How do I import users and groups from NFM-P?

Purpose

NFM-P users must be imported into NSP when NSP is deployed using OAUTH2 authentication mode. The Import feature migrates all user accounts and user groups from your NFM-P user database into NSP. The imported users become local NSP users, authenticated through OAUTH2, which must be enabled during NSP deployment. The imported user groups can be assigned roles that provide the users in the groups with access to NSP functions and resources.

NFM-P users that are imported to NSP must be created with new passwords. Users that have an email address will have a random password emailed to them. Users that do not have an email address will be assigned a global default password, set by the administrator. All imported users will be required to change their password at their first login after import. It is recommended that the NFM-P system administrator assign email addresses to users before the import to NSP to ensure maximum user security.

Before importing users from NFM-P, be aware of the following requirements and limitations:

  • If you intend to use email notification of new user passwords, you must ensure that the NSP email server is configured in the NSP system settings, and that the email Notifications option is enabled in the NSP system settings.

  • If NFM-P is configured with remote identity providers, those identity providers must be configured in the nsp.sso section of nsp-config.yml.

  • The NFM-P user parameters imported to NSP are: user name, description, user group, account state, and email address.

  • All NFM-P user IDs are converted to lower case upon import since OAUTH2 authentication is case-insensitive. If two NFM-P user IDs are identical except for case, only one of them is imported. You must clean up any duplicate user IDs in NFM-P prior to import to ensure that all users are imported.

  • NSP user groups are case sensitive, as are NFM-P user groups. When NFM-P user groups are imported to NSP, they keep uppercase and lowercase characters. For example, if NFM-P has user groups GROUP1, Group1 and group1, all three are imported into NSP.

  • Any NFM-P user names that conflict with existing NSP local users are not imported and do not cause any change to local users.

  • NSP supports a maximum of 1000 local users. To ensure that only necessary users are included in the migration, clean up your NFM-P user database before importing to NSP.

  • NFM-P remote users are not imported into NSP. Remote users include NSP, LDAP, RADIUS, and TACACS users that have access to the NFM-P GUI.

  • OAUTH2 authentication does not support both local and remote user authentication (LDAP, RADIUS, TACACS) with the same user ID. To preserve the use of a remote user ID, the local user ID should be changed to a unique value.
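A pre-import check over the requirements above, as an added example that is not part of the NSP documentation or tooling. It assumes the NFM-P local users have been exported to a CSV with hypothetical columns user_id and email, and that name conflicts with existing NSP local users are compared in lower case.

```python
import csv
import io
from collections import defaultdict

NSP_MAX_LOCAL_USERS = 1000  # limit stated on this page

# Constructed sample export; the column names are assumptions.
SAMPLE_CSV = """user_id,email
jsmith,jsmith@example.com
JSmith,
ops1,
admin,admin@example.com
netadmin,netadmin@example.com
"""


def audit_import(nfmp_csv, existing_nsp_users):
    """Return a dict of findings for a planned NFM-P to NSP user import."""
    by_lower = defaultdict(list)
    no_email = []
    for row in csv.DictReader(io.StringIO(nfmp_csv)):
        uid = row["user_id"].strip()
        by_lower[uid.lower()].append(uid)
        # Users without an email address receive the shared temporary password.
        if not (row.get("email") or "").strip():
            no_email.append(uid)
    # IDs identical except for case: only one of each set would be imported.
    case_collisions = {k: v for k, v in by_lower.items() if len(v) > 1}
    # Assumption: conflicts with existing NSP users are compared in lower case.
    existing = {u.lower() for u in existing_nsp_users}
    conflicts = sorted(k for k in by_lower if k in existing)
    importable = len(by_lower) - len(conflicts)
    projected = len(existing) + importable
    return {
        "case_collisions": case_collisions,
        "conflicts_with_nsp": conflicts,
        "no_email": sorted(no_email),
        "projected_local_users": projected,
        "over_limit": projected > NSP_MAX_LOCAL_USERS,
    }


if __name__ == "__main__":
    for key, value in audit_import(SAMPLE_CSV, ["admin"]).items():
        print(f"{key}: {value}")
```

Every user in the no_email list would start with the same global temporary password, so that list is the one to shrink by assigning email addresses in NFM-P before the import.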

Steps
 

Open Users and Security.


Select Users from the drop-down list on the toolbar.


Click More Actions, Import NFM-P Users and Groups.


In the Temporary Password for Imported Users form, specify and confirm a global temporary password for all imported users.

The global temporary password is only applied to imported users with no email address.


Click OK.

The imported users are listed in the Users view. The imported user groups are listed in the User Groups view.


The NFM-P imported users can now log in to NSP. All imported users will be required to change their password during first login. NFM-P users with an email address should check their email for their random login password.

Note: In the event that the import fails for certain users or user groups, you can investigate problems in the nspos-tomcat pod logfile at:

/opt/nsp/os/tomcat/logs/AccessControlApi.log

End of steps

Post-import considerations

After importing users from NFM-P, be aware of the following requirements and limitations: