Managing Orchestrator User Accounts and Authentication
For a user to log in to the Orchestrator client, the Orchestrator server must authenticate and authorize the user. Only then does the user have access to the Orchestrator server and, by extension, the appliances.
Based on its configuration, the Orchestrator authenticates the user via its own built-in local database or via a network server used for access control.
Add users to the Orchestrator server’s local database via the Orchestrator client’s Orchestrator Administration > User Management menu. The user profile includes the user role, which maps to a particular level of authorization and determines what the user can do.
The Orchestrator has three user roles: Admin Manager (Superuser), Network Manager, and Network Monitor. Authorization always maps to one of these three levels:
Admin Manager has all privileges. It’s the equivalent of Superuser.
Network Manager has read/write privileges. In practice, these are the same privileges that Admin Manager has.
Network Monitor has view-only privileges.
If Local Only is selected, then authentication defaults to the Orchestrator server’s local database.
If Local Only is not selected, then a remote RADIUS or TACACS+ server is also involved.
If Remote first is selected and fails, then the Orchestrator tries the Local database.
If Local first is selected and fails, then the Orchestrator tries the Remote database.
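The authentication order above can be modelled to show which accounts remain a valid login path under each setting. This is an added example, not Orchestrator code: the mode names come from this page, while the function names, sample accounts, and the reading of "fails" as either a rejected login or an unreachable server are assumptions.

```python
# Added illustration: a model of the authentication order described above.
# Mode names come from the page; every other name and value is constructed.
LOCAL_ONLY, REMOTE_FIRST, LOCAL_FIRST = "Local Only", "Remote first", "Local first"

# Constructed sample data: username -> (password, role)
LOCAL_DB = {"breakglass": ("local-pw", "Admin Manager"),
            "viewer": ("view-pw", "Network Monitor")}
REMOTE_DB = {"alice": ("remote-pw", "Network Manager")}


def check(db, user, password):
    """Return the user's role if the store accepts the credentials, else None."""
    entry = db.get(user)
    return entry[1] if entry and entry[0] == password else None


def authenticate(mode, user, password, remote_up=True):
    """Return (role, source) for the first store that accepts, else (None, None).

    Assumption: 'fails' covers both a rejected login and an unreachable
    server; the page does not distinguish the two.
    """
    local = ("local", LOCAL_DB)
    remote = ("remote", REMOTE_DB if remote_up else {})
    order = {LOCAL_ONLY: [local],
             REMOTE_FIRST: [remote, local],
             LOCAL_FIRST: [local, remote]}[mode]
    for source, db in order:
        role = check(db, user, password)
        if role:
            return role, source
    return None, None


def reachable_admins(mode):
    """List (user, source) pairs that can obtain Admin Manager under a mode."""
    found = []
    for source, db in (("local", LOCAL_DB), ("remote", REMOTE_DB)):
        for user, (password, role) in db.items():
            if role == "Admin Manager" and authenticate(mode, user, password)[1] == source:
                found.append((user, source))
    return found


if __name__ == "__main__":
    for mode in (LOCAL_ONLY, REMOTE_FIRST, LOCAL_FIRST):
        print(mode, "->", reachable_admins(mode))
```

In this model the local Admin Manager account authenticates under all three settings, so the local user list needs the same review as the remote directory even when Remote first is selected.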
The Secret Key enables the Orchestrator to talk to the access control server. The Orchestrator has hard-coded keys for TACACS+, so no user entry is required.