While the user login authorizes the operations performed on a device, there are scenarios where users need to supply passwords at the time of the operation. Here are a few of them:

  • Rolling Passwords – many accounts use rolling passwords, where a password is valid only for a configured period. Prompting is required for such accounts.

  • Another scenario is when the Network Administrator is assigned a temporary account to make changes during a well-defined maintenance window. This account expires after the maintenance window. Prompting the user comes in handy in these cases.

  • Authorization Granularity – certain users may not be allowed to execute certain commands; in other words, authorization is done at the granularity of a command. Such users may need to use a different account to make certain changes, and cannot be tied to the high-level configuration.

  • NOC Users – There are times when a Network Operations Center (NOC) user has to execute a job (for example, Run as Operator Initiated), although the job may have been scheduled and approved by another user.

All of the above scenarios warrant prompting the user.

The Network Administrator always needs to be able to override the configuration on a per-operation basis – in other words, the flexibility to handle special and exception scenarios when managing certain devices.

This may depend on the role and the privileges of the user. There are also times when certain operations have to be performed to repair the state of the network, and this needs to be done without disturbing the current configuration.

Additional Prompt User Information

Network Configuration Manager provides a way to dynamically control the credentials used for any device operation. This is encapsulated in configuration that is exposed to the administrator.

The credentials include the following (note that all of them can be optional, depending upon the target device):

  • Account Name

  • Account Password

  • Privilege Password

Note: The privilege level is not necessary, as most of the time the TACACS server determines the privilege level based on the login credentials. Also, at least one of the credentials is required by the device.

Depending upon the configuration, the system uses the appropriate credentials for the device to perform the task. If there is a need to prompt the user, the system will do so.

  • The configuration does not apply for devices whose access is controlled through SNMP.

  • The credential configuration does not apply for "pull" jobs – statically assigned device credentials will be used. Similarly, all automated pulls shall use the shared credentials assigned to the target device.

  • When a copy of the job or task is made, the device credentials are copied to the new job or task.

  • All credential related information stored in the database is encrypted. The same applies for credentials in transit between the application tiers.

  • All credentials that are persisted or cached as part of the job will be discarded after the task request is sent to the target device servers.

  • If multiple devices are selected for a "Non-Scheduled" operation, and if it requires that the user be prompted for the credentials, the same user input credentials are used for all devices targeted.

  • If multiple tasks (devices) are involved in a job, and the job requires that the user be prompted for the credentials, the same user input credentials are used for all devices.

  • If the job is modified, the system invalidates any credentials stored for it, and the job goes through the same semantics as if no credentials had yet been provided.

  • The system provides the user the ability to override the credentials for a job or other non-scheduled operations. This enables the Network Admin to deal with exception scenarios where one user has to perform an operation on another's behalf.

  • Only users with "Override Credential" permission are allowed to update the credentials. The override ability is available as part of the scheduler. Any new credentials entered simply replace the existing ones if any.

  • All password information transmitted over the wire between the client and the server is encrypted to prevent snooping.

  • For cut-through operations, device level assignment (specifically "Network Configuration Manager Account" and "User Prompt") takes precedence over the global or network configuration.

  • API clients have the ability to specify device level credentials as part of every device operation – scheduled and non-scheduled. However, these credentials are only taken into account if the configuration is set up for "User Prompt" or the API user has the appropriate privileges to override at an operation level.
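The credential resolution rules listed above, as an added illustrative Python model that is not Network Configuration Manager's own code: the CredMode enum, the Device.mode field and the resolve/modify_job functions are assumed names, and the behaviour encoded is only what the bullets state (SNMP devices and pull jobs keep their static credentials, a device-level assignment takes precedence over the global setting, an override requires the "Override Credential" permission, and modifying a job invalidates any stored credentials).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple

class CredMode(Enum):
    STATIC = "ncm_account"   # use the credentials assigned to the device
    PROMPT = "user_prompt"   # ask the operator at operation time

@dataclass
class Credentials:
    account: Optional[str] = None
    password: Optional[str] = None
    privilege_password: Optional[str] = None
    def usable(self) -> bool:  # the device needs at least one of the three
        return any((self.account, self.password, self.privilege_password))

@dataclass
class Device:
    snmp_only: bool = False
    shared: Credentials = field(default_factory=Credentials)
    mode: Optional[CredMode] = None  # device-level assignment, if any (assumed field)

@dataclass
class Job:
    is_pull: bool = False
    prompted: Optional[Credentials] = None  # entered when the user was prompted
    override: Optional[Credentials] = None  # entered through the scheduler override

def resolve(job: Job, dev: Device, global_mode: CredMode,
            can_override: bool) -> Tuple[Optional[Credentials], bool]:
    # Returns (credentials to use, whether the user still has to be prompted).
    # SNMP-managed devices and pull jobs always use the static device credentials.
    if dev.snmp_only or job.is_pull:
        return dev.shared, False
    # An override replaces any other credentials, but only for permitted users.
    if job.override is not None:
        if not can_override:
            raise PermissionError("Override Credential permission required")
        return job.override, False
    # A device-level assignment takes precedence over the global setting.
    mode = dev.mode if dev.mode is not None else global_mode
    if mode is CredMode.PROMPT:
        if job.prompted is None or not job.prompted.usable():
            return None, True
        return job.prompted, False
    return dev.shared, False

def modify_job(job: Job) -> Job:
    # Editing a job discards stored credentials; the user is prompted again.
    job.prompted = None
    return job
```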