Workflow: Configure User Access Control

Purpose

This workflow describes the recommended order of tasks to configure UAC across NSP. The sequence of tasks outlined here is especially recommended if you are setting up UAC in NSP for the first time. Once you have UAC deployed in NSP, you can configure your user groups, roles, and resource groups in any order.

Steps
Prerequisite: create group directories and resource groups
 

You create group directories and resource groups in Map Layouts and Groups. Resource groups (of NEs, ports, LAGs, or services) are applied to role objects to grant user access rights to network resources. See How do I create a group directory? and How do I configure a resource group?


Optional: configure Analytics reporting
 

If you are using Analytics reporting in NSP, you must fully configure Analytics and the Analytics server before you configure Analytics resource access in your roles. You cannot configure resource access on a role if Analytics is not running in NSP.


Create roles
 

Create roles according to the types of tasks your user groups will perform and the types of resources they will need to access. A role object specifies access rights to specific NSP functions and resources; see How do I configure a role?


Import or create users and user groups
 

Choose one of the following options:

  • If you have been working with a user access control configuration from NFM-P, it is strongly recommended that you import your users and user groups from NFM-P. This ensures that all of your existing users are included in the new access control setup, and helps ensure a seamless transition from the NFM-P setup; see How do I import users and groups from NFM-P?.

    If the NSP is deployed in OAUTH2 mode, the import operation imports user groups and user accounts from NFM-P.

  • If you are configuring user access control to work against an external authentication source (NFM-P, LDAP, RADIUS, TACACS), create new user groups; see How do I configure a user group?.

You can also create local NSP users; see How do I create an NSP local user?


Enable UAC
 

Note: When you enable UAC in NSP, individual users will see their specified access rights enforced when they log in to NSP. The user access configuration you create is enforced in place of any previous access-control setup, except in the NFM-P and WS-NOC, which each employ local user management. Local NSP user access to NSP resources is always controlled through NSP, regardless of whether UAC is enabled or not.

Once you have configured and reviewed your user groups and their associated roles, you can enable UAC; see How do I enable User Access Control?


Update LDAP TLS certificate
 

If the TLS certificate of the LDAPS remote authentication source is updated, you must also update the LDAPS certificate on the NSP deployer host, as described in How do I update the NSP TLS certificate for LDAPS remote authentication?

End of steps