FireMon Asset Manager
Page tree

Versions Compared

Old Version 13

changes.mady.by.user user-05670

Saved on

compared with

New Version Current

changes.mady.by.user Dong Pak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Data on Lumeta Asset Manager is segregated by an enterprise-grade user management facility that controls who can see Lumeta Asset Manager system options, components, and zones. Access to individual zones is controlled by an administrator who assigns users to organizations and zones. User-defined system configurations can be reused in all zones to which the user has access.

Anchor
co
co
Organizations

In the context of Lumeta Asset Manager and for the purpose of linking users to zones, an Organization is a set of Zones with a common set of permissions.  There There can be many organizations and these are associated with one another in a single layer without hierarchy. Organizations do not nest within other organizations.  

...

This structure of access control enables you to restrict zone access to particular users. Now,  New York Lumeta Asset Manager users can have access to the New York Zone and not the London Zone, for example.  London users can be granted access to London Lumeta Asset Manager Zone and blocked from New York Lumeta Asset Manager Zone. 

About Organizations

...

A zone may also describe a set of network devices that are to be monitored using defined indexing methods.  In the screencap on the left, several zones have been set up to target the same IPs/CIDRs.  The indexing methods each zone uses to explore the area, however, vary.  The zones have been named to indicate the indexing methods that have been configured to perform.  Host+Port+DP, for example, contains collectors configured to identify host, port, and device profiling information. This method is especially useful when you want to find out or better understand what Lumeta Asset Manager can discover using one indexing technique versus another.

Typically, one organization contains several zones.

  • The zone that comes with Lumeta Asset Manager by default is called Zone1. This default zone can be renamed but not deleted.
  • You can add, edit, or delete zones.  Select the zone you want to manage before clicking Edit Zone or Delete Zone.
  • You may add as many zones as you need.

...

A user is a login and password combination that identifies individuals entitled to use Lumetause Asset Manager

Valid usernames: 

  • Use this set of characters: A-Za-z0-9_.-
  • Are one or more characters (but not a single dot, digit or hyphen)
  • Do not start with a hyphen
  • If the id starts with a dot, then there has to be at least one non-dot character afterwards
  • If the id starts with a number, then there must be one non-numeric character afterwards

...

The superuser permission is required to grant superuser status to another user.  It is also required to add the first user to an organization. At least one user must have this superuser flag set.  Any attempt to delete the last superuser is ignored by the system and a message is returned to the user. The password for this user is "admin". See  Managing Lumeta Asset Manager via the CLI for the "Adding a superuser" command. The superuser can oversee the complete Lumeta Asset Manager system. This role is equivalent to the root user of linux or the Administrator of Windows.

Lumeta Asset Manager comes with two default users: admin and manager - The admin has the SysAdmin role and superuser privileges. 

...

  • The "superuser" is a flag associated with a user, and not with a Role or Organization. It provides complete access to the Lumeta Asset Manager system. The superuser can access everything. The superuser flag is set via the CLI only.  Multiple superusers can be created.  Superusers can be deleted as long as there is more than one of them. The last superuser cannot be deleted.
  • You can add, edit, and delete usernames.
  • You can add, edit, and delete user accounts.

...

Excerpt

Roles define the system features and commands users can access. Each user is assigned a set of permissions, or role.

Lumeta Asset Manager comes with three pre-defined roles that you can assign to a user. You can assign all three rolls to a user, two of the roles to a user, or none of the rolls to a user.

SysAdmin - Manages the system. Is concerned with details at device level (i.e., software and hardware). Can manage the Lumeta Asset Manager System (Installation of License, Upgrading the System, Configuring CEF, Resetting the IP, Restarting services or system). The SysAdmin cannot log in to the Lumeta Asset Manager GUI unless he or she has also been given the Viewer role, the Manager role, or has been flagged as a superuser.

Manager - Concerned with LumetaAsset Manager-specific details. Manages the Organization to which he/she belongs. Creates zones and collectors, assigning roles to users, subscribes to notifications, configures dashboards.
Manager can access GUI for the following functionality:

  • Can modify users – can edit the roles and password of a user.

  • Can add/modify/delete zones

  • Can add/modify collectors (and all its sub functionality)

  • Can configure notifications

  • Can not configure CEF notifications

  • Can view reports, maps and zones

Manager can access the following commands in CLI:

Viewer - Read only. User cannot manipulate zones or Lumeta Asset Manager system software or hardware. Views the organization to which he/she belongs. Can view zones, collectors, maps, and dashboards.

...

Every GUI and CLI command calls an API. Every API call has either a single permission associated with it, or no permissions at all. If no permission, or the permission NONE, anyone can use that API.

Permission

Notes

NO_ACCESSAPI is disabled
NONENo permission required (default) – Anyone can use the API
VIEW_ZONEViewing reports and dashboards
MANAGE_USERSAdding and deleting users, assigning roles
MANAGE_ZONESAdding/deleting/configuring zones and collectors
MANAGE_SYSTEMAll system-wide functions, like importing configs, starting/stopping services, etc.
MANAGE_SCOUTInterpreted as "manage remote" for adding and deleting remote systems
BYPASS_ACCESSOnly superuser may use this API

...


Every role has a group of permissions. If a user has a role, then that role's permissions define which APIs the user can call, and in turn which GUI and CLI commands. Superuser is not a role; it's a flag. When a user has the superuser flag enabled, the system bypasses (ignores) the roles and allows the user to run any API, and therefore any command.Some APIs require BYPASS_ACCESS permission, which means that only a superuser can use those APIs.

Role

Permissions

ManagerMANAGE_USERS, MANAGE_ZONES, VIEW_ZONE
SysAdminMANAGE_SCOUTS, MANAGE_SYSTEM
ViewerVIEW_ZONE
PortalUserMANAGE_SCOUTS, VIEW_ZONE

FAQs

Excerpt

If a user needs access to all zones, view only, what access would they need?
 This user would need the "Viewer" role for each organization.

A user has admin right access, why can't that user see all zones?
Assuming the user has the "SysAdmin" role, this role is focused on managing the Lumeta Asset Manager appliance. It does not provide view access.

Is there any conflict or issue with multiple users logging into the same CC at the same time, under the default admin account?
This is not recommended as a standard operation as there is no individual accountability in such a process. As to conflict, the only area where there would be an issue is around the map. The map automatically saves changes for the user. This means that if User Bob goes to the map, moves stuff around, and makes certain display choices; these get saved. Bob then goes off duty, and Mary logs in. Mary goes to the map and makes changes. Mary goes off duty, Bob logs in, goes to the map and the map is different than what he expects from his last save because Mary's (more recent) choices have overwritten Bob's. 

...