Mass config : Mikrotik and Read-Only account

General discussion of anything Unimus
Seb
Posts: 4
Joined: Fri Mar 15, 2019 11:24 am

Fri Mar 15, 2019 12:50 pm

Hi,

I back up my MikroTik routers with a read-only account.
Now I will start to use the "Mass config push" feature to configure devices and no longer only retrieve information.
I know we can bind "enable/configure passwords" and force them when running Presets.
But MikroTik needs a RW account to run scripts with 'write' operations.

Is there a way to do a kind of "privilege escalation"?
I prefer to ask here first before doing a feature request.
I have some ideas in mind about role segregation for Mass config.


Regards,
Tomas
Posts: 675
Joined: Sat Jun 25, 2016 12:33 pm

Fri Mar 15, 2019 12:59 pm

Hi,

Enable/Configure mode passwords are only used with vendors that have a privilege separation system.
(such as Cisco, HP ProCurve, and many others)

They are used to switch between User Exec, Privileged Exec, and Configure modes.

MikroTik does not have such a privilege system.
There is also no way to change user access levels in an already active CLI session.

This is just how MikroTik does things, nothing we can do about this in Unimus.
As such, you will simply need to use an account that has proper access set in the "group" used for that user.

You can create a new group and set its desired access in "/user group".
You can then set that group for the user Unimus uses to connect to the MikroTik with:

Code:

/user
set [find name=xxx] group=yyy
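As an added example (not from Tomas's post or from Unimus), the two-group layout the reply describes, written as RouterOS commands: one read-only group for backups and one with "write" for Mass Config Push, neither able to change user policies. The group names, user names, password placeholder and the 10.0.0.5 management address are assumptions.

```routeros
# Added example, not part of the original thread. Names and addresses are assumed.

# Read-only group for backups: SSH login and read access only.
# "!policy" keeps the account from editing users or groups, "!password" from
# changing passwords, "!sensitive" from viewing stored secrets.
/user group add name=unimus-backup policy=ssh,read,!write,!policy,!password,!sensitive,!test,!reboot,!ftp,!winbox,!web,!api

# Read-write group for Mass Config Push: same as above plus "write", so scripts
# with write operations succeed, but still no "policy", so the account
# cannot move itself (or any other user) into a more privileged group.
/user group add name=unimus-push policy=ssh,read,write,!policy,!password,!sensitive,!test,!reboot,!ftp,!winbox,!web,!api

# One account per group, both restricted to the Unimus server address
# (assumed here as 10.0.0.5), so the backup credential stays read-only.
/user add name=unimus-ro group=unimus-backup password="CHANGE-ME" address=10.0.0.5/32
/user add name=unimus-rw group=unimus-push password="CHANGE-ME" address=10.0.0.5/32

# Check the effective policies before pointing Unimus at the accounts.
/user group print detail where name~"unimus"
/user print detail where group~"unimus"
```

If the backup must include exported secrets, add "sensitive" to the backup group only; it is not needed for pushing configuration.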
Seb
Posts: 4
Joined: Fri Mar 15, 2019 11:24 am

Fri Mar 15, 2019 1:23 pm

Hi Tomas,

Yes, I understand how Mikrotik and others work, and this is not something Unimus can change.

I think I didn't explain my problem correctly.
I like to keep, in general, accounts with minimum rights. I want to keep my "Backup" account RO.

I think adding a third credential category could be a helpful feature, at least for MikroTik but for some other devices too.
For devices not compatible with Enable mode, add a "Mass Config Credential" or something like that.

I can switch to the "Feature requests" subforum if you want; I will explain more about how I see this.
Tomas
Posts: 675
Joined: Sat Jun 25, 2016 12:33 pm

Fri Mar 15, 2019 2:18 pm

I see what you mean now.

Currently - you will have to give sufficient access to the Unimus credentials to perform all operations you want to do from Unimus.

Going forward:
Adding a 3rd credential category would not really be good from a UX point of view.
New users would be really confused about what the differences are, and what is used how and when.

I think we can add an "Advanced mode" menu to Mass Config Push though.
Here, you could specify credentials used for this push, which would be different from credentials used for other device communication in Unimus.

Please create a post in the Feature Requests section and we can discuss it further there :)
Seb
Posts: 4
Joined: Fri Mar 15, 2019 11:24 am

Fri Mar 15, 2019 3:42 pm

I understand the UX problem, but linking this to the device level allows having different admin accounts while still grouping all devices inside the same preset.
Maybe a checkbox in the device, unchecked by default, saying "Use a different account for presets".
When checked, the drop-down menu for binding an account appears.

Let's continue the discussion in Feature Requests; I will create a post. I've also got a nice idea for the security paranoids. ;)