LI functional tasks by user type
User authorization level
LI requires a dedicated user authorization level to set up the LI infrastructure on the NFM-P and the corresponding NEs, and to configure and manage LI functions. The following user types are required to perform LI:
Note: For security, all LI functions in the NFM-P GUI, for example, menus, forms, parameters, policies, filters, and alarms, are hidden from view for all NFM-P user types except an LI user or LI administrator.
NFM-P admin LI tasks
The NFM-P admin user is responsible for the initial setup of the LI user or LI administrator accounts on the NFM-P. The setup includes the following tasks:
- create an LI user scope of command profile and associate a non-admin user account with the LI profile
- configure an LI user profile that restricts the LI user to LI activities only and does not allow system administrator activities
The NFM-P admin cannot perform the following LI functions:
- assign LI privileges to a user who is associated with the admin profile
- view or modify LI security mediation policies or LI filter policies
NE admin tasks
The NE admin is responsible for the creation of an NE LI user profile and NE LI user account using a CLI on the NE that LI will be performed on. This is usually a one-time configuration.
NE LI user tasks
The NE LI user configures the NE LI user security on the NE using a CLI, for example, by changing the password of the NE LI user account so that it is unknown to the NE admin, and by configuring the SNMP data encryption used for the NE. This is usually a one-time configuration.
LI users or LI administrator tasks
CAUTION: Service Disruption
An LI user password cannot be modified unless it is known. When an LI user password is not known, the LI user account is unavailable.
An LI user or LI administrator can perform the following LI-related tasks on the NFM-P:
- configure other LI-specific policy types that are used to filter or block traffic to non-LI users for LI mirror services including:
- create, configure, and view LI sources that use IP, MAC, SAP, and subscriber filters
An LI administrator is an LI user who has been designated as the lead LI user, and who would normally create and maintain other LI user accounts after the NFM-P system admin has created the initial LI user account. This role is optional, depending on your NOC security requirements.
Note: Viewing or retrieving LI user activity records requires a user account with an assigned Lawful Interception Management scope of command role. The scope is restricted to the records of users in the same LI user group.
The NFM-P does not support an LI user executing CLI commands with LI user privilege on the node by using CLI scripts or by executing XML API calls such as executeCLI or executeMultiCLI.
The following user account creation conditions apply to LI users and LI user groups.
- To configure LI, you must assign the Lawful Interception Management scope of command role for the user type.
- The Lawful Interception Management role can be assigned to only one scope of command profile.
- A scope of command profile that has an assigned Lawful Interception Management role can include other roles except for the admin role.
- You cannot change the scope of command profile assignment for a user group when the profile includes the Lawful Interception Management role.
- An LI user group must be created as an LI user group; you cannot change a non-LI user group to an LI user group.
- A user account can have the Lawful Interception Management or the admin role, but not both.
- A user who belongs to an LI user group cannot be changed to a non-LI user.
- An LI span of control profile restricts LI user access to specific NEs.
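The account creation conditions above can be checked independently during an access review. The following is an added example, not NFM-P code or an NFM-P export format: it audits two constructed snapshots of profiles, user groups, and users for states and changes that the conditions do not allow. The snapshot layout, the "operator" role, and all account names are assumptions.

```python
LI_ROLE = "Lawful Interception Management"
ADMIN_ROLE = "admin"

def li_profiles(snap):
    return sorted(p for p, roles in snap["profiles"].items() if LI_ROLE in roles)

def static_findings(snap):
    """Conditions that must hold within a single snapshot."""
    out = []
    li = li_profiles(snap)
    if len(li) > 1:  # the LI role can be on only one scope of command profile
        out.append("LI role on more than one profile: " + ", ".join(li))
    for p in li:     # an LI profile can carry other roles, but not admin
        if ADMIN_ROLE in snap["profiles"][p]:
            out.append(f"profile {p}: LI and admin roles combined")
    return out

def transition_findings(old, new):
    """Changes between two snapshots that the conditions do not allow."""
    out = []
    old_li = set(li_profiles(old))
    for g, before in old["groups"].items():
        after = new["groups"].get(g)
        if after is None:
            continue
        if before["profile"] in old_li and after["profile"] != before["profile"]:
            out.append(f"group {g}: reassigned away from LI profile")
        if not before["li_group"] and after["li_group"]:
            out.append(f"group {g}: converted from non-LI to LI group")
    for u, g_old in old["users"].items():
        g_new = new["users"].get(u)
        if g_new is None:
            continue
        # Interpretation: "changed to a non-LI user" = moved to a non-LI group.
        if old["groups"][g_old]["li_group"] and not new["groups"][g_new]["li_group"]:
            out.append(f"user {u}: moved from LI group to non-LI group")
    return out

# Constructed snapshots; every name here is hypothetical.
OLD = {"profiles": {"li-prof": {LI_ROLE}, "ops-prof": {"operator"}},
       "groups": {"li-grp": {"li_group": True, "profile": "li-prof"},
                  "noc-grp": {"li_group": False, "profile": "ops-prof"},
                  "ops-grp": {"li_group": False, "profile": "ops-prof"}},
       "users": {"alice": "li-grp", "bob": "ops-grp"}}
NEW = {"profiles": {"li-prof": {LI_ROLE, ADMIN_ROLE}, "ops-prof": {"operator", LI_ROLE}},
       "groups": {"li-grp": {"li_group": True, "profile": "ops-prof"},
                  "noc-grp": {"li_group": False, "profile": "ops-prof"},
                  "ops-grp": {"li_group": True, "profile": "ops-prof"}},
       "users": {"alice": "noc-grp", "bob": "ops-grp"}}
```

Because the NFM-P is described as enforcing these conditions itself, any finding from a check like this points to a discrepancy in the reviewed data that should be investigated.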