View, add, and modify an admin account in this window. Grant access to an external administrator.
From this window you create a new admin account and set parameters such as read/write privileges and device management restrictions based on deployment locations.
To create a new admin account:
- Determine whether the new admin is within your organization or external:
Create a new admin account: Select this option to create an account for an admin within your organization.
Grant access to an external admin: Select this option to grant access to administrators outside of your organization. These administrators include personnel from Extreme Networks resellers, distributors, technical support, and sales engineering.
- External administrators must already have a ExtremeCloud IQ account before they can be added.
When external administrators log in, they first visit the ExtremeCloud IQ Admin Portal window where they can either access their Virtual IQ account or your account by selecting the account name in the Manage Other Deployments list. They can later switch to another Virtual IQ by selecting > Switch ExtremeCloud IQ.
- Enter the following information:
Email Address: Enter the administrator's email address.
Name: Enter the name of the admin. This field only appears for administrators who are internal to your organization.
Organization: (Hierarchical ExtremeCloud IQ only.) Assign an admin to an existing Hierarchical ExtremeCloud IQ organization here. See "Hierarchical ExtremeCloud IQ Organizations" for more information.
Idle Session Timeout: Enter the number of minutes before a session times out. The default is 30 minutes. The range is from 5 to 240 minutes.
Choose a Role: You must assign a role to each admin. For a detailed description of each role, see "Admin Role Overview". To assign a role, select one of the following options in the Choose Role section:
- Help Desk
- Guest Management
Assign Location: Assigning an admin to a location is an optional step that restricts management to the devices deployed at that location. By default, all roles have access to your entire network. In addition, you cannot assign administrator roles to a location because that role requires access to your entire network. Before you assign an admin to a location, you must create a topology map of your network from the Network 360 Plan tab. For information about creating maps, see "ML Insights Network 360 Plan"; and for information about locations, see "Location Access Overview".
Select the check box next to the location to which you want to assign an admin.
- Select Save & Close at the bottom of the window. ExtremeCloud IQ sends an email with a link to set a password to the email address that you specified in the Enter Account Details section.
As an administrator, you can assign the following roles to employees accessing the Extreme Networks network— administrator, operator, monitor, help desk, guest management, or observer. You can assign only one role to each admin account. However, you must assign a role to every admin account. (There is no option to add an admin who is not associated with a role.) The default role is administrator. All of the roles provide access to the assigned individual's personal account information, which allows them to change their password. For more information, see "Account Management".
One of the features of role-based access control is the ability to assign an admin to a location, such as a city (or cities) or a building (or buildings) within your network. As an administrator, you can assign a location to the operator, monitor, help desk, and observer roles. For information about how to assign an admin to a location, see "Location Access Overview".
This table lists the access rights of each role.
|Role||Location Assignment||Dashboard||Client 360° & User 360° Views||Manage, Insights, & Configure
|Administrator||No||Full access||Full access||Full access||Full access||Full access||Full access|
|Operator||Yes||Full access||Full access||Full access||Full access||No access||Full access|
|Yes||Read only||Read only||Read only
(See description below)
|Full access||No access||Read only|
|Monitor||Yes||Read only||Read only||Read only||Full access||No access||Read only|
|Help Desk||Yes||No access||Read only||No access||Full access||No access||No access|
|Guest Management||No||No access||No access||No access||No access||No access||Full access|
|Observer||Yes||Read only||Read only||Read only||Read only||No access||Read only|
|Yes||IoT Only||No access||No access||No access||No access||No access|
The following sections describe these roles.
The administrator has full read-write access to ExtremeCloud IQ and your network. It is the only role that can create and manage administrators as well as ExtremeCloud IQ licenses. One advantage of defining a separate account for each ExtremeCloud IQ administrator is that you can identify which administrator made configuration changes (and when) by examining the audit logs, which are located at admin_name Accounts > Global Settings > Logs > Audit Logs.
In addition, the administrator role is the only role that can restrict other administrators to a specific location, such as a city or a building, within your network. See "Location Access Overview".
The operator role is similar to the administrator role. It has nearly all the same access rights, including full write access to your network, except it cannot manage accounts and licensing. For example, assign an operator role to a third-party vendor who can deploy devices and configure ExtremeCloud IQ.
The operator role can update the network map (located on the Insights > Network 360 Plan tab) to add a building or a floor to a location, unless the operator is restricted to a location, in which case that operator cannot add a new location.
Operators that are restricted to a location can modify network policies but can only push policy updates to devices within their restricted location. The policy update is captured as an event in Account > Global Settings > Logs > Audit Logs. For more information, see "Audit Logs". When a local operator pushes an edited network policy within their restricted location, a red exclamation mark will appear next to the names of the devices outside this location that are using the same network policy. This indicates that the network policy is mismatched. To resolve the mismatch, administrators or global operators (who have access to the entire network) can either push the updated network policy onto all the devices in their network or manually reset the audit status of those devices. Local operators who are restricted to their respective locations can inadvertently clear the status of the device when the device has a mismatched policy. As an administrator best policy, you might want to advise your local operators to not edit network policies.
- The local operator cannot view alarms for locations that they cannot access.
The installer role was designed to work with the mobile app, and so has limited privileges based on the in-build limitations of the app. If you log in to ExtremeCloud IQ as an admin with Installer privileges using the standard web interface, then the Management, Insights, and Configuration tools are read only except for the following exceptions:
Onboard, update, reboot, and delete devices
Assign network policies
The monitor role is granted full read-write access to the Tools tab (Manage > Tools) and restricted (read-only) access to the remaining tabs. For example, assign a monitor role to someone who responds to client issues on the Tools tab and regularly checks the (Undefined variable: Primary.ML Insights) > (Undefined variable: Primary.Network 360 Monitor) tab. With full access to the Tools tab, administrators assigned to the monitor role can diagnose client issues, escalate issues, and mark issues as resolved.
Help Desk role is a limited role that is restricted to staff who are dedicated to resolving client connectivity issues. They are granted full access to the Tools tab. With this access, they can diagnose client issues, escalate issues, and mark issues as resolved. Also, they can select to enter a user name to see details for that user, or a MAC address to see details for a client.
The guest management role is for employees who need to create user accounts for guests, contractors, and employee personal devices that allow access to your wireless network to reach the Internet. The guest management role has access to the guest management admin interface. However, employees using the guest management role cannot view the Onboard,, Manage, Configure, Insights and A3 tabs. You cannot restrict administrators with the guest management role to a location (building or city). For more information, see "Extreme Guest Access Configuration Guide".
The observer role provides read-only access to most of the ExtremeCloud IQ interface. However, this role does not allow access to the account and license management functions. For example, assign the observer role to administrators who only need to see network status information.
- The difference between the observer role and the monitor role is the monitor has write access to the Tools tab and read access to the rest of your network. The observer role has read-only access.
The Application Operator role is designed to be used by non-IT personnel to assign roles to IoT devices. When an installer adds IoT devices to an ExtremeIOT Essentials-supported access point, an application operator can access ExtremeCloud IQ with IoT visibility only, and choose a predefined role. The Application Operator cannot see other menus, nor change configurations on the network. An admin must predefine a profile. The Application operator can view client devices and supported APs with status information, and can change roles for a client device.
In addition to limiting network access by role, you can restrict location access using the operator, monitor, help desk, and observer roles. By default, if you do not assign a location to an admin then that admin has global access to your network. The first step in defining location access is to create a network map (or import one) on (Undefined variable: Primary.ML Insights) Network 360 Plan. You must have a network map before you can assign an admin to a location. For details about how to create a network map, see "ML Insights Network 360 Plan".
The access restrictions of admin roles by location are based on how you have defined your network map. A network map can consist of up to four tiers— network name, location, building, and floor. The top tiers of the network map is often named after your organization. In the following example, "Nature Unlimited" is the network name and the name of the organization. The definition of the second tier depends on how you define your network map. You can assign either a geographic location, such as a city or town, or a building directly to the network name. For role-based access control, tier two is the most important tier because its assignment determines the user access. So, if your map includes an organization, city, building, and floor assignments, then your administrators assigned to a location are restricted to a city (or cities). However, if your map includes an organization, a building (or buildings), and a floor (or floors), then your administrators assigned to a location are restricted to a building (or buildings). You cannot limit admin access to a single floor within a building.
The remaining tiers are assigned depending on if tier two is assigned to a location or a building. For network maps with a tier two assigned to a location, then the tier three on the map is a building on campus. Tier four consists of one or more floors within the building such as floor 1 and floor 2. For a network map assigned with tier two assigned a building, then tier three is assigned to a floor or floors. In this case, there is no tier four.
- The term "tiers" is used to describe the differences between locations. It does not appear in the GUI.
Tier Two Assigned to a Geography
In the Nature Unlimited example, tier two is assigned to a geographic location . Nature Unlimited is a small company located in Kodiak, Alaska. This organization has a single, one-story building at 100 Wildwood Way. In this example, the location is assigned to Kodiak, Alaska and this is the tier two. If you create an operator role and assign it to the location of Kodiak, Alaska, then that operator can access the entire network, including the building with the address of 100 Wildwood Way and floor 1.
For large organizations, you might have a network map that consists of multiple locations and buildings. In the following network map, Windspinner Cruises has offices in Miami, San Diego, and Oslo, Norway. The Miami locations are divided between two campuses.
With multiple locations, you can assign an admin role to one, multiple, or all locations. Applying this strategy to the above example, you can allow an admin to access one, two, or all the Miami, San Diego, and Oslo campuses. Also, allowing access to the Miami campus automatically allows access to both buildings, 171 Channel Way and 4752 Lagoon, on this campus. You cannot limit administrators to a building within a campus when tier two is assigned to a geographic location.
Tier Two Assigned to a Building
You can assign a building directly to an organization. You might want to do this if you only have one building in your organization or if you have several buildings in one geographic location. In either case, the building becomes your second-tier access level. The following section describes location assignment by building.
One Building Example
In a one-building example, a retail store called "San Jose LUX" is the network name. This organization consists of one building with three floors. Tier two is the building "250 South Market Street." Limiting an operator to the 250 South Market Street building allows them access to all three floors in that building.
Multiple Building Example
If your network map has multiple buildings, you can assign an admin role to one, multiple, or all the buildings on your campus. For example, San Jose LUX (now San Jose LUX, Inc) has expanded to three buildings. In this case, you could assign three operators— one to each building.
When you restrict an operator role to a tier-two building, that admin is limited to seeing data only for this building. A local operator who is restricted to a building will only see analytics for that building.
As described previously, an administrator can assign admin roles to either a geographic location or a building. The administrator can see all the devices in your network. The following rules apply to roles with regard to location assignment:
- Roles that are not assigned to a location can see devices that are not assigned to a location.
- Roles that you assign to a location can see the devices assigned to that location as well as devices that are not assigned a location.
- Roles assigned to one location cannot see devices assigned to another location.
For example, you create a local operator account for the San Jose location. This operator can see devices assigned to San Jose as well as devices in your network to which you have not assigned a location. However, this operator cannot view devices that are assigned to another location such as San Francisco. Take this into account when deciding whether to assign devices to a location.
- Best practice is to create a network map and assign devices to locations soon after a device connects to ExtremeCloud IQ.
Copyright © Extreme Networks, Inc. 6480 Via Del Oro, San Jose CA, 95119 USA