Cisco EMF User Access Control, which is a component of Carrier Class Security, provides system administrators with the opportunity to control which features of their system can be accessed by various levels of personnel. This is important for security and for efficient, effective network management.
Reliable security and ease of use play a key role in a network management application. For example, given the rapid growth in high speed data services, many organizations have concurrently grown rapidly. Experienced Network Operations Center (NOC) personnel may spend more of their time training new employees in the skills of network management.
Additionally, complex new equipment technologies are being launched into the market by both existing and new equipment providers. Faced with many new equipment features, personnel may make mistakes, for example in equipment configuration, which could affect network uptime.
Service Provider organizations may be obligated under law to protect sensitive information contained within management systems. The ability to provide secure customer network management is therefore a valuable service to offer customers.
Cisco EMF Security allows system administrators to set up Access Manager objects using the Access Manager GUI. Access Manager objects can be classed as either personnel or services as follows:
The Access Manager object is set up to allow or restrict user access to features within Cisco EMF. For example, an administrator could set up a user to have access only to those parts of Cisco EMF which are relevant to their specific tasks. A user would only be aware of their own access to the system and the use of their password.
For example, Joe may be the NOC expert on xDSL modems, but he may be a relative ATM novice. Helen, on the other hand, may be the ATM expert but she may know very little about the intricacies of xDSL technologies. With Cisco EMF Access Control, the systems administrator is able to ensure Joe has read/write access to all xDSL network elements for configuration and test purposes, while Helen can only view the status information for these elements. Helen, on the other hand, can reconfigure ATM equipment, whereas Joe is refused access to the Element Manager windows which permit such reconfiguration.
Three levels of user access are available. These names describe the type of access available to each:
Cisco EMF Security also enables administrators to define security levels for specific managed object attributes. This is key to restricting access to sensitive or critical parameters of managed equipment (for example, the IP address of an item of equipment). A user with Read-Write access may be able to apply a new configuration to that piece of equipment, but they may not be able to modify its IP address, as this could invalidate normal management of the device. Control of the IP address may be the specific responsibility of the network topology manager.
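The Joe and Helen scenario and the attribute-level restriction described above can be modeled as a small access-decision table. The following is an added example, not Cisco EMF code: the group names, object names, the "topo" user, the rule that the highest matching permission wins, and the level required for the IP address attribute are all assumptions made for illustration, and feature lists are left out for brevity.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # the three access levels named on the page, plus "no access"
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    READ_WRITE_ADMIN = 3

@dataclass(frozen=True)
class AccessSpec:  # binds a permission level to user groups and object groups
    name: str
    permission: Level
    user_groups: frozenset
    object_groups: frozenset

# Constructed sample data (hypothetical names) mirroring the Joe/Helen scenario.
USER_GROUPS = {
    "xdsl-engineers": {"joe"},
    "xdsl-viewers": {"helen"},
    "atm-engineers": {"helen"},
    "topology-managers": {"topo"},
}
OBJECT_GROUPS = {"xdsl-elements": {"dslam-1"}, "atm-elements": {"atm-switch-1"}}
SPECS = [
    AccessSpec("xdsl-config", Level.READ_WRITE, frozenset({"xdsl-engineers"}), frozenset({"xdsl-elements"})),
    AccessSpec("xdsl-status", Level.READ_ONLY, frozenset({"xdsl-viewers"}), frozenset({"xdsl-elements"})),
    AccessSpec("atm-config", Level.READ_WRITE, frozenset({"atm-engineers"}), frozenset({"atm-elements"})),
    AccessSpec("topology", Level.READ_WRITE_ADMIN, frozenset({"topology-managers"}),
               frozenset({"xdsl-elements", "atm-elements"})),
]
# Assumption: the administrator has raised the security level of ip_address.
ATTRIBUTE_LEVEL = {"ip_address": Level.READ_WRITE_ADMIN}

def effective_level(user, obj):
    """Highest permission of any spec covering both the user and the object.
    Default deny: no matching spec means Level.NONE (assumed combination rule)."""
    best = Level.NONE
    for spec in SPECS:
        in_group = any(user in USER_GROUPS.get(g, ()) for g in spec.user_groups)
        covers = any(obj in OBJECT_GROUPS.get(g, ()) for g in spec.object_groups)
        if in_group and covers:
            best = max(best, spec.permission)
    return best

def can_write(user, obj, attribute):
    """Writing needs at least Read Write, or more if the attribute is restricted."""
    required = max(Level.READ_WRITE, ATTRIBUTE_LEVEL.get(attribute, Level.READ_WRITE))
    return effective_level(user, obj) >= required
```

A table like this is also a convenient way to review a planned set of access specifications for unintended write access before entering them in the Access Manager.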
This section describes administration tasks you can accomplish with the Cisco EMF Access Manager.
The Access Manager is launched using the icon in the Cisco EMF Launchpad window or, from other Cisco EMF applications, by selecting Access Manager from a pop-up menu. This menu is accessed by right-clicking a selected object.
The Access Manager window, similar to Figure 9-1, is displayed.
To display a list of names in this window, select one of the following options from the drop down list:
An Access Manager object is either an Access Specification, a User Group, or a User. These objects can only be created by a system administrator. A typical work flow is to first create an Access Specification; then create an Object Group; and finally, create the User.
Step 1 From the Edit drop down menu, select Create, then Access Spec.
Step 2 The Create Access Specification wizard starts. A window similar to Figure 9-2 is displayed. Enter the name of the specification to be created, then click Forward.
You are now required to select settings for the new specification. You can copy settings from a previously created specification or create a new specification.
Step 3 You may want to use settings from an existing access specification, and then create a new specification by adding or removing details using Edit (refer to the "Editing an Access Specification" section). To copy settings from a previously created access specification:
(a) Click Yes. A list of specifications is displayed. Select the one you wish to copy, then click Forward.
(b) A Summary Details window is displayed. If any details are incorrect, you can either click Back and make any corrections, or click Cancel.
(c) Click Finish to create the access specification.
Step 4 To create a new access specification:
(a) Click No, then click Forward. The Select Permission window is displayed. Select either Read Only, Read Write, or Read Write Admin. Click Forward.
(b) The Select User Groups window is displayed. Select the user group(s) you wish to include in the specification, then click the right arrow. This moves the selected item into the right hand panel. An alternative method is to double click a selected object. The left arrow moves the selected item back into the left panel. When the group is complete, click Forward.
(c) The Select Feature Lists window is displayed. Select the feature list you want to apply to the new specification, then click the right arrow. When the group is complete, click Forward.
(d) The Select Object Groups window is displayed. Select the object group you want to associate with the new specification, then click the right arrow. When the group is complete, click Forward.
The Summary Details window, similar to Figure 9-4, is displayed. If any details are incorrect, you can either click Back and make any corrections, or click Cancel to exit the wizard.
(e) Click Finish to create the user group.
Step 1 From the Edit drop down menu, select Create, then select User Group.
The Create User Group wizard starts. A window similar to Figure 9-5 is displayed.
Step 2 Enter the name of the User Group to be created, then click Forward.
You are required to select settings for the new User Group. You can copy settings from a previously created User Group or create a new User Group. A window similar to Figure 9-6 is displayed.
Step 3 To copy settings from a previously created group:
(a) Click Yes. A list of User Groups is displayed. Select the User Group you wish to copy, then click Forward.
(b) The Summary Details window is displayed. If any details are incorrect, you can either click Back and make any corrections, or click Cancel to exit the wizard.
(c) Click Finish to create the User Group.
Step 4 To create a new User Group:
(a) Click No, then click Forward. The Select Users window, shown in Figure 9-7, is displayed. The left hand panel displays a list of users.
(b) Select the users you wish to include in the User Group, then click the right arrow. This moves the selected item into the right hand window. The left arrow moves the selected item back into the left panel. When the User Group is complete, click Forward.
Step 5 The Select Access Specifications window, shown in Figure 9-8, is displayed. Select the access specification you want to apply to the new User Group, then click the right arrow.
Step 6 The Summary Details window, shown in Figure 9-9, is displayed. If any details are incorrect, you can either click Back and make any corrections, or click Cancel to exit the wizard.
Step 7 Click Finish to create the User Group.
Step 1 From the Edit drop down menu, select Create, then select User or select the New icon on the Toolbar.
Step 2 The Create User Wizard starts. A window similar to Figure 9-10 is displayed. Enter the details of the user to be created. You must enter a name for login; the other fields can be left blank. Click Forward.
Step 3 The Copy from Existing User window, similar to Figure 9-11, is displayed.
You can select settings from an individual user or from a previously set up user group.
(a) Click Yes if you want to copy settings from a previously created user. A list of users is displayed. Select the user you wish to copy, then click Forward.
(b) Click No if you do not want to copy settings from another user. The Select User Groups window, similar to Figure 9-12, is displayed. The left hand panel displays a list of user groups. Select the user group you wish to copy, then click the right arrow. This moves the selected item into the right hand panel. The left arrow deselects the option. Click Forward.
Step 4 The User Password Entry window, shown in Figure 9-13, is displayed. Enter the password for the new user. Enter the password again to verify. Click Forward.

Step 5 A Summary Details window, similar to Figure 9-14, is displayed. If any details are incorrect, you can either click Back and make any corrections, or click Cancel to exit the wizard.
Step 6 Click Finish to create the User.
An Access Manager object is either a User, a User Group, or an Access Specification. Objects can only be modified by a system administrator.
Two options exist to initiate modifying an object:
1. From the Edit drop down menu, select the Modify option.
2. Double-click the desired object in the Access Manager window.
The Edit User window is displayed.
The Edit User window, shown in Figure 9-15, has a panel on the left which lists all users and a panel on the right that has two tabs: User Details and Select User Groups.
Step 1 Select the user to be edited.
Step 2 Click the User Details tab, then edit the details as required. A value must be entered in each box (a blank is considered a value). Click Apply.
Step 3 To change the user group within which the user is included, click the Select User Group tab. A window similar to Figure 9-16 is displayed. Make your selection from the list, then click the right arrow. The selected item is moved into the right hand panel. The left arrow moves the selected item back into the left panel. When the group is complete click Apply. You can then choose to make other changes and click Apply again.
Step 4 Click Close.
A dialog box asking if you want to Save Changes before Closing? is displayed.
Step 5 Click Yes to save changes before closing, or No to discard the changes and close the editor window, or Cancel to discard the changes and return to the editor window.
The User Group Editor window, shown in Figure 9-17, has a panel on the left which lists all user groups and a panel on the right that has two tabs: Select Users and Select Access Specifications.
Step 1 Select the user group to be edited.
Step 2 To change the members of the user group, click the Select Users tab. Make your selections from the list. To include a user in a group, select the name, then press the right arrow to move the selected item into the right hand panel. The left arrow removes the selected user from the group. When the group is complete, click Apply to save the changes.
Step 3 Click the Access Specifications tab to change the specifications which apply to a user group. To include a specification, select the name, then press the right arrow to move the selected item into the right hand panel. The left arrow removes the selected specification from the list. When the list is complete, click Apply.
Step 4 Click Close.
A dialog box asking if you want to Save Changes before Closing? is displayed.
Step 5 Click Yes to save changes before closing, or No to disregard changes and close the editor window, or Cancel to disregard the changes and return to the editor window.

The Access Specification Editor window, shown in Figure 9-19, has a panel on the left which lists all access specifications. The panel on the right has four tabs, Select Permission, Select User Groups, Select Feature Lists, and Select Object Groups.
Some tabs have two panels, Available Values and Selected Values. For example, on the Select Object Groups tab, to include an available item (value), select the name, then press the right arrow to move the selected item into the right hand panel. The left arrow removes the selected item (value) from the list. When the list is complete, click Apply. Refer to Figure 9-20.
Step 1 In the left hand panel, select the access specification to be edited.
Step 2 To change the permissions for the access specification, click the Select Permission tab, then select either Read Only, Read Write, or Read Write Admin, then click Apply.
Step 3 Click the Select User Groups tab. Select or deselect User Groups from the lists as required, then click Apply.
Step 4 Click the Select Feature Lists tab. Select or deselect Feature Lists from the lists as required, then click Apply.
Step 5 Click the Select Object Groups tab. Select or deselect Object Groups from the lists as required, then click Apply.
A User, a User Group, or an Access Specification can only be deleted by a system administrator using the Access Manager.
Step 1 In the Access Manager window, select the User, User Group, or Access Specification to be deleted.
Step 2 From the Edit menu, select Delete or select the Delete icon from the Toolbar.
A dialog box asking Are you sure? is displayed.
Step 3 Click Yes to proceed, No to cancel.
You must have a user name and password to login to Cisco EMF. The password is initially set up by the system administrator and you can change it if necessary.
A valid password must have between eight and thirty two alphanumeric characters with at least one punctuation character.
You can change your own password. An administrator can change their own password and any other user's password. To make administrative password changes:
Step 1 Open the Access Manager window and select the name of the user whose password is to be changed.
Step 2 From the Edit menu, select Change Password or select the Change Selected User's Password icon from the Toolbar. To change the Admin Password, select Change Admin Password.
The Change User Password window, shown in Figure 9-21, is displayed.

Step 3 Enter the existing password in the Old Password box. Enter a new password in the New Password box, re-enter the new password to verify your choice, then click Apply.
Step 4 If an invalid password is entered or the new password is not verified correctly, an error message is displayed. Click Ok to try again.
Posted: Wed Feb 2 09:26:44 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.