Alcatel-Lucent OmniVista Cirrus

Network Management as a Service

Users and User Groups Overview

The Users and User Groups application enables you to control user access to OmniVista Cirrus and to network switches. Access to OmniVista Cirrus is controlled through the definition of user logins and passwords. Access to network switches is controlled through the use of User Groups, which have specified levels of access to switches. All OmniVista users must be assigned to at least one User Group, which defines the access rights for its members. User Groups and user logins are configured from the Users and User Groups application, and constitute one level of network security. Users can also be configured for Two-Factor Authentication, based on User Role. Security levels are summarized below.

Security Levels

Security levels are configured in the Users and User Groups application, as well as the Topology application, and through the Command Line Interface (CLI):

  • SNMP Get and Set Community Names - Get and Set Community names act as read and write passwords that define whether any OmniVista user is allowed to read or write the switch's configuration information. Get and Set Community names are configurable only from the switch itself, through the Console Port or CLI.
  • The "Seen By" Parameter - This parameter makes individual switches visible to users in a specified OmniVista User Group. The Seen By parameter setting is specified in the Discovery Wizard when switches are discovered. After discovery, you can use the Topology application to edit entries in the list of All Discovered Devices to redefine this parameter.
  • OmniVista User Groups - User Groups in OmniVista provide different levels of access to switches. An OmniVista user's access rights are based on the access rights of his/her assigned User Group. Configured in the Users and User Groups application.

Default Users, Groups, and Passwords

OmniVista security uses a combination of user logins and User Groups to control access to OmniVista and to network switches. OmniVista is shipped with the pre-configured user logins, passwords, and User Groups described below. The Users and User Groups application enables you to modify these users, passwords, and User Groups, or create new ones. Note that the pre-configured user admin is the only user that has permission to change the user logins and User Groups defined by the Users and User Groups application. The pre-configured users and User Groups shipped with OmniVista are as follows:

  • User user in User Group Default

User user belongs to the Default User Group and therefore has read-only access to switches that can be seen by the Default User Group. The default password for this user is switch. User user can view the information for a switch, but cannot modify the information. This is because the only group right assigned to the Default User Group is Read.

  • User writer in User Group Writers

User writer belongs to the Writers User Group and has both read and write access to switches that can be seen by the Writers User Group. The default password for this user is switch. User writer can view and modify switch information, and can use the Discovery Wizard to discover network switches (Re-Discovery Mode only). User writer can also modify entries in the list of All Discovered Devices.

  • User netadmin in User Group Network Administrators

User netadmin belongs to the Network Administrators User Group and therefore has full administrative rights to all the switches that can be seen by the Network Administrators User Group. These are the users who are responsible for management of parts of the network (Site Administrators). The default password for this user is switch. User netadmin can manually add, delete, or modify entries in the list of All Discovered Devices for their User Group. User netadmin does not have access to the SecureView-SA, Authentication Servers, Control Panel or Server Backup Applications (the application icons are "grayed out"), nor is this user able to change the trap port in the Preferences Application or delete/archive log files in the Audit Application. The group rights assigned to the Network Administrators group are Read, Write, and Network Admin.

  • User admin in User Group Administrators

User admin belongs to the Administrators User Group and therefore has full administrative rights to all switches in the network AND full administrative rights to edit the User Groups and users defined in the Users and User Groups security application. The default password for this user is switch.

Two-Factor Authentication

Two-Factor Authentication uses the Google Authenticator App to generate a time-based, 6-digit code that must be entered in addition to a user’s login/password to log into OmniVista Cirrus. Two-Factor Authentication is configured for a user based on User Role. Once Two-Factor Authentication is set up for a user, the user will be required to enter their username/login, and then the 6-digit code generated by Google Authenticator to log into OmniVista Cirrus.
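The following added example (not OmniVista Cirrus code) shows how a time-based 6-digit code of the kind Google Authenticator generates is computed and checked, using the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second step). The function names, the drift window and the replay check are assumptions made for illustration; the secret is the RFC test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # code length stated on the page

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# authenticator apps receive it. Never use it for a real account.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(base64.b32decode(secret_b32), int(at) // STEP)


def verify(secret_b32, submitted, at, window=1, last_counter=None):
    """Return the matched time-step counter, or None if the code is rejected.

    window: steps of clock drift tolerated on each side (hypothetical policy).
    last_counter: highest counter already accepted for this user; codes at or
    below it are refused so a captured code cannot be replayed.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    key = base64.b32decode(secret_b32)
    now = int(at) // STEP
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        # Constant-time compare; keep looping so timing does not reveal the step.
        if hmac.compare_digest(hotp(key, counter), submitted):
            matched = counter
    if matched is None or (last_counter is not None and matched <= last_counter):
        return None
    return matched
```

A code stays valid for roughly `(2 * window + 1) * STEP` seconds, so a wider drift window directly lengthens the time a captured code can be reused unless the last accepted counter is stored per user.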

Using Users and User Groups the First Time

You can use one of the pre-configured User Groups or use the Groups Screen to create a new group or edit one of the pre-configured groups. The Groups Screen is also used to add or remove users from existing groups, and delete groups. You can use one of the pre-configured users or use the Local Users Screen to create a new user or edit one of the pre-configured users. Note that all pre-configured users have the same default password, switch. At a minimum, it is recommended that you redefine the passwords. The Local Users Screen is also used to delete users, add or remove users from existing groups, and change user passwords.

Sample Security Configurations

OmniVista users with Administrators rights can view and manage every switch in the network. Selected switches can be "walled off" from users that have Network Administrators, Writers or Default (read) security rights. The "walled off" switches can be made visible to, and manageable from, a single OmniVista User Group. This is accomplished by creating a new User Group and setting the "can be seen by" parameter, so that relevant switches can be seen by that User Group only. (Note that, if problems arise, switches are always visible to, and can be managed by, users in the Administrators User Group.)

For example, first you can create a group named Marketing with Writers access rights. You can also create a single user named Marketing Writer, who is the sole member of User Group Marketing. The Marketing department contains five switches, and you set the "can be seen by" parameter for each switch to User Group Marketing only.

The effect of this security configuration is that the five switches in the Marketing department will be visible to, and manageable by, the user Marketing Writer only. OmniVista's list of All Discovered Devices will display the five Marketing switches only when user Marketing Writer is logged in. Since the switches will not be visible in the list of All Discovered Devices when other users with Write or Read permission are logged in, they cannot be managed by other users. (Note that users with Administrator security rights are an exception to this. Users with Administrator security rights will always be able to see and manage the five Marketing switches.)

You could also create a second User Group, named Marketing Monitor, which has read access rights only. You create a user that belongs to this group named Marketing Reader. If you set the "can be seen by" parameter for each Marketing switch to User Group Marketing Monitor and User Group Marketing, user Marketing Reader will be able to view and monitor the five Marketing switches, but only user Marketing Writer will be able to configure the switches.
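The two-layer model described above (group rights filtered by each switch's "can be seen by" setting, with Administrators exempt) can be checked offline with a small model such as this added example, which is not OmniVista code. The switch names, the function names and the rule that a user in several groups gets the union of their rights are assumptions.

```python
ADMIN_GROUP = "Administrators"

# Group rights as the page lists them; Marketing groups come from its scenario.
GROUP_RIGHTS = {
    "Default": {"Read"},
    "Writers": {"Read", "Write"},
    "Network Administrators": {"Read", "Write", "Network Admin"},
    "Marketing": {"Read", "Write"},
    "Marketing Monitor": {"Read"},
}
ALL_RIGHTS = {"Read", "Write", "Network Admin"}

USERS = {  # user -> User Groups
    "user": {"Default"}, "writer": {"Writers"},
    "netadmin": {"Network Administrators"}, "admin": {ADMIN_GROUP},
    "Marketing Writer": {"Marketing"}, "Marketing Reader": {"Marketing Monitor"},
}

# Constructed inventory: switch names are placeholders, not from the page.
SEEN_BY = {f"mkt-sw{i}": {"Marketing", "Marketing Monitor"} for i in range(1, 6)}
SEEN_BY["core-sw1"] = {"Default", "Writers", "Network Administrators"}


def effective_rights(user, switch):
    """Rights a user holds on a switch: union over the user's groups that the
    switch is seen by. Administrators bypass the visibility filter."""
    groups = USERS[user]
    if ADMIN_GROUP in groups:
        return set(ALL_RIGHTS)
    rights = set()
    for group in groups & SEEN_BY.get(switch, set()):
        rights |= GROUP_RIGHTS[group]
    return rights


def who_can(right, switch):
    """Sorted list of users holding `right` on `switch`."""
    return sorted(u for u in USERS if right in effective_rights(u, switch))


def unwalled_writers(switch, intended):
    """Users with Write on `switch` who are neither in `intended` nor admins:
    the drift an access review should catch."""
    return [u for u in who_can("Write", switch)
            if u not in intended and ADMIN_GROUP not in USERS[u]]
```

Running `unwalled_writers` over every switch with the intended owner list is a quick review for switches that were discovered with a broader "can be seen by" setting than planned.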