Add SEM users

Access to SEM data requires a user account. Even basic access, such as receiving notifications sent by SEM through email or SMS text message, requires a user account.

About SEM roles

To restrict user access to sensitive data, user accounts need to be assigned to a SEM role. There are six SEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports. Role types are described in the following table.

Role Description
Administrator The default user. This role cannot be deleted and has full access to the SEM console. For auditing purposes, SolarWinds does not recommend that multiple users share the Admin account.

Auditor User has extensive view rights to the system, but cannot modify anything other than their own filters.
Monitor User has read-only access to the SEM console. See Specify the filters that users assigned the Monitor role can use in the SEM console to configure the filters assigned to this role. Users assigned to this role cannot edit filters.
Contact User cannot log in to the SEM console, but can receive external notifications such as email sent to the user's email address, imported distribution lists, or cellular email-to-SMS addresses for texts. Use this role if you have an external incident resolution or trouble ticket system, or if you have a user who does not need to access the console.
Guest User has extensive view rights to the system, but cannot modify anything other than their own filters.
Reports User cannot log in to the SEM console, but can access the SEM reports application. This role can access the SEM database over a secure channel if TLS encryption is enabled. See Enable transport layer security (TLS) in the SEM reports application for details.

Do not confuse roles and groups:

  • Roles restrict the actions a user can perform in SEM.
  • Groups organize related elements into logical units so that they can be used in SEM rules and filters.

About SEM user accounts

There are two ways to add a user account in SEM:

  • Add an Active Directory user account
  • Create a local user account

SolarWinds recommends using Active Directory accounts if Microsoft Active Directory is in use at your organization.

Each user should have a valid email address so that the user can receive notifications sent by SEM. SolarWinds recommends that you create distinct users for everyone who needs to receive email notifications from SEM Manager. If you want to send identical notifications to your IT department personnel, associate a distribution list email address with all relevant users.

To establish minimum password requirements for local user accounts in SEM, see Set the global password policy for SEM users.

How Active Directory accounts work in SEM

You can configure SEM to allow users to log in with their Active Directory credentials. Using Active Directory for user authentication means you do not have to maintain duplicate user accounts in SEM, and users do not have to remember an additional user name and password just for SEM.

See Set up Active Directory authentication in SEM to configure SEM to allow users to log in with their Active Directory credentials.

SEM roles are mapped to DS groups in Active Directory if AD authentication is enabled.

See Configure or view Active Directory authentication settings in SEM to look up which Active Directory groups are mapped to SEM roles.

SEM supports Active Directory single sign-on (SSO). If SSO is enabled, users can bypass the SEM login screen and go straight to the application if they are already logged in to another application that accepts the user's AD credentials.

See Set up single sign-on in SEM to configure SEM to allow users to bypass the SEM login screen if they are already logged in to an application that accepts the user's AD credentials.

SEM can use Active Directory groups of Windows users and computer accounts in SEM rules and filters. Any changes made to users or groups in Active Directory propagate to rules and filters in SEM.

See Configure directory service groups in SEM for details.

Import an Active Directory user into SEM

Before you create an Active Directory user account:

  • Complete the steps in this topic: Set up Active Directory authentication in SEM

  • Be sure to either map your Active Directory groups to SEM security groups, or create at least one custom security group in Active Directory for SEM to use. If you created custom SEM security groups in Active Directory, populate the groups with AD users before continuing. See Create custom security groups in Active Directory for SEM to use for details.

  • Verify that the user account includes a valid email address.

    SEM requires an email address to create a user account. SEM uses the email address to send the user a notification when an assigned alert event occurs.

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Users.

  3. Click , and then select Import SEM User. The Import Users form opens.

  4. Complete the Import Users form, and then click Import.

    Field Description
    SEM Groups Select the SEM security group that the Active Directory user belongs to.
    Search User Type at least the first three characters of the user name.
    Search Click to find matching users.
    Available Users Select one or more users to import and click the green and white arrow button.
    Selected Users Lists the AD user (or users) to import.

    The Active Directory user is imported.

Create a local SEM user account

  1. Open the SEM console. See Log in to the SEM web console for steps.

    On the SEM toolbar, navigate to Build > Users.

  2. If you have multiple SEM Manager instances, click the drop-down list next to the , and then choose the SEM Manager instance that will be associated with the user account.

  3. Click , and then select SEM User.

  4. Complete the form in the User Information for: <New User> section, and then click Save. See the following table for help with form fields.

    The local user account is added to the Users grid.

Field Description
User Name Enter a user account name. You cannot use admin_role, audit_role, or reports_role for the user name.
First Name Enter the user's first name.
Last Name Enter the user's last name.
Password

Enter a user password to access the Manager. This can be an initial system password or a temporary password that is assigned to replace a forgotten password.

If you are creating a Contact user, a password is not required.

If the Must Meet Complexity Requirements check box is selected in the Manage > Appliance > Properties > Settings tab, the console enforces the following policy:

  • Passwords must have a minimum of six characters. Spaces are not allowed.
  • Passwords must have two of the following three attributes: at least one special character, at least one number, and a mix of lowercase and uppercase letters.
Confirm Password Enter the password again.
SEM Role

Select a SEM role for this user.

  • Administrator - Has full access to the system, and can view and modify everything.
  • Auditor - Has extensive view rights to the system, but cannot modify anything other than their own filters.
  • Monitor - Can access the console, cannot view or modify anything, and must be provided a set of filters. See "Specify the filters that users assigned the Monitor role can use in the SEM console" for steps.
  • Contact - Cannot access the console, but can receive external notification.
  • Guest - Has extensive view rights to the system, but cannot modify anything other than their own filters.
  • Reports - Cannot log in to the SEM console, but can log in to the SEM reports application. This role can access the SEM database over a secure channel if TLS encryption is enabled. See Enable transport layer security (TLS) in the SEM reports application for details.
View Role Click to open the role privileges assigned to the new user. Role privileges cannot be changed.
Description Type a brief description (up to 50 characters). For example, provide the user title, position, or area of responsibility.
Contact Information

Enter an email address. SEM Manager notifies users by email about network security events. You can add as many email addresses as required.

  1. Type an email address and click to add the address to the Contact Information box. Use the following format: username@example.com
  2. Click Save, and then click to send a test email to the email address.
  3. Verify that the user received the email test message.
  4. Repeat these steps to add additional email addresses.
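
The constraints in the field table above (reserved user names, the 50-character description limit, the password complexity policy, and the Contact role's password exemption) can be checked on a list of planned local accounts before they are entered in the console. The following Python is an added example, not SolarWinds code; the record layout, the function names, and the reading of "special character" as any non-alphanumeric, non-space character are assumptions.

```python
RESERVED_NAMES = {"admin_role", "audit_role", "reports_role"}  # not allowed as user names
ROLES = {"Administrator", "Auditor", "Monitor", "Contact", "Guest", "Reports"}

def password_problems(password):
    """Policy enforced when Must Meet Complexity Requirements is selected."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if " " in password:
        problems.append("contains a space")
    attributes = [
        any(not c.isalnum() and not c.isspace() for c in password),  # special (assumed meaning)
        any(c.isdigit() for c in password),                           # at least one number
        any(c.islower() for c in password) and any(c.isupper() for c in password),
    ]
    if sum(attributes) < 2:
        problems.append("fewer than two of: special character, number, mixed case")
    return problems

def account_problems(account, complexity_required=True):
    """List the ways a planned local account conflicts with the field table."""
    problems = []
    if account.get("user_name") in RESERVED_NAMES:
        problems.append("reserved user name")
    role = account.get("role")
    if role not in ROLES:
        problems.append("unknown SEM role")
    if len(account.get("description", "")) > 50:
        problems.append("description longer than 50 characters")
    if not account.get("emails"):
        problems.append("no email address for notifications")
    if role != "Contact":  # a Contact user does not need a password
        password = account.get("password", "")
        if not password:
            problems.append("password missing")
        elif complexity_required:
            problems += [f"password {p}" for p in password_problems(password)]
    return problems

# Constructed sample records, not real accounts.
PLANNED = [
    {"user_name": "jdoe", "role": "Auditor", "password": "Gr8-harbor-Lamp", "emails": ["jdoe@example.com"]},
    {"user_name": "audit_role", "role": "Auditor", "password": "abcdef", "emails": []},
    {"user_name": "ticketing", "role": "Contact", "emails": ["tickets@example.com"]},
]

if __name__ == "__main__":
    for acct in PLANNED:
        print(acct["user_name"], account_problems(acct) or "ok")
```
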

View user accounts in the SEM console

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Users.

  3. To sort the table, click a column heading. For example, click SEM Role to sort users by role. To reverse sort, click again.

View the system privileges associated with a role

After you select a user role, you can click View Role to view the system privileges associated with the user role.

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Users.

  3. In the Users grid, select a user.

    Details about the user display in the User Information pane.

  4. In the User Information pane, click View Role.

    The Privileges window appears.

    The information in the Privileges window is read-only and cannot be changed.

  5. To return to the console, click Close.

Edit user account settings

You can update all user settings in the Build > Users view. Only the description and role can be edited for Active Directory users.

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Users.

  3. In the Users grid, click next to a user, and then select Edit.

  4. Update the user information in the User Information pane.

    To delete an email address, click next to each email address you want to delete.

  5. Click Save.

    The user information is updated.

To establish minimum password requirements for local user accounts in SEM, see Set the global password policy for SEM users.

Delete a user account from a SEM Manager instance

You cannot delete the admin user from the system.

  1. Open the SEM console. See Log in to the SEM web console for steps.

  2. On the SEM toolbar, navigate to Build > Users.

  3. In the Users grid, locate the user you want to delete.

  4. In the Users grid, click next to the targeted user, and then select Delete.

  5. When prompted, click Yes to confirm.

    The user is removed from the Users list and is no longer authorized to use the Manager.