Hi,
I back up my Mikrotik routers with a read-only account.
Now I will start to use the "Mass config push" feature to configure, and no longer only retrieve information.
I know we can bind "enable/configure passwords" and force them when running Presets.
But Mikrotik needs a RW account to run scripts with 'write' operations.
Is there a way to do a kind of "privilege escalation"?
I prefer to ask here first before doing a feature request.
I have some ideas in mind about role segregation for Mass config.
Regards,
[Solved] Mass config : Mikrotik and Read-Only account
Hi,
Enable/Configure mode passwords are only used with vendors that have a privilege separation system.
(such as Cisco, HP ProCurve, and many others)
They are used to switch between User Exec, Privileged Exec, and Configure modes.
MikroTik does not have such a privilege system.
There is also no way to change user access levels in an already active CLI session.
This is just how MikroTik does things, nothing we can do about this in Unimus.
As such, you will simply need to use an account that has proper access set in the "group" used for that user.
You can create a new group and set its desired access in "/user group".
You can then set that group for the user your Unimus uses to connect to the MikroTik with:
/user
set [find name=xxx] group=yyy
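Added example, not part of the original posts: one way to define the two MikroTik groups this thread is about, a read-only group for the backup account and a write-capable group for a separate push account. The group and user names, the management subnet 192.0.2.0/24 and the password placeholders are assumptions.

```routeros
# Constructed example: names, subnet and passwords are placeholders.
# Read-only group for the backup account: SSH login and read access only.
# Add "sensitive" only if the backup must include secrets in the export.
/user group
add name=unimus-ro policy=ssh,read
# Write-capable group for the account used for config pushes.
# Add further policies (for example reboot or policy) only if the pushed
# scripts actually need them.
add name=unimus-rw policy=ssh,read,write

# Bind each account to its group and restrict logins to the management subnet.
/user
add name=unimus-backup group=unimus-ro address=192.0.2.0/24 password="<set-a-unique-secret>"
add name=unimus-push group=unimus-rw address=192.0.2.0/24 password="<set-a-unique-secret>"

# Review the resulting policies of each group.
/user group print
```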
Hi Thomas,
Yes, I understand how Mikrotik and others work, and this is not something Unimus can change.
I think I have not explained my problem correctly.
I like to keep, in general, accounts with minimum rights. I want to keep my "Backup" account with RO.
I think adding a third credential category could be a helpful feature, at least for Mikrotik but for some other devices too.
For devices not compatible with Enable mode, add a "Mass Config Credential" or something like that.
I can switch to "Feature requests" subforum if you want, I will explain more how I see this.
I see what you mean now.
Currently - you will have to give sufficient access to the Unimus credentials to perform all operations you want to do from Unimus.
Going forward:
Adding a 3rd credential category would not really be good from a UX point of view.
New users would be really confused what the differences are, and what is used how and when.
I think we can add an "Advanced mode" menu to Mass Config Push tho.
Here, you could specify credentials used for this push, which would be different from credentials used for other device communication in Unimus.
Please create a post in the Feature Requests section and we can discuss it further there.
I understand the UX problem, but linking this to the device level allows having different admin accounts while still grouping all devices inside the same preset.
Maybe a checkbox in the device, unchecked by default, saying "Use a different account for presets".
When checked, the scroll-down menu for binding an account appears.
Let's continue the discussion in feature-request. I will create a post; I also have a nice idea for security paranoids.
Just an update for anyone finding this topic in the future - this has been implemented starting with 2.1.0.
More info in the "Feature requests" topic: viewtopic.php?p=3106#p3106