
Table of Contents

Cisco Security Policy Engine Administration Server User Interface
Overview of BAC Security
Accessing the Application
Managing Users

Cisco Security Policy Engine Administration Server User Interface


This appendix describes how a system administrator can access the Cisco Security Policy Engine (SPE) Services Administration web-based user interface using the Cisco Broadband Access Center (BAC) application. The Cisco SPE security service provides an authentication and authorization framework based upon the Role Based Access Control (RBAC) model, in which user access permissions are associated with roles and users are made occupants of a role.

Table A-1   Cisco Security Policy Engine Administration Server User Interface Topics

If you want to...                                     Go to the...
Learn more about how BAC implements security          "Overview of BAC Security" section.
Access the Security Policy Engine user interface      "Accessing the Application" section.
Edit your personal profile or change your password    "Managing Users" section.

Overview of BAC Security

BAC security has two focuses:

Together these determine what objects a user can see and what actions a user can perform on the objects.

For network efficiency and performance, BAC does not handle security for individual network devices or administrative networks. Thus, if you grant a user group access to an administrative network, that user group has access to all objects under the administrative network, including administrative subnetworks, devices, cards and ports. All objects inherit settings from their immediate parent. You give a user group permission to perform actions on objects by category, not by individual object. For example, if you give a user group permission to create a device, members of this group can create any device under any accessible administrative network.

Underlying BAC security is the logical grouping of service providers. You can create geographical, functional, technological, or any other grouping that lets you logically partition administrative networks, devices, network resources, and subscribers. In this way, network operators at one service provider can see only the networks, devices, network resources, and subscribers that belong to that provider. In the BAC security model, you must assign an owner to each object you create; you select the owner from a list of ISPs. After you assign an owner to an object, only operators associated with that owner, or BACAdmin, can access the object.

Figure A-1 illustrates the BAC security partition concept.


Figure A-1   BAC Security Partitioning



Each service provider can have a number of predefined user groups with different permissions. The user BACAdmin creates operators and assigns them to user groups. Based on the permissions of the associated group, an operator can create, delete, view, and modify networks, devices, or subscribers, and can add, delete, and modify services for devices and subscribers.

When you initialize the BAC servers, the bacStartUp script loads the security object model into the security server. This model defines the BAC-specific permissions, defines roles that contain sets of those permissions, and provides a mechanism to create user groups associated with the roles. Initialization also creates the BACAdministrators group and BACAdmin, the default BAC administrative user, together with a default password.


Caution   Cisco Systems recommends against changing these permissions, roles, and groups, to avoid unwanted behavior. You can change the default BACAdmin password using SPE; do so before the server is placed in service.

When BACAdmin creates an ISP, the system automatically creates a number of user groups associated with that service provider in the SPE server. The names of these groups and their permissions are predefined in the XML file. The default groups, with brief descriptions of their associated permissions, are:

If a user logs in as a member of the user group [ISPname]AdvanceOperators, for example ISP3AdvanceOperators, the user's access is illustrated in Figure A-2.


Figure A-2   Access for a Member of the User Group AdvanceOperators
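The partitioning and group model described above, as an added example that is not Cisco's code and does not reproduce the real security object model file: it parses a constructed XML model (the XML layout, the role names and the permission names are assumptions), instantiates per-ISP groups named [ISPname]<template> when an ISP is created, and then makes the authorization decision the text describes, where ownership flows down from the administrative network, permissions are granted per category rather than per object, and only the owning ISP's operators or BACAdmin can reach an object.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-in for the model that bacStartUp loads (assumed layout
# and names): roles carry permissions, group templates carry roles.
SECURITY_MODEL_XML = """
<securityModel>
  <role name="Viewer">
    <permission>view.network</permission>
    <permission>view.device</permission>
    <permission>view.subscriber</permission>
  </role>
  <role name="DeviceOperator">
    <permission>create.device</permission>
    <permission>modify.device</permission>
    <permission>delete.device</permission>
  </role>
  <groupTemplate name="Operators"><role>Viewer</role></groupTemplate>
  <groupTemplate name="AdvanceOperators"><role>Viewer</role><role>DeviceOperator</role></groupTemplate>
</securityModel>
"""


@dataclass
class Obj:
    """A managed object: administrative network, subnetwork, device, card, port."""
    name: str
    category: str                 # permission category, e.g. "network" or "device"
    owner: Optional[str] = None   # owning ISP; None means inherit from the parent
    parent: Optional["Obj"] = None

    def effective_owner(self) -> Optional[str]:
        # Objects inherit settings from their immediate parent: walk upward
        # until an explicitly assigned owner is found.
        node = self
        while node is not None:
            if node.owner is not None:
                return node.owner
            node = node.parent
        return None


class SecurityServer:
    def __init__(self, model_xml: str) -> None:
        root = ET.fromstring(model_xml)
        self.role_perms: Dict[str, Set[str]] = {
            r.get("name"): {p.text.strip() for p in r.findall("permission")}
            for r in root.findall("role")}
        self.group_templates: Dict[str, List[str]] = {
            g.get("name"): [r.text.strip() for r in g.findall("role")]
            for g in root.findall("groupTemplate")}
        # Created at initialization: the administrators group (marked "*",
        # meaning unrestricted) and the default BACAdmin user.
        self.groups: Dict[str, Set[str]] = {"BACAdministrators": {"*"}}
        self.users: Dict[str, dict] = {
            "BACAdmin": {"isp": None, "groups": {"BACAdministrators"}}}

    def create_isp(self, isp: str) -> List[str]:
        """Creating an ISP instantiates one group per template, named [ISPname]<template>."""
        created = []
        for template, roles in self.group_templates.items():
            self.groups[isp + template] = set().union(*(self.role_perms[r] for r in roles))
            created.append(isp + template)
        return created

    def create_operator(self, name: str, isp: str, groups: List[str]) -> None:
        """An operator belongs to one ISP and may only join that ISP's groups."""
        for g in groups:
            # Check the exact template suffix, so ISP1 cannot claim ISP10's groups.
            if g not in self.groups or not g.startswith(isp) \
                    or g[len(isp):] not in self.group_templates:
                raise ValueError(f"{g} is not a group of {isp}")
        self.users[name] = {"isp": isp, "groups": set(groups)}

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(self.groups[g] for g in self.users[user]["groups"]))

    def is_allowed(self, user: str, action: str, obj: Obj) -> bool:
        perms = self.permissions(user)
        if "*" in perms:                       # BACAdmin reaches every object
            return True
        # Partition: only operators of the owning ISP can see the object,
        # and ownership is inherited from the administrative network.
        if obj.effective_owner() != self.users[user]["isp"]:
            return False
        # Permission is granted per category ("create.device"), not per object.
        return f"{action}.{obj.category}" in perms


def demo() -> Dict[str, bool]:
    """Scenario from the text: an ISP3AdvanceOperators member and an ISP1 operator."""
    srv = SecurityServer(SECURITY_MODEL_XML)
    srv.create_isp("ISP3")
    srv.create_isp("ISP1")
    srv.create_operator("isp3-op", "ISP3", ["ISP3AdvanceOperators"])
    srv.create_operator("isp1-op", "ISP1", ["ISP1Operators"])
    net = Obj("isp3-admin-net", "network", owner="ISP3")   # owner assigned here
    subnet = Obj("isp3-subnet-a", "network", parent=net)    # inherits ISP3
    cmts = Obj("cmts-1", "device", parent=subnet)           # inherits ISP3
    return {
        "isp3 creates device under own subnet": srv.is_allowed("isp3-op", "create", cmts),
        "isp3 views inherited subnet": srv.is_allowed("isp3-op", "view", subnet),
        "isp3 creates network (no such permission)": srv.is_allowed("isp3-op", "create", net),
        "isp1 views isp3 device (other owner)": srv.is_allowed("isp1-op", "view", cmts),
        "BACAdmin deletes isp3 device": srv.is_allowed("BACAdmin", "delete", cmts),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{'ALLOW' if result else 'DENY':5} {check}")
```

The point to take from the decision order is that the ownership partition is checked before any permission: an operator with every device permission in ISP1 still cannot see a device under ISP3's administrative network, while a member of ISP3AdvanceOperators can create a device under any subnetwork of ISP3 because the permission is granted for the device category, not for particular devices.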


The SPE application functions are accessed using a web browser from the BAC application. You can perform the following functions:

Set up policy rules. Policy rules are the primary component used to define a policy. They allow you to assign a scope for users and user groups to work with.

Accessing the Application

This section describes how to log on to the Cisco Security Policy Engine (SPE) server. You can launch SPE in two ways, from within BAC or directly from a web browser, as described in the two procedures that follow:

Authentication is the first operation required after starting the application. You do this from the Log On page.

Logging On from BAC

To access SPE, follow these steps:


Step 1   Log in to BAC. Enter your user name and password, then click Login. An encryption notice page appears.

Step 2   Read the notice.

Step 3   Click Exit to return to the login page, or click OK to access the Broadband Access Center application.

Step 4   Click the Tools tab and then User Administration. The User Administration page appears.

Step 5   From the Tools > User Administration page, click SPE User Admin UI. Wait until the SPE Administration loads and the logon page appears.


Note   SPE Administration is referred to as SPE throughout this appendix.

Step 6   Enter your user identification and password, then click Logon. The SPE page appears.

The SPE page displays version, product, and copyright information, and menu options that allow you to navigate through different user-interfaces.



Logging On from a Browser

You can launch the Cisco Security Policy Engine Administration user interface from your web browser. Authentication is the first operation required after launching the application. This is accomplished from the Log On page.

Follow these steps to log on to the system.


Step 1   Open your browser. Enter the specified URL:

http://<server_name>/bac/user_admin.do

The BAC Login page appears.

Step 2   Log in to BAC. Enter your user name and password, then click Login. An encryption notice page appears.

Step 3   Read the notice. Click Exit to return to the login page, or click OK to access the Broadband Access Center application.

Step 4   Click the Tools tab and then User Administration. The User Administration page appears.

Step 5   Enter the User Identification (case sensitive for databases) and the Password (case sensitive for both directories and databases) in the corresponding fields.

Step 6   Click Logon. The Cisco SPE Administration page appears.



Managing Users

This section describes the options that are available under the SPE Administration User Management menu:

User Configuration

After you log in to SPE, select User Management and then User Configuration from the menu. The User Configuration page appears.

You can perform the following tasks when using the Cisco SPE user interface:

Browsing Users

To browse the list of users, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Click Next >> or <<Prev to browse the users list. You can also search for a specific user by specifying the user's name in the Filter text field and then clicking Go.

Step 3   Click Browse to search for users in any context other than the default context. (This is possible only if context selection is enabled.) A context popup menu appears.


Note    The Choose the Context control lets you browse a context for roles, policy rules, or groups. Select the intended context, for instance policy rules. If you know the text to filter on, enter it and click Go. If you do not know the text, leave the field blank and click Go; BAC lists all the data under that category. Locate the entry you want, enter text from it in the Filter field, and click Go again. BAC then hides every entry that does not contain the text you entered.

Step 4   Select the required context. You can specify certain filters to refine your search in the Filter text field.

Step 5   Click Go to list the users with the new search criteria.



Adding a New User

To add a new user to the SPE database, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Click New. The new user page appears with the following fields:

Step 3   Enter values in each field. Use the Tab key to move through the fields.

Step 4   Click Insert to save the user information.



Updating a User Profile

To modify the profile of a user, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Select the user that you want to update.

Step 3   Make the necessary changes. If you make a mistake, click Reset to restore all fields to their original values, then continue.

Step 4   Click Update to save the changes.



Deleting a User

To delete a user from the system, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Choose the user that you want to delete.

Step 3   Click Delete to delete the selected user.

Step 4   You are prompted to confirm the delete operation. Click:



Cloning a User

You might want to copy the same information from one user to another user and then use this information to create a new user.

To clone or copy a user, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Select an existing user having a profile similar to the new user you want to configure.

Step 3   Click Clone to make a copy of that user to configure the new one.

Step 4   Make appropriate changes to the required fields.

Step 5   Click Insert to save the user information.



Adding a User to User Groups

To add the user to different user groups, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Choose the user you want to add to the user groups.

Step 3   Click Add to Group at the bottom of the page. The Select User Group page appears.

Step 4   Select the desired group or groups, from the Available User Groups List, to which you want to add the user. Use the arrows to move the user groups to and from the Selected User Groups List (on the right side of the page).

Step 5   After you have selected the groups to which the user should be added, click Insert and Close to save the changes and close the dialog box. You return to the previous page, where the user groups to which the user belongs are listed at the bottom of the page.

Step 6   If the context selection is enabled, you can click Browse to select the user groups in any other context. A context popup menu appears.

Step 7   Select the required context and click Go. A list of user groups with the new search criteria appears. Filters can be specified in the Filter text field to refine your search.

Step 8   Click Insert and Close to save the changes you have made.


Note    Alternatively, you can click Cancel to discard the changes and close the dialog page.



Removing a User from a User Group

To remove a user from user groups, follow these steps:


Step 1   From the SPE main page, choose User Management then the User Configuration option. A list of current users appears on the left side of the page.

Step 2   Choose the user that you want to remove from a group. Click the check box to the left of the user name.

Step 3   Select the user group from which you want to remove the specified user.

Step 4   Click Remove from Group to remove the user from the selected user group. The selected user is removed from the specified group.



Logging Out

To log out of the system, click Logout in the upper right corner of the SPE page. You are prompted with a message. Click OK to log out, or Cancel to continue working.


Posted: Wed Jun 4 12:38:04 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.