Managing TOS Aurora Users
Overview
All users can change their own account details. Only administrators can add, change and delete other user accounts.
Types of User - Single Domain
By default, all users and devices belong to a single domain. There are two types of users:
- Administrator: Full permissions, for all monitored devices, and for all SecureTrack actions including system-level configuration and Unified Security Policy. The following actions are available only to administrators:
  - Configure system-level settings such as users and Network zones.
  - Add or configure monitored devices.
  - Assign users specific devices in the organization's deployment.
  - Administrative supervision over other users' queries, audits, and reports.
- User: Defined by an Administrator and given permission for one or more specified, monitored devices. For these devices, can perform policy management, analysis, auditing, and reporting.
All users can manage policy revisions, and configure and run queries, audits, and reports, for their assigned devices.
Permitted actions (within permission scope), by user type:

| User Type | Permission Scope | System-level Configuration | Unified Security Policy | Users, Devices, Zones | Edit Topology | View Topology | Policy Mgmt, Auditing, Analysis, Reporting |
|---|---|---|---|---|---|---|---|
| Administrator | All | | | | | | |
| User | Specific devices | | | | | | |
Types of User - Multi-Domain
If you have configured your system for multi-domains, the two types of user are replaced by four different types of users:
- Super Administrator: Full permissions, for all monitored devices in all Domains, and for all SecureTrack actions including system-level configuration and Unified Security Policy.
- Multi-Domain Administrator: Defined by a Super Administrator and given permission for one or more specified Domains (including any devices added to the Domain in the future), optionally including the default Domain. For all monitored devices in any of these Domains, can perform policy management, analysis, auditing, and reporting, and can view and modify the Topology. For any of these Domains except the default Domain, can configure device monitoring, Domain Users, and Network zones. If the Multi-Domain Administrator has access to the Global context only and not to any specific Domain, the Map does not appear.
- Multi-Domain User: Defined by a Super Administrator and given permission for one or more specified monitored devices (group-selectable by Domain, but applies only to currently configured devices). For these devices, can perform policy management, analysis, auditing, and reporting.
- Domain User: Defined by an Administrator (Super or Multi-Domain) and given permission for one or more specified, monitored devices in a specified Domain (not the default Domain). For these devices, can perform policy management, analysis, auditing, and reporting.
Administrators have administrative supervision over other users' reports, queries, and audits.
After the first additional (non-default) Domain is defined, existing administrators become Super Administrators and existing users become Multi-Domain Users. The scope of each appears in the following table.
Permitted actions (within permission scope), by user type:

| User Type | Permission Scope | System-level Configuration | Unified Security Policy | Users, Devices, Zones | Edit Topology | View Topology | Policy Mgmt, Auditing, Analysis, Reporting |
|---|---|---|---|---|---|---|---|
| Super Administrator | All | | | | | | |
| Multi-Domain Administrator | One or more domains | | Configure/Create intra-domain USPs only | For default Domain, edit Topology only | | | |
| Multi-Domain User | Specific devices for these domains | | | | | | |
| Domain User | Specific devices for this domain | | | | | | |
Managing Users in a Multi-Domain Environment
In a Multi-Domain environment, a Multi-Domain Administrator who wants to add or configure a Domain User must be in the context for that Domain. A Super Administrator who wants to add or configure a Multi-Domain Administrator for more than one Domain, or a Multi-Domain User, or another Super Administrator, must be in the Global context (All Domains).
Administrative Supervision
SecureTrack Administrators can manage reports, queries, audits, and alerts that were created by Users and by other Administrators. This includes viewing, running, and editing the output (scheduling and recipients). Regular Users can only see reports that they themselves created.
In the various report, analysis, and audit pages in SecureTrack, logged-in Administrators can choose to list only the reports, queries, or alerts that they created themselves, or all available ones.
If you have configured your system for managing multi-domains, reports (configured and generated), queries, audits, and alerts are only available for the domains in which they were created. Super Administrators can manage any reports (in the domain contexts in which they were created). Multi-Domain Administrators have administrative supervision only in Domain contexts for which they have permissions (but not in the Global context), over reports created by other Multi-Domain Administrators and by Domain Users (but not over reports created by Super Administrators or by Multi-Domain Users).
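The supervision rules above, written out as an added example (hypothetical model code, not Tufin's own) so that the question "may this account manage that report in this context?" can be checked mechanically, for instance when reviewing who can reach a given report. Role names follow the page; the `Account` and `Report` types, the `can_manage_report` function and the sample domain names are assumptions.

```python
from dataclasses import dataclass

# Role names as used on this page.
SUPER_ADMIN = "Super Administrator"
MD_ADMIN = "Multi-Domain Administrator"
MD_USER = "Multi-Domain User"
DOMAIN_USER = "Domain User"
GLOBAL = "Global"  # the "All Domains" context


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    domains: frozenset = frozenset()  # Domains an MDA is permitted in


@dataclass(frozen=True)
class Report:
    owner: Account
    domain: str  # Domain context in which the report was created


def can_manage_report(actor: Account, report: Report, context: str) -> bool:
    """True if `actor`, working in `context`, may view/run/edit `report`."""
    # Reports are only available in the domain context in which they were created.
    if context != report.domain:
        return False
    # Every account may manage the reports it created itself.
    if report.owner == actor:
        return True
    # Super Administrators supervise any report, in its own domain context.
    if actor.role == SUPER_ADMIN:
        return True
    # Multi-Domain Administrators supervise only in Domain contexts they are
    # permitted in (never Global), and only over MDA and Domain User reports.
    if actor.role == MD_ADMIN:
        return (context != GLOBAL
                and context in actor.domains
                and report.owner.role in (MD_ADMIN, DOMAIN_USER))
    # Multi-Domain Users and Domain Users see only their own reports.
    return False


if __name__ == "__main__":
    # Constructed sample accounts; "Finance" is an assumed Domain name.
    mda = Account("bob", MD_ADMIN, frozenset({"Finance"}))
    dom_user = Account("dave", DOMAIN_USER)
    report = Report(dom_user, "Finance")
    print(can_manage_report(mda, report, "Finance"))  # True
    print(can_manage_report(mda, report, GLOBAL))     # False
```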
What Can I Do Here?
- Manage your own account
- Add a new user
- Edit a user
- Add an administrator using st_add_user
Manage Your Own Account
You can change some details of your own user account, including your name, email address, enable or disable administrative alerts, and your password.
Add a New User or Profile Group
Existing users are listed. From the list, you can edit a user's properties or delete a user.
Add a New User
To add a user, click + New User.
The new user's properties appear.
In a Multi-Domain environment, when adding or configuring a Multi-Domain User, devices are categorized and selectable by Domain, but the actual permissions are defined by device. Even when a whole Domain is selected, permissions are not automatically applied to devices added in the future.
Authentication method
You can choose how users will be authenticated. If you select RADIUS or TACACS+, enter the user's name exactly as it appears in the RADIUS or TACACS+ server.
If you select SSO, RADIUS, or TACACS+ authentication, the user's password is stored in that server and not locally in TOS.
Permissions
You can select which permissions will be assigned to the new user.
If you select User, you will be asked to choose which devices the user can view.
If you select Admin, the user will automatically be granted permission to view all devices.
Email Address
This address will be used to deliver notifications, alerts, and reports.
Administrative Alerts
Only available for Admins. They can also be enabled from the Notifications page.
Click Save to add the user. The new user will be prompted to reset the password when logging in to the TOS Aurora UI for the first time and must do so before performing other functions such as running REST APIs and connecting from SecureChange.
Add a New Profile Group (for RADIUS users only)
SecureTrack Administrators can define profile group entities to authorize RADIUS users. When RADIUS-authenticated users log in, SecureTrack can automatically create them in its repository and assign them the permissions of the profile group they belong to.
To add a new user profile group, click + New Profile group.
The new profile group properties appear.
Edit a User
All existing users are displayed. From the list, you can edit a user's properties or delete a user.
User details:
Make changes and click Save to update the user. If you change the password, the user will be prompted to reset the password when next logging in to the TOS Aurora UI and must do so before performing other functions such as running REST APIs and connecting from SecureChange.
How Do I Get Here?
To manage other user accounts: Admin > Users.
To manage your own account: > Account Details.