
Configuring Security Settings

May 28, 2015

You can configure various parameters to ensure that only authenticated users log on to Command Center. You can also create users and groups and assign specific operations to the groups.


Configuring Authentication Settings

Command Center supports authentication policies for external authentication of users.

When users who are not configured in Command Center log on for the first time, they are assigned to the default Users group. Administrators must assign those users to appropriate groups, depending on the privilege levels that they want to grant those users.

The administrator must configure authentication servers to authenticate the users who are not configured in Command Center.

Command Center supports the following authentication servers:

  • Local
  • Active Directory
  • RADIUS (Remote Authentication Dial-In User Service)
  • TACACS (Terminal Access Controller Access Control System)

Note: If you use an Active Directory server for authentication, groups in the Command Center are configured to match groups configured on authentication servers. When a user logs on and is authenticated, if a group name matches a group on an authentication server, the user inherits the settings for the group in the Command Center.

To configure authentication settings

  1. On the Administration tab, under Security, click Authentication Settings.
  2. Under Authentication Settings, in Authentication Server, select the type of authentication server you want to use: Local, Active Directory, RADIUS, or TACACS+.
  3. Depending on the authentication server you have selected, type or select the details. If you selected Active Directory, you can, in addition, use the Enable Group Extraction option to apply Active Directory authorization settings to groups configured in Command Center. Under Enable Group Extraction, type or select the Active Directory Server settings. User authorization is then based on the groups with which the users are associated in Command Center.
    Note: If you have selected RADIUS, and the Command Center servers are configured in HA mode, you must provide the Secondary Server Client Identifier details.
  4. Click OK.

Configuring Groups

Groups are logical sets of users that need to access common information or perform similar kinds of tasks. You can organize users into groups defined by a set of common operations. By providing specific permissions to groups rather than individual users, you can save time when creating new users.

If you are using an Active Directory server for authentication, groups in the Command Center can be configured to match groups configured on Active Directory servers. When a user who belongs to a group whose name matches a group on an authentication server logs on and is authenticated, the user inherits the settings for the group in the Command Center.

In this section:

  • Adding Groups
  • Assigning Users to Groups
  • Modifying Groups
  • Deleting Groups

Adding Groups

You can add groups and assign permissions to the groups.

To add groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, click Add.
  3. Under Add Group, in Group Name, type the name of the new group or multiple comma-delimited groups that you want to create. If you have enabled group extraction from Active Directory, you can browse and add groups extracted from the Active Directory server after you have configured Active Directory settings under Authentication Settings. Click Browse to select the group name from the retrieved Active Directory group names.
    Note: The Browse button is available only if you have enabled group extraction and provided the Active Directory group attributes.
    Important: When creating groups in the Command Center for group extraction from Active Directory, group names must be the same as those defined in Active Directory. Group names are also case-sensitive and must match those in Active Directory. Special characters are supported in group names.
  4. Select the check boxes against the permissions you want to assign for each feature. Note that selecting Grant administrative privileges assigns permission to perform all operations on only the Administration tab.

Assigning Users to Groups

You can assign Command Center users to a group depending on the permissions that you want to grant them.

To assign users to groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, click the group to which you want to assign users, and then click Assign To.
  3. Under Configure Group, in Available Users, click the user(s) that you want to include in the group, and then click the + icon.

Note: To remove a selected user, click the user you want to remove in Configured Users, and then click the - icon.

Modifying Groups

After you have added a group, you can modify the permissions assigned to that group. You can also add or remove users assigned to a group.

You can also modify a group to provide fine-grained authorization support. You can ensure that the user performs operations only on those devices or data defined by the authorization settings assigned to his or her account or group. For example, if you want to restrict any operations that the user performs to a specific set of devices (for example, NetScaler VPX), then you must set the authorization criteria with the relevant property values as described in the following procedure.

To modify groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, click the group you want to modify.
  3. To add or remove a user, click Assign To, and make the modifications as required.
  4. To change the permissions assigned to a group, click Modify, and then make changes to the permissions you want to assign for each feature.
  5. To configure authorization settings, click Advanced Settings.
  6. Under Advanced Settings, in Property Name, select the property for which you want to add the authorization settings (for example, Device Type), and in Property Value, enter the value of the property (for example, NetScaler VPX), and then click OK.
    Note: You can enter the property value along with the wildcard character %. For example, if you enter the server name as webin% or %storfron%, Command Center looks for server names beginning with 'webin' or server names containing the term 'storfron', and then adds the authorization settings.
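
The wildcard behaviour described in the note above, modelled as an added example (not Command Center code) so that a property value can be previewed against an inventory before it is used to scope a group. The device names, the case-sensitive comparison and the 50% breadth threshold are assumptions made for the illustration.

```python
import re

# Constructed inventory of server names (not from the product documentation).
INVENTORY = [
    "webint01", "webinternal-02", "storfront-a",
    "eu-storfront-b", "dbwebin01", "mail01",
]


def like_to_regex(pattern):
    """Translate a %-wildcard property value into an anchored regex.

    Only % is treated as a wildcard, because it is the only one the note
    mentions. Matching is case-sensitive here (assumption).
    """
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def preview_scope(pattern, names):
    """Return the names that the property value would authorize."""
    rx = like_to_regex(pattern)
    return [n for n in names if rx.match(n)]


def audit_patterns(patterns, names, max_fraction=0.5):
    """Map each pattern to (matched names, too_broad flag).

    A pattern is flagged when it has no literal text at all, or when it
    covers more than max_fraction of the inventory.
    """
    report = {}
    for p in patterns:
        matched = preview_scope(p, names)
        no_literal = p.replace("%", "") == ""
        too_broad = no_literal or len(matched) > max_fraction * len(names)
        report[p] = (matched, too_broad)
    return report


if __name__ == "__main__":
    for pat, (hits, broad) in audit_patterns(
        ["webin%", "%storfron%", "%"], INVENTORY
    ).items():
        flag = "REVIEW" if broad else "ok"
        print(f"{pat:12} {flag:7} {hits}")
```

A leading % turns a prefix match into a substring match, so `%webin%` would also bring `dbwebin01` into scope while `webin%` does not.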

Deleting Groups

You can delete groups that you no longer want to use from the database. Ensure that all the users assigned to the group are removed from the group before deleting the group.

To delete groups

  1. On the Administration tab, under Security, click Groups.
  2. Under Groups, select the groups that you want to remove, and then click Delete.

Configuring Users

A user is an individual entity that logs on to Command Center to perform a set of device management tasks. To allow someone access to Command Center, you must create a user account for that user. After you create a user account, you can associate the user with groups and set permissions according to the group requirements.

From the Command Center interface, you can seamlessly specify local or external as the authentication type for a user. You can specify the authentication type when adding the user to Command Center, or you can edit the user's settings later.

Important: The external authentication type is supported only when you set up one of the authentication servers: RADIUS, Active Directory or TACACS+.

This topic includes the following details:

  • Adding Users
  • Assigning Groups to a User
  • Viewing Permissions Assigned to Users
  • Modifying User Profiles
  • Changing the Root User Password
  • Deleting Users

Adding Users

You can add new users whenever you need to provide a user access to Command Center. By default, a new user has only log on permission. You can provide access to various modules by making the user a member of pre-configured groups that contain those modules.

To add users

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click Add.
  3. In User name, type a user name for the new user, and in Password and Confirm Password, type a password for the user name.
  4. In Groups, click Available, and then select the groups to which you want to add the new user.
    Note: To add the new user account to a new group, type the name of the group, and click Add.
  5. In Password Expires In, type the number of days after which you want the password to expire.
    Note: If the user logs on after the password expires, the user is directed to the Change Password page to reset the password. The user can change the password only if the authentication type of the user is Local.
  6. In Account Expires In, type the number of days after which you want the account to expire.
  7. Set the authentication type for the user. For local authentication, set Local Authentication User to True. For external authentication, select False.
    Note: The external authentication type is supported only when you set up one of the authentication servers: RADIUS, Active Directory or TACACS+.
  8. Click Create. The user is added to Command Center, with the selected authorization type. You can view the details on the Users page.

Assigning Groups to a User

You must associate a user to a minimum of one group.

To assign groups to a user

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user name with which you want to associate a group, and then click Assign To.
  3. In Configure User, click + Add, click the groups that you want to associate with the user, and then click OK.

Viewing Permissions Assigned to Users

You can view the permissions that are assigned to a user.

To view permitted operations assigned to users

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user name for which you want to view the permitted operations, and then view the groups associated with the user by clicking Assign To.
  3. On the Groups page, for the associated groups, view the permitted operations by clicking Modify.

Modifying User Profiles

You can modify the user profiles you have created. You can make changes to various parameters, such as the state of a user, password to log on, password expiration, account expiration, authentication type, assigned groups, and permitted operations.

To modify user profiles

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user profile you want to modify, and then click Modify.
  3. Under Configure User, make changes as required. To modify the authentication type of the user, select the options in Local Authentication User.
    Note: If you modify the authentication type for a user from external to local, the default password is the same as the user name.
  4. Click OK.

Changing the Root User Password

The root user account is the super user account in Command Center. The default password for the root account is public. Citrix recommends that you change the password after you install the Command Center server.

If you specify the password expiry value for the user account, the password expires after the number of days specified. When the password is about to expire, a notification is displayed when you log on to the Command Center server, and you are prompted to navigate to the Change Password screen to modify the password.

In a Command Center appliance, when you modify the root user credentials on the primary device, the password for the root user in Command Center, the SSH root user of CentOS, the SSH root user of XenServer, and the database password in both primary and secondary devices are modified.

To change the root user password

  1. On the Administration tab, under Security, click Users.
  2. Under Users, select the root user name, and then click Modify.
  3. Under Configure User, in New password and Re-type password, type and retype the new password you want to use, and then click OK.

Deleting Users

You can remove user accounts you do not want to use.

To delete users

  1. On the Administration tab, under Security, click Users.
  2. Under Users, click the user name(s) you want to delete, and then click Delete.

Viewing Audit Logs for All Users

Use audit logs to view the operations that a Command Center user has performed. The audit log identifies all operations that a user performs, the date and time of each operation, and the success or failure status of the operation. Citrix recommends that you periodically clear audit logs after reviewing them.

You can perform the following operations on audit logs:

  • View the audit log details of all users or a single user.
  • Sort the details by user, operation, audit time, category, AuditedObject, and status by clicking the appropriate column heading.
  • Clear the audit logs when you no longer need to manage them.

To view audit logs for all users

  1. On the Administration tab, in the right pane, under Security, click Audit Logs.
  2. Under Audit Logs, you can view and do the following:
    • Name: Specifies the user name of the user for which you can view the audit logs. Click the user name to view the audit details of that user.
    • Operation: Specifies the operation the user has performed for which the audit log is available.
    • Time: Specifies the time when the audit log was generated.
    • Status: Specifies the status of the audit, such as Success or Failed.
    • Category: Specifies the category of the operation that is audited, such as Authentication.
    • Audited Object: Specifies the security administration operations, such as operations on users or groups, that are audited by Command Center.
    • Export: Click Export if you want to export all the audited information to a CSV file.
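
A review pass over an exported audit log, as an added example (not part of the product or its documentation): it flags users with a burst of failed Authentication events and notes whether a successful logon followed. The CSV header names, the timestamp format, the `Login` operation name and every sample row are constructed assumptions; adjust them to match the actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export

# Constructed sample export; column names follow the fields listed above.
SAMPLE_CSV = """Name,Operation,Time,Status,Category,Audited Object
root,Login,2015-05-28 02:10:01,Failed,Authentication,root
root,Login,2015-05-28 02:10:20,Failed,Authentication,root
root,Login,2015-05-28 02:10:45,Failed,Authentication,root
root,Login,2015-05-28 02:11:05,Success,Authentication,root
alice,Login,2015-05-28 09:00:00,Failed,Authentication,alice
alice,Login,2015-05-28 09:00:30,Success,Authentication,alice
admin1,Add Group,2015-05-28 10:15:00,Success,Security,Groups
"""


def load(text):
    """Parse the CSV text and return rows sorted by audit time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Time"] = datetime.strptime(r["Time"], TIME_FMT)
    return sorted(rows, key=lambda r: r["Time"])


def failed_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Find users with >= threshold failed logons spaced <= window apart."""
    findings = {}
    recent = defaultdict(list)  # user -> times of recent failures
    for r in rows:
        if r["Category"] != "Authentication":
            continue
        user, when = r["Name"], r["Time"]
        if r["Status"] == "Failed":
            kept = [t for t in recent[user] if when - t <= window]
            recent[user] = kept + [when]
            if len(recent[user]) >= threshold:
                f = findings.setdefault(
                    user, {"failures": 0, "success_after": False})
                f["failures"] = max(f["failures"], len(recent[user]))
        elif r["Status"] == "Success":
            last = recent[user][-1] if recent[user] else None
            if user in findings and last and when - last <= window:
                findings[user]["success_after"] = True
            recent[user] = []  # a good logon resets the failure streak
    return findings


if __name__ == "__main__":
    for user, f in failed_bursts(load(SAMPLE_CSV)).items():
        print(user, f)
```

A finding with `success_after` set to True deserves the closest look, since it is consistent with a password being guessed; a single mistyped password followed by a good logon, as in the `alice` rows, is not reported.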