Authorization Group Capabilities


As part of configuring Authorization and Device Access, users are assigned to authorization groups that define their access privileges to ExtremeCloud IQ Site Engine application features. These access privileges (called Capabilities) grant specific capabilities in the application. For example, you may have an authorization group called "IT Staff" that grants access to a wide range of capabilities, while another authorization group called "Guest" grants a very limited range of capabilities.

Capabilities are defined when you create an authorization group and assign users to the group by selecting the Add button in the Authorization Groups section of the Administration > Users tab. In the Add/Edit Authorization Group window, the Capability list displays all the various capabilities for your selection.

There are two Categories of capabilities: Basic and Advanced.

  • Basic — Select Basic in the Add Authorization Group window or in the Edit Authorization Group window to enable ExtremeCloud IQ Site Engine to resolve many dependencies automatically (for example, enabling XIQ-SE OneView Administration automatically selects the Initialize Plugin Data capability) and order capabilities based on the product menu structure.
  • Advanced — Select Advanced in the Add Authorization Group window or in the Edit Authorization Group window to list all capabilities. To ensure capabilities are properly configured for Authorization Groups, enable required dependencies as noted in this help topic.

Selecting a capability grants access to that capability.

The list below includes capabilities that are only available when the Advanced Category is selected.

The following sections provide a description of each capability:

ExtremeCloud IQ Site Engine Event Correlation

Event Correlation Read Access
Allows ExtremeCloud IQ Site Engine to correlate similar events and respond to a perceived threat to the network. This is an experimental feature. Contact GTAC for additional information.
Event Correlation Read/Write Access
Adds the ability to configure ExtremeCloud IQ Site Engine's threat response behavior and event correlation. This is an experimental feature. Contact GTAC for additional information.

ExtremeCloud IQ Site Engine Fabric Manager

Fabric Manager Read Access
Allows the ability to access Fabric Manager and view topologies. Selecting this capability requires you to select the capability for Northbound Interface Read Access.
Fabric Manager Read/Write Access
Adds the ability to access Fabric Manager topologies and provision fabric topologies. Selecting this capability requires you to select the capability for Northbound Interface Read/Write Access.

Northbound API

Northbound API capabilities control only the queries and mutations that are not under Access Control and Policy. To use the queries and mutations included in the Northbound Interface but managed by Access Control or Policy, you must provide access to both. For example, to use Access Control queries, you must enable two choices in the Add Authorization Group dialog: Access Control Northbound Interface Read Access and Northbound Interface Read Access.

Select the capabilities for which the user requires access in ExtremeCloud IQ Site Engine:

Access Control Northbound Interface Read Access
Provides the user with access to the Access Control queries in the Northbound Interface. To use Access Control queries included in the Northbound Interface, you must enable this capability and the Northbound Interface Read Access capability.
Access Control Northbound Interface Read/Write Access
Provides the user with access to the Access Control mutations in the Northbound Interface. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read/Write Access capability.
Administration Northbound Interface Read Access
Provides the user with access to the Administrative Northbound Interface queries. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read Access capability.
Administration Northbound Interface Read/Write Access
Provides the user with access to the Administrative Northbound Interface queries and mutations. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read/Write Access capability.
Inventory Northbound Interface Read Access
Provides the user with access to the Inventory Northbound Interface queries. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read Access capability.
Inventory Northbound Interface Read/Write Access
Provides the user with access to the Inventory Northbound Interface queries and mutations. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read/Write Access capability.
Network Northbound Interface Read Access
Provides the user with access to the Network Northbound Interface queries. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read Access capability.
Network Northbound Interface Read/Write Access
Provides the user with access to the Network Northbound Interface queries and mutations. To use ExtremeControl mutations, you must enable this capability and the Northbound Interface Read/Write Access capability.
Northbound Interface Read Access
Provides the user with access to Northbound Interface queries. This capability is required for Access Control and Policy NBI queries and to use the NBI tools, accessible via the Administration > Diagnostics tab.
Northbound Interface Read/Write Access
Provides the user with access to the Northbound Interface mutations. This capability is required for Access Control and Policy NBI mutations. This capability requires the capability for Northbound Interface Read Access.
Policy Northbound Interface Read Access
Provides the user with access to the Policy queries in the Northbound Interface. To use policy queries included in the Northbound Interface, you must enable this capability and the Northbound Interface Read Access capability.
Policy Northbound Interface Read/Write Access
Provides the user with access to the Policy queries and mutations in the Northbound Interface. To use policy mutations, you must enable this capability and the Northbound Interface Read/Write Access capability.
Workflows Northbound Interface Read Access
Provides the user with access to the Workflows queries in the Northbound Interface. To use policy queries included in the Northbound Interface, you must enable this capability and the Northbound Interface Read Access capability.
Workflows Northbound Interface Read/Write Access
Provides the user with access to the Workflows queries and mutations in the Northbound Interface. To use policy mutations, you must enable this capability and the Northbound Interface Read/Write Access capability.
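
An added example (not part of the product or its documentation): a small Python check that takes the capability names selected for an Advanced-category group and reports the Fabric Manager and Northbound API dependencies stated above that are missing, following chains such as Fabric Manager Read/Write Access, then Northbound Interface Read/Write Access, then Northbound Interface Read Access. The group names and selections are constructed sample input, and how a group's selections are exported from the product is left as an assumption.

```python
"""Audit an authorization group's capability selection for missing dependencies.

Added example; the dependency table is transcribed from the Fabric Manager and
Northbound API descriptions in this help topic. Function names are hypothetical.
"""

NBI_READ = "Northbound Interface Read Access"
NBI_RW = "Northbound Interface Read/Write Access"

# Direct requirements, exactly as the topic states them.
REQUIRES = {
    "Fabric Manager Read Access": {NBI_READ},
    "Fabric Manager Read/Write Access": {NBI_RW},
    NBI_RW: {NBI_READ},
}

# Each domain-scoped NBI capability needs the generic NBI capability of the
# same access level enabled alongside it.
for _domain in ("Access Control", "Administration", "Inventory",
                "Network", "Policy", "Workflows"):
    REQUIRES[f"{_domain} Northbound Interface Read Access"] = {NBI_READ}
    REQUIRES[f"{_domain} Northbound Interface Read/Write Access"] = {NBI_RW}


def required_closure(capability):
    """Return every capability transitively required by `capability`."""
    needed, stack = set(), [capability]
    while stack:
        # Capabilities without an entry in REQUIRES have no stated dependency.
        for dep in REQUIRES.get(stack.pop(), ()):
            if dep not in needed:
                needed.add(dep)
                stack.append(dep)
    return needed


def audit_group(selected):
    """Map each selected capability to the sorted dependencies it lacks."""
    selected = set(selected)
    findings = {}
    for cap in sorted(selected):
        missing = required_closure(cap) - selected
        if missing:
            findings[cap] = sorted(missing)
    return findings


def completed_selection(selected):
    """Return the selection plus every dependency needed to make it usable."""
    result = set(selected)
    for cap in selected:
        result |= required_closure(cap)
    return result


# Constructed sample groups (not taken from a real deployment).
SAMPLE_GROUPS = {
    "NBI Automation": {
        "Policy Northbound Interface Read/Write Access",
        "Fabric Manager Read Access",
    },
    "Fabric Operators": {
        "Fabric Manager Read/Write Access",
        NBI_RW,
        NBI_READ,
    },
}

if __name__ == "__main__":
    for group, caps in SAMPLE_GROUPS.items():
        findings = audit_group(caps)
        if not findings:
            print(f"{group}: all stated dependencies satisfied")
            continue
        print(f"{group}: missing dependencies")
        for cap, missing in findings.items():
            print(f"  {cap} -> enable: {', '.join(missing)}")
```
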

XIQ-SE Console

Configure FlexViews
Allows the ability to create and modify FlexViews.
Device Manager
Allows the ability to configure devices.
Launch a XIQ-SE Console Client
Allows the ability to launch a console client.
MIB Tools
Allows the ability to access the MIB tools.
Modify Compass SNMP MIBs
Allows the ability to select Compass SNMP MIBs.
Modify Device Access
Allows the ability to modify device access information.
Show Passwords in Clear Text
Allows the ability to view passwords in clear text.
TFTP Download
Allows the ability to perform a configuration upload/download or firmware image download on a device.
Topology Manager
Allows the ability to launch and use the Topology Manager options:
  • Configure Map Discovery & Overlay Update Options - Allows the ability to configure map discovery and overlay the topology update options.
  • Save Maps - Allows the ability to save maps.
  • Start - Allows the ability to launch Topology Manager.
VLAN Models
Allows the ability to view or configure VLAN Models using the VLAN Elements Editor, accessed from the VLAN tab in Console:
  • Configure - Allows the ability to configure VLAN Models.
  • View - Allows the ability to view VLAN Models.

XIQ-SE Mediation Agent

Read access to the Mediation Agent Web Services API
Provides the ExtremeAnalytics engine with read access to ExtremeCloud IQ Site Engine via web services API.
Read/Write access to the Mediation Agent Web Services API
Provides the ExtremeAnalytics engine with read/write access to ExtremeCloud IQ Site Engine via web services API.

XIQ-SE NAC Manager

Edit NAC Manager Configuration
Allows the ability to edit all aspects of the NAC Manager configuration including rule components, NAC profiles, assessment, registration, and managing advanced configurations.
Force reauthentication and scan (assess) End-Systems
Allows the ability to force end-systems to be reauthenticated and scanned, but does not allow the ability to edit the NAC Manager configuration.
Launch NAC Manager
Allows the ability to launch the NAC Manager application. Users who do not have this capability see an error message when they attempt to launch NAC Manager.
Read access to Guest and IoT Management
Provides read access to the Guest and IoT management options.
Read access to End-System REST API
Provides read access to the end system web service, which is an external integration point. The web service exposes methods for manipulating end system infrastructure components.
Read access to the NAC System Web Services APIs
Provides read access to the NAC System web services, allowing programmatic access to advanced web services that are not publicly documented.
Read access to the NAC Web Services API
Provides read access to the NAC web service, which is an external integration point. The NAC web service exposes methods for manipulating NAC infrastructure components.
Read/Write access to Guest and IoT Management
Provides read/write access to the Guest and IoT management options.
Read/Write access to End-System REST API
Provides read/write access to the end system web service, which is an external integration point. The web service exposes methods for manipulating end system infrastructure components.
Read/Write access to the NAC System Web Services APIs
Provides read/write access to the NAC System web services, allowing programmatic access to advanced web services that are not publicly documented. Also provides the ability to use the NAC Request Tool.
Read/Write access to the NAC Web Services API
Provides read/write access to the NAC web service, which is an external integration point. The NAC web service exposes methods for manipulating NAC infrastructure components.

XIQ-SE OneView

Access Control
Allows the ability to perform the following ExtremeControl functions:
  • Access OneView Access Control Reports - Provides access to the Dashboard view, System view, Health view, and Data Center view from the Control tab.
  • OneView End-Systems Read Access - Provides access to the End-Systems view from the Control tab. Selecting this capability requires you to select the capability for Access OneView.
  • OneView End-Systems Read/Write Access - Provides access to the End-Systems view from the Control tab, and allows the ability to perform actions such as forcing reauthentication and changing an end-system's group membership.
  • OneView Group Read Access - Allows the ability to launch the Group Editor tool from the Control tab > End-Systems view, and view group information.
  • OneView Group Read/Write Access - Allows the ability to launch the Group Editor tool from the Control tab > End-Systems view, and edit group information.
  • Policy Domain Read Access - Allows the ability to launch the Policy Manager application. Users who do not have this capability see an error message when they attempt to launch Policy Manager.
  • Policy Enforce/Verify and Domain Write Access - Allows the ability to manage and enforce policy to network devices using Policy Manager.
Access OneView
Allows the ability to access ExtremeCloud IQ Site Engine (formerly OneView).
Access OneView Search
Adds the ability to use the Search tab.
Access Operation Status Log
Adds the ability to access the operation status log.

Administration

Access OneView Administration
Adds the ability to access administration tools and enable data collection.
OneView Certificates Read Access
Allows the user read access to certificates in ExtremeCloud IQ Site Engine.
OneView Certificates Read/Write Access
Allows the user read and write access to certificates in ExtremeCloud IQ Site Engine.
Client API Read Access
Allows the ability to access the Administration > Client API Access tab.
Client API Read/Write Access
Adds the ability to access and configure API access for external applications via the Client API Access tab.
Configure Profiles/Credentials
Allows access to the Profiles tab and the ability to define the SNMP credentials used to access network devices and the profiles that use those credentials.
Configure Users, User Groups, and Capabilities
Allows access to the Users tab and the ability to create and edit users and authorization groups.
ExtremeCloud IQ Site Engine Database
Allows the following ExtremeCloud IQ Site Engine database management capabilities:
  • Backup Database - Save the currently active database to a file.
  • Change Database URL - Change the URL the ExtremeCloud IQ Site Engine Server uses when connecting to the database.
  • Initialize Plugin Data - Initialize a specific ExtremeCloud IQ Site Engine application's components in the ExtremeCloud IQ Site Engine database by using the File > Database > Initialize Components menu option.
  • Restore or Initialize Database - Restore the initial database or restore a saved database.
  • View or Change Database Password - View and change the password the ExtremeCloud IQ Site Engine Server uses to access the database.
OneView Device Types Read Access
Allows the user read access to device types in ExtremeCloud IQ Site Engine.
OneView Device Types Read/Write Access
Allows the user read and write access to device types in ExtremeCloud IQ Site Engine.
OneView Options Read Access
Allows the user read access to options in ExtremeCloud IQ Site Engine.
OneView Options Read/Write Access
Allows the user read and write access to options in ExtremeCloud IQ Site Engine.
Configure Server View
Allows the ability to view and configure ExtremeCloud IQ Site Engine Console client connection options:
  • View - Access and view the Client Connections.
  • Configure - Configure the type and number of clients that can connect to your server.
Disconnect Clients
Allows the ability to disconnect clients in the Client Connections table on the Server Information tab.
Revoke Locks
Allows the ability to revoke operation locks in the Locks table on the Server Information tab.
View Server Information
Allows the ability to view, but not to configure the Server Information tab. Users who do not have this capability see an error message when they attempt to access the tool.
Vendor Profiles
Allows the ability to view and configure vendor profiles on the Administration tab and on the Vendor Profile tab in the Configure Device window:
  • OneView Vendor Profile Read Access - Access and view Vendor Profiles.
  • OneView Vendor Profile Read/Write Access - Configure the Vendor Profiles in ExtremeCloud IQ Site Engine.

Alarms and Events

Alarms
Allows the following Alarm configuration capabilities:
  • Configure - Configure alarms using the Alarms Definition tab.
  • OneView Alarms Read Access - Allows the ability to view alarm information on the Alarms & Events tab.
  • OneView Alarms Read/Write Access - Allows the ability to view and edit information on the Alarms & Events tab.
  • View - View alarms in the Event Log.

Application Analytics

Application Analytics Read Access
Allows the ability to access the Analytics tab and view the ExtremeAnalytics reports. Selecting this capability requires you to select the capability for Access OneView Reports.
Application Analytics Read/Write Access
Adds the ability to view the Analytics > Configuration tab and configure ExtremeAnalytics engines and NetFlow and Application Telemetry Collecting devices. Also adds the ability to create and modify fingerprints. Selecting this capability requires you to select the capability for Access OneView Reports.
Events
Allows the following Event configuration capabilities:
  • Acknowledge Events - Acknowledge events in the event log.
  • Clear and Roll Server Log Managers - Clear and roll event logs on the ExtremeCloud IQ Site Engine Server using the button in the lower-right corner of the event log.
  • Configure Event Options - Set suite-wide Event Logs options available from the Tools > Options window.
  • Configure Server Log Managers - Add, edit, and remove Log Managers using the Event Configuration tab.
  • View Event Logs - View event logs in all ExtremeCloud IQ Site Engine applications.
  • View Events for No Access Devices - If you configured an authorization group with "No Access" to specific devices (in the Profile/Device Mapping tab), this capability allows members of that group to view events for the No Access devices, even though they cannot access the devices.

Compliance

OneView Compliance Read Access
Allows the ability to view configuration compliance information on the Compliance tab.
OneView Compliance Read/Write Access
Allows the ability to view and edit configuration compliance information on the Compliance tab.

Network

Archives
Allows the ability to create and configure an archive to save device configuration data and capacity planning data:
  • OneView Archives Read Access - View archive data.
  • OneView Archive Read/Write Access - View and edit archive data.
Configuration Templates
Allows the ability to create and customize the configuration templates used for grouping product and device families by enabling any of the following options:
  • OneView Templates Read Access - View configuration template data.
  • OneView Templates Read/Write Access - View and edit configuration template data.

Devices

Access Terminal
The Access Terminal capability controls your access to opening a terminal session from the device menu.
 NOTE: If you are upgrading to ExtremeCloud IQ Site Engine Version 8.5.3 (and future versions), the Access Terminal capability is enabled by default for new Authorization Groups, but is DISABLED by default for existing Authorization Groups. After upgrading to version 8.5.3, you must review and modify your Administrative Groups and configure them for Access Terminal individually.
Add, Discover, and Import
Allows the ability to add devices using the Add Device window, discover devices using the Discovered tab and import devices.
Allow SNMP sets to Devices
Allows the ability to write SNMP sets to network devices.
Authentication Configuration
Allows the ability to configure and change the authentication settings on your devices.
Configure Devices
Allows the ability to configure settings on your devices.
Configure Groups
Allows the ability to create device groups and add and remove devices to and from device groups.
Delete
Allows the ability to delete devices from the ExtremeCloud IQ Site Engine database.
Execute CLI Commands
Allows the ability to execute CLI commands on a device using the command line interface.
FlexView
Allows the ability to perform the following OneView FlexView functions:
  • OneView FlexView Read Access - Allows the ability to launch a FlexView from the Network tab.
  • OneView FlexView Read/Write Access - Allows the ability to launch and edit a FlexView from the Network tab.
Configuration Archive Management
Allows the ability to create and configure an archive to save device configuration data and capacity planning data by enabling any of the following options:
  • Archive Restore Wizard
  • Stamp New Versions
  • View/Compare Configurations
  • Configuration Templates Download Wizard
  • Firmware/Boot PROM Upgrade Wizard
  • Restart Device Wizard
Launch WebView
Adds the ability to execute the WebView of a device.
 NOTE: If you are upgrading to ExtremeCloud IQ Site Engine Version 8.5.1 (and future versions), the "Launch WebView" capability is enabled by default for new Authorization Groups. For ExtremeCloud IQ Site Engine Versions 8.5.0 or earlier, the "Launch WebView" capability is DISABLED by default. After upgrading to version 8.5.1, you must review and modify your Administrative Groups and configure them for "Launch WebView" individually.
Maps/Sites
Allows the ability to perform the following map functions:
  • Maps Write Access - Adds the ability to access the Map tab, and view and modify maps. This includes adding devices to the maps, drawing on the maps, changing map scale, and changing map properties (for example, the map name and background image).
  • Maps/Sites Read Access - Adds the ability to access the Map and Sites tab, and view maps and site details.
  • Sites Write Access - Adds the ability to access the Sites tab, and view and modify sites. This includes adding devices to the sites, changing site properties, and deleting sites.
Overwrite Local Changes
Allows the ability to overwrite local changes made to the Devices tab.
RADIUS Configuration
Allows the ability to configure RADIUS Servers and Configurations.
Set Device Profiles
Allows the ability to specify the SNMP profiles each authorization group uses when communicating with each device.
Syslog Configuration
Allows the ability to launch and use the Syslog Receiver Configuration window.
Trap Configuration
Allows the ability to launch and use the Trap Receiver Configuration window.

Firmware

Firmware
Provides the ability to perform the following firmware functions via ExtremeCloud IQ Site Engine:
  • OneView Firmware Read Access - Allows the ability to view firmware images.
  • OneView Firmware Read/Write Access - Allows the ability to perform a configuration upload/download or firmware image download on a device.

Reports

Access OneView Reports
Adds the ability to view all reports accessed from the Reports tab.

Wireless Manager

Configure
Allows the ability to configure Wireless Manager.
Launch
Allows the ability to launch Wireless Manager from the Wireless tab.

Workflows/Scripts

Access Scheduled Tasks
Adds the ability to use the Scheduled Tasks tab.
View and Edit Workflows, Scripts, and Saved Tasks
Allows the ability to view, edit, and run workflows, scripts, and saved tasks on the Tasks tab in ExtremeCloud IQ Site Engine.
  NOTE: Access to some ExtremeCloud IQ Site Engine components is determined by capabilities in other capabilities groups:

XIQ-SE Console > Wireless Manager > Launch
Adds the ability to view the Wireless tab.

XIQ-SE Suite > Devices > Add, Discover and Import
Adds the ability to add devices in the Network tab.

XIQ-SE Suite > Devices > Delete
Adds the ability to delete devices in the Network tab.

Inventory Manager > Configuration Archive Management > View/Compare Configurations
Adds the ability to compare archived device configurations in either the Network tab or the Archive Details Report available in the Reports tab.

XIQ-SE Suite

Authorization/Device Access

Allow Tools to Use All Profiles
In MIB Tools, this capability allows users to select from all available profiles when using a Console profile to contact the device.
Allow View of No Access Devices
If an authorization group is configured with "No Access" to specific devices (in the Profile/Device Mapping tab), this capability allows members of that group to view the No Access devices in the left-panel tree, even though they cannot access the devices.
Configure LDAP and RADIUS and TACACS Servers
Allows the ability to configure RADIUS Servers and LDAP Configurations in the Users/Groups tab in the Authorization/Device Access tool.
Manage SNMP Passwords
Allows access to the Manage SNMP Passwords tab in the Authorization/Device Access tool and the ability to manage the credentials set on network devices.
View Authorization/Device Access
Allows the ability to view, but not to configure Authorization/Device Access.

Common Web Services

Web Services APIs Read Access
Provides read access to the ExtremeCloud IQ Site Engine Common web service, which is an external integration point. The Common web service exposes methods for manipulating ExtremeCloud IQ Site Engine infrastructure components.
Web Services APIs Read/Write Access
Provides read/write access to the ExtremeCloud IQ Site Engine Common web service, which is an external integration point. The Common web service exposes methods for manipulating ExtremeCloud IQ Site Engine infrastructure components.

Device Local Management WebView

Auto Login to Web Local Management for ExtremeWireless Controllers
Allows the ability to launch local management for wireless controllers without requiring a login for users with the necessary credentials. Users who do not have this capability are required to log in.
Auto Login to Web Local Management for NAC Appliances
Allows the ability to launch local management for ExtremeControl engines without requiring a login for users with the necessary credentials. Users who do not have this capability are required to log in.

Web Service Credentials

Read operations
Provides read access to the ExtremeCloud IQ Site Engine Credentials web service, allowing programmatic access to authentication profiles and credentials used for device access.
Read/write operations
Provides read/write access to the ExtremeCloud IQ Site Engine Credentials web service, allowing programmatic access to authentication profiles and credentials used for device access.

ExtremeCloud IQ Site Engine All User Options

These capabilities provide the ability to set suite-wide options that apply to all users.

Configure SMTP E-mail Options
Allows the ability to specify the SMTP email server used by the ExtremeCloud IQ Site Engine email notification feature.
Configure Services for NetSight (ExtremeCloud IQ Site Engine) Server Options
Allows the ability to specify TFTP settings.
Configure Web Server
Allows the ability to specify the port ID for HTTP web server traffic.
Open GTAC Support Case
Allows the ability to create a GTAC support case or RMA case from the Network tab.
Request and Configure ExtremeNetworks.com Support
Allows the ability to request information about the latest ExtremeCloud IQ Site Engine product releases via the Help > Check for Updates option from the menu bar in any application and request information about firmware releases via the Help > Check for Firmware Updates option in Inventory Manager. It also allows you to configure the check for updates operation (including scheduled updates) in the Suite options. These features tell you when updated versions of ExtremeCloud IQ Site Engine products and firmware are available and allow you to download newer versions to keep your software and firmware current.

ZTP+ Registration

Allows the ability to configure a ZTP+ enabled device and add it to ExtremeCloud IQ Site Engine.