About Organizations, Zones & Users

Data on Asset Manager is segregated by an enterprise-grade user management facility that controls who can see Asset Manager system options, components, and zones. Access to individual zones is controlled by an administrator who assigns users to organizations and zones. User-defined system configurations can be reused in all zones to which the user has access.

Organizations

In the context of Asset Manager and for the purpose of linking users to zones, an Organization is a set of Zones with a common set of permissions.  There can be many organizations and these are associated with one another in a single layer without hierarchy. Organizations do not nest within other organizations.  

Each organization has three fully defined roles belonging to it:  SysAdmin, Manager, and Viewer. The organization segregates users and controls what information they can see and manipulate. You can add, edit, and delete most organizations. The default organization, called Organization 1, can be renamed but not deleted.

This structure of access control enables you to restrict zone access to particular users. Now,  New York Asset Manager users can have access to the New York Zone and not the London Zone, for example.  London users can be granted access to London Asset Manager Zone and blocked from New York Asset Manager Zone. 

About Organizations

  • Each zone is assigned to a single organization
  • Each role is specific to an organization
  • Each user can have multiple roles and the roles can be associated with different organizations

Example: User Sally

  • Has two roles: Manager/Organization1 and Viewer/Organization2
  • Can view and modify all of Organization1's zones
  • Can create new zones in Organization1
  • Can view but not create zones in Organization2

Example: User Bob

  • Has one role: Viewer/Organization1
  • Can view zones in Organization1
  • Cannot view zones in Organization2
  • Cannot modify or create new zones in either organization

Zones

AvailableZones are sets of network devices you want to monitor as a unit. For example, a  zone might describe a subnet, an enclave, boxes containing classified financial data, machines belonging to a particular business unit, devices affiliated by region or purpose, machines over which a security or operations professional is responsible.

A zone may also describe a set of network devices that are to be monitored using defined indexing methods.  In the screencap on the left, several zones have been set up to target the same IPs/CIDRs.  The indexing methods each zone uses to explore the area, however, vary.  The zones have been named to indicate the indexing methods that have been configured to perform.  Host+Port+DP, for example, contains collectors configured to identify host, port, and device profiling information. This method is especially useful when you want to find out or better understand what Asset Manager can discover using one indexing technique versus another.

Typically, one organization contains several zones.

  • The zone that comes with Asset Manager Asset Manager by default is called Zone1. This default zone can be renamed but not deleted.
  • You can add, edit, or delete zones.  Select the zone you want to manage before clicking Edit Zone or Delete Zone.
  • You may add as many zones as you need.

When you add a zone, consider giving it a name that's associated with its user base such as Corporate Zone, Guest Zone, or Wi-Fi Zone. Or give it a name with geographical or business significance such as Manufacturing, Finance, West Coast Office, or New York Office.

See Adding & Managing Zones for step-by-step procedures on how to add, edit, view, monitor, and map zones.

Users

A user is a login and password combination that identifies individuals entitled to use Asset Manager. Asset Manager > Username can be a combination of alphanumeric characters but cannot start with number. Valid user names are admin1, manager0056. Invalid user names are: 1admin, 1005m

A superuser is not a role but a flag that allows a user to manage all aspects of the system regardless of zone affiliation. The entire system is accessible to a user with superuser privileges. CRUD operations can only be performed by a superuser.  Also, the superuser can see the Support menu option.

The superuser permission is required to grant superuser status to another user.  It is also required to add the first user to an organization. At least one user must have this superuser flag set.  Any attempt to delete the last superuser is ignored by the system and a message is returned to the user. The password for this user is "admin". See Managing Asset Manager via the CLI for the "Adding a superuser" command. The superuser can oversee the complete Asset Manager system. This role is equivalent to the root user of linux or the Administrator of Windows.


Asset Manager Asset Manager comes with two default users: admin and manager - The admin has the SysAdmin role and superuser privileges. 

User Role Description
admin

SysAdmin

Viewer

Has SysAdmin role and superuser privileges
manager

Manager

Viewer

Has Manager role of the default Organization 1.

 About configuring users . . .

  • The "superuser" is a flag associated with a user, and not with a Role or Organization. It provides complete access to the Asset Manager system. The superuser can access everything. The superuser flag is set via the CLI only.  Multiple superusers can be created.  Superusers can be deleted as long as there is more than one of them. The last superuser cannot be deleted.
  • You can add, edit, and delete user names.
  • You can add, edit, and delete user accounts.

Browse to Settings > Users to set up user accounts and system access.

Roles

Roles define the system features and commands users can access. Each user is assigned a set of permissions, or role.

Asset Manager Asset Manager comes with three pre-defined roles that you can associate all, some, or none of of to a user.

SysAdmin - Manages the system. Is concerned with details at device level (i.e., software and hardware). Can manage the Asset Manager System (Installation of License, Upgrading the System, Configuring CEF, Resetting the IP, Restarting services or system). The SysAdmin cannot log in to the Asset Manager GUI unless he or she has also been given the Viewer role, the Manager role, or has been flagged as a superuser.

The SysAdmin can access the following commands in the CLI:

  • certificate - all sub-commands
  • Asset Manager – all sub-commands
  • log – all sub-commands (can configure CEF destination)
  • organizationlist
  • role list
  • system – all sub-commands  (can configure OSPF interface and enable OSPF)
  • user list
  • user password (only his or her own)

Manager - Concerned with Asset Manager-specific details. Manages the Organization to which they belong. Creates zones and collectors, assigning roles to users, subscribes to notifications, configures dashboards.

Manager can access GUI for the following functionality:

  • Can modify users – can ONLY edit the roles of a user.
  • Can add/modify/delete zones

  • Can add/modify collectors (and all its sub functionality)

  • Can configure notifications

  • Can not configure CEF notifications

  • Can view reports, maps and zones

Manager can access the following commands in CLI:

  • certificate – cannot see
  • collector – all sub-commands
  • Asset Manager – can only view help,history,logout,top commands this is because in GUI, Manager role can not configure connect/disconnect systems
  • log – cannot run any log commands. Even if you run, it generates an error.
  • organization list
  • role - all sub-commands (list, users) 
  • system {hardware_id, type, version, interface list}
  • user – ALL except superuser subcommand.
  • zone - all sub-commands 

Viewer - Read only. User cannot manipulate zones or Asset Manager system software or hardware. Views the organization to which he/she belongs. Can view zones, collectors, maps, and dashboards.

  • Viewer cannot run postinstall_wizard
  • Viewer can access limited GUI and can only access Notifications under Admin drop-down menu
  • Can click on Dashboard, Maps, Zones, Notifications menu item
  • Viewer can access the following commands in CLI:
    • collector list
    • Asset Manager - cannot run this command
    • og – cannot run this command
    • organization active
    • organization list
    • role list
    • system {hardware_id, interface, type, version}
    • user list
    • user password (only his own)
    • zone list

Permissions

  • GREEN: If the role can perform the task
  • RED: If the role is not allowed to perform the task
  • A user with ONLY the SysAdmin Role will not be allowed to log in to GUI.
  • A user with the superuser flag is allowed EVERYTHING

The following chart can help answer role-related questions such as  . . .

  1. Which role can subscribe to notifications? (superuser, Manager and Viewer)
  2. Which role can add Reports/Dashboards? (superuser, Manager and Viewer)
  3. When a user adds Reports/Dashboards, it is visible for other users who log in? (yes)
  4. OSPF, CEF configuration, which role can perform this? (superuser)
Permissions
Features superuser flag SysAdmin Role Manager Role Viewer Role
Settings
Zones
    • Add
x x
    • Modify
x x
    • Delete
x x
    • View
x x x
Users
    • Add
x
    • Modify
x x
    • Delete
x
    • View
x x x
Organizations
    • Add
x
    • Modify
x
    • Delete
x
    • View
x x x
  • Asset Manager Systems
  • OSPF Config
x


CEF Config x


    • CEF Notifications
x
    • License Installation
x
    • Upgrade
x
    • Add/Modify/Delete Scouts
x
    • View
x x x
Device Profile Patterns x
Notifications x x x
Email Server Configuration x
Connections x
Tables x
Cluster Nodes x
Reports
    • Browse Real-time
x x x
    • Browse Historical
x x x
    • Schedule
x x x
Search
    • Basic
x x x
    • Advanced
x x x
Dashboard Manager
    • Add Dashboards
x x x
    • Delete
x x x
    • View
x x x
Maps x x x

FAQs

If a user needs access to all zones, view only, what access would they need?
 This user would need the "Viewer" role for each organization.

A user has admin right access, why can't that user see all zones?
Assuming the user has the "SysAdmin" role, this role is focused on managing the Asset Manager appliance. It does not provide view access.

Is there any conflict or issue with multiple users logging into the same CC at the same time, under the default admin account?
This is not recommended as a standard operation as there is no individual accountability in such a process. As to conflict, the only area where there would be an issue is around the map. The map automatically saves changes for the user. This means that if User Bob goes to the map, moves stuff around, and makes certain display choices; these get saved. Bob then goes off duty, and Mary logs in. Mary goes to the map and makes changes. Mary goes off duty, Bob logs in, goes to the map and the map is different than what he expects from his last save because Mary's (more recent) choices have overwritten Bob's.