Setting Up CMNM Security

CMNM provides user access control, which allows a system administrator to control what different users are able to do. Each user has a different login name and password, with a specific set of privileges within the system.

A standard administrator user (admin) is available by default. The administrator user has access to all features at all times. The administrator user may not be edited other than to change the password.

CMNM requires every user to have a login ID and password. Before users can start the application, they must specify their login ID and enter the correct password. An administrator account is provided to allow for creating, modifying, resetting, and deleting user accounts.

Within CMNM, access to features can be restricted on the basis of the user's access level to a subset (or group) of these features.

For example, administration of particular managed objects should be performed only by operators who are responsible for that particular site or for a region in which that site belongs. However, these operators may also require visibility of objects outside their own area of control.

User Groups

CMNM user accounts can be collected by an administrator into groups. These user groups can be used to model user roles. A typical setup might involve a user group for system administrators, for network fault detail users, and for operators to manage a given site.

It is on the basis of these user groups that CMNM applies access control. The CMNM administrator configures access control by assigning access specifications to the relevant user groups.

Feature Lists

All features offered to a user are grouped together into feature lists. The benefit of feature lists is that it is easy to give access to a related set of features by simply choosing a feature list instead of having to assign features individually. Any given feature may appear in more than one feature list.

Table 5-1 Feature Lists in CMNM

Feature List	Permissions¹	Description
AccessManagement	RWA	Set up users, user groups, assign passwords, and define access params.
AutoDiscovery	RW	Launch the auto-discovery services
Change Password	RWA	Change passwords
Deployment	RW	Deploy sites, regions, and network (generic object deployment)
EventGroupEditFeatureList	RW	Create and edit event groups
EventGroupViewFeatureList	R	View existing event groups
Events-View	R	Launch the event browser in read-only mode
Events-Clear_Acknowledge	RW	Allow user to clear and acknowledge events
GenericConfigApplication	RWA	Launch the object configuration utility
Help	R	Launch online help
Host-Dialplan-Properties	R	View properties of Cisco MGC host dial plan components
Host-Signaling-Performance	RW	View performance statistics for signaling components
Host-Signaling-Properties	R	View properties of Cisco MGC host signaling components
Host-Trunking-Properties	R	View properties of Cisco MGC host trunking components
Launchpad	R	Use the CEMF launchpad (start a CEMF session)
MGC-Node-Accounts	RWA	Change the passwords, login IDs, and SNMP community strings
MGC-Node-Diagnostics	RW	Run diagnostic tools on Cisco MGC node components
MGC-Node-Filesystems	RW	View file system information on BAMS and Cisco MGC host devices
MGC-Node-Properties	R	View properties of Cisco MGC node components
MGC-Node-Provisioning	RW	Deploy all Cisco MGC node components (either manually or via a seed file)
MGC-Node-States	RW	Change the states of Cisco MGC node components
MGC-Node-Tools	RW	Launch Cisco MGC node component tools
MGC-Node-Transfer	RWA	Performance configuration and image upload and download
MGC-Node-Trap-Forwarding	RWA	Configure trap forwarding destinations
MGX-Accounts	RWA	Change the passwords, IDs, and SNMP info for Cisco MGX 8260 components
MGX-Properties	R	View properties of Cisco MGX 8260 components
MGX-Provisioning	RW	Deploy Cisco MGX 8260 components
MGX-States	RW	Change the states of Cisco MGX 8260 components
MGX-Tools	RW	Launch Cisco MGX 8260 component tools
MGX-Trap-Forwarding	RWA	Configure trap forwarding destinations
NotificationEditFeatureList	RW	Create and edit notification profiles
NotificationViewFeatureList	R	View existing notification profiles
ObjectGroups-Edit	RW	Create and edit object groups
ObjectGroups-View	R	View existing object groups
Performance Management	RW	Open the Performance Manager utility
ThresholderEditFeatureList	RW	Allow user to define and edit thresholds
ThresholderViewFeatureList	R	Allow user to view existing thresholds
Viewer-Edit	RW	Use the map viewer in read-write mode
Viewer-View	R	Use the map viewer in read-only mode

1 Use this column to determine the permissions you want to assign to various types of users. For more information, see the "Creating Typical Types of Users" section.

Access Specifications

Access specifications connect together the user groups, the features that can be invoked by a group, and the objects upon which these features can be invoked.

A number of access specifications are provided by default with the CMNM. More access specifications can be built at the discretion of the system administrator.

Setting Up Accounts

CMNM allows the administrator to associate privileges with user accounts. For example, regular users can be prevented from performing certain management functions, while more technically sophisticated users can be given full management privileges.

Setting Up New Accounts

Step 2 From the Access Manager screen, select Edit, Create, then User as shown in Figure 5-2.

Step 4 To use an existing user as a template for the user you are adding, click Yes, select the user you want to copy, then click Forward. If you do not want to copy an existing user or none exists, click No then click Forward.

Step 5 Select a user group, click an arrow to move it to the Selected User Groups list, and click Forward.

If no user groups are defined at this time, you may define a user group later and assign the user to it at any time. For more information on user groups, see the "Creating User Groups" section.

Step 6 Enter a password for the user and confirm it. Passwords must contain 8 to 32 alphanumeric characters and at least one punctuation character such as _, %, (, or ^. Click Forward.

If you typed a valid password, you see the screen in Figure 5-7. If you typed an invalid password, you see Figure 5-6 again with an error message. Reenter a valid password.

Step 7 To make changes, click Back and enter the corrected information. To add the user, click Finish.

Creating User Groups

Step 5 Select each user you want in the new group and click the arrow to move each to the Selected Users list. When you are finished, click Forward.

Step 6 Select each access specification you want for the new group and click the arrow to move each to the Selected Access Specs list. When you are finished, click Forward.

Step 7 To make changes, click Back and enter the corrected information. To add the user group, click Finish.

Creating New Access Specifications

Step 5 Select a user group from the available user groups list and click the right arrow to move it to the Selected User Groups list. Click Forward.

Step 6 Select each feature you want for the new access specification and click the right arrow to move each to the Selected Feature Lists. When you are finished, click Forward.

Step 7 Select each object group you want for the new access specification and click the right arrow to move each to the Selected Object Groups list. When you are finished, click Forward.

Step 8 To make changes, click Back and enter the corrected information. To add the access specification, click Finish.

Creating Typical Types of Users

Table 5-2 Creating Typical Users

To Create This Type of Account:

Peform These Steps:

Administrator

Using the instructions in the "Setting Up New Accounts" section, create a new account and create the user by copying the existing administrator template. The administrator should have all the features labeled with the permissions R, RW, and RWA in Table 5-1.

Operator with read permission that can deploy and launch tools

Using the instructions in the "Creating New Access Specifications" section, create a new access specification with the features labeled with the permissions R and RW in Table 5-1.

Using the instructions in the "Creating User Groups" section, create a new user group with the access specification you just created.

Then using the instructions in the "Setting Up New Accounts" section, create a new account, create the user, and assign the user to the group you just created.

Operator with read-only permission

Using the instructions in the "Creating New Access Specifications" section, create a new access specification with the features labeled with the permission R in Table 5-1.

Using the instructions in the "Creating User Groups" section, create a new user group with the access specification you just created.

Then using the instructions in the "Setting Up New Accounts" section, create a new account, create the user, and assign the user to the group you just created.

Modifying Users

Step 2 Select a user from the list and change any information in the fields. To change the user groups that the user belongs to, click the Select User Groups tab and make any changes.

Modifying User Groups

Step 2 Select a user group from the list of available user groups. Select users and click the arrows to add or remove users from the group.

Step 3 To modify access specifications for the user group, click the Select Access Specifications tab.

Step 4 Select access specifications and click the arrows to add or remove access specifications from the group.

Modifying Access Specifications

Step 6 Select user groups and click the arrows to add or remove users groups from the access specification.

Step 8 Select features and click the arrows to add or remove features from the access specification.

Step 11 Select object groups and click the arrows to add or remove object groups from the access specification.

Step 12 When you are finished, click Apply. To discard changes, click Revert. Click Close.

Changing the Admininstrative Password

Table of Contents