Groups are used to grant privileges to users. When a user is made a member of a group, they inherit its per-group privileges in addition to any per-user privileges they may already have.
Privileges include lists of accessible serial/USB console ports and controllable RPC (PDU) outlets, these can be defined per-user or per-group. Privileges controlling access to the Opengear device itself via web UI and CLI, and other services, are associated with specific groups, this are detailed in the table below.
Note: Groups are particularly useful for setting the privileges of users that don't have a native local account, i.e. users managed by remote AAA server. Using the Authentication -> Use Remote Groups feature, the AAA server responds to a successful authentication with a list of groups, and the user is automatically created and added to these groups.
The following table details privileges of the groups built-in to the Opengear firmware:
|Group Name||Privileges & Behavior||Services|
Full administration privileges via CLI and web UI. Full configuration management and firmware upgrades. Full access to all managed consoles and other devices. Note that admin users can become root with the sudo -s command.
admin group users must be absolutely trusted.
|Full CLI; full web UI; full portmanager|
Limited CLI and web UI (Manage menu only). Read-only configuration management via CLI only. No access to managed consoles and other devices unless explicitly granted via Accessible Port(s), Accessible Outlet(s), etc.
users group users must be significantly trusted.
Hint: Combine users and pmshell group membership to revoke CLI access while maintaining web UI access.
|Limited CLI; limited web UI|
Set default CLI shell to pmshell for managed console access for convenience only. This does not control a user's access to otherwise accessible managed consoles (which may be accessed using e.g. the username:serial or TCP port 2000 + port number conventions).
Hint: To disable a users group user's access to the CLI, e.g. to prevent the user from viewing configuration, add them to pmshell and ensure Services -> Enable Web Terminal is unchecked (this is the default).
Upload, download and delete files using the FTP service. The FTP service is restricted to a chroot jail directory, e.g. /var/mnt/storage.*/tftpboot. Note that the FTP service is disabled by default.
Allow user to start a PPP connection upon PSTN modem dial-in (any user with CLI access can dial and login to a terminal-only session). Note that that PSTN dial-in is unconfigured by default.
Note: dialin group membership requires the user's password to by stored unencrypted, therefore we recommended using a separate, dedicated account to establish the PPP connection. Once the IP connection is up, you can login to the web UI, CLI, etc. using your regular account and protocols.
Allow user to connect using a PPTP VPN client. Note that that the PPTP server is unconfigured by default.
Note: pptpd group membership requires the user's password to by stored unencrypted, therefore we recommended using a separate, dedicated account to establish the PPTP connection. Once the IP connection is up, you can login to the web UI, CLI, etc. using your regular account and protocols.
After successful authentications using remote AAA, users that do not have local accounts are created and added to this group.
You may edit this group and grant it "Full administration & access" and "Basic management privileges via shell and WebUI" Roles which are equivalent to admin and users group-level privileges respectively.
This is intended as a convenient way to grant remote AAA users privileges, with no modification to the AAA server configuration.
You may add custom groups via the web UI under Serial & Network -> Users & Groups -> Add Group. Custom groups may be assigned Roles and Accessible Port(s), Outlet(s) and Host(s).
Roles: The "Full administration & access" and "Basic management privileges via shell and WebUI" roles are equivalent to admin and users group-level privileges respectively. A custom group assigned these roles behaves as per its built-in group counterparts, as described in the table above. Note that as with all privileges, roles are additive (i.e. adding both roles grants the greater of the two sets of privileges).
Accessible Port(s): Allow access to these serial/USB console ports via portmanager, using any of the configured Console Server Mode connection methods.
Accessible Outlet(s): Allow power control of these RPC (PDU) outlets. Users with web UI access may control outlets under Manage -> Power, users with CLI access may use the pmpower command. Users with neither web UI or CLI access (i.e. access to specific ports via portmanager only) may control power from inside a portmanager session, if this feature has been configured.
Accessible Host(s): Allow SSH local port forwards to be established to Permitted Services on a Serial & Network -> Network Host. For example, operator1 would access the HTTP web interface of a network host at 10.11.12.13 via SSH port forward first by starting the SSH port forward with this OpenSSH command:
ssh -L 60080:10.11.12.13:80 firstname.lastname@example.org
After authenticating, operator1 would then browse to http://127.0.0.1:60080/ and be redirected via the Opengear device to the network host's web interface.
Note: The Network Hosts feature is only effective when using the Opengear device as an SSH "GatewayPorts" bastion, and does not control or restrict routed or firewalled access to the network host.