Overview
Groups are used to grant privileges to users. When a user is made a member of a group, they inherit its per-group privileges in addition to any per-user privileges they may already have.
Privileges include lists of accessible serial/USB console ports, which can be defined per-user or per-group. Privileges controlling access to the Opengear device itself via web UI and CLI, and other services, are associated with specific groups; this is detailed in the table below.
Note: Groups are particularly useful for setting the privileges of users that don't have a native local account, i.e. users managed by a remote AAA server. The AAA server responds to a successful authentication with a list of groups, and the user is automatically created and added to these groups.
Products and Firmware
List of products and firmware versions
Family | Product | Article written using version | Supported on firmware |
OM/CM810 | all | 23.03 | 22.10 and above |
Built-in groups
The following table details the privileges of the groups built-in to the Opengear firmware:
Group Name | Privileges & Behavior | Services |
admin | Full administration privileges via CLI and web UI. Full configuration management and firmware upgrades. Full access to all managed consoles and other devices. Note that admin users can become root with the sudo -s command. admin group users must be absolutely trusted. | Full CLI; full web UI; full portmanager |
netgrp | After successful authentications using remote AAA, users that do not have local accounts are created and added to this group. You may edit this group and grant it "Full administration & access" and "Web UI, PM Shell, Port Configuration" Access Rights. This is intended as a convenient way to grant remote AAA users privileges, with no modification to the AAA server configuration. | - |
Access rights: (Only visible for Groups with Admin Access Disabled)
Access rights are specific privileges you can assign to users or groups who are not admins.
Access Rights | Behavior |
Web UI | Permits access for an authenticated user to basic status information via the web interface and REST API. |
PM Shell (Restricted CLI) | Permits access to devices connected to serial ports. |
Port Configuration | Permits configuration of serial ports. |
Custom groups
You may add custom groups via the web UI under Configure -> User Management -> Groups. Custom groups may be assigned Roles and Accessible Port(s).
On this page you can assign specific Access rights, choose which ports are accessible, and select which users belong to the group.
Examples:
Admin Access: When Admin access is Enabled, users no longer see any Access rights or Device access options as the admins have access to both.
Specific Access Rights: You can narrow down the type of access a user or a group can have when accessing an Opengear appliance.
Accessible Port(s): Allow access to these serial/USB console ports via portmanager, using any of the configured Console Server Mode connection methods.
In Conclusion:
You can take advantage of the built-in groups or create your own custom groups to ensure that each user who logs in has access only to what they should (i.e. specific ports) and only in the way they should (i.e. CLI/Web UI/PM Shell Menu).
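The inheritance rules described in the Overview and the netgrp row can be modelled to review a group design before applying it. The following is an added example, not Opengear code or an export format: the `Group` fields, the right labels, the `lab-ops` group and the sample data are all constructed for illustration, and it assumes that a group name with no matching local group grants nothing.

```python
from dataclasses import dataclass, field

ACCESS_RIGHTS = {"web_ui", "pm_shell", "port_config"}  # labels for the three Access Rights

@dataclass
class Group:
    admin: bool = False                        # "Admin Access" enabled
    rights: set = field(default_factory=set)   # subset of ACCESS_RIGHTS
    ports: set = field(default_factory=set)    # accessible serial/USB ports

def memberships(aaa_groups, has_local_account):
    """Groups a user ends up in; users without a local account also join netgrp."""
    names = list(aaa_groups)
    if not has_local_account and "netgrp" not in names:
        names.append("netgrp")
    return names

def effective(user_ports, group_names, groups, all_ports):
    """Union of per-user ports and per-group privileges; admin grants everything."""
    rights, ports, is_admin = set(), set(user_ports), False
    for name in group_names:
        g = groups.get(name)
        if g is None:  # assumption: no matching local group means no privileges
            continue
        is_admin |= g.admin
        rights |= g.rights
        ports |= g.ports
    if is_admin:
        return True, set(ACCESS_RIGHTS), set(all_ports)
    return False, rights, ports

def audit_netgrp(groups):
    """Flag netgrp settings inherited by every remote AAA user with no local account."""
    g, findings = groups.get("netgrp", Group()), []
    if g.admin:
        findings.append("netgrp has Admin Access: every remote-only AAA user can sudo to root")
    elif g.rights or g.ports:
        findings.append(f"netgrp grants {sorted(g.rights)} on ports {sorted(g.ports)} to every remote-only AAA user")
    return findings

# Constructed sample configuration (not exported from a real device).
ALL_PORTS = set(range(1, 9))
GROUPS = {"admin": Group(admin=True), "netgrp": Group(),
          "lab-ops": Group(rights={"web_ui", "pm_shell"}, ports={1, 2})}

if __name__ == "__main__":
    remote = memberships(["lab-ops"], has_local_account=False)
    print(effective(set(), remote, GROUPS, ALL_PORTS), audit_netgrp(GROUPS))
    GROUPS["netgrp"].admin = True  # the edit under review
    print(effective(set(), remote, GROUPS, ALL_PORTS), audit_netgrp(GROUPS))
```

With netgrp left at its defaults the remote user receives only what `lab-ops` grants; enabling Admin Access on netgrp gives the same user every right and every port, which is why that edit deserves the same scrutiny as adding someone to admin.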