Managing TOS Aurora Users

Overview

All users can change their own account details. Only administrators can add, change and delete other user accounts.

You can only add, edit, or delete TOS Aurora entities (such as devices, users, and rules) using the TOS Aurora user interface or API commands. Using any other method may cause data corruption that will necessitate a restore of your data.

Types of User - Single Domain

By default, all users and devices belong to a single domain. there are two types of users:

  • Administrator: Full permissions, for all monitored devices, and for all SecureTrack actions including system-level configuration and Unified Security Policy.

    The following actions are available only to administrators:

  • User: Defined by Administrator and given permission for one or more specified, monitored devices. For these devices, can perform policy management, analysis, auditing, and reporting.

All users can manage policy revisions, and configure and run queries, audits, and reports, for their assigned devices.

 

 

Permitted Actions (within permission scope)

 

Permission Scope System-level Configuration Unified Security Policy Users
Devices
Zones
Edit Topology
View Topology
Policy Mgmt
Auditing
Analysis
Reporting
Administrator All check mark check mark check mark check mark
User Specific devices
      check mark

Types of User - Multi-Domain

If you have configured your system for multi-domains, the two types of user are replaced by four different types of users:

  • Super Administrator: Full permissions, for all monitored devices in all Domains, and for all SecureTrack actions including system-level configuration and Unified Security Policy.

  • Multi-Domain Administrator: Defined by Super Administrator and given permission for one or more specified Domains (including any devices to be added in the future to the Domain), including (optionally) the default Domain. For all monitored devices in any of these Domains, can perform policy management, analysis, auditing, and reporting, and can view and modify the Topology. For any of these Domains except the default Domain, can configure device monitoring, Domain Users, and Network zones. If the multi-domain administrator has access to the Global Context only and not to any specific domains, the Map will not appear.

  • Multi-Domain User: Defined by Super Administrator and given permission for one or more specified monitored devices (group-selectable by Domain, but applies only to currently-configured devices). For these devices, can perform policy management, analysis, auditing, and reporting.

  • Domain User: Defined by Administrator (Super or Multi-Domain) and given permission for one or more specified, monitored devices in a specified Domain (not the default Domain). For these devices, can perform policy management, analysis, auditing, and reporting.

Administrators have administrative supervision over other users' reports, queries, and audits.

After the first additional (non-default) Domain is defined, existing administrators become Super Administrators and existing users become Multi-Domain Users. The scope of each appears in the following table.

 

 

Permitted Actions (within permission scope)

 

Permission Scope System-level Configuration Unified Security Policy Users
Devices
Zones
Edit Topology
View Topology
Policy Mgmt
Auditing
Analysis
Reporting
Super Administrator All check mark check mark check mark check mark
Multi-Domain Administrator One or more domains   check mark
Configure/Create intra-domain USPs only

check mark
Configure Domain Users only

For default Domain, edit Topology only

check mark
Multi-Domain User Specific devices for these domains       check mark
Domain User Specific devices for this domain
      check mark

Managing Users in a Multi-Domain Environment

In a Multi-Domain environment, a Multi-Domain Administrator who wants to add or configure a Domain User must be in the context for that Domain. A Super Administrator who wants to add or configure a Multi-Domain Administrator for more than one Domain, or a Multi-Domain User, or another Super Administrator, must be in the Global context (All Domains).

Administrative Supervision

SecureTrack Administrators can manage reports, queries, audits, and alerts that were created by Users and by other Administrators. This includes viewing, running, and editing the output (scheduling and recipients). Regular Users can only see reports that they themselves created.

In the various reports, analysis, and audit pages in SecureTrack, logged-in Administrators can select only reports, queries, or alerts that they created, or all available ones. For example:

All users

If you have configured your system for managing multi-domains, reports (configured and generated), queries, audits, and alerts are only available for the domains in which they were created. Super Administrators can manage any reports (in the domain contexts in which they were created). Multi-Domain Administrators have administrative supervision only in Domain contexts for which they have permissions (but not in the Global context), over reports created by other Multi-Domain Administrators and by Domain Users (but not over reports created by Super Administrators or by Multi-Domain Users).

What Can I Do Here?

Manage Your Own Account

You can change some details of your own user account, including your name, email address, enable or disable administrative alerts, and your password.

Add a New User or Profile Group

Existing users are listed. From the list, you can Edit (edit domain) a user's properties, or Delete (delete domain) a user:

Add a New User

To add a user, click + New User.

The new user's properties appear.

In a Multi-Domain environment, when adding or configuring a Multi-Domain User, devices are categorized and selectable by Domain, but the actual permissions are defined by device. Even when a whole Domain is selected, permissions are not automatically applied to devices added in the future.

Authentication method

You can choose how users will be authenticated. If you select RADIUS or TACACS+, enter the user's name exactly as it appears in the RADIUS or TACACS+ server.

If you select an SSO, RADIUS. or TACACS+ authentication, the user password will be stored in that server and not locally in TOS.

Permissions

You can select which permissions will be assigned to the new user.

If you select User, you will be asked to choose which devices the user can view.

If you select Admin, the user will automatically be granted permission to view all devices.

Email Address

This address will be used to deliver notifications, alerts, and reports.

Administrative Alerts

Only available for Admins. They can also be enabled from the Notifications page.

Click Save to add the user. The new user will be prompted to reset the password when logging in to the TOS Aurora UI for the first time and must do so before performing other functions such as running REST APIs and connecting from SecureChange.

Add a New Profile Group (for RADIUS users only)

SecureTrack Administrators can define profile group entities to authorize RADIUS users. When RADIUS authenticated users log in, SecureTrack can automatically create them on its repository and assign them with the permissions of the profile group they are members of.

To add a new user profile group, click + New Profile group.

The new profile group properties appear.

Edit a User

All existing users are displayed. Click to Edit (edit domain) a user's properties, or Delete (delete domain) a user:

User details:

Make changes and click Save to update the user. If you change the password, the user will be prompted to reset the password when next logging in to the TOS Aurora UI and must do so before performing other functions such as running REST APIs and connecting from SecureChange.

How Do I Get Here?

To manage other user accounts: Admin > Users.

To manage your own account: > Account Details.