Authorization Group Capabilities (Legacy)


As part of configuring Authorization and Device Access, users are assigned to authorization groups that define their access privileges to Extreme Management Center application features. Each of these access privileges (called Capabilities) grants access to a specific feature or function in the application. For example, you may have an authorization group called "IT Staff" that grants access to a wide range of capabilities, while another authorization group called "Guest" grants a very limited range of capabilities.

Capabilities are defined when you create an Authorization group and assign users to the group using the Users and Groups tab in the Authorization/Device Access tool, accessed from the Tools menu in any Management Center application. In the Add/Edit Group window, the Capabilities tab lists all the various capabilities for your selection. The capabilities are divided into suite-wide and application-specific capabilities. Checking a capability in the tree grants access to that capability.

See below for a description of each capability.

Capabilities Tab

The following sections provide a description of each capability:

Extreme Management Center Suite

The following capabilities apply to all Extreme Management Center applications.

Authorization/Device Access

View Authorization/Device Access
Allows the ability to view, but not to configure, the Authorization/Device Access tool, which can be accessed from the Tools menu in any Management Center application. Users who attempt to access the tool without this capability see an error message.
Configure Users, User Groups, and Capabilities
Allows access to the Users/Groups tab in the Authorization/Device Access tool and the ability to create and edit users and authorization groups.
Configure Profiles/Credentials
Allows access to the Profiles/Credentials tab in the Authorization/Device Access tool and the ability to define the SNMP credentials used to access network devices and the profiles that use those credentials.
Configure Profile/Device Mapping
Allows access to the Profile/Device Mapping tab in the Authorization/Device Access tool and the ability to specify the SNMP profiles each authorization group uses when communicating with each device.
Configure LDAP and RADIUS Servers
Allows the ability to configure RADIUS Servers and LDAP Configurations in the Users/Groups tab in the Authorization/Device Access tool.
Manage SNMP Passwords
Allows access to the Manage SNMP Passwords tab in the Authorization/Device Access tool and the ability to manage the credentials set on network devices.
Allow Tools to Use All Profiles
In MIB Tools, this capability allows users to select from all available profiles when using a Console profile to contact the device.
Allow View of No Access Devices
If an authorization group is configured with "No Access" to specific devices (in the Profile/Device Mapping tab), this capability allows members of that group to view the No Access devices in the left-panel tree, even though they cannot access the devices.

Devices

Add, Discover, and Import
Allows the ability to add devices using the Add Device window, discover devices using the Discover tool, and import devices using the File > Device List > Import Devices option.
Configure Groups
Allows the ability to create device groups and add and remove devices to and from device groups.
Delete
Allows the ability to delete devices from the Management Center database.
Export
Allows the ability to export a device list using the File > Device List > Export option.
Configure Status Polling Options
Allows the ability to set suite-wide Status Polling options available from the Tools > Options window.
Execute Command Scripts
Allows the ability to execute command scripts (using the Command Script tool) on a device in Console or Inventory Manager.

Events and Alarms

Events
Allows the following Event configuration capabilities:
  • View Event Logs - View event logs in all Management Center applications.
  • View Events for No Access Devices - If you configured an authorization group with "No Access" to specific devices (in the Profile/Device Mapping tab), this capability allows members of that group to view events for the No Access devices, even though they cannot access the devices.
  • Configure Event Options - Set suite-wide Event Logs options available from the Tools > Options window.
  • Acknowledge Events - Acknowledge events in the event log.
  • Configure Server Log Managers - Add, edit, and remove Log Managers using the Event View Manager window.
  • Clear and Roll Server Log Managers - Clear and roll event logs on the Management Center Server using the button in the lower-right corner of the event log.
Alarms
Allows the following Alarm configuration capabilities:

Server Information

View Server Information
Allows the ability to view, but not to configure, the Server Information tool, which can be accessed from the Tools menu in any Management Center application. Users who do not have this capability see an error message when they attempt to access the tool.
Configure Server View
Allows the ability to view and configure Management Center Console client connection options:
Extreme Management Center Database
Allows the following Management Center database management capabilities:
  • View or Change Database Password - View and change the password the Management Center Server uses to access the database.
  • Change Database URL - Change the URL the Management Center Server uses when connecting to the database.
  • Backup Database - Save the currently active database to a file.
  • Restore or Initialize Database - Restore the initial database or restore a saved database.
  • Initialize Plugin Data - Initialize a specific Management Center application's components in the Management Center database by using the File > Database > Initialize Components menu option.
Disconnect Clients
Allows the ability to disconnect clients in the Client Connections tab and to configure the User Inactivity option in the Client Connections Suite-Wide options panel.
Revoke Locks
Allows the ability to revoke operation locks in the Locks tab.

Extreme Management Center (formerly NetSight) All User Options

These capabilities provide the ability to set suite-wide options that apply to all users, using the Tools > Options window.

Configure Services for NetSight (Management Center) Server Options
Allows the ability to specify TFTP settings.
Configure SMTP E-mail Options
Allows the ability to specify the SMTP E-Mail server used by the Management Center E-Mail notification feature.
Request and Configure ExtremeNetworks.com Support
Allows the ability to request information about the latest Management Center product releases via the Help > Check for Updates option from the menu bar in any application and request information about firmware releases via the Help > Check for Firmware Updates option in Inventory Manager. It also allows you to configure the check for updates operation (including scheduled updates) in the Suite options. These features tell you when updated versions of Management Center products and firmware are available and allow you to download newer versions to keep your software and firmware current.
Configure Web Server
Allows the ability to specify the port ID for HTTP web server traffic.
Open GTAC Support Case
Allows the ability to create a GTAC support case or RMA case from the Network tab.

Common Web Services

Read access to the Web Services APIs
Provides read access to the Management Center Common web service, which is a third-party integration point. The Common web service exposes methods for manipulating Management Center infrastructure components.
Read/write access to the Web Services APIs
Provides read/write access to the Management Center Common web service, which is a third-party integration point. The Common web service exposes methods for manipulating Management Center infrastructure components.

Credentials Web Service

Read operations
Provides read access to the Management Center Credentials web service, allowing programmatic access to authentication profiles and credentials used for device access.
Read/write operations
Provides read/write access to the Management Center Credentials web service, allowing programmatic access to authentication profiles and credentials used for device access.

Device Local Management WebView

Auto Login to Web Local Management for NAC Appliances
Allows the ability to launch local management for Extreme Access Control engines without requiring a login, as long as the user has the necessary credentials. Users who do not have this capability are required to log in.
Auto Login to Web Local Management for ExtremeWireless Wireless Controllers
Allows the ability to launch local management for wireless controllers without requiring a login, as long as the user has the necessary credentials. Users who do not have this capability are required to log in.

Extreme Management Center Application Analytics

Application Analytics Read Access
Allows the ability to access the OneView Analytics tab and view the Application Analytics reports. The Application Analytics feature is available with the Extreme Management Center (NetSight) Advanced (NMS-ADV) license.
Application Analytics Read/Write Access
Adds the ability to view the OneView Analytics > Configuration tab and configure Application Analytics engines and NetFlow Collecting devices. Also adds the ability to create and modify fingerprints.

Extreme Management Center Automated Security Manager

Launch NetSight (Extreme Management Center) Automated Security Manager
Allows the ability to launch the Automated Security Manager (ASM) application. An error message appears for users who do not have this capability when they attempt to launch ASM.
Manage Activities
Allows the ability to use the ASM Activity Monitor.
Manage Configuration
Allows the ability to use the ASM Configuration Tool, launched from the Tools menu. Users who do not have this capability can open the tool and view the information, but cannot edit the information.
Reset Summary Statistics
Allows the ability to reset the Summary Statistics counters from the Tools > Statistics > Reset Counters menu option.
Use Incident Test Tool
Allows the ability to access and use the Incident Test Tool, launched from the Tools menu.

Extreme Management Center Console

Launch a NetSight (Management Center) Console Client
Allows the ability to launch the Console application. An error message appears for users who do not have this capability when they attempt to launch Console.
MIB Tools
Allows the ability to launch MIB Tools from the Console menus.
Allow SNMP sets to Devices
Allows the ability to write SNMP sets to network devices.
Modify Compass SNMP MIBs
Allows the ability to select Compass SNMP MIBs in the Compass options panel.
Modify Device Access
Allows the ability to modify device access information in the Access Properties tab.
Show Passwords in Clear Text
Allows the ability to view passwords in clear text in various Console windows.
Device Manager
Allows the ability to launch Device Manager from a device.
TFTP Download
Allows the ability to perform a configuration upload/download or firmware image download on a device.
Trap Configuration
Allows the ability to launch and use the Trap Receiver Configuration window.
Configure FlexViews
Allows the ability to create and modify FlexViews.
Syslog Configuration
Allows the ability to launch and use the Syslog Receiver Configuration window.

RoamAbout Wireless Manager

View
Allows the ability to launch the RoamAbout Wireless Manager tool from the Console Tools menu.
Configure
Allows the ability to use the AP Templates tool to create customized AP configurations.

Wireless Manager

Launch
Allows the ability to launch Wireless Manager from the Console Tools menu.
Configure
Allows the ability to configure Wireless Manager.

Wireless Advanced Services

Launch
Allows the ability to launch Wireless Advanced Services.
Operator
Allows the ability to perform the following functions:
  • Modify and delete events.
  • Add, delete, and modify devices (APs and clients).
  • Add, delete, and modify locations.
  • Calibrate location tracking.
  • Add, delete, modify, and schedule reports.
  • Move devices in and out of quarantine.
  • Troubleshoot devices.
Configure
Allows the ability to modify screens on the Administration tab.

ACL Manager

View
Allows the ability to view ACL information for a device using the ACL Manager tab in Console.
Configure
Allows the ability to create a new ACL or modify an existing ACL using the ACL Editor.

RMON Models

View
Allows access to the RMON port tools from the right-click Port Tools menu.
Configure
Allows the ability to configure RMON port tools.

VLAN Models

View
Allows the ability to view VLAN Models using the VLAN Elements Editor, accessed from the VLAN tab in Console.
Configure
Allows the ability to configure VLAN Models using the VLAN Elements Editor, accessed from the VLAN tab in Console.

Basic Policy

View
Allows the ability to view port role and end user session information using the Basic Policy tab in Console.
Configure
Allows the ability to configure port role and end user session information using the Basic Policy tab in Console.

Extreme Management Center Inventory Manager

Launch NetSight (Management Center) Inventory Manager
Allows the ability to launch the Inventory Manager application. An error message appears for users who do not have this capability when they attempt to launch Inventory Manager.
Firmware/Boot PROM Management
Allows the ability to perform the following firmware and boot PROM management tasks:
Configuration Archive Management
Allows the ability to perform the following configuration archive management tasks:
  • Use the Archive Save Wizard.
  • Use the Archive Restore Wizard.
  • Archive Compare
  • View/Compare Configurations - Allows the ability to access the Configuration File Viewer and the Compare Configuration Files window.
  • Modify Archives
    • Refresh - Perform a configuration discovery and update archive information using the View > Refresh menu option.
    • Delete - Delete an archive, an archive version, or a saved configuration from the Archive Mgmt tree using the right-click Delete option.
    • Rename - Rename an archive using the right-click Rename menu option.
    • Edit Configurations - Edit an archive's parameters using the Archive General tab.
    • Stamp New Versions - Save (stamp) a new version of a configuration using the Tools > Stamp New Version menu option.
    • Lock/Unlock Versions - Lock and unlock an archive version using the Tools > Lock/Unlock menu option. A locked archive version will not be deleted when the maximum number of saved versions for the archive has been reached.
  • Retrieve Configuration File from Server - Allows a user to download an archive configuration file from the Management Center Server to their local machine.
Configuration Templates Management
Allows the ability to perform the following configuration templates management tasks:
  • Use the Configuration Templates Download Wizard.
  • Create/Edit Templates - Create and edit configuration templates using the Edit Configuration Template window.
  • Preview Templates - Preview a configuration template from the Device Configuration Templates tab.
  • Modify Templates
    • Assign - Assign a template to one or more device types using the Assign Configuration Template window.
    • Rename - Rename a template using the Tools menu Rename Template menu option.
    • Delete - Delete a configuration template using the right-click Delete option.
    • Refresh - Perform a configuration template discovery and update the template information using the View > Refresh menu option.
    • Remove from Groups - Remove a configuration template from the template group using the Tools > Remove Configuration Template from Group menu option.
    • Create Variables - Define variables for use in configuration templates.
Reset Device Wizard
Allows the ability to use the Reset Device Wizard.
Capacity Planning
Allows the ability to use the Capacity Planning tool.
Modify Schedules
Allows the ability to modify schedules for configuration archives and capacity planning reports.
Change MIB Overrides
Allows the ability to change MIB Overrides in the Image Information tab.

Extreme Management Center Mediation Agent

Read access to the Mediation Agent Web Services API
Provides the Application Analytics engine with read access to Management Center via web services API.
Read/Write access to the Mediation Agent Web Services API
Provides the Application Analytics engine with read/write access to Management Center via web services API.

Extreme Management Center Policy Control Console

Launch Policy Control Console
Allows the ability to launch the Policy Control Console tool from the Console Tools menu. Users who do not have this capability see an error message when they attempt to launch Policy Control Console.
Edit Policy Control Console Configuration
Allows the ability to use and configure Policy Control Console.

Extreme Management Center Policy Manager

Launch NetSight (Extreme Management Center) Policy Manager
Allows the ability to launch the Policy Manager application. Users who do not have this capability see an error message when they attempt to launch Policy Manager.
Read/Write capabilities for Policy Enforcement and Management
Allows the ability to manage and enforce policy to network devices using Policy Manager.
Read/Write access to the Policy Web Service APIs
Provides read/write access to the Policy web service, which is a third-party integration point. The Policy web service allows programmatic access to policy management.

Extreme Management Center NAC Manager

Launch NAC Manager
Allows the ability to launch the NAC Manager application. Users who do not have this capability will see an error message when they attempt to launch NAC Manager.
Edit NAC Manager Configuration
Allows the ability to edit all aspects of the NAC Manager configuration including rule components, NAC profiles, assessment, registration, and managing advanced configurations.
Force reauthentication and scan (assess) End-Systems
Allows the ability to force end-systems to be reauthenticated and scanned, but does not allow the ability to edit the NAC Manager configuration.
Read access to the NAC Web Services API
Provides read access to the NAC web service, which is a third-party integration point. The NAC web service exposes methods for manipulating NAC infrastructure components.
Read/write access to the NAC Web Services API
Provides read/write access to the NAC web service, which is a third-party integration point. The NAC web service exposes methods for manipulating NAC infrastructure components.
Read access to the NAC System Web Services APIs
Provides read access to the NAC System web services, allowing programmatic access to advanced web services that are not publicly documented.
Read/write access to the NAC System Web Services APIs
Provides read/write access to the NAC System web services, allowing programmatic access to advanced web services that are not publicly documented. Also provides the ability to use the NAC Request Tool.

Extreme Management Center OneView

Access OneView
Allows the ability to launch the OneView application but does not provide any OneView report access. Selecting only this capability without any other OneView capabilities would be the same as not allowing OneView access.
Access OneView Reports
Adds the ability to view all OneView reports accessed from the Reports tab.
Access OneView Search
Adds the ability to use the OneView Search tab.
Access OneView Administration
Adds the ability to access OneView administration tools and enable data collection.
NetFlow Read Access
Adds the ability to view the OneView Flows tab.
Maps
Allows the ability to perform the following OneView map functions:
  • Maps Read Access - Adds the ability to access the OneView Map tab and view the maps.
  • Maps Read/Write Access - Adds the ability to access the OneView Map tab, and view and modify maps. This includes adding devices to the maps, drawing on the maps, changing map scale, and changing map properties (for example, the map name and background image).
Events and Alarms
Allows the ability to perform the following OneView event and alarm functions:
  • OneView Event Log Access - Allows the ability to view device information and event log details.
  • OneView Alarms Read Access - Allows the ability to view current alarms in the Alarms and Events tab.
  • OneView Alarms Read/Write Access - Allows the ability to view and clear alarms in the Alarms and Events tab.
FlexView
Allows the ability to perform the following OneView FlexView functions:
  • OneView FlexView Read Access - Allows the ability to launch a FlexView from the Network tab.
  • OneView FlexView Read/Write Access - Allows the ability to launch and edit a FlexView from the Network tab.
Identity and Access
Allows the ability to perform the following OneView Identity and Access functions:
  • Access OneView Control Reports - Provides access to the Dashboard view, System view, Health view, and Data Center view from the Control tab.
  • OneView End-Systems Read Access - Provides access to the End-Systems view from the Control tab.
  • OneView End-Systems Read/Write Access - Provides access to the End-Systems view from the Control tab, and allows the ability to perform actions such as forcing reauthentication and changing an end-system's group membership.
  • OneView Group Read Access - Allows the ability to launch the Group Editor tool from the Control tab > End-Systems view, and view group information.
  • OneView Group Read/Write Access - Allows the ability to launch the Group Editor tool from the Control tab > End-Systems view, and edit group information.
NetSight (Management Center) Manager Access
Adds the ability to access the OneView NetSight (Management Center) Manager.
  NOTE: Access to some OneView components is determined by capabilities in other capability groups:
  • NetSight (Management Center) Console > Wireless Manager > Launch - Adds the ability to view the OneView Wireless tab.
  • NetSight (Management Center) Suite > Devices > Add, Discover and Import - Adds the ability to add devices in the OneView Network tab.
  • NetSight (Management Center) Suite > Devices > Delete - Adds the ability to delete devices in the OneView Network tab.
  • Inventory Manager > Configuration Archive Management > View/Compare Configurations - Adds the ability to compare archived device configurations in either the OneView Network tab or the Archive Details Report available in the OneView Reports tab.