Security Management

This chapter provides information about the Security Management application. Security Management provides controlled access to multiple users of Cisco WAN Manager (CWM) based on the users' UNIX User ID and password.

Security Management provides user-access profiles that can be customized for each user. The user-access profile is a list of operations or actions a user can perform coupled with assigned access privileges for each action. A user can be assigned access privileges to read, create (write), modify, or delete, or the user can be assigned all privileges.

To launch the Wingz Reports, Network Browser, CWM Admin, and New Reports applications, users are required to have Read access. Users who have been assigned access privileges will be able to perform CWM management functions depending on their security profile.

Only the svplus user can start and stop the CWM core processes. The svplus user has sufficient access privileges to launch all CWM applications and administer the Security Management application.

Other users can be assigned access privileges that enable them to perform operations within security-controlled applications. These operations can be limited depending on the setting of access privileges by those who administer Security Management. Without the proper access privileges, users cannot launch security-controlled applications.

Security Management Requirements

To use the CWM Security Management application, you must first do two things:

You cannot use your existing Unix userID and password.

Note Each CWM Security Manager user must have a unique Unix userID separate from their existing userID.

To add a user, complete the following steps:

Step 1 At the CWM console prompt, enter su and provide a password.

host% su

Password: *****

Step 2 At the root prompt, enter the following:

# ./addnewuser <username>

where <username> is the name of the user to add.

Step 3 Add the user to CWM using CWM Security Manager as described in Configuring Users and Adding New Users.

Launching Security Management

The Security Management application is launched from the CWM desktop by clicking the Security Management icon. The Security Manager window is displayed as shown in Figure 10-1.


Figure 10-1: Security Manager Window


The Security Manager has two menu options: File and View. The only option under the File menu is Exit. When you select Exit, a confirmation dialog box is displayed, giving you the opportunity to save the configuration if there are any unsaved changes.

Two options are provided under the View menu: User and Profile. The Profile option is only available to users who have been assigned the Access Privilege "All" for Security Manager Admin. Selecting Profiles will display the List of All Profiles window. Selecting User will display the List of All Users window, listing users who have Security Manager Admin privileges. Users without Admin privileges can view their own profile information through the List of All Users window.

Access Privileges

Security Management is provided at the application level. Users are granted access to controlled applications depending on their access privileges.

Using the Profile Administration window, you can create a security profile to give a user read, create, modify, or delete privileges to one or more of the controlled applications. You can set up a profile to grant all privileges to one of the applications and some privileges to another application. You can create a profile for users who only require read access to enable them to observe an application's windows. In other words, Security Management provides detailed security control. Detailed information about which functions are available is presented with the applications.

The functionality for access privileges depends on the application. Privileges are mapped to different functions in different applications. Table 10-1 lists all access privileges required to use each application.


Table 10-1: Applications and Access Privileges
Function Read Create Modify Delete All

Connection Manager Connections

X

X

X

X

X

Cisco View Line/Trunk

X

X

X

X

Cisco View Port

X

X

X

X

Cisco View Device

X

X

X

X

Statistics Collection Manager

X

X

X

X

X

Image Download

X

Node Resync

X

Configuration Save

X

Configuration Restore

X

Network Topology

X

X

X

X

X

SvOv Topology

Wingz

X

CWM Admin

X

Network Browser

X

New Reports

X

Event Log

Conn Proxy

Port Proxy

Security Manager Admin

X


Note When users are assigned access privileges for Image Download, Node Resync, Configuration Save and Restore functions, access privileges are either all or none.

Read Privileges

With read privileges, a user can view displays and topology windows, list connections, and perform other functions where information is read. Read privileges are similar to the svplus-r account from earlier releases of CWM.

Create Privileges

With create privileges, a user can create and configure connections, perform association backup, and add nodes, ports, and trunks.

Modify Privileges

With modify privileges, a user is also granted read privileges. A user with modify access can modify connections, ports, and trunks, and add and delete nodes and groups.

Delete Privileges

With delete privileges, a user is also granted read privileges. A user with delete access can delete connections, ports, trunks, nodes and groups.

All Privileges

If granted all privileges, a user has read, create, modify and delete privileges for the associated application.
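
The privilege rules above (Modify and Delete carry Read; All carries all four), together with the all-or-none note under Table 10-1 and the Read selection rule for Wingz, CWM Admin, and Network Browser, can be modeled for a least-privilege review of profiles. The following Python is an added example, not Cisco code; the profile layout, the function names, and the OPERATOR sample are assumptions made for illustration.

```python
# Added example (not Cisco code): models the privilege rules this chapter states.
# Profile layout, function names and sample data are assumptions for illustration.
from typing import Dict, List, Set

Profile = Dict[str, Set[str]]  # application -> boxes ticked in the profile
BASE = {"read", "create", "modify", "delete"}
# All-or-none functions, per the note under Table 10-1.
ALL_OR_NONE = {"Image Download", "Node Resync",
               "Configuration Save", "Configuration Restore"}
# Applications where the Read box is the one that can be selected.
READ_ONLY = {"Wingz", "CWM Admin", "Network Browser"}

def effective(granted: Set[str]) -> Set[str]:
    """Expand ticked boxes: All covers everything; Modify and Delete carry Read."""
    unknown = granted - BASE - {"all"}
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    if "all" in granted:
        return set(BASE)
    eff = set(granted)
    if eff & {"modify", "delete"}:
        eff.add("read")
    return eff

def invalid_entries(profile: Profile) -> List[str]:
    """Entries that contradict the chapter's selection rules."""
    bad = []
    for app, granted in sorted(profile.items()):
        if app in ALL_OR_NONE and granted not in (set(), {"all"}):
            bad.append(f"{app}: must be All or nothing")
        elif app in READ_ONLY and granted - {"read"}:
            bad.append(f"{app}: only Read is selectable")
    return bad

def is_allowed(profile: Profile, app: str, privilege: str) -> bool:
    """True if the profile effectively holds `privilege` for `app`."""
    return privilege in effective(profile.get(app, set()))

def change_capable(profile: Profile) -> Dict[str, List[str]]:
    """Least-privilege review: applications where the profile can change state."""
    out = {}
    for app, granted in profile.items():
        writes = sorted(effective(granted) - {"read"})
        if writes:
            out[app] = writes
    return out

# Constructed sample profile, not taken from a real CWM installation.
OPERATOR: Profile = {
    "Network Topology": {"read"},
    "Connection Manager": {"create", "modify"},
    "Node Resync": {"all"},
    "Wingz": {"read"},
}
```

Running change_capable over every profile assigned to users gives a short list of who can alter connections or node configuration, which is the part of a profile review that matters most.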

Configuring Profiles

You can provide each user with their own access profile. An access profile is the set of access privileges checked by CWM when a user attempts to launch a security-controlled application. A user's access privileges are applied to CWM applications based on the user's access profile.

To configure profiles, launch Security Management from the CWM desktop, then select View > Profiles. The List of All Profiles is displayed in the Security Manager window. At the bottom of this window, only the New button is active. The buttons for Modify and Delete are not active unless a profile has been selected from the List of All Profiles.


Note Only users who have the All access privilege for SM Admin can select the Profile window.

When you install CWM software, two default access profiles are created:

Creating New Profiles

You can create profiles to allow users to perform specific tasks within CWM. For example, you can create a profile to give a user read privilege for Network Topology or create and modify privileges for Connection Manager.

You create profiles through the Profile Administration window. When the Profile Administration window is first displayed, as shown in Figure 10-2, some boxes are labeled in bold typeface. These are the only boxes that can be selected. The All box can be selected for all CWM applications except Wingz, CWM Admin, and Network Browser, which allow the Read box to be selected.


Note To select specific privileges in the applications other than Wingz, CWM Admin, and Network Browser, you must first select the All box, then unselect it. Doing so causes the other access privileges to be labeled in bold typeface and enables them to be selected.

Figure 10-2: Profile Administration Window


To create a new security profile, complete the following steps:


Note Only users who have the All access privilege for SM Admin can create new profiles.

Step 1 Log in to the CWM workstation.

Step 2 Launch the CWM application, if necessary, then launch the CWM desktop by selecting Option 3 from the main menu.

Step 3 Launch Security Management by clicking its icon on the CWM desktop.

Step 4 From the Security Manager window, select View > Profiles, then click the New button.

The Profile Administration window is displayed, listing all supported operations and the five access privileges.

Step 5 In the Profile field, enter a name for the new profile you are creating and press Return.

You must enter a name to select any access privileges or to use the Apply button.

Step 6 Select the CWM application for which you want to provide access privileges and click the All box.

Step 7 To select a specific access privilege, click the All box again to highlight the individual access privileges for that application as shown in Figure 10-3, then select the desired privileges.

Step 8 After selecting all desired access privileges, click Apply to create the new profile.


Figure 10-3: Profile Administration - Connection Manager


Modifying Profiles

After a profile has been created, you can easily modify it. To modify an existing profile, complete the following steps:

Step 1 Launch Security Management by clicking its icon on the CWM desktop.

Step 2 From the Security Manager window, select View > Profiles.

Step 3 From the List of All Profiles, select the profile to modify, then click the Modify button.

The Profile Administration window is displayed, listing the selected profile in the Profile field and all supported operations and the five access privileges. The name of the profile cannot be changed.

Step 4 Make any desired changes to the selected access privileges, and click Apply when completed.

Deleting Profiles

After a profile has been created, you can easily delete it. To delete an existing profile, complete the following steps:

Step 1 Launch Security Management by clicking its icon on the CWM desktop.

Step 2 From the Security Manager window, select View > Profiles.

Step 3 From the List of All Profiles, select the profile to delete, then click the Delete button.

Step 4 In the Confirmation dialog window, click OK to delete the selected profile.

The List of All Profiles window is displayed.

Configuring Users

After you select View > User from the Security Manager window, the List of All Users window is displayed, as shown in Figure 10-4. The List of All Users window will be blank unless the user has All access privilege for Security Manager Admin.

When first displayed, only the New button at the bottom of the window is active. The Modify and Delete buttons are inactive until you select one of the listed users.

When you install CWM software, three default users are created:


Figure 10-4: List of All Users Window


Adding New Users

To add a new user, click New on the List of All Users window to display the User Administration window. For new users, all entries are initially blank.

To add a new user, complete the following steps:

Step 1 From the Security Manager window, select View > User, then click New.

The User Administration window is displayed as shown in Figure 10-5.

Step 2 On the User Administration window, provide the new user's user ID.

Step 3 Click Profile to select one from a list of predefined profiles.

After selecting a profile to assign to this user, the Apply button will be active. The Access Privileges pane within the User Administration window displays the access privilege settings for each of the four security-controlled applications.

Step 4 Click Apply to assign the profile to the user.

The List of All Users window is displayed, showing the newly added user.


Figure 10-5: Security Manager - User Administration Window


Modifying User's Profiles

To modify a user's profile, complete the following steps:

Step 1 From the Security Manager window, select View > User.

Step 2 Select the user to modify by clicking on the user's name, then click Modify.

The Profile Administration window displays the selected user's current profile and access privileges.

Step 3 Select the desired access privileges and click Apply.

Deleting Users

To delete a user's profile, complete the following steps:

Step 1 From the Security Manager window, select View > User.

Step 2 Select the user to delete by clicking on the user's name, then click Delete.

Step 3 On the confirmation dialog, click Yes to delete the selected user.

Controlled Applications

Security management is supported on CWM applications launched from the CWM desktop, from HP OpenView, and from the UNIX command line prompt. The following tables list the CWM applications and their supported access privileges. An "X" within an access privilege column indicates that the privilege applies to the operation. If the column is blank, the access privilege does not apply to the operation.

Table 10-2 lists the access privileges required for applications launched from the CWM desktop.

Table 10-2: Desktop Application Security Matrix
Desktop Application Read Create Modify Delete All

Network Topology

X

X

X

X

X

Topology Image Download

X

Topology Restore Configuration

X

Topology Save Configuration

X

Wingz

X

Connection Manager GUI

X

X

X

X

X

Network Browser

X

CWM Administrator

X

Summary Reports

X

Table 10-3 lists the access privileges required for applications launched from HP OpenView.


Table 10-3: HP OpenView Applications Security Matrix
HPOV Applications Read Create Modify Delete All

SVOV Topology

Event Log

Image Download

X

Node Resync

X

Configuration Save

X

Configuration Restore

X

Table 10-4 lists the access privileges required for applications launched from the UNIX prompt.


Table 10-4: UNIX Prompt Applications Security Matrix
UNIX Prompt Applications Read Create Modify Delete All

Statistics Collection Manager

X

X

X

X

X

Cisco View Lines/Trunks

X

X

X

X

Connection Proxy

Port Proxy

Security Manager

Only users with All access privilege for CWM Admin are able to launch the Security Manager application. Users without access privilege will find the Security Manager icon on the CWM desktop to be grey and inactive.

Connection Manager

The CWM Connection Manager is linked to Security Manager, which checks a user's access privileges before providing access to Connection Manager. A user without access privileges will find the Connection Manager icon on the CWM desktop grey and inactive, and will be unable to launch the Connection Manager application.

Table 10-5 lists the access privileges required to perform security-controlled operations within the Connection Manager application.


Table 10-5: Connection Manager Access Privileges

Access Privilege   Connection Manager Operations
Read               Able to list connections and view multicast connections and templates.
Create             Able to configure connections and perform association backup.
Modify             Able to modify connections; also able to list connections, view multicast connections and templates (read access privileges).
Delete             Able to delete connections; also able to list connections and view multicast connections and templates (read access privileges).

Equipment Manager

The CWM Equipment Manager is linked to Security Manager, which checks a user's access privileges before providing access to Equipment Manager or CiscoView. A user without access privileges will not be able to launch Equipment Manager or CiscoView.

Security Manager divides the Equipment Management functions into five separate areas: line, trunk, card, port, and device. You must specify access privileges for each of these separately.

Line/Trunk Access Privileges

Table 10-6 lists the access privileges required for line and trunk management through Equipment Manager and Cisco View.


Table 10-6: Line/Trunk-Level Access Privileges

Access Privilege   Meaning
Read               The Configure/Monitor window for lines and trunks will be displayed. Without read access privileges, only status is displayed.
Create             Not applicable.
Modify             No modification of line/trunk-level parameters is permitted.

Card Access Privileges

Table 10-7 lists the access privileges required for card management through Equipment Manager and Cisco View.


Table 10-7: Card-Level Access Privileges

Access Privilege   Meaning
Read               Able to view card images.
Create             Not applicable.
Modify             Able to modify card configuration.

Port Access Privileges

Table 10-8 lists the access privileges required for port management through Equipment Manager and Cisco View.


Table 10-8: Port-Level Access Privileges

Access Privilege   Meaning
Read               The Configure/Monitor window for lines and trunks will be displayed.
Create             Error messages will be displayed indicating that the user has no permission to create ports.
Modify             No modification of port-level parameters is permitted.

Device Access Privileges

Table 10-9 lists the access privileges required for device management through Equipment Manager and Cisco View.


Table 10-9: Device-Level Access Privileges

Access Privilege   Meaning
Read               The device will be opened/shown and device status is displayed.
Create             Not applicable.
Modify             No modification of device-level parameters is permitted.

Network Topology

The CWM Network Topology application is linked to Security Manager, which checks a user's access privileges before providing access to the Topology application on the CWM desktop. A user without access privileges will find the Topology icon on the CWM desktop grey and inactive, and will be unable to launch the Topology application.


Table 10-10: Topology Access Privileges

Access Privilege   Topology Operations
Read               Able to view topology windows.
Create             Able to add nodes and view topology windows (read access privileges).
Modify             Able to make modifications to topology maps.
Delete             Able to delete nodes, delete groups, and view topology windows (read access privileges).

Statistics Collection Manager

The CWM Statistics Collection Manager (SCM) is linked to Security Manager, which checks a user's access privileges before providing access to SCM. A user without access privileges will not be able to launch the SCM application.

Table 10-11 lists the access privileges required to perform security-controlled operations within the SCM application.


Table 10-11: SCM Access Privileges

Access Privilege   SCM Operation
Read               Enables Show Collection Information option
Create             Enables Stats Enable option
Modify             Enables Start Collection option
Delete             Enables Stop Collection option


Posted: Thu Nov 4 21:22:19 PST 1999
Copyright 1989-1999©Cisco Systems Inc.