Setting Network Configuration Manager Permissions

Network Configuration Manager security is segmented into two components:

Authentication services , providing login access to the application itself
A uthorization services , which allow access to networks and devices managed by the application

Authentication is provided via an external TACACS+ server, or through the Network Configuration Manager Native Registry. When creating users that require authorized access to the application, you must first designate how they with be authenticated during login, via one of two mechanisms, an external TACACS+ server, or the internal Native Registry. Then, access to the different modules of the application is controlled by a flexible, secure authorization system.

Note: For more information on setting up authentication mechanisms in Network Configuration Manager, see the sections on TACACS+ Server and Native Registry. This section describes how the Network Configuration Manager authorization system is implemented and managed.

Authorizations provides each user with access security, based on their network roles. Authorizations allow secure access to all protected resources within Network Configuration Manager including networks, devices, jobs, and workspaces. Authorizations can be granted to users or groups on a default, or on a per-resource basis.

For security management purposes, it is recommended that "like users" be placed within groups. Groups could then be provided with a set of default authorizations for all the resources they control. Network Configuration Manager recommends (for ease of management) that you deploy authorizations for your network at the group level. In this way, security management for all users in the group can be handled at one time, with a single change. However, individual users can also be granted permissions, and if desired, a customized environment can be created in which each user is provided separate access authorizations to each resource.

It is important to note that due to the great flexibility of the authorization scheme within Network Configuration Manager that permissions can be defaulted, implicit, explicit, inherited, summed, and overridden, thus encouraging great care be taken in planning the correct approach for deployment in your environment.

The following are examples offered for clarification.


Default Permissions	Each user and group has a set of default network and workspace permissions (called the Default Network and Default Workspace, respectively), that when set, apply those access lists to any network or workspace associated with the user or group.
Implicit Permissions	Permissions granted at the system level are granted implicit to all networks, regardless of the networks assigned to the user or group.
Explicit Permissions	Any permissions granted at the device level explicitly override any grants to that device given at the network or system level.
Inherited Permissions	Any user or group placed into another group having access permissions to a protected resource, will inherit those permissions as well.
Permission Summation	Users or Groups can be placed in group relationships in such a way they obtain the sum of permissions to a protected resource. For example, if a user is placed in a group that has View, Edit, and Schedule access to Network A, and into a group that has Approve access for Network A, the user effectively then has View, Edit, Schedule and Approve permissions in Network A.
Override Permissions	Continuing with the example above, if the user was also associated directly to Network A and given an override permission of View Only, the user would lose all other access to Network A, except for the override permissions. This rule applies to any user or group where the override check box has been selected. This, then overrides any other access provided to the protected resource.

All permissions are granted at the following levels:


System Level Permissions	Highest level of permissions in Network Configuration Manager. System Level Permissions allow you to manage networks, users and groups, access for users, System Administration, and more.
Network Level Permissions	Each user or group must be associated to a network, prior to having permissions for the network defined. A default network provides the ability to associate the same rights to any network assigned to the user or group. Any changes to the default network affect all associated networks that do not have overridden authorizations.
Workspace Level Permissions	Permissions can be set to allow specific users or groups to have access to design workspaces that have been created for the network. A default workspace provides the ability to associate the same rights to any workspace assigned to the user or group. Any changes to the default workspace affect all associated workspaces that do not have overridden authorizations.
Device Level Permissions	Each device within Network Configuration Manager can have its own set of authorizations. Any authorizations provided at the device level override all other permissions. For example, giving a user device level permissions will deny access to any other user that has access to that device at the network level.

The User Management module is where all permissions originate. The user or group is created and defined in this module.


User Permissions	User permissions define the authorizations to protected resources granted to an individual user of the application.
Group Permissions	Identical to user permissions, but assigned at the group level, group permissions define a group to protected resource authorizations.