In this article
1. Feature Description
2. Users
3. Groups
4. Custom Policies
5. Authorizations
6. Active Directory
7. Login Banner
Users & Groups is for Administrators to define users, login banners, local groups, group membership, authorizations and LDAP/Active Directory connections / group mappings.
Minimum Release: 1.0
Application: N/A
License: Enterprise
Privilege level: Enterprise Admin
To view user settings, navigate to Admin > Users and Groups.
ℹ️ Users must belong to the Enterprise Administrator group to access this page
Users
Local users and group memberships are managed under this section along with password changes, account status, last login timestamp and user tools.
ℹ️ User accounts are disabled after 45 days of inactivity
ℹ️ User accounts are locked for 15 minutes after 5 failed consecutive login attempts
ℹ️ Users are logged out automatically after 15 minutes of inactivity
User Lookup – search for a user and view their effective permissions. Effective permissions is a calculation performed based upon a user who may belong to multiple groups.
ℹ️ A user’s effective permission is the highest permission granted per group. For example, if the user belongs to an Audit role with read-only for IP Sets while also belonging to Security Engineer with view/edit/delete access, the effective permission is view/edit/delete.
The sample below shows the per-user rights as calculated by ReSTNSX.
Audit – perform a real-time permissions audit to view a summary of the effective permissions per user and per function (Network Virtualization, Security, Compute, Tools, Reporting and Workflows) of the application. This data can be exported to CSV format.
Groups
The user group section displays the system and custom defined groups. To review the permissions for a given group, click the search or edit icon. Below is an example group – Network Engineer – showing a user of this groups view, create, edit, delete, NSX Mover (Copy b/w Managers), allow launch (workflows) and Authorization required (see workflow authorizations).
ℹ️ System defined groups cannot be edited, only cloned to a new group
Custom Policies To top
Beginning in ReSTNSX version 3.3, Administrators can now define policies based upon specific objects; specific data sources (NSX Managers) and name patterns.
Previously, group permissions were limited to all objects of that same type. For example, Group1 can edit IP Sets. This applied to all IP Sets across all data sources.
Custom permissions allows administrators to lock down a group to a specific data source or object. In the following example, the administrator defined two sample policies.
Edit rights to any IP Set that begins with the characters “Customer1” on any NSX Manager
Edit rights to a specific IP Set with a specific name (object ID) of “1111” on NSX Manager 172.16.100.232
Authorizations To top
Work Authorizations provide a three tier request – approval – implementation process. For further information on this topic, see the Work Authorization Feature Guide.
Active Directory To top
ReSTNSX supports local and AD/LDAP-based users and groups. Multiple servers (via ldap or ldaps) are supported. Below is an example of a mapping between AD group Administrator to local ReSTNSX group Authgroup2.
In the setup or edit screen, users can test a user permission against the configured LDAP host. The results will show a success or fail of being able to read the user from the directory with a list of the first 1,000 groups discovered and the group membership of the user. User Groups can be copied and used in the Group-Role Mappings tab.
ℹ️ For each LDAP/AD user who authenticates, their username is added to the ReSTNSX user list as read only. This is required for auditing and functions where permissions are referenced by username instead of group. ReSTNSX does not store the user’s password.
Once configured and validated with a successful test authentication, directory-based logins are now possible and the domain drop-down will be displayed on the login page.
ℹ️ When an LDAP/AD user logs in, select the domain from the drop-down. Usernames should not have the @domain included in the username field.
Login Banner To top
A ReSTNSX login banner requires a user to confirm, by selecting the confirmation checkbox, that they have read the terms defined by the Administrator. These terms are applied to every user’s login.
Comments