This chapter provides information about the Security Manager application. Security Manager provides controlled access to multiple users of Cisco WAN Manager (CWM) based on the users' UNIX User ID and password.
Security Manager provides user-access profiles that can be customized for each user. The user-access profile is a list of operations or actions a user can perform coupled with assigned access privileges for each action. A user can be assigned access privileges to read, create (write), modify, or delete, or the user can be assigned all privileges.
Only the svplus user can start and stop the CWM core processes. The svplus user has sufficient access privileges to launch all CWM applications and administer the Security Manager application.
Other users can be assigned access privileges that enable them to perform operations within security-controlled applications. These operations can be limited depending on the setting of access privileges by those who administer Security Management. Without the proper access privileges, users cannot launch security-controlled applications.
To use the CWM Security Manager application, you must first do two things:
Note: You cannot use your existing Unix userID and password.
Note: Each CWM Security Manager user must have a unique Unix userID separate from their existing userID.
To add a user, complete the following steps:
host% su
Password: *****
Step 2 At the root prompt, enter the following:
# ./addnewuser <username>
where <username> is the name of the user to add.
Note: The # ./addnewuser <username> command must be issued from the /usr/users/svplus/tools/ directory.
Step 3 Add the user to CWM using CWM Security Manager as described in Configuring Users and Adding New Users.
The Security Manager application is launched from the CWM desktop by clicking the Security Manager icon. The Security Manager window is displayed as shown in Figure 6-1.

The Security Manager has two menu options: File and View. The only option under the File menu is Exit. When you select Exit, a confirmation dialog box is displayed, giving you the opportunity to save the configuration if there are any unsaved changes.
Two options are provided under the View menu: User and Profile. The Profile option is only available to users who have been assigned the Access Privilege "All" for Security Manager Admin. Selecting Profiles will display the List of All Profiles window. Selecting User will display the List of All Users window, listing users who have Security Manager Admin privileges. Users without Admin privileges can view their own profile information through the List of All Users window.
Security Management is provided at the application level. Users are granted access to controlled applications depending on their access privileges.
Using the Profile Administration window, you can create a security profile to give a user read, create, modify, or delete privileges to one or more of the controlled applications. You can set up a profile to grant all privileges to one of the applications and some privileges to another application. You can create a profile for users who only require read access to enable them to observe an application's windows. In other words, Security Management provides detailed security control. Detailed information about which functions are available is presented with the applications.
The functionality for access privileges depends on the application. Privileges are mapped to different functions in different applications. Table 6-1 lists all access privileges required to use each application.
| Function | Read | Create | Modify | Delete | All |
|---|---|---|---|---|---|
| Connection Manager Connections | X | X | X | X | X |
| Cisco View Line/Trunk | X | X | X |  | X |
| Cisco View Port | X | X | X |  | X |
| Cisco View Device | X | X | X |  | X |
| Statistics Collection Manager | X | X | X | X | X |
| Image Download |  |  |  |  | X |
| Node Resync |  |  |  |  | X |
| Configuration Save |  |  |  |  | X |
| Configuration Restore |  |  |  |  | X |
| Network Topology | X | X | X | X | X |
| SvOv Topology |  |  |  |  |  |
| Wingz | X |  |  |  |  |
| CWM Admin | X |  |  |  |  |
| Network Browser | X |  |  |  |  |
| New Reports | X |  |  |  |  |
| Event Log |  |  |  |  |  |
| Conn Proxy |  |  |  |  |  |
| Port Proxy |  |  |  |  |  |
| Security Manager Admin |  |  |  |  | X |
Note: When users are assigned access privileges for Image Download, Node Resync, Configuration Save and Restore functions, access privileges are either all or none.
With read privileges a user can view displays and topology windows, list connections, and other functions where information is read. Read privileges are similar to the svplus-r account from earlier releases of CWM.
With create privileges, a user can create and configure connections, perform association backup, and add nodes, ports, and trunks.
With modify privileges, a user is also granted read privileges. A user with modify access can modify connections, ports, and trunks, and add and delete nodes and groups.
With delete privileges, a user is also granted read privileges. A user with delete access can delete connections, ports, trunks, nodes and groups.
If granted all privileges, a user has read, create, modify and delete privileges for the associated application.
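The privilege rules above (modify and delete include read, All includes everything, and some functions are all-or-none) can be modelled as a fail-closed check. This is an added illustration, not Cisco code: the function names, the sample profiles, and the choice to ignore grants that Table 6-1 does not allow are assumptions.

```python
# Added illustration, not Cisco code. All names here are hypothetical.
PRIVS = {"read", "create", "modify", "delete"}

# Privileges that may be granted per function (subset of the table above).
# A set holding only "all" marks an all-or-none function.
GRANTABLE = {
    "Connection Manager Connections": PRIVS | {"all"},
    "Network Topology": PRIVS | {"all"},
    "Cisco View Port": {"read", "create", "modify", "all"},
    "Image Download": {"all"},
    "Node Resync": {"all"},
    "Wingz": {"read"},
    "Security Manager Admin": {"all"},
}

# Rules from the text: modify and delete include read; all includes everything.
IMPLIES = {"modify": {"read"}, "delete": {"read"}, "all": set(PRIVS)}

def validate_profile(profile):
    """Return (function, privilege) grants that the table does not allow."""
    return sorted(
        (func, priv)
        for func, grants in profile.items()
        for priv in grants
        if priv not in GRANTABLE.get(func, set())
    )

def effective(profile, func):
    """Expand valid grants for one function; invalid grants confer nothing."""
    out = set()
    for priv in profile.get(func, set()) & GRANTABLE.get(func, set()):
        out |= {priv} | IMPLIES.get(priv, set())
    return out

def can(profile, func, action):
    """Default deny: anything not granted or implied is refused."""
    return action in effective(profile, func)

def profile_admins(profiles):
    """Profiles that hold All on Security Manager Admin (can edit profiles)."""
    return sorted(n for n, p in profiles.items()
                  if can(p, "Security Manager Admin", "all"))

# Constructed sample profiles for illustration.
PROFILES = {
    "noc-operator": {"Connection Manager Connections": {"modify"},
                     "Network Topology": {"read"},
                     "Image Download": {"read"}},  # invalid: all-or-none
    "site-admin": {"Security Manager Admin": {"all"}, "Image Download": {"all"}},
}
```

Running `validate_profile` over every stored profile and reviewing the output of `profile_admins` gives a quick least-privilege audit of who can change other users' access.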
You can provide each user with their own access profile. An access profile is the set of access privileges checked by CWM when a user attempts to launch a security-controlled application. A user's access privileges are applied to CWM applications based on the user's access profile.
To configure profiles, launch Security Manager from the CWM desktop, then select View > Profiles. The List of All Profiles is displayed in the Security Manager window. At the bottom of this window, only the New button is active. The buttons for Modify and Delete are not active unless a profile has been selected from the List of All Profiles.
Note: Only users who have the All access privilege for SM Admin can select the Profile window.
When you install CWM software, two default access profiles are created:
You can create profiles to allow users to perform specific tasks within CWM. For example, you can create a profile to give a user read privilege for Network Topology or create and modify privileges for Connection Manager.
You create profiles through the Profile Administration window. When the Profile Administration window is first displayed, as shown in Profile Administration Window, some boxes are labeled in bold typeface. These are the only boxes that can be selected. The All box can be selected for all CWM applications except Wingz, CWM Admin, and Network Browser, which allow the Read box to be selected.
Note: To select specific privileges in the applications other than Wingz, CWM Admin, and Network Browser, you must first select the All box, then deselect it. Doing so causes the other access privileges to be labeled in bold typeface and enables them to be selected.

To create a new security profile, complete the following steps:
Note: Only users who have the All access privilege for SM Admin can create new profiles.
Step 2 Launch the CWM application, if necessary, then launch the CWM desktop by selecting Option 3 from the main menu.
Step 3 Launch Security Manager by clicking its icon on the CWM desktop.
Step 4 From the Security Manager window, select View > Profiles, then click the New button.
The Profile Administration window is displayed, listing all supported operations and the five access privileges.
Step 5 In the Profile field, enter a name for the new profile you are creating and press Return.
You must enter a name to select any access privileges or to use the Apply button.
Step 6 Select the CWM application for which you want to provide access privileges and click the All box.
Step 7 To select a specific access privilege, click the All box again to highlight the individual access privileges for that application as shown in Profile Administration - Connection Manager, then select the desired privileges.
Step 8 After selecting all desired access privileges, click Apply to create the new profile.

After a profile has been created, you can easily modify it. To modify an existing profile, complete the following steps:
Step 2 From the Security Manager window, select View > Profiles.
Step 3 From the List of All Profiles, select the profile to modify, then click the Modify button.
The Profile Administration window is displayed, listing the selected profile in the Profile field and all supported operations and the five access privileges. The name of the profile cannot be changed.
Step 4 Make any desired changes to the selected access privileges, and click Apply when completed.
After a profile has been created, you can easily delete it. To delete an existing profile, complete the following steps:
Step 2 From the Security Manager window, select View > Profiles.
Step 3 From the List of All Profiles, select the profile to delete, then click the Delete button.
Step 4 In the Confirmation dialog window, click OK to delete the selected profile.
The List of All Profiles window is displayed.
After you select View > User from the Security Manager window, the List of All Users window is displayed, as shown in Figure 6-4. The List of All Users window will be blank unless the user has All access privilege for Security Manager Admin.
When first displayed, only the New button at the bottom of the window is active. The Modify and Delete buttons are inactive until you select one of the listed users.
When you install CWM software, three default users are created:

To add a new user, click New on the List of All Users window to display the User Administration window. For new users, all entries are initially blank.
To add a new user, complete the following steps:
The User Administration window is displayed as shown in Figure 6-5.
Step 2 On the User Administration window, provide the new user's user ID.
Step 3 Click Profile to select one from a list of predefined profiles.
After selecting a profile to assign to this user, the Apply button will be active. The Access Privileges pane within the User Administration window displays the access privilege settings for each of the four security-controlled applications.
Step 4 Click Apply to assign the profile to the user.
The List of All Users window is displayed, showing the newly added user.

To modify a user's profile, complete the following steps:
Step 2 Select the user to modify by clicking on the user's name, then click Modify.
The Profile Administration window displays the selected user's current profile and access privileges.
Step 3 Select the desired access privileges and click Apply.
To delete a user's profile, complete the following steps:
Step 2 Select the user to delete by clicking on the user's name, then click Delete.
Step 3 On the confirmation dialog, click Yes to delete the selected user.
Security Manager is supported on CWM applications launched from the CWM desktop, from HP OpenView, and from the UNIX command line prompt. The following tables list the CWM applications and their supported access privileges. An "X" within an access privilege column indicates that the privilege applies to the operation. If the column is blank, the access privilege does not apply to the operation.
Table 6-1 lists the access privileges required for applications launched from the CWM desktop.
| Desktop Application | Read | Create | Modify | Delete | All |
|---|---|---|---|---|---|
| Network Topology | X | X | X | X | X |
| Topology Image Download |  |  |  |  | X |
| Topology Restore Configuration |  |  |  |  | X |
| Topology Save Configuration |  |  |  |  | X |
| Wingz | X |  |  |  |  |
| Connection Manager GUI | X | X | X | X | X |
| Network Browser | X |  |  |  |  |
| CWM Administrator | X |  |  |  |  |
| Summary Reports | X |  |  |  |  |
Table 6-2 lists the access privileges required for applications launched from HP OpenView.
| HPOV Applications | Read | Create | Modify | Delete | All |
|---|---|---|---|---|---|
| SVOV Topology |  |  |  |  |  |
| Event Log |  |  |  |  |  |
| Image Download |  |  |  |  | X |
| Node Resync |  |  |  |  | X |
| Configuration Save |  |  |  |  | X |
| Configuration Restore |  |  |  |  | X |
Table 6-3 lists the access privileges required for applications launched from the UNIX prompt.
| UNIX Prompt Applications | Read | Create | Modify | Delete | All |
|---|---|---|---|---|---|
| Statistics Collection Manager | X | X | X | X | X |
| Cisco View Lines/Trunks | X | X | X |  | X |
| Connection Proxy |  |  |  |  |  |
| Port Proxy |  |  |  |  |  |
Only users with All access privilege for CWM Admin are able to launch the Security Manager application. Users without access privilege will find the Security Manager icon on the CWM desktop to be grey and inactive.
The CWM Connection Manager is linked to Security Manager, which checks a user's access privileges before providing access to Connection Manager. A user without access privileges will find the Connection Manager icon on the CWM desktop grey and inactive, and will be unable to launch the Connection Manager application.
Table 6-4 lists the access privileges required to perform security-controlled operations within the Connections Manager application.
| Access Privilege | Connection Manager Operations |
|---|---|
| Read | Able to list connections and view multicast connections and templates. |
| Create | Able to configure connections and perform association backup. |
| Modify | Able to modify connections; also able to list connections, view multicast connections and templates (read access privileges). |
| Delete | Able to delete connections; also able to list connections and view multicast connections and templates (read access privileges). |
The CWM Equipment Manager is linked to Security Manager which checks a user's access privileges before providing access to Equipment Manager or CiscoView. A user without access privileges will not be able to launch Equipment Manager or CiscoView.
Security Manager divides the Equipment Management functions into five separate areas: line, trunk, card, port, and device. You must specify access privileges for each of these separately.
Table 6-5 lists the access privileges required for line and trunk management through Equipment Manager and Cisco View.
| Access Privilege | Meaning |
|---|---|
| Read | The Configure/Monitor window for lines and trunks will be displayed. Without read access privileges, only status is displayed. |
| Create | Not applicable. |
| Modify | No modification of line/trunk-level parameters is permitted. |
Table 6-6 lists the access privileges required for card management through Equipment Manager and Cisco View.
| Access Privilege | Meaning |
|---|---|
| Read | Able to view card images. |
| Create | Not applicable. |
| Modify | Able to modify card configuration. |
Table 6-7 lists the access privileges required for port management through Equipment Manager and Cisco View.
| Access Privilege | Meaning |
|---|---|
| Read | The Configure/Monitor window for lines and trunks will be displayed. |
| Create | Error messages will be displayed indicating that the user has no permission to create ports. |
| Modify | No modification of port-level parameters is permitted. |
Table 6-8 lists the access privileges required for device management through Equipment Manager and Cisco View.
| Access Privilege | Meaning |
|---|---|
| Read | The device will be opened/shown and device status is displayed. |
| Create | Not applicable. |
| Modify | No modification of device-level parameters is permitted. |
The CWM Network Topology application is linked to Security Manager, which checks a user's access privileges before providing access to the Topology application on the CWM desktop. A user without access privileges will find the Topology icon on the CWM desktop grey and inactive, and will be unable to launch the Topology application. Table 6-9 lists the access privileges.
| Access Privilege | Topology Operations |
|---|---|
| Read | Able to view topology windows. |
| Create | Able to add nodes and view topology windows (read access privileges). |
| Modify | Able to make modifications to topology maps. |
| Delete | Able to delete nodes, delete groups, and view topology windows (read access privileges). |
The CWM Statistics Collection Manager is linked to Security Manager which checks a user's access privileges before providing access to SCM. A user without access privileges will not be able to launch the SCM application.
Table 6-10 lists the access privileges required to perform security-controlled operations within the SCM application.
| Access Privilege | SCM Operation |
|---|---|
| Read | Enables Show Collection Information option |
| Create | Enables Stats Enable option |
| Modify | Enables Start Collection option |
| Delete | Enables Stop Collection option |
Posted: Fri Sep 29 12:20:29 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.