| Administrator Handbook | TOC |
Up to LoriotPro version 3, it was not possible to control the access to LoriotPro by a WEB navigator with precision. The restriction was done on an IP address client basis and not regarding specific objects of the directory tree. It is now possible to define users and assign them a level of access to directory objects. The concept of access control is based on access level and not on object rights like in other directories; we want to refer here to NDS from Novell and ACTIVE Directory from Microsoft. Each object of the directory, container, network, and leave object like plug-in and reports has a level of access. From these both levels, the user access level and the object directory access level the right for a particular user to access (see) an object from the remote WEB navigator is granted or revoked. The simple rule managing the access within the access policy is:
Access allowed if User Level >= Object Level
On the diagram below you can see an example of two users with different access rights:
User 1 has a level of 100 and is able to access the Container object and the network object but not the Host Object that has a higher level. User 2 has a higher level and can access all the three objects. To complete the picture we define global rights per user. The global rights supersede the rights that could be granted by level. The global rights give access to a user to the main functions of the remote interface like access to the Inter network map for example.
The User Manager defines access control for remote web access. The LoriotPro console access is not protected by this way and the Windows protection mechanism should be used.
The user Manager is functionality embedded in the LoriotPro WEB server service plug-in.
If the Web server service plug-in is running you’ll have access to the user manager.
With a right click on the LoriotPro Http Server service Plug-in you can access the properties windows.
The control of access based on the IP source address of the remote WEB navigator is still available and have to be configured. The default configuration allows any IP address to access the LoriotPro console.
A new button is present in the window, the User Right Manager.
This one gives you access to the following User Right Manager window
User Right Manager window
The user right manager allows you to define users, user access levels, and user global rights, to define directory object levels and to view the result of your settings.
The user right manager window is composed of three panes.
The access policy is base on the setting of the level on each object.By default all objects are accessible for any user. The default value is 0.If you want to change the level just click on the object, the following dialog box appears
From there you can define the new level for the selected object and its child objects if you want.Here is an example of setting for the Ulysse Host object.
By default the Recursive mode On is set. The child objects are not modified by your setting.
If you choose the Recursive mode On and overwrite old level the level of the child objects will be modified and set to the same level as the father object level.
If you choose the last option the child object level will be change only if their current level is lower than the level of the father object level.
To define a new user click on the Add User Button and enter the user name.
To set the user password click on the user name cell in the lower left pane
The user level is assigned by clicking on the level cell of the corresponding user.
The root directory of a user defines the upper object of the directory that a user can access. When defined, the user is unable to access object at higher level or at a similar level than its virtual root level.
To configure the root directory for a user just drag and drop the object icon from the directory view in the left pane to the user root directory cell.
The global rights allow the user to access or not the main service offers on the remote console.
The main services are:
See Map: Allow the access to the view of the dynamic inter-network Map
Run Script: Allow the user to run the scripts attached to the hosts
See Event: Allow the user to open the event files
See Traps: Allow the user to open the trap files
See Logs: Allow the user to open the Syslog files
Access Database: Allow the user to access SQL database
Browse Directory: Allow user to browse the directory tree
PHP: Allow the user to run php script on WEB page
If one of this global right is set to “yes” the user is able to access objects based on its level.
To assign to a user its global rights you should click in the corresponding cell.
To check your configuration you can access your LoriotPro from a remote WEB navigator.
If you want to access your console from your local WEB navigator you can lunch it from the WEB console by double clicking on the Http Server service plug-in located in the Workspace.
This open the WEB console
Press Go Home will open your navigator.
We highly recommend to use the IE5 version from Microsoft or higher versions.
The report manager plug-in allows you to set access level on report.
Reports within LoriotPro are WEB pages automatically or manually generated. There are accessible from a remote WEB navigator when you click on a host.
The scripts are globally accessible if the user has the Global right of running script. This global right is set in the user manager has describe in the previous chapter.
To start the Report File Manager either start the WEB console and click on the Report Manager button or open the Call Direct Plug-in menu.
From there select the Report File Manager
The report manager window is displayed.
For each report you can assign a level
Like usual if the user has a level superior or equal to this level it will be possible form him to lauch it from the WEB navigator.
The example below uses a configuration where multiple networks for different customers are managed with one LoriotPro.
Each customer is assigned a dedicated container and all their proprietary devices are set in that container.
For each Customer we defined in first User Name. Cust1-User1 and Cust1-User2 are administrators from the customer 1, Cust2-User1 is the administrator of user 2 and so on.
To avoid that these user have access to directory tree segment of each other we defined the Directory Root for each of them. The Directory Root could be here the Customer container or any of its child object. In our example the Cust1-User2 has a root object set on a Network (net_128.1.0.0).
We see in the upper screen in the upper right pane the portion of the tree that the current selected user (Cust1-User1) will be able to see if it connects from its WEB navigator to the LoriotPro console.
You can see there that the authorized directory upper level is the Customer1 container and nothing more.
Within this container he could access all object because its level is higher or at least equal to the object access level.
We could have a fine tuning of access by setting the level of child object. In our example we decide to give the view of report to the admin user and not to the Customer1 users.
The Report Plugin object is assigned a level of 500 which is higher than the level of Cust1-User1 et Cust1-User2.
The right upper pane shows that now the Cust1-User1 will not see the Report Plugin from a remote access.
www.loriotpro.com |
|
