Add SEM users
Access to SEM data requires a user account. Even basic access, such as receiving notifications sent by SEM through email or SMS text message, requires a user account.
About SEM roles
To restrict user access to sensitive data, user accounts need to be assigned to a SEM role. There are six SEM role types: Administrator, Auditor, Monitor, Guest, Reports, and Contact. Role types are described in the following table.
See View system privileges associated to roles for more information.
Role | Description |
---|---|
Administrator |
The default user. This role cannot be deleted and has full access to the SEM console. SolarWinds does not recommend multiple users sharing the Admin account for auditing purposes. |
Auditor | User has extensive view rights to the system, but cannot modify anything other than their own filters. |
Monitor | User has read-only access to the SEM console. See Monitor role users and filters to configure the filters assigned to this role. Users assigned to this role cannot edit filters. |
Guest | User has extensive view rights to the system, but cannot modify anything other than their own filters. |
Contact | User cannot log in to the SEM console, but can receive external notifications such as email sent to either the user's email address, imported distribution lists, or cellular email-to-SMS addressees for texts. Use this role if you have an external incident resolution or trouble ticket system, or if you have a user who does not need to access the console. |
Reports | User can access the SEM Console and generate query reports. |
Do not confuse roles and groups:
- Roles restrict the actions a user can perform in SEM.
- Groups organize related elements into logical units so that they can be used in SEM rules and filters.
About SEM user accounts
There are two ways to add a user account in SEM:
- Add an Active Directory user account
- Create a local user account
SolarWinds recommends using Active Directory accounts if Microsoft Active Directory is in use at your organization.
Each user should have a valid email address so that the user can receive notifications sent by SEM. SolarWinds recommends that you create distinct users for everyone who needs to receive email notifications from SEM Manager. If you want to send identical notifications to your IT department personnel, associate a distribution list email address to all relevant users.
See Set the global password policy for SEM users for details about establishing minimum requirements for local SEM user accounts.
How Active Directory accounts work in SEM
You can configure SEM to allow users to log in with their Active Directory credentials. Using Active Directory for user authentication means you do not have to maintain duplicate user accounts in SEM, and users do not have to remember an additional user name and password just for SEM.
See Set up Active Directory authentication in SEM to configure SEM to allow users to log in with their Active Directory credentials.
SEM roles are mapped to DS groups in Active Directory if AD authentication is enabled.
See Set up Active Directory authentication in SEM to look up which Active Directory groups are mapped to SEM roles.
SEM supports Active Directory single sign-on (SSO). If SSO is enabled, users can bypass the SEM login screen and go straight to the application if they are already logged in to another application that accepts the user's AD credentials.
See Set up single sign-on in SEM to configure SEM to allow users to bypass the SEM login screen if they are already logged in to an application that accepts the user's AD credentials.
SEM can use Active Directory groups of Windows users and computer accounts in SEM rules and filters. Any changes made to users or groups in Active Directory propagate to rules and filters in SEM.
Create a local SEM user account
Access to SEM data requires a user account. Even basic access, such as receiving notifications sent by SEM through email or SMS text message, requires a user account.
User accounts need to be assigned to a SEM role to restrict access to sensitive data. There are five SEM role types: Administrator, Auditor, Monitor, Guest, and Reports. Role types are described in the following table.
- On the SEM Console, navigate to Configure > Users.
- On the Users toolbar, click Add user.
- Complete the user account form, and then click Add. Reference the table below for information on the form fields.
Field Description Username User account name. Password User password to access the Manager. This can be an initial system password or a temporary password that is assigned to replace a forgotten password.
If password restrictions are enabled ( > Authentication > Local Users), SEM enforces the following policy:
Passwords must:
- Be between 6-40 characters
- Not include user names
- Not include forbidden characters
Passwords must also include at least three of the following:
- One upper case letter
- One lower case letter
- One special character
- One digit
Confirm password Enter the password again.
Role Select a SEM role for this user.
- Administrator - Has full access to the system, and can view and modify everything.
- Auditor - Has extensive view rights to the system, but cannot modify anything other than their own filters.
- Monitor - Can access the console, cannot view or modify anything, and must be provided a set of filters. See "Specify the filters that users assigned the Monitor role can use on the SEM Console" for steps.
- Guest - Has extensive view rights to the system, but cannot modify anything other than their own filters.
- Reports - Can log in to the SEM console and generate reports. This role can access the SEM database over a secure channel.
First name User's first name Last name User's last name Description Type a brief description (up to 50 characters). For example, provide the user title, position, or area of responsibility. Contact e-mail Email address. SEM notifies users by email about network security events. You can add as many email addresses as required. - Select a user in the list to edit the user account, change the user's password, require the user to change passwords, or delete the user account.
In the Refine Results pane, you can filter users based on account type and last login. Under Last modified, click the time setting to adjust the login time frame.
Edit user account settings
- On the SEM Console, click the Configure tab, and select Users from the drop-down list.
- Select a user account in the list:
- To edit the user account settings, click Edit user.
- To remove a local user account from the system, click Delete.
- To change a user's password, click Change password, then enter and confirm the password in the pop-up window.
- To require that a user change their password when first logging in, click Require password change.