Device Group Actions Menu
There is a list of device groups on the left side of the Inventory page. Clicking a device group's action menu opens a window with the following items.

Edit Device Group

The Edit Group option is used to change the defined device group parameters.

To edit a device group:
1. Navigate to Devices > Inventory.
2. Select a device group, then click Options.
3. Change the group name, description, or parent group information.
4. Click Next.
5. Change other relevant information if needed.
6. Save.

When the user clicks the Edit button for the selected group and goes to the second page (using the Next button), the group parameters panel is shown. To search for a parameter by name, use the search textbox shown in the screenshot below. Kron PAM will search for the relevant parameter and open the panel that includes it.

Direct Credentials

Users that are predefined in the target device group are called global users. The credentials defined for these users (username, password, or private key) are used to access the target devices directly.

· Username: Specifies the user account used to connect to the target device.
· Password: Specifies the password of the user used to connect to the target device.
· Private Key: Specifies the private key used for SSH connections to the target device.
· Private Key Passphrase: Kron PAM allows users to establish an SSH connection using a valid passphrase. To use an SSH key, the direct credential username and private key passphrase must be defined for the device group.

· Additional Credentials: Allows the user to choose the correct account when there are multiple credential options while connecting to the target system. It also lets the user include additional credentials from different sources, such as session user, manual login, assigned credentials, or private keys stored in the vault.
    · Add session user to credential selection: When this option is enabled, the user can connect to the target device using the same account they used to log in to Kron PAM. For passwordless access, the username on the target device must be the same as the session user. If direct credentials are empty, Kron PAM tries to connect using the session user.
    · Add manual login to credential selection: When this option is enabled, users can enter their username and password manually during proxy connections.
    · Add assigned credential to credential selection: When this option is enabled, users can connect to the target device using assigned credentials if a vault account is assigned to them.
    · Add vaulted private key to credential selection: When this option is enabled, users can connect to the target device using an SSH private key securely stored in the vault. This enables key-based, passwordless authentication to the target system without exposing the actual private key to the session user.

· Custom Properties: A configuration area used to add and manage custom parameters that are not available in the default system settings. These properties allow users to customize system behavior based on specific needs.

· TACACS+ Secrets: Used to define authentication secrets for TACACS+ and RADIUS.
    · RADIUS/TACACS+ Key: The shared secret key used between the device and the TACACS+/RADIUS server. The same key must be configured on both the server and the device group in Kron PAM. It is used to verify and secure the authentication communication.
    · Enable Password: This password is used to switch from a low privilege level (user mode) to a higher privilege level (enable mode) after authentication. It is required when the device uses privilege levels.

Connection Approval Methods

Defines additional controls for user connections.

· Require managerial approval: When enabled, users must get approval from their user group manager before connecting to the device group. The connection request must be approved before access is allowed.
· Require user to enter a reason for connection: When enabled, users must enter a reason before starting a connection (such as RDP or SSH). This reason is saved for audit and tracking purposes.

Notification Settings

· Miscellaneous: This section includes additional settings for the device group that are not part of the main configuration. These settings are used to customize behavior and visibility.
    · Show in device tree: Makes the device group and its devices visible in the device tree. When enabled, users can see and access devices from the tree structure. To use this feature, the following portal functions must be assigned to the user or role:
        · netright discovery modulevisibility
        · aioc discovery discover device
        · single connect rdp client modulevisibility
        · single connect cli modulevisibility
      If these permissions are missing, devices may not be visible even if this option is enabled.
    · Use as role group
    · Use email as username during login: When this option is enabled, users can log in using their email address instead of a username.
    · Authentication script: The "Authentication script", "Switch user script" and "Show without authscript option" fields under the Miscellaneous panel are explained in detail in the following sections:
        o Session Manager SSH Proxy: Running Scripts at the Beginning of an SSH Session
        o Session Manager SSH Proxy: Switch User Script

Duplicate Device Group

This option creates a copy of the device group with the same parameters.

To create a new device group using the Duplicate button:
1. Navigate to Devices > Inventory.
2. Select the defined device group and click Options.
3. Click Duplicate.
4. Choose whether you want to copy the devices of the original group over to the duplicate group. If you choose not to, only the device group properties will be carried over to the new group.
5. Fill out the group information fields as needed.
6. Save.

Remote Apps

Kron PAM enables limiting the accessible applications on Windows devices. It is possible to allow specific applications for device groups. This option can also be used with the auto login feature.

To define remote apps:
1. Navigate to Devices > Inventory.
2. Select a device group and click Options.
3. Click Remote Apps.
4. Switch the Enable Desktop parameter on if you need to permit full desktop access.
5. Click Save.

Delete Device Group

To delete a device group:
1. Navigate to Devices > Inventory.
2. Select a device group and click Options.
3. Click the Delete button on the menu.
4. Click Continue.

Subnet

This feature is used for the two solutions below:
· Instead of adding devices one by one, a subnet can be added to connect to target devices. Only the TACACS+ Access Manager uses this feature. All devices in the subnet interval are accessible to connect to.
· The defined subnet can be used for device auto discovery.

To create a subnet:
1. Navigate to Devices > Inventory.
2. Select the defined device group, then click the Options button.
3. Click the Subnet button on the menu.
4. Click the + button.
5. Select an internet protocol.
6. Fill out the network address and subnet mask, and select interface names.
7. Click OK, and then Continue.

IP Regex Pattern

Instead of adding devices one by one, an IP regex pattern can be added to the device group. Every device whose IP address fits this pattern will be regarded as a member of this device group. Similarly, some IP regex patterns can be added with the deny rule, which makes the system deny all AAA requests coming from the IP addresses that fit this pattern. Only the TACACS+ Access Manager uses this feature.

To create an IP regex pattern:
1. Navigate to Devices > Inventory.
2. Select the defined device group, then click the Options button.
3. Click the IP Regex Pattern button on the popup.
4. Click the + button, then fill out the IP Regex Pattern and select the Actions field.
5. Click the OK button, then the Continue button.
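
A pre-check for a candidate IP regex pattern before it is saved to a device group, given here as an added example that is not part of the Kron PAM documentation or product code. It lists addresses the pattern misses inside the intended range and addresses outside that range it also matches. Assumptions: Python's `re` syntax stands in for the product's regex engine, this page does not state whether patterns are anchored so the hypothetical helper `audit_ip_regex` supports both whole-address and substring matching, and all addresses are constructed.

```python
import ipaddress
import re


def audit_ip_regex(pattern, intended_cidr, probe_cidr, anchored):
    """Compare an IP regex pattern with the range it is meant to cover.

    Returns (missed, extra):
      missed - addresses inside intended_cidr that the pattern does not match
      extra  - addresses in probe_cidr but outside intended_cidr that it matches
    anchored=True requires the whole address to match; anchored=False accepts
    a match anywhere in the address string.
    """
    rx = re.compile(pattern)
    matches = rx.fullmatch if anchored else rx.search
    intended = ipaddress.ip_network(intended_cidr)
    probe = ipaddress.ip_network(probe_cidr)
    missed = [str(ip) for ip in intended if not matches(str(ip))]
    extra = [str(ip) for ip in probe
             if ip not in intended and matches(str(ip))]
    return missed, extra


if __name__ == "__main__":
    # Constructed sample data: the group is meant to cover 10.1.2.0/24 only.
    cases = [
        (r"10\.1\.2\.\d{1,3}", "10.1.0.0/16", True),   # escaped, whole address
        (r"10.1.2.\d+", "10.1.0.0/16", False),         # unescaped dots
        (r"10\.1\.2\.\d+", "110.1.2.0/24", False),     # escaped but unanchored
        (r"10\.1\.2\.\d", "10.1.0.0/16", True),        # last octet too narrow
    ]
    for pattern, probe, anchored in cases:
        missed, extra = audit_ip_regex(pattern, "10.1.2.0/24", probe, anchored)
        mode = "whole-address" if anchored else "substring"
        print(f"{pattern!r} ({mode}, probe {probe}): "
              f"missed={len(missed)} extra={len(extra)} sample={extra[:3]}")
```

A non-empty `extra` list for a pattern used with the deny rule means AAA requests from devices outside the intended range would be denied as well; for a membership pattern it means those devices would be treated as group members.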