Administering NetIM : Working with user accounts and authentication
  
Working with user accounts and authentication
Authentication is the verification that a given password matches a given username. Authorization is the granting of an access level based on a username.
NetIM supports local accounts, as well as the following authentication/authorization services:
Security Assertion Markup Language (SAML)
Terminal Access Controller Access-Control System Plus (TACACS+)
User roles
NetIM supports the following user roles:
Administrator—The Administrator role is the NetIM super-user and as such has full and complete access to NetIM data and configuration.
Privileged—The Privileged role has some ability to perform configuration (like create/edit/turn on/off alerts and create maintenance windows) but not full administrator rights. A user with privileged access has some, but limited, wizard access.
User—The User role lacks the ability to modify collection, monitoring, and alerting behavior but does have access to grouping operations, custom attribute operations, custom view operations, and monitored path creation (without scheduling). The User role has no wizard access.
Restricted—The Restricted role has read-only or view-only access. A user with the restricted role does not have the ability to modify any configuration option or setting that controls system operations. The restricted user is also prevented from viewing sensitive information.
Adding, modifying, deleting, and logging out users
To add, modify, or delete a user account or log off a user
1. Log in to the NetIM UI as admin.
2. Choose Configure > All Settings > Administer > User Management. The User Management page appears.
To add a user
1. Click the Add icon beneath the Local User frame. The Create Local User pop-up appears.
Determine if the user should be active (default) or inactive.
Enter a username, assign a role and password, and then click Save.
2. To add a SAML or TACACS+ user, click the Add icon beneath that frame. The Create SAML/SCAS/TACACS+ User pop-up appears.
Determine if the user should be active (default) or inactive.
Enter the user’s Username (exactly as they would enter it to log in to the SAML identity provider) and Role.
Role assignment is not necessarily required for SAML users if SAML attribute-to-NetIM-role mapping is set up. NetIM uses the roles provided by SAML if you do not assign the user a role using NetIM’s User Management page. For more information on configuring SAML, see Configuring SAML authentication.
Select a valid SAML or TACACS+ username, assign a role, and then click Save.
To delete a user account
Click the X icon in the Actions column at the end of that user’s entry.
To modify a user account
Click the pencil icon in the Actions column at the end of that user’s entry. An Edit User pop-up appears.
To log out a user
To log out a user, click the logout icon under the Action column at the end of that user’s entry in the Active User Sessions frame.
You can also log out all users simultaneously by clicking the Logout All icon above the Username column of the Active User Sessions frame.
About password compliance
Password compliance rules (complexity, expiration, set, and reset) are restrictions on local user passwords that meet the requirements for NIST compliance.
Any password for a local user account must meet the following requirements:
Be at least eight characters long.
Be different from the current password and all of the previous 10 passwords.
Fulfill at least three of the following criteria:
Contain an uppercase letter.
Contain a lowercase letter.
Contain both a number and a special character.
Have no more than three repeated characters.
Contain no more than two consecutive characters from the user’s username.
Users may not change their own password until at least 48 hours after their last password change.
All passwords expire 90 days after they are changed. Users are warned that their password is near expiration by an orange warning icon at the top of the page.
Password expiration warning icon
Clicking this icon redirects the user to a page to change the password. If a user does not change the password before it expires, the user is required to do so during the first login after it has expired.
Passwords may only be set by the actual user. When an admin adds a new user, or resets an existing user’s password, a random password is generated that should be given to the user.
This password is valid for 48 hours and must be changed the first time the user logs in. (A user can always change a temporary password, even if it would violate the 48-hour restriction mentioned above.)
A user’s account is locked if there are five or more failed login attempts within the last minute. The account unlocks automatically once the number of failed login attempts in that window falls below this threshold.
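The rules above as an added example, not NetIM’s own implementation: a checker that reports which rules a proposed password breaks, together with the 90-day expiry and one-minute lockout checks. Assumptions: the five complexity criteria form one group of which at least three must hold, “repeated characters” means a run of identical characters, and username matching is case-insensitive.

```python
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 10               # must differ from the current + previous 10
MIN_AGE = timedelta(hours=48)    # users may not change their own password sooner
MAX_AGE = timedelta(days=90)     # passwords expire after this
LOCKOUT_THRESHOLD, LOCKOUT_WINDOW = 5, timedelta(minutes=1)

def complexity_criteria(password: str, username: str) -> dict:
    """The five listed criteria, of which at least three must hold.
    Assumptions: the flattened list is one group of five; "repeated" means
    a run of identical characters; username matching is case-insensitive."""
    user, pw = username.lower(), password.lower()
    username_run = any(user[i:i + 3] in pw for i in range(len(user) - 2))
    return {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit_and_special": (any(c.isdigit() for c in password)
                              and any(not c.isalnum() for c in password)),
        "no_long_repeats": re.search(r"(.)\1{3}", password) is None,
        "no_username_runs": not username_run,
    }

def validate_new_password(password, username, history, last_changed, now,
                          temporary=False):
    """Return the violated rules; an empty list means compliant.
    history[0] is the current password (a real store keeps hashes and
    compares via its verify routine; plain strings keep this stand-alone).
    temporary=True marks an admin-issued password, replaceable at once."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 8 characters")
    if password in history[:HISTORY_DEPTH + 1]:
        problems.append("reuses the current or one of the previous 10 passwords")
    met = complexity_criteria(password, username)
    if sum(met.values()) < 3:
        failed = ", ".join(name for name, ok in met.items() if not ok)
        problems.append(f"fewer than 3 complexity criteria met (failed: {failed})")
    if not temporary and now - last_changed < MIN_AGE:
        problems.append("last change was less than 48 hours ago")
    return problems

def password_expired(last_changed: datetime, now: datetime) -> bool:
    return now - last_changed >= MAX_AGE

def account_locked(failure_times: list, now: datetime) -> bool:
    """Locked while five or more failures fall inside the trailing minute."""
    recent = [t for t in failure_times if timedelta(0) <= now - t <= LOCKOUT_WINDOW]
    return len(recent) >= LOCKOUT_THRESHOLD
```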
Tracking user logins
User login and logout activity is tracked in the following log file on NetIM core:
<install_dir>/log/vnes_analytics_logins_logouts
The following information is written to the log:
Username
Timestamp
Machine name or IP address
Browser type and version
Login/logout success or failure
Example:
2021/08/23 07:09:45 INFO - [OPNETVnesWebService] Successful log in from 10.49.9.250. -- User: admin. Method: Local. SessionId: eK5Xu0pE/1XpO+nx0WDgyw==.
2021/08/23 07:10:07 INFO - There are currently 1 users logged in to the system.
2021/08/23 07:10:07 INFO - 1 users with role ADMIN.
2021/08/23 11:40:39 INFO - Forced to log out. -- User: admin. Method: Local. SessionId: java.util.HashMap$KeyIterator@4fcf3a2e.
2021/08/23 11:41:29 INFO - [OPNETVnesWebService] Successful log in from 10.49.9.250. -- User: admin. Method: Local. SessionId: tXJj8g0tMXJ3WZ7LvN9P5A==.
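As an added example, not part of the NetIM documentation or product: a parser that turns lines in the format shown above into events and summarises them per user (login and logout counts, source addresses, logins never seen closing). The field layout is inferred from the five sample lines, so message variants not shown here parse only as generic “info” events.

```python
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = [  # the five lines shown on the page
    "2021/08/23 07:09:45 INFO - [OPNETVnesWebService] Successful log in from 10.49.9.250. -- User: admin. Method: Local. SessionId: eK5Xu0pE/1XpO+nx0WDgyw==.",
    "2021/08/23 07:10:07 INFO - There are currently 1 users logged in to the system.",
    "2021/08/23 07:10:07 INFO - 1 users with role ADMIN.",
    "2021/08/23 11:40:39 INFO - Forced to log out. -- User: admin. Method: Local. SessionId: java.util.HashMap$KeyIterator@4fcf3a2e.",
    "2021/08/23 11:41:29 INFO - [OPNETVnesWebService] Successful log in from 10.49.9.250. -- User: admin. Method: Local. SessionId: tXJj8g0tMXJ3WZ7LvN9P5A==.",
]

# Layout inferred from those lines: timestamp, level, optional [component],
# message, optional " -- User: X. Method: Y. SessionId: Z." trailer.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) - "
    r"(?:\[(?P<component>[^\]]+)\] )?(?P<message>.*?)"
    r"(?: -- User: (?P<user>[^.]+)\. Method: (?P<method>[^.]+)\. "
    r"SessionId: (?P<session>.+)\.)?$")
IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line: str):
    """One log line -> event dict, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d, msg = m.groupdict(), m.group("message")
    kind = "login" if msg.startswith("Successful log in") else "logout" if "log out" in msg else "info"
    ip = IP_RE.search(msg)
    return {"time": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"), "kind": kind,
            "forced": msg.startswith("Forced"), "user": d["user"], "method": d["method"],
            "source": ip.group(1) if ip else None, "session": d["session"]}

def summarize(lines):
    """Per-user login/logout tallies and distinct source IPs; open_sessions
    (logins minus logouts) > 0 flags logins that were never seen closing."""
    out = defaultdict(lambda: {"logins": 0, "logouts": 0, "forced_logouts": 0, "sources": set()})
    for ev in filter(None, map(parse_line, lines)):
        if not ev["user"]:          # system-wide counters carry no user field
            continue
        s = out[ev["user"]]
        if ev["kind"] == "login":
            s["logins"] += 1
            s["sources"].add(ev["source"])
        elif ev["kind"] == "logout":
            s["logouts"] += 1
            s["forced_logouts"] += int(ev["forced"])
    for s in out.values():
        s["open_sessions"] = s["logins"] - s["logouts"]
    return dict(out)
```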