https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/xmc-user-group-with-only-read-only-access-to-some-devices/m-p/91252#M9582 Hi,<BR /> <BR /> i'm actually designing user right to device in xmc 8.2.<BR /> <BR /> For the example, the user "DIT" should be able to have full right on certain devices and only read-only right to certain other device.<BR /> <BR /> I created a local user "DIT" in a specific user-group "DIT_LILLE" with standard netsight right (allow set snmp to devices is checked)<BR /> <BR /> I created 2 profiles :<BR /> <UL> <LI>the first profile (RW) have Read-write CLI and Read-write SNMP credentials (SNMPv3) </LI><LI>the second profile (RO) have read-only CLI and read-only SNMP credentials (SNMPv3) </LI></UL> I mapped the RW profile to a device "sw-bur30" and the RO profile to a second device "SW-alsit" for the user group "DIT_LILLE" in the device-mapping.<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="72174e2296c8419ebb1c037b01f79eb2_1b737046-cd7b-4123-acf4-1b9491989ad8.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/183i8CE1844F2FFD152E/image-size/large?v=v2&amp;px=999" role="button" title="72174e2296c8419ebb1c037b01f79eb2_1b737046-cd7b-4123-acf4-1b9491989ad8.png" alt="72174e2296c8419ebb1c037b01f79eb2_1b737046-cd7b-4123-acf4-1b9491989ad8.png" /></span></P><BR /> <BR /> <BR /> Both of the device have a default administration profile set to the RW profile.<BR /> <BR /> When I log on with the "DIT" user, I can make change to interface status and i can enforce device configuration on both device so the RO profile seems to not being used ...<BR /> <BR /> If I uncheck the ''allow set snmp to device'', the user is unable to make change to both devices.<BR /> <BR /> So it seems that the user "DIT" is using the administration profile set globally to the devices instead of the specific one made in the device-mapping .<BR /> <BR /> here is the SNMPv3 user configuration on the device:<BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="72174e2296c8419ebb1c037b01f79eb2_9a2ed35f-02a2-475d-9c68-5d55456f6f88.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5590i3E70E06CAE37C649/image-size/large?v=v2&amp;px=999" role="button" title="72174e2296c8419ebb1c037b01f79eb2_9a2ed35f-02a2-475d-9c68-5d55456f6f88.png" alt="72174e2296c8419ebb1c037b01f79eb2_9a2ed35f-02a2-475d-9c68-5d55456f6f88.png" /></span></P><BR /> <BR /> I made a tcpdump of a disable port sent to the read-only device and I can see that XMC didn't use the specific SNMPv3 user xmc_ro but the RW one xmc.<BR /> <BR /> 16:22:35.659049 IP pns1scmgb001.prod-exp.justice.fr.39111 &gt; 10.79.252.245.snmp: F=apr U="xmc" [!scoped PDU]83_54_9e_aa_11_f9_05_7d_8d_84_20_77_f0_f8_32_27_10_a8_f4_e5_a4_aa_71_e3_25_0c_49_a9_2c_33_c1_fa_89_c8_1a_ba_33_ac_01_f6_b3_62_38_e6_8e_d8_84_13_b1_c7_c7_f9_c1_64_fa_e6_01_50_16<BR /> 16:22:35.671323 IP 10.79.252.245.snmp &gt; pns1scmgb001.prod-exp.justice.fr.39111: F=ap U="xmc" [!scoped PDU]92_e9_b2_94_6f_89_f9_87_2f_cb_f8_ab_0a_f9_f9_92_f3_7e_38_be_3e_3e_04_39_2d_5e_c7_4a_d2_96_fe_cc_0c_49_ba_e9_2e_cc_54_b5_9f_05_c4_1b_da_12_26_48_08_18_1f_f7_12_13_af_ef_53_a9_f0<BR /> <BR /> Is there someone here that managed to deal with this ?<BR /> <BR /> thanks! Tue, 12 Mar 2019 21:45:06 GMT Sbinet 2019-03-12T21:45:06Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/xmc-user-group-with-only-read-only-access-to-some-devices/m-p/91252#M9582 Hi,<BR /> <BR /> i'm actually designing user right to device in xmc 8.2.<BR /> <BR /> For the example, the user "DIT" should be able to have full right on certain devices and only read-only right to certain other device.<BR /> <BR /> I created a local user "DIT" in a specific user-group "DIT_LILLE" with standard netsight right (allow set snmp to devices is checked)<BR /> <BR /> I created 2 profiles :<BR /> <UL> <LI>the first profile (RW) have Read-write CLI and Read-write SNMP credentials (SNMPv3) </LI><LI>the second profile (RO) have read-only CLI and read-only SNMP credentials (SNMPv3) </LI></UL> I mapped the RW profile to a device "sw-bur30" and the RO profile to a second device "SW-alsit" for the user group "DIT_LILLE" in the device-mapping.<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="72174e2296c8419ebb1c037b01f79eb2_1b737046-cd7b-4123-acf4-1b9491989ad8.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/183i8CE1844F2FFD152E/image-size/large?v=v2&amp;px=999" role="button" title="72174e2296c8419ebb1c037b01f79eb2_1b737046-cd7b-4123-acf4-1b9491989ad8.png" alt="72174e2296c8419ebb1c037b01f79eb2_1b737046-cd7b-4123-acf4-1b9491989ad8.png" /></span></P><BR /> <BR /> <BR /> Both of the device have a default administration profile set to the RW profile.<BR /> <BR /> When I log on with the "DIT" user, I can make change to interface status and i can enforce device configuration on both device so the RO profile seems to not being used ...<BR /> <BR /> If I uncheck the ''allow set snmp to device'', the user is unable to make change to both devices.<BR /> <BR /> So it seems that the user "DIT" is using the administration profile set globally to the devices instead of the specific one made in the device-mapping .<BR /> <BR /> here is the SNMPv3 user configuration on the device:<BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="72174e2296c8419ebb1c037b01f79eb2_9a2ed35f-02a2-475d-9c68-5d55456f6f88.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5590i3E70E06CAE37C649/image-size/large?v=v2&amp;px=999" role="button" title="72174e2296c8419ebb1c037b01f79eb2_9a2ed35f-02a2-475d-9c68-5d55456f6f88.png" alt="72174e2296c8419ebb1c037b01f79eb2_9a2ed35f-02a2-475d-9c68-5d55456f6f88.png" /></span></P><BR /> <BR /> I made a tcpdump of a disable port sent to the read-only device and I can see that XMC didn't use the specific SNMPv3 user xmc_ro but the RW one xmc.<BR /> <BR /> 16:22:35.659049 IP pns1scmgb001.prod-exp.justice.fr.39111 &gt; 10.79.252.245.snmp: F=apr U="xmc" [!scoped PDU]83_54_9e_aa_11_f9_05_7d_8d_84_20_77_f0_f8_32_27_10_a8_f4_e5_a4_aa_71_e3_25_0c_49_a9_2c_33_c1_fa_89_c8_1a_ba_33_ac_01_f6_b3_62_38_e6_8e_d8_84_13_b1_c7_c7_f9_c1_64_fa_e6_01_50_16<BR /> 16:22:35.671323 IP 10.79.252.245.snmp &gt; pns1scmgb001.prod-exp.justice.fr.39111: F=ap U="xmc" [!scoped PDU]92_e9_b2_94_6f_89_f9_87_2f_cb_f8_ab_0a_f9_f9_92_f3_7e_38_be_3e_3e_04_39_2d_5e_c7_4a_d2_96_fe_cc_0c_49_ba_e9_2e_cc_54_b5_9f_05_c4_1b_da_12_26_48_08_18_1f_f7_12_13_af_ef_53_a9_f0<BR /> <BR /> Is there someone here that managed to deal with this ?<BR /> <BR /> thanks! Tue, 12 Mar 2019 21:45:06 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/xmc-user-group-with-only-read-only-access-to-some-devices/m-p/91252#M9582 Sbinet 2019-03-12T21:45:06Z