Note
-
cnMaestro X account supports up to 200 users.
-
cnMaestro Essentials account supports only up to 10 users.
This chapter provides the following details:
cnMaestro allows you to add Users using the Administration > Users page.
|
|
Note
|
Figure 1 Adding Users
cnMaestro supports the following user Roles:
Super Administrator – Super Administrators can perform all operations.
Administrator – Administrators can modify cnMaestro application functionality, but they are not able to edit User, API, or Server configuration.
Operator – Operators are able to configure device-specific parameters and view all configuration.
Monitor - Monitors have only the view access.
CPI - CPI can perform onboarding the devices using the CBRS tool and has the view access only.
|
|
Note
|
The table below defines how Roles are authorized to access specific features.
|
Feature |
Description |
|---|---|
|
Access Control Policies |
Configure policies to control users connectivity to the network.
|
|
Application Operations |
Application level operations such as to create, update and delete operations for Networks, Towers/Sites. Bulk device configuration.
|
|
Application Settings |
Change global application configuration and onboarding key.
|
|
Assists |
Scan device configurations and generate assists scores, which in turn helps in isolating configuration issues in a deployment.
|
|
Citizen Broadband Radio Service Subscription (CBRS) |
Support CBRS-compliant devices in the 3.6 GHz band (from 3550 MHz to 3700 MHz)
|
|
cnArcher Installation Summary |
View installation summary of PMP ePMP, and cnRanger SMs installed using the cnArcher Mobile Application.
|
|
Configuration/Software Update |
Manage configuration/software update jobs.
|
|
Custom Applications |
Configure applications with a specific IP address or a domain name, and apply filter rules.
|
|
Device Operations |
Device operations such as reboot device, link test, connectivity test, tech support file download, and Wi-Fi performance test.
|
|
Device Overrides |
Per-device configuration, including updating AP Group and applying configuration.
|
|
EasyPass |
Create captive portal using EasyPass to allow clients to access the network through Free Tiers, Vouchers, or Paid Access types.
|
|
Floor Plan |
Floor Plan configuration
|
|
Global Configuration |
The ability to create and apply configuration for global features such as Templates, WLANs, AP Groups, and bulk sync configuration.
|
|
Guest Portal |
Guest Portal configuration.
|
|
LTE |
Manage cnRanger LTE devices.
|
|
Monitoring |
Display of monitoring data at all levels.
|
|
Notifications |
Alarms and Events management.
|
|
Onboarding |
Device approval, modifying individual device configuration, and performing software update.
|
|
Reporting |
Report generation.
|
|
Session Management |
Capability to view and logout other users sessions.
|
|
Software Upgrade |
Upgrade the device with the latest software.
|
|
Spectrum Analyzer |
Analyze and monitor wireless spectrum for optimizing network performance on PMP devices.
|
|
User Management |
User management operations such as manage users and roles.
|
To add an administrator:
Navigate to page.
Click Add User button. The following window is displayed:
Enter the email address in the Email box.
To configure the User Role, select any one of the role for the user from the Role drop-down list:
Super Administrator
Administrator
Operator
Monitor
CPI
Click Send button to add this user.
To edit or delete a user, click the Edit icon or the Delete icon against the user in the Administration > Users page.
Using the Administration > Users page, you can allow (or whitelist) a specific domain (for example, gmail.com). When users from the whitelisted (or allowed) domain are added, an invite email is sent directly to them. When the users accept the invite, they are allowed to access a particular cnMaestro UI account.
You can also blacklist or disallow a specific domain to prohibit all users of that domain from accessing the UI account.
|
|
Note
|
To whitelist or blacklist a specific domain, perform the following steps:
Navigate to page.
The Manage Users page appears.
To add a new domain (for example, a gmail ID ), click on the Add User button.
The Add User window appears. You must set the fields, as described in the Creating Users and Configuring User Roles section. The Add User window also displays that the email ID used is a new domain, as shown in the following ex
ample (in this case, gmail.com is the new domain):
Select the Allow users in "gmail.com" domain checkbox (the domain name varies based on the email ID you add).
The new domain is added to the database.
When users who belong to this allowed domain (for example, gmail.com) are added (using the Add User button), an invite email is directly sent to the users. When the users accept the invite, they can access a particular cnMaestro UI account. The Allow users in "gmailail.com" domain checkbox is available only when you are adding a new domain.
To blacklist or disallow a specific domain, click on the Allowed Domains button on the Manage Users page.
The Allowed Domain window appears with a list of whitelisted domains.
Clear the required domain checkbox to blacklist that specific domain.
Select Update.
All users from that blacklisted domain are not allowed to access the UI. To allow the blacklisted domain, you must check the required domain checkbox on the Allowed Domain window.
A group mapping is a link between cnMaestro roles and IdP roles or groups. When signing in to cnMaestro, roles can be automatically assigned based on roles in the IdP. This can be used to maintain roles in Active Directory or a similar central identity provider.
Create a group mapping for each set of roles that you want to assign to a user based on the user’s IdP group memberships. Your organization might have groups with different sets of permissions based on teams, Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions. For example, you might create a group mapping that assigns the roles DeveloperWrite and ResourceOwner to a user who is a member of the data-science group in your IdP server.
|
|
Note The IdP role mapping configuration is applicable only to cnMaestro X accounts. |
To set up IdP role mapping, contact Cambium Support who will ask for some information and generate an IdP role mapping key.
With the IdP role mapping key, IdP groups or roles can be mapped to a role in cnMaestro for the IdP domain users. For example, with an Active Directory group called app-cnmaestro-superadmin mapped to the "Super Administrator" role in cnMaestro, members of this Active Directory group will be assigned the Super Administrator role automatically when logging in.
The advantages of IdP-based domain user role configuration are:
Authentication can be centralized and users can access multiple accounts with the same login.
Security policies, such as password or authentication requirements, can be managed through a single policy.
User experience improves as there is no need for multiple passwords and logins, making access seamless across all platforms.
Using the Administration > Users > IdP Role-Mappings UI page in cnMaestro, a new IdP role-mapping can be added and roles can be assigned to the IdP domain users.
Before adding IdP role-mappings and assigning roles in cnMaestro, make sure to complete the following prerequisite tasks:
An IdP must be registered by the Cambium Support team.
The IdP must have the IdP Role Mapping Key, which is generated and provided by the Cambium Support team.
To add a new role-mapping and assign a role for the IdP-based domain users, complete the following steps:
Navigate to .
Click Add IdP Role Mapping.
The Add IdP Role-Mapping box appears.
In the IdP Role Mapping Key text box, enter the key provided by the Cambium Support team.
Click Validate.
On successful validation of the IdP, you can view the IdP details configured on the Support site. For example, IdP name and domain.
In the Add IdP Role-Mapping box, assign the required roles to the user groups.
Click Add.
When domain users log in to the cnMaestro UI, they can access multiple accounts with a single log-in.
View and optionally log out current cnMaestro administrator sessions. The users with Super Administrator role can logout all other users sessions and the users with Administrator roles can logout Operator and Monitor accounts.
Displays the detailed information on the user sessions.
