Account security roles
Each system user has a role (Administrator, Operator, Read-only, None).
Access to various parts of the application is limited according to users access role.
This article describes the access that each role has.
System access table
|
Administrator |
Operator |
Read-only |
None |
---|---|---|---|---|
Login |
✓ |
✓ |
✓ |
X |
Access to all features |
✓ |
✓ * |
read-only access * |
X |
Change any settings |
✓ |
✓ * |
X |
X |
License settings |
✓ |
read-only access |
X |
X |
User management |
✓ |
X |
X |
X |
-
- see details for additional limitations
Administrator
Accounts with the Administrator access role have full access to NCM and all features within.
In other words, Administrator users are not limited in any way.
Operator
Accounts with the Operator role have full read/write access to NCM, except:
-
Operators have no access to the User management screen
-
Operators can not delete Device Tags (as this can affect access policies)
-
Access to License settings is read-only (can see, but can't change license key)
-
Access to Sensitive data stripping is read-only
We recommend that most users have Operator set as their access role.
Users authenticated from Radius are assigned the Operator role.
Access for operator accounts can be further restricted using Device access tags.
Please see this wiki article for more information: Device access restrictions.
Read-only
Read-only role accounts have read-only access to NCM - they can not configure or change any settings.
Additionally, read-only accounts have these limitations:
-
Read-only accounts have no access to the User management screen
-
Read-only accounts have no access to the License settings menu
-
Read-only account do not have access to Show Password and Show All Passwords in the Credentials screen
Access for read-only accounts can be further restricted using Device access tags.
Please see this wiki article for more information: Device access restrictions.
None
Accounts with the None role have no access to the application - they can not even log in.
This role is meant to deny access to NCM for a particular account, without the need to delete that account.