Hi everybody, we use IMC on a large scale and we would like to give access to some information at different operators for monitoring purpose.
We would like them to be allowed to see some custom topologies and the switches in it. They should also be able to see which port carries which vlan and how (tagged/untagged).
We've been able to do it by creating a group with specific permission.
The problem is that if such an operator goes to the "device information" page He could see the SNMP Community in plain text. Obviously we don't what that to happen.
hmm. not seen any other override - at least that's exposed in the UI. My account is in the default admin group, and functions as expected both at the template and device level - see attached pics. It toggles based on the system setting.
Is it working for the default groups but not when using a custom group? haven't checked that.
Is there some other part of the UI you are using where it is not hidden?
Was this a new 7.2 install?
Mine has been upgraded from 7.0, so maybe there is some data item that's been carried forward but recently missing?
On the trap destination page, if I understand correctly - see image - the Auth parameter is displayed in clear text. (if its a different screen, send a screen shot)
In this case I'd rate that as a lower concern, as this is the credential used by the end device to send traps to imc.
Knowing this credential only authorizes an end device to send alerts (traps) to the management tool, in this case IMC,. Someone could not use this to change a device's settings unless you used the same value for Read/Write snmp.
Are you restricting your operators from reading the trap messages in imc?
Seeing the trap credential has little affect, as it can only be used to recieve the traps. I suppose someone could send spoofed traps to imc, but they'd have to know all the device details.
I did find another place a credential is not encrypted. That is under User> User Access Policy > access device management. The radius server key can be displayed if you modify an existing device. I find that a bit more concerning, but you could probably limit operator access to that function.
