Network Organization

Overview of Network Management

The Cisco IP Manager software utilizes five distinct information units to model a network management working environment:

Domains provide a hierarchical organizational structure for the management of elements (devices) and templates. Templates and associated data are the means by which configurations are generated for devices, either individually or as a group.

Individual users derive their access levels (permissions to manipulate domains, elements and templates) from the permission group to which they belong.

Users and permission groups are created and managed by a single user entity, the CIPM administrator, known to the system as admin.

Domains

Domains are the organizational containers in which elements and templates are created and maintained.

The system always includes at least one domain, the root domain. This domain is reserved for system use. It is a special-purpose domain that serves as the starting point and common ancestor for other top-level domains.

Elements

When elements (network devices, such as routers) are created within the Cisco IP Manager system, they are associated with a specific domain. Any user who has sufficient access to the elements within a domain can configure those elements from a template that is created in any other domain that the user can access.

Templates

Templates are the means by which configurations can be built and reproduced in multiple quantities. A template consists of a template body and a template data object. The template body contains text made up of the static portion of the configuration, that is, text that does not change from device to device (the Cisco IOS commands), and the variable names that will be replaced by data values.

The template data object contains the data values that are used in place of the variable names when configurations are generated.

Templates are created as objects within specific domains, but a template can be used to configure devices in any domain if the user belongs to a group that has sufficient permission.

A template can reference another template. The referenced template is called a subtemplate.

The subtemplate must be in the same domain as the calling template or in a domain higher in the domain hierarchy. It must be in a direct line of ancestry from the calling template's domain; that is, it cannot be in a subdomain of any of the ancestor domains.

Templates can be nested only one level deep. A subtemplate cannot reference another subtemplate.
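The two subtemplate rules above (location in the caller's line of ancestry, and nesting only one level deep) can be checked mechanically. The following is an added example, not Cisco IP Manager code: the Template class, the path-tuple representation of a domain, and the sample template names are all assumptions made for illustration.

```python
# Added illustration: names and structures are assumptions, not CIPM's API.
from dataclasses import dataclass, field

@dataclass
class Template:
    name: str
    domain: tuple   # path from the root domain, e.g. ("domainA", "subdomainA-2")
    references: list = field(default_factory=list)  # names of subtemplates called

def in_ancestry(sub_domain, caller_domain):
    """True if sub_domain is the caller's domain or one of its ancestors,
    i.e. its path is a prefix of the caller's path (root is the empty path)."""
    return caller_domain[:len(sub_domain)] == sub_domain

def check_references(templates):
    """Return (caller, subtemplate, reason) for every rule violation."""
    by_name = {t.name: t for t in templates}
    problems = []
    for caller in templates:
        for ref in caller.references:
            sub = by_name.get(ref)
            if sub is None:
                problems.append((caller.name, ref, "unknown template"))
                continue
            if not in_ancestry(sub.domain, caller.domain):
                problems.append((caller.name, ref, "not in caller's ancestry"))
            if sub.references:
                # A subtemplate cannot reference another subtemplate.
                problems.append((caller.name, ref, "nested more than one level"))
    return problems

# Constructed sample set; domain names follow the hierarchy used in this chapter.
SAMPLE = [
    Template("banner", ("domainA",)),
    Template("acl-base", ("domainA", "subdomainA-1")),
    Template("snmp", ("domainA",), ["banner"]),
    Template("edge-router", ("domainA", "subdomainA-2", "subdomainA-2.1"),
             ["banner", "acl-base", "snmp"]),
]

if __name__ == "__main__":
    for caller, sub, reason in check_references(SAMPLE):
        print(f"{caller} -> {sub}: {reason}")
```

In the sample, the reference to acl-base is rejected because subdomainA-1 is a sibling branch rather than an ancestor of subdomainA-2.1, and the reference to snmp is rejected because snmp itself calls a subtemplate.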

Users

When you create a user, you are only providing the system with a name and password for the user entity, which can be either a person or an application. Users derive working privileges (access to domains, elements, and templates) from the permission group to which they are assigned. A user can belong to only a single permission group.

Only the admin user can create or modify a user profile.

Permissions Groups

User access to domains, elements, and templates is controlled by the permissions that are granted to permission groups.

Permissions describe what level of access is permitted for various resources; a permissions group defines the permissions that are assigned to its members. Every user who is included in a group has all of the access privileges granted to that group.

Only the admin user can create a permissions group and assign or modify privileges.

Permissions are granted as follows (in any combination):

To work on an element or a template, the user must belong to a group that has been given the appropriate access to the element or template and has been given at least read access to the domain in which the element or template resides.

Permissions descend downward from the topmost domain in which the group has rights.

Consider the following example:

domainA
   subdomainA-1
   subdomainA-2
      subdomainA-2.1
domainB
   subdomainB-1
 

If a permission group is granted the right to create and delete elements and templates in domainA only, users in that group can also create and delete elements and templates in subdomainA-1, subdomainA-2 and subdomainA-2.1, but not in either domainB or subdomainB-1.

If the permission group is granted permission to create domains in domainA, users in that group automatically gain the right to create subdomains in any of the domains that exist within domainA.

If the permission group is granted permission to delete domains in domainA, users in that group automatically gain the right to delete any domains within domainA.

Once a domain has been created, however, the administrator can change these inherited permissions.
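The inheritance behavior described above, including an administrator's later change to an inherited permission, can be modeled as a walk up the domain tree. This is an added example, not Cisco IP Manager code: the right names (such as element:create), the grant dictionaries, and the rule that a per-domain entry replaces the inherited set are assumptions made for illustration.

```python
# Added illustration: the data model and right names are assumptions, not CIPM's API.
PARENT = {  # child -> parent, mirroring the example hierarchy above
    "domainA": "root", "subdomainA-1": "domainA", "subdomainA-2": "domainA",
    "subdomainA-2.1": "subdomainA-2", "domainB": "root", "subdomainB-1": "domainB",
}

def ancestry(domain):
    """Yield the domain, then each ancestor up to the root domain."""
    while domain is not None:
        yield domain
        domain = PARENT.get(domain)

def effective_rights(grants, domain):
    """Nearest explicit entry on the path to root wins, so a per-domain change
    by the administrator replaces what would otherwise be inherited
    (assumed override semantics)."""
    for d in ancestry(domain):
        if d in grants:
            return grants[d]
    return frozenset()

def can(grants, domain, right):
    """Element and template rights also require at least read access to the
    domain in which the object resides."""
    rights = effective_rights(grants, domain)
    if right.startswith(("element:", "template:")):
        return right in rights and "domain:read" in rights
    return right in rights

def audit(grants, right):
    """Map every domain to whether the group holds `right` there."""
    return {d: can(grants, d, right) for d in ["root", *PARENT]}

# Constructed sample: one permission group's grants, keyed by domain.
GRANTED_IN_A = {"domainA": frozenset({"domain:read", "element:create",
                                      "element:delete", "template:create",
                                      "template:delete"})}
# Same group after the administrator narrows one subdomain to read-only.
NARROWED = {**GRANTED_IN_A, "subdomainA-2.1": frozenset({"domain:read"})}

if __name__ == "__main__":
    for label, grants in (("inherited", GRANTED_IN_A), ("narrowed", NARROWED)):
        allowed = [d for d, ok in audit(grants, "element:create").items() if ok]
        print(f"{label:9} element:create allowed in: {', '.join(allowed)}")
```

Running an audit like this per group and per right gives a quick view of where a grant made high in the hierarchy actually reaches.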

Granting Useful Permissions

For domains created by the administrator to be useful to nonadministrative users, the create, read, and modify permissions should be granted. Create permission is necessary for domain creation, read permission is required to get the content of the domain, and modify permission is needed to assign the NEM server in the domain.

Element Manager Gateway Considerations

The three element manager gateways (NEMServer, SGServer, and TGServer) must be on a machine that has LAN access to devices it is handling.

To listen for SNMP traps, the SNMP Gateway Server (SGServer) must run as root and listen on UDP port 162. No other process on the same machine can listen on this port once the SGServer is running.

GUI Application

The graphical user interface (GUI) application provides the following tools for working with the network resources described previously:

For information on running the GUI, see the chapter "Running the GUI."

For information about creating and managing domains and elements, see the chapter "Managing Network Elements."

For information about working with templates, see the chapter "Managing Templates."

For information about managing users and permission groups and about the log viewer, see the chapter "System Administration and Log Management."

For information about the archive manager, see the chapter "Archive Administration."


Posted: Mon Feb 14 14:15:46 PST 2000
Copyright © 1989 - 2000 Cisco Systems Inc.