Administrator HandbookTOC

User Manager

Introduction to User Manager

The goal of the User Manager is to provide a scalable solution for handling the access control to the LoriotPro Console from a remote thin client (WEB Navigator).
Up to LoriotPro version 3, it was not possible to control the access to LoriotPro by a WEB navigator with precision. The restriction was done on an IP address client basis and not regarding specific objects of the directory tree.  It is now possible to define users and assign them a level of access to directory objects. The concept of access control is based on access level and not on object rights like in other directories; we want to refer here to NDS from Novell and ACTIVE Directory from Microsoft.  Each object of the directory, container, network, and leave object like plug-in and reports has a level of access.  From these both levels, the user access level and the object directory access level the right for a particular user to access (see) an object from the remote WEB navigator is granted or revoked. The simple rule managing the access within the access policy is:  
Access allowed if User Level >= Object Level
On the diagram below you can see an example of two users with different access rights:
 User 1 has a level of 100 and is able to access the Container object and the network object but not the Host Object that has a higher level. User 2 has a higher level and can access all the three objects.  To complete the picture we define global rights per user. The global rights supersede the rights that could be granted by level. The global rights give access to a user to the main functions of the remote interface like access to the Inter network map for example.

The User Manager defines access control for remote web access. The LoriotPro console access is not protected by this way and the Windows protection mechanism should be used.

Starting the User Manager

The user Manager is functionality embedded in the LoriotPro WEB server service plug-in.

If the Web server service plug-in is running you’ll have access to the user manager.

With a right click on the LoriotPro Http Server service Plug-in you can access the properties windows.

The control of access based on the IP source address of the remote WEB navigator is still available and have to be configured. The default configuration allows any IP address to access the LoriotPro console.

A new button is present in the window, the User Right Manager.

This one gives you access to the following User Right Manager window

User Right Manager window 

The user right manager allows you to define users, user access levels, and user global rights, to define directory object levels and to view the result of your settings.

The user right manager window is composed of three panes.

  1. The left pane contains a view of the current directory but with a new information attached to each object, the level.
  1. The upper right pane displays the directory tree that could be see by the current selected user in the lower right pane.
  1. The lower right pane displays the users and their respective global access rights.


Set directory object access level

The access policy is base on the setting of the level on each object.By default all objects are accessible for any user. The default value is 0.If you want to change the level just click on the object, the following dialog box appears

From there you can define the new level for the selected object and its child objects if you want.Here is an example of setting for the Ulysse Host object.

By default the Recursive mode On is set. The child objects are not modified by your setting.

If you choose the Recursive mode On and overwrite old level the level of the child objects will be modified and set to the same level as the father object level.

If you choose the last option the child object level will be change only if their current level is lower than the level of the father object level.

Defining users

To define a new user click on the Add User Button and enter the user name.

Assigning User Password

To set the user password click on the user name cell in the lower left pane

Assign User Level

The user level is assigned by clicking on the level cell of the corresponding user.

Set the Root Directory of a user

The root directory of a user defines the upper object of the directory that a user can access. When defined, the user is unable to access object at higher level or at a similar level than its virtual root level.

To configure the root directory for a user just drag and drop the object icon from the directory view in the left pane to the user root directory cell.

Assign Global user rights

The global rights allow the user to access or not the main service offers on the remote console.

The main services are:

See Map: Allow the access to the view of the dynamic inter-network Map

Run Script: Allow the user to run the scripts attached to the hosts

See Event: Allow the user to open the event files

See Traps: Allow the user to open the trap files

See Logs: Allow the user to open the Syslog files

Access Database: Allow the user to access SQL database

Browse Directory: Allow user to browse the directory tree

PHP: Allow the user to run php script on WEB page

If one of this global right is set to “yes” the user is able to access objects based on its level.

To assign to a user its global rights you should click in the corresponding cell.

Checking your configuration

To check your configuration you can access your LoriotPro from a remote WEB navigator.

If you want to access your console from your local WEB navigator you can lunch it from the  WEB console by double clicking on the Http Server service plug-in located in the Workspace.


This open the WEB console

Press Go Home will open your navigator.

We highly recommend to use the IE5 version from Microsoft or higher versions.

Set access level on Report Files

The report manager plug-in allows you to set access level on report.

Reports within LoriotPro are WEB pages automatically or manually generated. There are accessible from a remote WEB navigator when you click on a host.

The scripts are globally accessible if the user has the Global right of running script. This global right is set in the user manager has describe in the previous chapter.

To start the Report File Manager either start the WEB console and click on the Report Manager button or open the Call Direct Plug-in menu.

From there select the Report File Manager

The report manager window is displayed.

For each report you can assign a level

Like usual if the user has a level superior or equal to this level it will be possible form him to lauch it from the WEB navigator.

Example of configuration

The example below uses a configuration where multiple networks for different customers are managed with one LoriotPro.

Each customer is assigned a dedicated container and all their proprietary devices are set in that container.

For each Customer we defined in first User Name. Cust1-User1 and Cust1-User2 are administrators from the customer 1, Cust2-User1 is the administrator of user 2 and so on.

To avoid that these user have access to directory tree segment of each other we defined the Directory Root for each of them. The Directory Root could be here the Customer container or any of its child object. In our example the Cust1-User2 has a root object set on a Network (net_128.1.0.0).

We see in the upper screen in the upper right pane the portion of the tree that the current selected user (Cust1-User1) will be able to see if it connects from its WEB navigator to the LoriotPro console.

You can see there that the authorized directory upper level is the Customer1 container and nothing more.

Within this container he could access all object because its level is higher or at least equal to the object access level.

We could have a fine tuning of access by setting the level of child object. In our example we decide to give the view of report to the admin user and not to the Customer1 users.

The Report Plugin object is assigned a level of 500 which is higher than the level of Cust1-User1 et Cust1-User2.

The right upper pane shows that now the Cust1-User1 will not see the Report Plugin from a remote access.