User Guide: AMF Security Controller version 1.8.0

Account Group



This section describes how to create multiple Accounts and manage them in multiple Account Groups.

What is Account Group

Accounts can be divided into accounts with permission to edit the Authorization database and accounts with permission to modify system settings. System administrators and general users can be registered separately.
Account Groups associate accounts with switches (OpenFlow Switches and AMF Members). For each Account Group, you can view OpenFlow Switches and AMF Members that can be managed, and the devices under their management.

Using Account Groups not only clarifies which switches are to be managed and which devices are connected to them, but also enhances security, because switches that an Account does not manage are not displayed to it.


Add Account Group

Set the following items in Account Group.
Note
There is no default Account Group. If you do not create an Account Group, you cannot select "Account Group ID" when creating an Account or registering a Device.

Refer to System Settings > Account Group List for how to create Account Group.


Add Account

Set the following items in Account.
The "Account Name" registered by default is "manager" and cannot be changed or deleted. For the "manager" account, the password is "friend", "Account Group ID" is not set, the authentication database can be edited (this cannot be changed), and system settings can be changed (this cannot be changed).

Note
The AT-SESC configurations must be initialized if you forget the passwords for all accounts that have the "Configure system settings" permission, including the "manager" account. Please make sure that you keep your passwords safe and never forget them.
Note
Allied Telesis recommends that you do not set an Account Group for the default "manager" Account or for any Account created to manage the entire network.

Refer to System Settings > Account List for how to create Account.


Example of device management using Account Group

Account Group associates Accounts and Switches (OpenFlow Switches and AMF Members).
In the pages below, only Switches whose Account Group is the same as the Account Group set for the logged-in Account, and the devices connected to those Switches, are displayed.
The following example has one AMF Master (AT-x930) in the machine room and one AMF Member (AT-x510) on each floor, with an Account Group created for each floor.

- Creating Account Name and Account Group

Table 1: Sample Configuration Data

| Account Name | Account Group | Switch / Installation location |
|---|---|---|
| manager | (None) | All Switches / Machine room |
| 1F_admin, 1F_user | group_1 | AMF Member (AT-x510_1F) / First floor |
| 2F_admin, 2F_user | group_2 | AMF Member (AT-x510_2F) / Second floor |

- Account Group associated with each Switch

Table 2: Sample Configuration Data

| Switches | Account Group |
|---|---|
| AMF Master (AT-x930) | admin_group |
| AMF Member (AT-x510_1F) | group_1 |
| AMF Member (AT-x510_2F) | group_2 |

In this case, the display example of the Devices > Active Device List page is as follows.
By associating an Account Group with each registered Switch as described above, the Switches that are displayed differ depending on the logged-in user, and it becomes clear which Switch is to be managed and which devices are connected to that Switch.
Note that on the Switches > Active AMF Member List page and the Switches > Active OpenFlow Switch List page, the related Switches are also displayed. However, in the above example, no Account Group has been set for the system administrator Account "manager" that manages the entire system, and AMF Master (AT-x930) has the Account Group "admin_group", which is different from the Account Groups of the AMF Members on each floor. With this setting, AMF Master (AT-x930) is displayed only for the "manager" Account.
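The visibility rule in this example can be checked offline before the groups are entered in the GUI. The following Python sketch is an added example, not part of the product or of this guide. It models Tables 1 and 2 as constructed dictionaries and flags group assignments that would hide a Switch from its intended Accounts; the function names and finding labels are hypothetical.

```python
# Constructed data mirroring Tables 1 and 2 (None = no Account Group set).
ACCOUNTS = {"manager": None, "1F_admin": "group_1", "1F_user": "group_1",
            "2F_admin": "group_2", "2F_user": "group_2"}
SWITCHES = {"AT-x930": "admin_group", "AT-x510_1F": "group_1",
            "AT-x510_2F": "group_2"}


def visible_switches(account, accounts, switches):
    """Switches displayed to `account`: those in its Account Group, or all
    Switches when the Account has no group (as with "manager")."""
    group = accounts[account]
    # Assumption: a Switch with no group is shown only to ungrouped Accounts;
    # the guide does not describe that case.
    return sorted(s for s, g in switches.items() if group is None or g == group)


def audit(accounts, switches, full_view_allowed=("manager",)):
    """Return (finding, name) pairs for assignments worth reviewing."""
    findings = []
    account_groups = {g for g in accounts.values() if g is not None}
    switch_groups = set(switches.values())
    for name, group in sorted(accounts.items()):
        if group is None and name not in full_view_allowed:
            # An ungrouped Account sees every Switch.
            findings.append(("unscoped-account", name))
        elif group is not None and group not in switch_groups:
            # Group ID matches no Switch, e.g. a mistyped Account Group ID.
            findings.append(("account-sees-nothing", name))
    for switch, group in sorted(switches.items()):
        if group not in account_groups:
            # Only ungrouped Accounts can see this Switch.
            findings.append(("only-unscoped-accounts-see", switch))
    return findings


if __name__ == "__main__":
    for account in ACCOUNTS:
        print(account, "->", visible_switches(account, ACCOUNTS, SWITCHES))
    print(audit(ACCOUNTS, SWITCHES))
```

For the sample configuration the only finding is the AMF Master (AT-x930), which matches the intent that it is displayed only for "manager".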


Registering Device

Refer to Quick Tour for the instruction on how to register Device.
By selecting "Account Group ID" on the page for adding or editing Device, you can associate that device with the "Account Group ID".
The following is an example of the Switches > AMF Member Add page.


Note
Devices associated with an "Account Group ID" are not displayed unless you log in with an Account belonging to that "Account Group ID" or with "manager" (no Account Group). Be careful not to register a different "Account Group ID" by mistake.



14 Jun 2021 09:30