How does service management implement user access control?

Action Permissions

Users of the NSP service management function are assigned a role with defined action permissions. These permissions either allow them to, or prevent them from, performing specific operations. When granting permissions, the available scopes are as follows, and are assigned by an NSP administrator within the Users and Security views:

• None

• Read

• Read/write

• Read/execute

• Read/write/execute

The following operations are exclusive to users with write permissions:

• Create a service, tunnel, customer, or steering parameter

• Create a service template or tunnel template

• Associate a service with a template, including bulk association (which requires admin privileges)

• Migrate a service to another template

• Unassociate a service from a template

• Change the state of a service or tunnel

• Align (push and pull), audit, or synchronize a service

• Align (push) or audit a tunnel

• Modify service or tunnel definitions

• Assign steering parameters to brownfield tunnels

The following operations are exclusive to users with execute permissions:

• Delete a service, tunnel, customer, or steering parameter

• Delete a service template or tunnel template

• Import or delete an intent type

• Invoke a workflow against a service (the NSP workflow function will limit the workflows that the user can invoke)

Consult the NSP System Administrator Guide or your NSP administrator for more information.

Note: In addition to the above permissions, non-admin service management users must have Read permission for Network Intents enabled. If any custom RPC actions need to be executed, the non-admin service management users must have Operate Intents permission for Network Intents enabled as well. In general, service management users must have access control enabled - within Network Intents - for any intent type they intend to use.

Note: The Edit service action is disabled for users who only have Read permission. These users can manually navigate to the modifications forms via URL, and make changes on these forms, but the Apply button will be disabled.

Resource Groups Access

Users of the NSP service management function are assigned a role with defined resource group access. Their resource group access either allows them to, or prevents them from, accessing specific resources - such as services or network elements. A user's access to a service or network element will affect inventory listings, service CRUD operations, intent suggest functions, and intent RPC calls. When granting access, the available options are as follows, and are assigned by an NSP administrator within the Users and Security views:

• ‘Access to all Services' is selected — The user has Read/Write/Execute permissions for the full span of services. No further user access control validation is performed.

• ‘Access to all Services' is deselected — The administrator can specify a permission scope for the full span, or a subset, of services.

• ‘Access to all Equipment' is selected — The user has Read/Write/Execute permissions for the full span of network elements. No further user access control validation is performed.

• ‘Access to all Equipment' is deselected — The administrator can specify a permission scope for the full span, or a subset, of network elements.

Note: NSP administrators have Read/Write/Execute permissions for the full span of services and network elements. No further user access control validation is performed.

The following limitations apply when resource group access is defined:

• Due to the additional user access control validations that evaluate network element access, there is a degradation of the service provisioning rate at >2 seconds per service.

• Only site spans are currently supported - not port spans. If a user has access to a given network element, they are assumed to have access to all of its ports.

• There is only user access control for composite services when defining network element group access - not when defining service group access.

• The Inventory Find function on network elements only checks for Read permissions on a group. Therefore, resources are listed if the user has Read access to the network elements group. In this case, service management will validate the group permission scope (Read/Write/Execute) and validate accordingly for the intended action.

• When network elements access is defined, all service management objects are visible, even those that are not associated to network elements. This includes service templates, tunnel templates, steering parameters, etc.

• The user will be able to see a full audit report on a service, regardless of their network element access.

• The user will be able to approve misalignments and remove approvals, regardless of their network element access.

• Network element access is not applied to service tunnels, customer sites inventory, or network policies inventory.

© 2024 Nokia. Nokia Confidential Information

Use subject to agreed restrictions on disclosure and use.