Data on Lumeta is segregated by an enterprise-grade user management facility that controls who can see Lumeta system options, components, and zones. Access to individual zones is controlled by an administrator who assigns users to organizations and zones. User-defined system configurations can be reused in all zones to which the user has access.
In the context of Lumeta and for the purpose of linking users to zones, an Organization is a set of Zones with a common set of permissions. There can be many organizations and these are associated with one another in a single layer without hierarchy. Organizations do not nest within other organizations.
Each organization has three fully defined roles belonging to it: SysAdmin, Manager, and Viewer. The organization segregates users and controls what information they can see and manipulate. You can add, edit, and delete most organizations. The default organization, called Organization 1, can be renamed but not deleted.
This structure of access control enables you to restrict zone access to particular users. Now, New York Lumeta users can have access to the New York Zone and not the London Zone, for example. London users can be granted access to London Lumeta Zone and blocked from New York Lumeta Zone.
Example: User Sally
Example: User Bob
Available Zones are sets of network devices you want to monitor as a unit. For example, a zone might describe a subnet, an enclave, boxes containing classified financial data, machines belonging to a particular business unit, devices affiliated by region or purpose, machines over which a security or operations professional is responsible.
A zone may also describe a set of network devices that are to be monitored using defined indexing methods. In the screencap on the left, several zones have been set up to target the same IPs/CIDRs. The indexing methods each zone uses to explore the area, however, vary. The zones have been named to indicate the indexing methods that have been configured to perform. Host+Port+DP, for example, contains collectors configured to identify host, port, and device profiling information. This method is especially useful when you want to find out or better understand what Lumeta can discover using one indexing technique versus another.
Typically, one organization contains several zones.
When you add a zone, consider giving it a name that's associated with its user base such as Corporate Zone, Guest Zone, or Wi-Fi Zone. Or give it a name with geographical or business significance such as Manufacturing, Finance, West Coast Office, or New York Office.
See Adding & Managing Zones for step-by-step procedures on how to add, edit, view, monitor, and map zones.
A user is a login and password combination that identifies individuals entitled to use Lumeta. Lumeta=> Username can be a combination of alphanumeric characters but cannot start with number.
A superuser is not a role but a flag that allows a user to manage all aspects of the system regardless of zone affiliation. The entire system is accessible to a user with superuser privileges. CRUD operations can only be performed by a superuser. Also, the superuser can see the Support menu option.
The superuser permission is required to grant superuser status to another user. It is also required to add the first user to an organization. At least one user must have this superuser flag set. Any attempt to delete the last superuser is ignored by the system and a message is returned to the user. The password for this user is "admin". See
Lumeta comes with two default users: admin and manager - The admin has the SysAdmin role and superuser privileges.
|Has SysAdmin role and superuser privileges|
Has Manager role of the default Organization 1.
Has Viewer role of the default Organization 1.
Browse to Settings > Users to set up user accounts and system access.
Roles define the system features and commands users can access. Each user is assigned a set of permissions, or role.
Lumeta comes with three pre-defined roles that you can assign to a user. You can assign all three rolls to a user, two of the roles to a user, or none of the rolls to a user.
SysAdmin - Manages the system. Is concerned with details at device level (i.e., software and hardware). Can manage the Lumeta System (Installation of License, Upgrading the System, Configuring CEF, Resetting the IP, Restarting services or system). The SysAdmin cannot log in to the Lumeta GUI unless he or she has also been given the Viewer role, the Manager role, or has been flagged as a superuser.
Manager - Concerned with Lumeta-specific details. Manages the Organization to which he/she belongs. Creates zones and collectors, assigning roles to users, subscribes to notifications, configures dashboards.
Manager can access the following commands in CLI:
Viewer - Read only. User cannot manipulate zones or Lumeta system software or hardware. Views the organization to which he/she belongs. Can view zones, collectors, maps, and dashboards.
Every GUI and CLI command calls an API. Every API call has either a single permission associated with it, or no permissions at all. If no permission, or the permission NONE, anyone can use that API.
|NO_ACCESS||API is disabled|
|NONE||No permission required (default) – Anyone can use the API|
|VIEW_ZONE||Viewing reports and dashboards|
|MANAGE_USERS||Adding and deleting users, assigning roles|
|MANAGE_ZONES||Adding/deleting/configuring zones and collectors|
|MANAGE_SYSTEM||All system-wide functions, like importing configs, starting/stopping services, etc.|
|MANAGE_SCOUT||Interpreted as "manage remote" for adding and deleting remote systems|
|BYPASS_ACCESS||Only superuser may use this API|
Every role has a group of permissions. If a user has a role, then that role's permissions define which APIs the user can call, and in turn which GUI and CLI commands. Superuser is not a role; it's a flag. When a user has the superuser flag enabled, the system bypasses (ignores) the roles and allows the user to run any API, and therefore any command.Some APIs require BYPASS_ACCESS permission, which means that only a superuser can use those APIs.
|Manager||MANAGE_USERS, MANAGE_ZONES, VIEW_ZONE|
If a user needs access to all zones, view only, what access would they need?
A user has admin right access, why can't that user see all zones?
Is there any conflict or issue with multiple users logging into the same CC at the same time, under the default admin account?