|
|
CMNM provides user access control which allows a system administrator to control what different users are able to do. Each user has a different login name and password, with a specific set of privileges within the system.
A standard administrator user (admin) is available by default. The administrator user has access to all features at all times. The administrator user may not be edited other than to change the password.
CMNM requires every user to have a login ID and password. Before users can start the application, they must specify their login ID and enter the correct password. An administrator account is provided to allow for creating, modifying, resetting, and deleting user accounts.
Within CMNM, access to features can be restricted on the basis of the user's access level to a subset (or group) of these features.
For example, administration of particular managed objects should be performed only by operators who are responsible for that particular site or for a region in which that site belongs. However, these operators may also require visibility of objects outside their own area of control.
The basic building blocks used to control user access are described below.
CMNM user accounts can be collected by an administrator into groups. These user groups can be used to model user roles. A typical setup might involve a user group for system administrators, for network fault detail users, and for operators to manage a given site.
It is on the basis of these user groups that CMNM applies access control. The CMNM administrator configures access control by assigning access specifications to the relevant user groups.
All features offered to a user are grouped together into feature lists. The benefit of feature lists is that it is easy to give access to a related set of features by simply choosing a feature list instead of having to assign features individually. Any given feature may appear in more than one feature list.
The feature lists available in CMNM are described in Table 5-1.
 |
Note In CMNM, features are preassigned to feature lists and cannot be modified. |
Table 5-1 Feature Lists in CMNM
Access specifications connect together the user groups, the features that can be invoked by a group, and the objects upon which these features can be invoked.
A number of access specifications are provided by default with the CMNM. More access specifications can be built at the discretion of the system administrator.
Each access specification may include the following components:
CMNM allows the administrator to associate privileges with user accounts. For example, regular users can be prevented from performing certain management functions, while more technically sophisticated users can be given full management privileges.
CMNM provides the following security features:
You must set up new accounts for all users. You may also define user groups.
To create a new account for a user and assign a password:
You see the Access Manager screen.
Step 2 From the Access Manager screen, select Edit, Create, then User as shown in Figure 5-2.
You see the screen in Figure 5-3.
Step 3 Enter the requested information and then click Forward.
You see the screen in Figure 5-4.
Step 4 To use an existing user as a template for the user you are adding, click Yes, select the user you want to copy, then click Forward. If you do not want to copy an existing user or none exists, click No then click Forward.
You see the screen in Figure 5-5.
Step 5 Select a user group, click an arrow to move it to the select user groups list, and click Forward.
If no user groups are defined at this time, you may define a user group later and assign the user to it at any time. For more information on user groups, see the "" section.
You see the screen in Figure 5-6.
Step 6 Enter a password for the user and confirm it. Passwords must contain 8 to 32 alphanumeric characters and at least one punctuation character such as _, %, (, or ^. Click Forward.
If you typed a valid password, you see the screen in Figure 5-7. If you typed an invalid password, you see Figure 5-6 again with an error message. Reenter a valid password.
Step 7 To make changes, click Back and enter the corrected information. To add the user, click Finish.
You see the screen in Figure 5-8 listing the defined users.
Users can be divided into groups by creating user groups.
You see the screen in Figure 5-10.
Step 2 Type the name of a user group in the field and click Forward.
Step 3 You see the screen in Figure 5-11.
Step 4 If you:
Step 5 Select each user you want in the new group and click the arrow to move each to the selected users list. When you are finished, click Forward.
You see the screen in Figure 5-13.
Step 6 Select each access specification you want for the new group and click the arrow to move each to the selected acess specification list. When you are finished, click Forward.
 |
Caution Giving a user group full access allows each user in the user group to add or delete other users and to change specifications for all other users. |
For more information about access specfications, see the "Creating New Access Specifications" section.
You see the screen in Figure 5-14.
Step 7 To make changes, click Back and enter the corrected information. To add the user group, click Finish.
To create new access specifications:
You see the screen in Figure 5-16.
Step 2 Type the name of a new access specification and click Forward.
You see the screen in Figure 5-17.
Step 3 If you:
Step 4 Select the permission level desired and click Forward.
You see the screen in Figure 5-19.
Step 5 Select a user group from the available user groups list and click the right arrow to move it to the selected user groups list. Click Forward.
You see the screen in Figure 5-20.
Step 6 Select each feature you want for the new access specification and click the right arrow to move each to the selected feature list. When you are finished, click Forward.
You see the screen in Figure 5-21.
Step 7 Select each object group you want for the new access specification and click the right arrow to move each to the selected object groups list. When you are finished, click Forward.
You see the screen in Figure 5-22.
Step 8 To make changes, click Back and enter the corrected information. To add the access specification, click Finish.
Table 5-2 summarizes how you would create three typical users.
Table 5-2 Creating Typical Users
| To Create This Type of Account: | Peform These Steps: |
|---|---|
Using the instructions in the "Setting Up New Accounts" section, create a new account and create the user by copying the existing administrator template. |
|
Operator with read permission that can deploy and launch tools |
Using the instructions in the "Creating New Access Specifications" section, create a new access specification with the following features: Using the instructions in the "Creating User Groups" section, create a new user group with the access specification you just created. Then using the instructions in the "Setting Up New Accounts" section, create a new account, create the user, and assign them to the group you just created. |
Using the instructions in the "Creating New Access Specifications" section, create a new access specification with the following features: Using the instructions in the "Creating User Groups" section, create a new user group with the access specification you just created. Then using the instructions in the "Setting Up New Accounts" section, create a new account, create the user, and assign them to the group you just created. |
You see the screen in Figure 5-23.
Step 2 Select a user from the list and change any information in the fields. To change the user groups that the user belongs to, click the Select User Groups tab and make any changes.
Step 3 Click Apply. To cancel changes, click Revert.
You see the screen in Figure 5-24.
Step 2 Select a user group from the list of available user groups. Select users and click the arrows to add or remove users from the group.
Step 3 To modify access specifications for the user group, click the Select Access Specifications tab.
You see the screen in Figure 5-25.
Step 4 Select access specifications and click the arrows to add or remove access specifications from the group.
Step 5 Click Apply. To cancel changes, click Revert.
To modify an access specification:
Step 2 You see the screen in Figure 5-26.
Step 3 Edit the permission if necessary.
Step 4 Click the Select User Groups tab.
Step 5 You see the screen in Figure 5-27.
Step 6 Select user groups and click the arrows to add or remove users groups from the access specification.
Step 7 Click the Select Feature Lists tab.
You see the screen in Figure 5-28.
Step 8 Select features and click the arrows to add or remove features from the access specification.
Step 9 Click the Select Object Groups tab.
Step 10 You see the screen in Figure 5-29.
Step 11 Select object groups and click the arrows to add or remove object groups from the access specification.
Step 12 When you are finished, click Apply. To discard changes, click Revert. Click Close.
To change the administrative password:
You see the screen in Figure 5-31.
Step 2 Change the password and click Apply.
Posted: Thu Feb 13 11:55:11 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
