Juniper ISG1000

Hello,

the problem might seem easy but it's not to me:

I'm trying to administrate ISG1000 (NSMXpress) through the NSM only.

I have created some users:
Configure -> Object Manager -> UserObjects
and here I have created Admin and Superuser groups and then I have put two individual users into Superuser group

In Configure -> DeviceManager -> Devices
I have my ISG1000

My question is: how to assign access rights/privileges to my users created in Superuser group (and differentiate them from future members of Admin group with higher rights), please?

Thank you in advance.

Kind regards,
Darko
darko68_Asked:

dpk_wal Commented:
0
darko68_Author Commented:
Hello, thx for the answer but I'm not sure it fits, namely:
on ISG1000 I do not have the "path" that is referenced in the solution link. What I do have is what can be seen on the ISG1000-img1
[Image: ISG1000-img1]
and in this way I know I can assign admin role e.g.
My problem is how to assign any access rights to the users made through Configure->ObjectManager-> UserObjects.
As can be seen on ISG1000-img2
[Image: ISG1000-img2]
I have made 2 groups and then I have made two users in one of the groups (Superuser).
Now, I don't know how to apply/give/assign any access right/privilege to those two users - to be differentiated (as super-users) from potential users with admin rights in other (Admin) group.

Is this the way to do such a thing at all? Or have I missed the path/way of doing it completely?

It certainly can not be done in a way of a kind of a right-click on a user and then do something because nothing about access can be done there - see please the ISG1000-img3
[Image: ISG1000-img3]
What about the AccessProfiles - pls. see ISG1000-img4
[Image: ISG1000-img4]
and the relation with users in UserObjects?

Kind regards,
Darko
   
0
mindwise Commented:
Hi Darko,

If you're configuring the ISG from NSM only, you don't need to set up any local users...

All the admins should be created in the NSM / DOMAIN area.

The DOMAIN determines access to devices, and ROLES determine what a user can do on devices within their 'Domain'.

So you can create an admin in the GLOBAL domain (the one you are using) and assign him a ROLE that you like (or create yourself).

The LOCAL users are only needed when you manage the device via CLI or WEBUI. (or for vpn or firewall authentication obviously)...

So go to the domain admin section of the NSM, not the local users on the ISG :)

Hope this helps,
0

dpk_wal Commented:
Thank you for the screenshots; I understand what you wish.

The local user in Object Manager [as per NSM admin guide]:
User objects represent the users of your managed devices. You can include user objects
or groups in security policies or VPNs to permit or deny access to individuals or groups.
NSM supports two types of user objects:

Local Users—Users with accounts that are managed by your security devices. You can
create local user groups that include multiple users to simplify user administration and
make policies and VPNs easier to create.

Local users created here would be used in firewall policy or VPN but not for device management.

Hope this clears what you wish to implement.

Thank you.
0
darko68_Author Commented:
A lot more description and explanation would be very welcome.
But, thank you anyway.
0
mindwise Commented:
That's exactly what I said 11.5 hours earlier with at least a mention of which admins would need.

Thanks for nothing, Darko.
0
dpk_wal Commented:
You could have better deleted this question rather than grading C; if you needed more explanation you SHOULD HAVE ASKED.
0
darko68_Author Commented:

Thank you ALL for your help, truly.
And please - no comments any more - I am not going to reassign points again.

Kind regards.
0
Question has a verified solution.