
Security

This chapter describes the security features built into the Cisco 6400 Service Connection Manager (SCM) application. The Cisco 6400 SCM relies on the Cisco EMF carrier class security mechanisms for this. Refer to the Cisco Element Management Framework User Guide for further information.

Cisco EMF User Access Control, which is Cisco EMF's mechanism for Carrier Class Security, provides:


Note   It may be advisable to restrict the Cisco EMF options available to less experienced personnel.

Additionally, complex new equipment technologies are being launched into the market by both existing and new equipment providers. Faced with many new equipment features, personnel may make mistakes, for example in equipment configuration, which could affect network uptime.

Service Provider organizations may be obligated under law to protect sensitive information contained within management systems. The ability to provide secure customer network management is therefore a valuable service to offer customers.

The Cisco 6400 SCM adds additional security mechanisms or feature lists to the standard Cisco EMF security mechanisms. See the "Cisco 6400 SCM Feature Lists" section for details of the additional Cisco 6400 SCM v2.0.x feature lists.

See the "Example" section that describes how to create and configure the features of your system that allow or restrict the access for various levels of personnel.

Access Manager Overview

Cisco EMF Security allows system administrators to set up Access Manager objects using the Access Manager GUI. Access Manager objects can be classed as either personnel or services as follows:

The Access Manager object is set up to allow or restrict user access to features within Cisco EMF. For example, an administrator could set up a user to have access only to those parts of Cisco EMF which are relevant to their specific tasks. A user would only be aware of their own access to the system and the use of their password.

For example, Joe may be the NOC expert on xDSL modems, but he may be a relative ATM novice. Helen, on the other hand, may be the ATM expert but she may know very little about the intricacies of xDSL technologies. With Cisco EMF Access Control, the systems administrator is able to ensure Joe has read/write access to all xDSL network elements for configuration and test purposes, while Helen can only view the status information for these elements. Helen, on the other hand, can reconfigure ATM equipment, whereas Joe is refused access to the Element Manager windows which permit such reconfiguration.

User Access Levels

Three levels of user access are available. These names describe the type of access available to each:

Security Levels

Cisco EMF Security also enables administrators to define security levels for specific managed object attributes. This is key to restricting access to sensitive or critical parameters of managed equipment (for example, the IP address of an item of equipment). A user with Read-Write access may be able to apply a new configuration to that piece of equipment, but may not be able to modify its IP address, as this could invalidate normal management of the device. Control of the IP address may be the specific responsibility of the network topology manager.

Refer to the Cisco Element Management Framework User Guide for further information on the Cisco EMF Access Manager application.

Cisco 6400 SCM Feature Lists

A Cisco EMF feature list is a list of one or more windows that can have security access control applied to them. The Cisco 6400 SCM feature lists are those specific to the Cisco 6400 SCM functionality. The Cisco 6400 SCM feature lists are supplied by the Cisco 6400 SCM application, and are not user configurable.


Note   System administrators can add their own Cisco 6400 SCM specific access specifications built from the feature lists described in the following sections.

Service Configuration Windows


Table 11-1: Features List For the Cisco 6400 SCM Service Configuration Windows

Feature List                            Window
SCM_ATM_Service_Config                  ATM Service Configuration
SCM_PPPoA_SD_Service_Config             PPPoA-SD Service Configuration
SCM_L2TP_Service_Config                 L2TP Service Configuration
SCM_RFC1483_Bridged_Service_Config      RFC1483 Bridged Service Configuration
SCM_RFC1483_IRB_Service_Config          RFC1483 IRB Service Configuration
SCM_IP_Uplink_Service_Config            IP Uplink Service Configuration

Service Deployment Windows


Table 11-2: Features List For the Cisco 6400 SCM Service Deployment Windows

Feature List                            Window
SCM_RFC1483_Routed_Service_Config       RFC1483 Routed Service Configuration
SCM_Deploy_ATM_Service                  ATM Service Deployment
SCM_Deploy_PPPoA_SD_Service             PPPoA-SD Service Deployment
SCM_Deploy_L2TP_Service                 L2TP Service Deployment
SCM_Deploy_RFC1483_Bridged_Service      RFC1483 Bridged Service Deployment
SCM_Deploy_RFC1483_IRB_Service          RFC1483 IRB Service Deployment
SCM_Deploy_IP_Uplink_Service            IP Uplink Service Deployment
SCM_Deploy_RFC1483_Routed_Service       RFC1483 Routed Service Deployment

Service Profile Windows


Table 11-3: Features List For the Cisco 6400 SCM Service Profile Windows

Feature List                            Window
SCM_Deploy_Connection_Template          Connection Template Deployment
SCM_Connection_Template_Config          Connection Template Configuration
SCM_PPPoA_SD_Service_Profile            PPPoA-SD Service Profile Configuration
SCM_L2TP_Service_Profile                L2TP Service Profile Configuration
SCM_RFC1483_Bridged_Service_Profile     RFC1483 Bridged Service Profile Configuration
SCM_RFC1483_IRB_Service_Profile         RFC1483 IRB Service Profile Configuration
SCM_IP_Uplink_Service_Profile           IP Uplink Service Profile Configuration
SCM_Service_Uplink_Service_Profile      Service Uplink Profile Configuration (for RFC1483 Routed Service Uplinks)

Subscriber Provisioning Windows


Table 11-4: Features List For the Cisco 6400 SCM Subscriber Provisioning Windows

Feature List                            Window
SCM_Subscriber_Config                   Subscriber Configuration
SCM_Subscriber_Connection               Subscriber Connection
SCM_Subscriber_Disconnection            Subscriber Disconnection
SCM_Deploy_Subscriber                   Subscriber Deployment

Status Windows


Table 11-5: Features List For the Cisco 6400 SCM Status Windows

Feature List                            Window
SCM_Service_Status                      Service Status
SCM_Connection_Status                   Connection Status

Element Manager Windows


Table 11-6: Features List For the Cisco 6400 SCM Element Manager Windows

Feature List                            Window
SCM_Element_Management                  All Element Manager windows (plus the Cisco 6400 UAC, Chassis, State, Commission/Decommission menu option), but not including the SSG Configuration and SONET APS Configuration windows
SCM_SSG_Config                          SSG Configuration
SCM_SONET_APS_Config                    SONET APS Configuration

Element Manager Deployment Windows


Table 11-7: Features List For the Cisco 6400 SCM Element Manager Deployment Windows

Feature List                            Window
SCM_Deploy_Chassis_NSP                  6400 Chassis/NSP/Shelf Manual Deployment, Quick Start Deployment
SCM_Deploy_NRP                          6400 NRP Manual Deployment
SCM_Deploy_OC3                          OC3 Line Card Manual Deployment
SCM_Deploy_OC12                         OC12 Line Card Manual Deployment
SCM_Deploy_DS3                          DS3 Line Card Manual Deployment

Cisco 6400 SCM Chassis Windows


Table 11-8: Features List For the Cisco 6400 SCM Chassis Windows

Feature List                            Window
SCM_Chassis_Backup_Restore              Chassis Backup / Restore
SCM_Chassis_Configuration               Chassis Configuration
SCM_Chassis_Command_Log                 Chassis Command Log
SCM_Chassis_IOS_Image_Download          Chassis IOS Image Download
SCM_Chassis_SysLog                      Chassis System Log
SCM_Chassis_SNMP_Management             Chassis SNMP Management
SCM_Chassis_Mgmt_Info                   Chassis Management Information

Cisco 6400 SCM Module Windows


Table 11-9: Features List For the Cisco 6400 SCM Module Windows

Feature List                            Window
SCM_Module_Performance                  Module Performance
SCM_Module_Backup_Restore               Module Backup/Restore
SCM_Module_Command_Log                  Module Command Log
SCM_Module_SysLog                       Module System Log
SCM_Module_IOS_Image_Download           Module IOS Image Download
SCM_Module_Configuration                Module Configuration
SCM_Module_Mgmt_Info                    Module Management Information

Cisco 6400 SCM Interface (Port) Windows


Table 11-10: Features List For the Cisco 6400 SCM Interface (Port) Windows

Feature List                            Window
SCM_Interface_Configuration             Interface Configuration
SCM_Interface_Performance               Interface Performance
SCM_Interface_Status                    Interface Status

Cisco 6400 SCM Default Access Specifications

Default access specifications are supplied by the Cisco 6400 SCM application. Default access specifications can be changed or removed by authorized users.

SCM_All_Features

Includes ALL the above feature lists, that is, access to everything in the Cisco 6400 SCM application.

SCM_Service_Provisioning

Includes all Service Configuration windows and Service Deployment feature lists.


Note   The SCM_Service_Provisioning access specification does not include service profile access, which can be considered a super-user policy definition feature.

SCM_Service_Profiles

Includes all Service Profiles feature lists (all service profiles, plus Connection Template deployment and configuration).


Note   SCM_Service_Profiles does not include service profile access. Service profile access is considered as a super-user "policy definition" feature.

SCM_Subscriber_Provisioning

Includes all Subscriber Provisioning feature lists (Subscriber deployment, configuration, connection and disconnection).

SCM_Element_Management

Includes all SCM EM window feature lists, EM deployment, and all Generic feature lists above with the exception of Backup/Restore and IOS Image Download.

SCM_Element_Admin

Includes Backup/Restore and IOS Image Download feature lists.

Example

This section provides an example of how to create a new user, who can create and configure PTA-MD services, and then connect subscribers to the service instance. Figure 11-1 describes a typical work flow that shows how to first create an Access Specification; then create a User Group; and finally, create the User.


Figure 11-1: Example Workflow


This example describes how to:


Note   Access specifications ensure that users are restricted to carrying out only the tasks that they are permitted to do (by the selected feature lists). This example does not allow the user to create a PTA-MD service profile; that task is restricted to users with a higher security level.

Creating an Example Access Specification

To create the example SSG/PTA-MD access specification, follow these steps:


Step 1   Launch the Access Manager application from the Cisco EMF launchpad. See the "Launching the Access Manager Application" section for further details. The Access Manager window (see Figure 11-2) appears:


Figure 11-2: Access Manager Window


Step 2   Select Create, then Access Spec from the Edit drop-down menu. The Create Access Specification wizard launches. A window similar to Figure 11-3 appears.


Figure 11-3: Create Access Specification Wizard


Step 3   Enter a name for the new access specification to be created.


Note   A valid name must have at least five characters with no spaces. You can use the Tab key to move between fields.

Step 4   Click Forward. The Copy from Existing Access Spec window appears:


Figure 11-4: Copy from Existing Access Specification Window



Note   You are now required to select settings for the new access specification. You can copy settings from a previously created specification and edit the specification (refer to the Cisco Element Management Framework User Guide), or create a new specification without copying settings from an existing access specification. In this example we create a new specification without copying settings from an existing access specification.

Step 5   Click No.

Step 6   Click Forward. The Select Permission window appears:


Figure 11-5: Select Permission Window


Step 7   Select a permission level from Read Only, Read Write, or Read Write Admin.

Step 8   Click Forward. The Select User Groups window appears.


Figure 11-6: Select User Groups Window


Step 9   Select the user group that you wish to include in the new access specification, then click the right arrow to move the selected user group into the list of selected user groups in the right panel. An alternative method is to double click on a selected object. The left arrow moves the selected item back into the left panel.

Step 10   Click Forward when the list of selected user groups is complete. The Select Feature Lists window appears:


Figure 11-7: Select Feature Lists Window


Step 11   Select the feature list that you wish to apply to the new specification, then click the right arrow. Table 11-11 displays a list of the feature lists selected from the Available Feature Lists in this example and describes what each feature list allows the user to do.


Note   See "Cisco 6400 SCM Feature Lists" section for details of the feature lists available in the Cisco 6400 SCM application.


Table 11-11: Selecting Feature Lists

Selected Feature List                   Allows The User To
SCM_Deploy_Subscriber                   Deploy new subscribers
SCM_Deploy_IP_Uplink_Service            Deploy IP Uplink service instances
Viewer-View                             Access the Map Viewer window, but not edit the Map Viewer window
SCM_Subscriber_Disconnect               Disconnect subscribers
SCM_Subscriber_Connect                  Connect subscribers
SCM_Subscriber_Config                   Configure subscriber information
SCM_SSG_Config                          Configure the SSG
SCM_IP_Uplink_Service_Config            Configure IP Uplink services
Launchpad                               Access the Cisco EMF Launchpad
Help                                    Access online Help
Events_View                             View events
Events-Clear_Acknowledge                Acknowledge and clear events


Note   Feature lists that allow access to the standard Cisco EMF applications (that is, Launchpad, Viewer, and Event Browser) are included and can be selected. The Launchpad, Viewer, and Event Browser applications provide entry points to the PTA-MD and SSG windows and the commonly used Cisco EMF fault management capability windows.


Note   The User in this example is not allowed to create service profiles. Creating service profiles would be the responsibility of another user (for example, a super user).

Step 12   Click Forward when the list of selected feature lists is complete. The Select Object Groups window appears.


Figure 11-8: Select Object Groups Window


You may wish to restrict access for SCM_PTA_Provisioning to a specific geographical area. For example, you might create a user who is restricted to SCM_PTA_Provisioning in the Chicago area only, with no access to other regions. To do this:

    1. Create an object group to define the geographical area (refer to the "Object Group Manager" section in the Cisco Element Management Framework User Guide for further information).

    2. Associate this object group with the access specification. Step 13 describes how to associate an object group with the access specification.

Step 13   Select the object group you want to associate with the SCM_PTA_Provisioning access specification, then click the right arrow. When the list of selected object groups is complete, click Forward.


Note   You can create an access specification without associating it with an Object Group. This allows unlimited geographical access.

The Summary Details window, similar to Figure 11-9, appears. If any details are incorrect, you can click Cancel to exit the wizard or click Back to return to the appropriate window and correct the details.

Figure 11-9: Summary Details for Access Specification Window


Step 14   Click Finish to create the access specification. The Access Manager window appears with the name of the new access specification displayed at the bottom of the list of access specifications.

Creating the Example New User Group

Now we use this access specification as a basis for defining a new group of users.

Step 15   Select Create, then User Group from the Edit drop-down menu. The Create User Group wizard launches (see Figure 11-10).


Figure 11-10: Create User Group Window



Note   A valid name must have at least five characters with no spaces. You can use the Tab key to move between fields.

Step 16   Click Forward. The Copy from Existing User Group window appears:


Figure 11-11: Copy from Existing User Group Window



Note   You can copy settings from a previously created User Group and edit them (refer to the Cisco Element Management Framework User Guide), or create a new User Group without copying settings from an existing User Group. In this example we create a new User Group without copying settings from an existing User Group.

Step 17   Click No.

Step 18   Click Forward. The Select User Group window appears:


Figure 11-12: Select User Groups Window


Step 19   Select the User Groups that you wish to include in the new User Group, then click the right arrow. This moves the selected User Group into the list of selected User Groups in the right panel. An alternative method is to double click on an item in Available User Groups. The left arrow moves the selected item (in the right list) back into the left panel.

Step 20   Click Forward when the list of selected User Groups is complete. The Select Access Specification window appears:


Figure 11-13: Select Access Specification Window


Step 21   Select the access specification you wish to apply to the new User Group, then click the right arrow. In this example, the SCM_PTA_Provisioning access specification that was created earlier is selected.

Step 22   Click Forward. A Summary Details for User Groups window, similar to Figure 11-14, appears. If any details are incorrect, you can click Cancel to exit the wizard or click Back to return to the appropriate window and correct the details.


Figure 11-14: Summary Details for User Group Window


Step 23   Click Finish to create the User Group. The Access Manager window appears with the name of the new User Group displayed at the bottom of the User Groups list.

Creating the Example User


Step 1   Select Create, then User from the Edit drop-down menu in the Cisco EMF Access Manager application window. The Create User wizard launches (see Figure 11-15).


Figure 11-15: Create User Window


Step 2   Enter details for the new user into the Enter details panel.

Step 3   Click Forward. The Copy from Existing User window appears:


Figure 11-16: Copy from Existing User Window



Note   You can copy settings from a previously created User and edit them (refer to the Cisco Element Management Framework User Guide), or create a new User without copying settings from an existing User. In this example we create a new User without copying settings from an existing User.

Step 4   Click No.

Step 5   Click Forward. The Select User Groups window appears, showing SCM_PTA_MD as one of the Available User Groups:


Figure 11-17: Select User Groups Window


Step 6   Select the User Groups you wish your new user to belong to, then click the right arrow. This moves the selected User Group into the list of selected User Groups in the right panel. An alternative method is to double click on an Available User Group. The left arrow moves the selected item (in the right list) back into the left panel.

Step 7   Click Forward when the list of selected user groups is complete. The User Password Entry window appears:


Figure 11-18: User Password Entry Window


Step 8   Enter a Password for the new user following the conditions specified in the panel (below the Back, Forward, Cancel and Finish buttons). You will be alerted when you enter an invalid password.

Step 9   Retype the password to confirm that you have entered the password correctly.

Step 10   Click Forward. A Summary Details for User window, similar to Figure 11-19, appears. If any details are incorrect, you can click Cancel to exit the wizard or click Back to return to the appropriate window and correct the details.


Figure 11-19: Summary Details for User Window


Step 11   Click Finish to create the User. The Access Manager window appears with the name of the new User displayed at the bottom of the Users list.

This example has described how to:

Using the principles described in the above example you should now be able to create users with different access security levels.
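The following Python model is an added example written for this page; it is not Cisco EMF or Cisco 6400 SCM code and does not use any Cisco API. It models the objects the chapter describes (feature lists mapping to windows, access specifications with a permission level, feature lists and optional object groups, user groups holding access specifications, and users belonging to groups) and walks through the SCM_PTA_Provisioning example above: a Read Write specification restricted to a "Chicago" object group, assigned to the SCM_PTA_MD user group. It also shows the per-attribute security level from the "Security Levels" section, where a Read Write user can reconfigure a device but not change its IP address. The window-name for Launchpad, the object names (nrp-chi-01 and so on), the user name, the attribute-level table, and the rule that the highest permission across a user's groups wins are all assumptions made for the example.

```python
"""Toy model of Cisco EMF / Cisco 6400 SCM access control as described in this
chapter.  Added example for illustration only; not Cisco's code or data model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Permission levels named in the chapter, in increasing order of privilege.
LEVELS = ["Read Only", "Read Write", "Read Write Admin"]

# Feature lists name the windows they control (window titles from the
# chapter's tables; the Launchpad window title is an assumption).
FEATURE_LISTS: Dict[str, Set[str]] = {
    "SCM_Deploy_Subscriber": {"Subscriber Deployment"},
    "SCM_Subscriber_Config": {"Subscriber Configuration"},
    "SCM_Subscriber_Connection": {"Subscriber Connection"},
    "SCM_IP_Uplink_Service_Config": {"IP Uplink Service Configuration"},
    "SCM_SSG_Config": {"SSG Configuration"},
    "SCM_IP_Uplink_Service_Profile": {"IP Uplink Service Profile Configuration"},
    "Launchpad": {"Cisco EMF Launchpad"},
}

# Object groups (geographical areas) and the managed objects they contain.
# Object names are constructed for the example.
OBJECT_GROUPS: Dict[str, Set[str]] = {
    "Chicago": {"nrp-chi-01", "nrp-chi-02"},
    "Denver": {"nrp-den-01"},
}

# Attribute security levels: minimum permission needed to write an attribute.
# Attributes not listed only need Read Write.  Constructed for the example.
ATTRIBUTE_LEVELS: Dict[str, str] = {"ip_address": "Read Write Admin"}


@dataclass
class AccessSpec:
    name: str
    permission: str                      # one of LEVELS
    feature_lists: Set[str]
    object_groups: Set[str] = field(default_factory=set)  # empty = unrestricted


@dataclass
class UserGroup:
    name: str
    access_specs: List[AccessSpec]


@dataclass
class User:
    name: str
    groups: List[UserGroup]


def _rank(level: str) -> int:
    return LEVELS.index(level)


def _spec_covers_object(spec: AccessSpec, obj: Optional[str]) -> bool:
    """A spec with no object groups has unlimited geographical scope."""
    if obj is None or not spec.object_groups:
        return True
    return any(obj in OBJECT_GROUPS.get(g, set()) for g in spec.object_groups)


def window_permission(user: User, window: str, obj: Optional[str] = None) -> Optional[str]:
    """Highest permission level the user holds on `window` for `obj`, or None
    if no access specification in any of the user's groups grants it.
    (Assumption: the most permissive applicable specification wins.)"""
    best = None
    for group in user.groups:
        for spec in group.access_specs:
            if not _spec_covers_object(spec, obj):
                continue
            if not any(window in FEATURE_LISTS.get(fl, set()) for fl in spec.feature_lists):
                continue
            if best is None or _rank(spec.permission) > _rank(best):
                best = spec.permission
    return best


def can_modify_attribute(user: User, window: str, obj: str, attribute: str) -> bool:
    """Write access to an attribute needs write access to the window plus the
    attribute's own security level (for example Read Write Admin for the IP address)."""
    level = window_permission(user, window, obj)
    if level is None or level == "Read Only":
        return False
    return _rank(level) >= _rank(ATTRIBUTE_LEVELS.get(attribute, "Read Write"))


# The chapter's worked example: PTA-MD provisioning, restricted to Chicago.
PTA_PROVISIONING = AccessSpec(
    "SCM_PTA_Provisioning", "Read Write",
    {"SCM_Deploy_Subscriber", "SCM_Subscriber_Config", "SCM_Subscriber_Connection",
     "SCM_IP_Uplink_Service_Config", "SCM_SSG_Config", "Launchpad"},
    {"Chicago"},
)
SCM_PTA_MD = UserGroup("SCM_PTA_MD", [PTA_PROVISIONING])
EXAMPLE_USER = User("pta_operator", [SCM_PTA_MD])   # constructed user name

if __name__ == "__main__":
    for window, obj in [("Subscriber Configuration", "nrp-chi-01"),
                        ("Subscriber Configuration", "nrp-den-01"),
                        ("IP Uplink Service Profile Configuration", "nrp-chi-01")]:
        print(f"{window} on {obj}: {window_permission(EXAMPLE_USER, window, obj)}")
    print("ip_address writable:",
          can_modify_attribute(EXAMPLE_USER, "SSG Configuration", "nrp-chi-01", "ip_address"))
```

Running the block shows the three outcomes the chapter's notes describe: the user gets Read Write on subscriber windows for a Chicago object, no access at all for a Denver object, and no access to the service profile window because that feature list was never selected. The final check shows a Read Write user being refused the IP address attribute, matching the "Security Levels" discussion.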


Posted: Fri Aug 4 02:08:41 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.