. A user in a user group with access to a device group can operate on those members of the device group to which the user has access. For example, user group usergroup1 has read-write permission. usergroup1 has read-write access to devices device1, device2, and device3. usergroup1 also has read-write access to device group devgroup1. devgroup1 has device members device1, device2, device3, and device4. In this case, when user user1 belonging to usergroup1 tries to use devgroup1 in a read-write operation, such as Archive, devgroup1 will be expanded to member devices device1, device2, and device3.

Note: The device device4 will not be in the expanded list of members of devgroup1 in the archive operation.

If a user group has either superuser or read-write permission, it has read-write access to all devices associated with that user group. If the user group has read-only permission, it has read-only access to all devices associated with that user group. If a user group has no access, it can only log in to the Junos Scope software, but cannot access any devices.
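The following Python model is an added illustration of the rules in the preceding paragraphs (least restrictive permission across multiple groups, user-defined groups limited to read-only and read-write, and device group expansion filtered to accessible members); it is not Junos Scope code, and every group, user and device name in it is constructed for the example.

```python
# Added illustration of the Junos Scope authorization rules described above;
# not Junos Scope code. All group, user and device names are constructed.
from dataclasses import dataclass, field

# Permission levels ordered from least to most restrictive.
LEVELS = ["superuser", "read-write", "read-only", "none"]
PREDEFINED = {"administrator": "superuser", "read-write user": "read-write",
              "read-only user": "read-only", "nobody": "none"}

@dataclass
class UserGroup:
    name: str
    permission: str
    devices: set = field(default_factory=set)        # devices the group may access
    device_groups: set = field(default_factory=set)  # device groups the group may access

def create_user_group(groups, name, permission):
    """User-defined groups cannot reuse a name and may only be read-only or read-write."""
    if name in groups or name in PREDEFINED:
        raise ValueError(f"user group {name!r} already exists")
    if permission not in ("read-only", "read-write"):
        raise ValueError("user-defined groups must be read-only or read-write")
    groups[name] = UserGroup(name, permission)
    return groups[name]

def effective_permission(user_groups):
    """A user in several groups gets the least restrictive level."""
    return min((g.permission for g in user_groups), key=LEVELS.index)

def accessible_devices(group, all_devices):
    """Devices one user group can reach; the administrator (superuser) group reaches all."""
    return set(all_devices) if group.permission == "superuser" else set(group.devices)

def expand_device_group(user_groups, dg_name, dg_members, all_devices, write=True):
    """Expand a device group for an operation, keeping only the members the user
    can access through a group whose permission allows that operation."""
    members = set(dg_members.get(dg_name, ()))
    allowed = {"superuser", "read-write"} if write else {"superuser", "read-write", "read-only"}
    result = set()
    for g in user_groups:
        if g.permission in allowed and (dg_name in g.device_groups or g.permission == "superuser"):
            result |= members & accessible_devices(g, all_devices)
    return result

def demo():
    """The usergroup1/devgroup1 example from the text: device4 is dropped on Archive."""
    groups = {}
    ug1 = create_user_group(groups, "usergroup1", "read-write")
    ug1.devices |= {"device1", "device2", "device3"}
    ug1.device_groups.add("devgroup1")
    dg = {"devgroup1": ["device1", "device2", "device3", "device4"]}
    return expand_device_group([ug1], "devgroup1", dg, ["device1", "device2", "device3", "device4"])
```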

The administrator user group has full permission to all devices on the network configured in the Junos Scope software. The administrator can create a network operations center (NOC) technician user group that has read-write permission to all devices configured in a network region, and a NOC operator user group that has read-only access to monitor all devices configured on the network.

You must belong to the administrator user group to set up user groups and edit associations among user groups, users, devices, or device groups.

Using Monitor > Operations, users can monitor scheduled operations of users belonging to the same user group, but cannot view operations scheduled by users belonging to different user groups. Users belonging to the administrator user group can monitor operations scheduled by any user.

Using Settings > Saved Operations, users can use only those saved operations that have been created by users belonging to the same user group, but cannot use saved operations created by users belonging to different user groups. Users belonging to the administrator user group can use saved operations created by any user.

This chapter includes the following topics: