Device Authorization Profile lets the administrator authorize users or user groups (and control their level of access) to perform actions on devices through CLI sessions and File Management.
Navigation: Authorization Profile is grouped under the User Management icon on the left panel.
Authorization Profile contains five tabs - Profile details, SSH & Telnet, RDP & VNC, File Management and Access Control.
The Profile Details tab holds the profile's basic settings: Vendor, IP, Device Group and User Group.
The SSH & Telnet tab defines the access level users have when establishing an SSH or Telnet connection. Once the SSH & Telnet protocol is enabled, additional fields appear, including an option to record the CLI Session, which makes Infraon SecuRA track all terminal activity. Recording is enabled by default; the CLI Session Log is accessible from the Device View page and from the CLI Jobs/Sessions page.
Five types of command sets can be defined in an Authorization Profile:
- Terminate Commands - Command set(s) that are denied for the User/User Group. When a user enters one of these commands, Infraon SecuRA terminates the CLI Session immediately.
- Block Commands - Command set(s) that are denied for the User/User Group. When a user enters one of these commands, Infraon SecuRA blocks the command from being executed; the CLI session is not terminated.
- Notify Commands - When a user enters one of these commands, Infraon SecuRA executes it and triggers a notification about the action. If this option is selected, a Notifier (Notification Alert) must be chosen from the dropdown menu.
- Permit Commands - Command set(s) that the User/User Group is allowed to execute. Any command not listed in the 'Permit' section is blocked at execution time.
- System Commands (the 'Ignore' section) - used to ignore inputs such as passwords and other credentials typed in response to a device prompt. When a user runs a command that requires additional authentication, the device prompts for that input. The prompt must be added to the 'Ignore' section so that the user's response is not evaluated as a command; otherwise the system runs the response through the Permit list and, since it matches no permitted command, blocks it.
Use the checkboxes below to block the Up/Down (command history) and Tab (completion) keys in the session.
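The five command sets above interact, and the page does not spell out the precedence between them. The following Python is an added illustration (not Infraon SecuRA's own code) of how such a filter could be evaluated. The evaluation order (Ignore prompt first, then Terminate, Block, Notify, Permit, with implicit deny) is an assumption, as are the regex-based matching and all sample commands and prompts, which are constructed for the example. It shows the failure mode described under System Commands: a password typed at a device prompt is blocked as an unpermitted command unless the prompt is in the Ignore set.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuthorizationProfile:
    """Command sets of an Authorization Profile (assumed representation).

    Each entry is a regular expression matched against the whole input line.
    """
    terminate: List[str] = field(default_factory=list)
    block: List[str] = field(default_factory=list)
    notify: List[str] = field(default_factory=list)
    permit: List[str] = field(default_factory=list)
    # 'System' / 'Ignore' section: device prompts whose responses (passwords,
    # confirmations) must not be evaluated as commands.
    ignore_prompts: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str                    # terminate | block | notify | permit | ignore
    matched: Optional[str] = None  # the pattern that decided the outcome
    notifier: Optional[str] = None # set only for notify decisions


def _first_match(patterns: List[str], text: str) -> Optional[str]:
    """Return the first pattern that fully matches the stripped text."""
    for pattern in patterns:
        if re.fullmatch(pattern, text.strip()):
            return pattern
    return None


def evaluate(profile: AuthorizationProfile, user_input: str,
             last_prompt: str, notifier: str = "default-notifier") -> Decision:
    """Decide what happens to one line typed in the CLI session.

    Assumed precedence: an ignored prompt short-circuits everything (the
    input is a credential, not a command); then deny rules win over allow
    rules; anything not explicitly permitted is blocked.
    """
    if _first_match(profile.ignore_prompts, last_prompt):
        return Decision("ignore")
    hit = _first_match(profile.terminate, user_input)
    if hit:
        return Decision("terminate", hit)
    hit = _first_match(profile.block, user_input)
    if hit:
        return Decision("block", hit)
    hit = _first_match(profile.notify, user_input)
    if hit:
        return Decision("notify", hit, notifier)   # executed AND reported
    hit = _first_match(profile.permit, user_input)
    if hit:
        return Decision("permit", hit)
    return Decision("block")                        # implicit deny


# Constructed sample profile for a network-device vendor CLI.
SAMPLE_PROFILE = AuthorizationProfile(
    terminate=[r"(erase|format)\s+.*"],
    block=[r"reload.*", r"write\s+erase"],
    notify=[r"configure\s+terminal", r"conf\s+t"],
    permit=[r"show\s+.*", r"enable", r"exit"],
    ignore_prompts=[r"Password:\s*"],
)

# Same profile with an empty Ignore section, to show the failure mode.
PROFILE_WITHOUT_IGNORE = AuthorizationProfile(
    terminate=SAMPLE_PROFILE.terminate, block=SAMPLE_PROFILE.block,
    notify=SAMPLE_PROFILE.notify, permit=SAMPLE_PROFILE.permit,
)

# Constructed session: (line typed by the user, prompt the device showed).
SAMPLE_SESSION = [
    ("show running-config", "Router>"),
    ("enable", "Router>"),
    ("S3cret!", "Password:"),
    ("configure terminal", "Router#"),
    ("debug all", "Router#"),
    ("reload", "Router#"),
    ("erase startup-config", "Router#"),
]


def run_session(profile: AuthorizationProfile) -> List[str]:
    """Evaluate the sample session and return the action for each line."""
    return [evaluate(profile, line, prompt).action for line, prompt in SAMPLE_SESSION]


if __name__ == "__main__":
    for (line, prompt), action in zip(SAMPLE_SESSION, run_session(SAMPLE_PROFILE)):
        print(f"{prompt:10} {line:22} -> {action}")
    print("password with empty Ignore set ->",
          evaluate(PROFILE_WITHOUT_IGNORE, "S3cret!", "Password:").action)
```

With the Ignore set populated, the password typed at `Password:` passes through untouched; with it empty, the same line falls through to the Permit check, matches nothing, and is blocked, which is exactly why the page insists that system prompts be added to the 'Ignore' section.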
The RDP & VNC tab lets the user configure the parameters required to establish remote graphical access to a Device.
- RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft that lets users graphically control a remote computer.
- VNC or Virtual Network Computing is a platform independent Graphical Desktop Sharing System designed to remotely control another computer.
Based on the device type and the protocol enabled on the end device, choose between the RDP and VNC configurations in Infraon SecuRA; additional fields appear for the selected option. For RDP, select the Screen Recording, Security Mode, Display and Performance options; for VNC, select the Screen Recording and VNC Display options.
The File Management tab defines access control for file management actions performed through SecuRA over SCP or SFTP: adding and deleting files/folders, and uploading, downloading and renaming files. Users authorized to perform file management actions see an additional icon on the Device View/Device Grid pages. Restrictions on file types, file size and protocol can be defined, as can an MD5 hash check on upload and virus scans. Note that the MD5 check confirms that the file arrived intact; it does not on its own prove the file is trustworthy, since MD5 collisions are practical.
The Access Control tab sets the privacy level of the profile.
- Users can Add, Edit, Delete, Clone, Enable and Disable Authorization Profiles using the action icons on the page.
- Multiple users can be authenticated for a single IP, enabling multiple users to access the same IP.
- Device and User Selection can be done by selecting a pre-defined Authentication Profile using the dropdown menu.
- Clone Profile duplicates an existing profile so that a new one can be created with minimal changes. Click the quick action icon and the Add Authorization Profile page appears with pre-filled details; make the required changes and save the profile.
- The Default Authorization Profile (also called the System Authorization Profile) is a built-in profile that provides the access controls for the RDP/VNC/SSH/Telnet/File Management protocols when no device-specific Authorization Profile exists. Its controls, for each individual protocol, can only be edited by a System Administrator.
- Infraon SecuRA checks for an Authorization profile configured for the specific device. When it is not found in the database, the system uses the Default Authorization Profile.
- Creating an 'Authorization Profile' for specific device(s) will override the default Authorization Profile.
- In absence of a device specific authorization profile, access to the remote device(s) can be controlled using the below parameters on 'System Parameters' module (0 to disable or 1 to enable):
- Depending on the default values specified, the respective icons are displayed on the 'Device View' page for all users. The next level of control is defined in the SSH & Telnet, RDP & VNC and File Management tabs of the 'Default Authorization Profile', which can be edited from the 'Authorization Profiles' page.