Managing TOS Aurora Users

Overview

All users can change their own account details. Only administrators can add, change and delete other user accounts.

You can only add, edit, or delete TOS Aurora entities (such as devices, users, and rules) using the TOS Aurora user interface or API commands. Using any other method may cause data corruption that will necessitate a restore of your data.

Types of User - Single Domain

By default, all users and devices belong to a single domain. there are two types of users:

Administrator: Full permissions, for all monitored devices, and for all SecureTrack actions including system-level configuration and Unified Security Policy.

The following actions are available only to administrators:
- Configure system-level settings such as users and Network zones.
- Add or configure monitored devices.
- Assign Users specific devices in the organization's deployment.
- Administrative supervision over other users' queries, audits and reports.
User: Defined by Administrator and given permission for one or more specified, monitored devices. For these devices, can perform policy management, analysis, auditing, and reporting.

All users can manage policy revisions, and configure and run queries, audits, and reports, for their assigned devices.

		Permitted Actions (within permission scope)
	Permission Scope	System-level Configuration	Unified Security Policy	Users Devices Zones Edit Topology View Topology	Policy Mgmt Auditing Analysis Reporting
Administrator	All
User	Specific devices

Types of User - Multi-Domain

If you have configured your system for multi-domains, the two types of user are replaced by four different types of users:

Super Administrator: Full permissions, for all monitored devices in all Domains, and for all SecureTrack actions including system-level configuration and Unified Security Policy.
Multi-Domain Administrator: Defined by Super Administrator and given permission for one or more specified Domains (including any devices to be added in the future to the Domain), including (optionally) the default Domain. For all monitored devices in any of these Domains, can perform policy management, analysis, auditing, and reporting, and can view and modify the Topology. For any of these Domains except the default Domain, can configure device monitoring, Domain Users, and Network zones. If the multi-domain administrator has access to the Global Context only and not to any specific domains, the Interactive Map will not appear.
Multi-Domain User: Defined by Super Administrator and given permission for one or more specified monitored devices (group-selectable by Domain, but applies only to currently-configured devices). For these devices, can perform policy management, analysis, auditing, and reporting.
Domain User: Defined by Administrator (Super or Multi-Domain) and given permission for one or more specified, monitored devices in a specified Domain (not the default Domain). For these devices, can perform policy management, analysis, auditing, and reporting.

Administrators have administrative supervision over other users' reports, queries, and audits.

After the first additional (non-default) Domain is defined, existing administrators become Super Administrators and existing users become Multi-Domain Users. The scope of each appears in the following table.

		Permitted Actions (within permission scope)
	Permission Scope	System-level Configuration	Unified Security Policy	Users Devices Zones Edit Topology View Topology	Policy Mgmt Auditing Analysis Reporting
Super Administrator	All
Multi-Domain Administrator	One or more domains		Configure/Create intra-domain USPs only	Configure Domain Users only For default Domain, edit Topology only
Multi-Domain User	Specific devices for these domains
Domain User	Specific devices for this domain

Managing Users in a Multi-Domain Environment

In a Multi-Domain environment, a Multi-Domain Administrator who wants to add or configure a Domain User must be in the context for that Domain. A Super Administrator who wants to add or configure a Multi-Domain Administrator for more than one Domain, or a Multi-Domain User, or another Super Administrator, must be in the Global context (All Domains).

Administrative Supervision

SecureTrack Administrators can manage reports, queries, audits, and alerts that were created by Users and by other Administrators. This includes viewing, running, and editing the output (scheduling and recipients). Regular Users can only see reports that they themselves created.

In the various reports, analysis, and audit pages in SecureTrack, logged-in Administrators can select only reports, queries, or alerts that they created, or all available ones. For example:

All users

If you have configured your system for managing multi-domains, reports (configured and generated), queries, audits, and alerts are only available for the domains in which they were created. Super Administrators can manage any reports (in the domain contexts in which they were created). Multi-Domain Administrators have administrative supervision only in Domain contexts for which they have permissions (but not in the Global context), over reports created by other Multi-Domain Administrators and by Domain Users (but not over reports created by Super Administrators or by Multi-Domain Users).

What Can I Do Here?

Manage your own account
Add a new user
Edit a user
Add an administrator using st_add_user

Manage Your Own Account

You can change some details of your own user account, including your name, email address, enable or disable administrative alerts, and your password.

Add a New User or Profile Group

Existing users are listed. From the list, you can Edit () a user's properties, or Delete () a user:

Add a New User

To add a user, click + New User.

The new user's properties appear.

In a Multi-Domain environment, when adding or configuring a Multi-Domain User, devices are categorized and selectable by Domain, but the actual permissions are defined by device. Even when a whole Domain is selected, permissions are not automatically applied to devices added in the future.

Authentication method

You can choose how users will be authenticated. If you select RADIUS or TACACS+, enter the user's name exactly as it appears in the RADIUS or TACACS+ server.

If you select an SSO, RADIUS. or TACACS+ authentication, the user password will be stored in that server and not locally in TOS.

Permissions

You can select which permissions will be assigned to the new user.

If you select User, you will be asked to choose which devices the user can view.

If you select Admin, the user will automatically be granted permission to view all devices.

Email Address

This address will be used to deliver notifications, alerts, and reports.

Administrative Alerts

Only available for Admins. They can also be enabled from the Notifications page.

Click Save to add the user. The new user will be prompted to reset the password when logging in to the TOS Aurora UI for the first time and must do so before performing other functions such as running REST APIs and connecting from SecureChange.

Add a New Profile Group (for RADIUS users only)

SecureTrack Administrators can define profile group entities to authorize RADIUS users. When RADIUS authenticated users log in, SecureTrack can automatically create them on its repository and assign them with the permissions of the profile group they are members of.

To add a new user profile group, click + New Profile group.

The new profile group properties appear.

Edit a User

All existing users are displayed. Click to Edit () a user's properties, or Delete () a user:

User details:

Make changes and click Save to update the user. If you change the password, the user will be prompted to reset the password when next logging in to the TOS Aurora UI and must do so before performing other functions such as running REST APIs and connecting from SecureChange.

How Do I Get Here?

To manage other user accounts: Admin > Users.

To manage your own account: > Account Details.