How do I manage NFM-P user accounts and groups?
Overview
You can create NFM-P user accounts and user groups to:
- provide GUI or XML API access to the NFM-P functional areas that match specific operator requirements
- restrict access to functions or objects based on operator expertise or authority
Users have view access, read-write access, or no access to NFM-P objects and functions based on:
The default NFM-P user account called admin is assigned the Administrator scope of command role and a span of control profile that has Edit Access assigned to each default span.
Note: Access Control is disabled by default. When Access Control is disabled, other NSP tools such as Sessions and User Activity Logs remain enabled and functional.
Note: To restrict user access to top-level functions such as NFM-P and NE security management, the following guidelines are recommended:
- Assign the administrator scope of command role to a minimal number of NFM-P user accounts.
- Assign each NFM-P user to a user group that has the minimum privileges for performing the required tasks.
General NFM-P security management rules
The following general rules apply to NFM-P user and group security management:
- Only database space limits the number of accounts and groups that can be created.
- Only one session per user account can be open at the same time on a client station.
- A scope of command profile allows user-group access to one or more NFM-P functional areas.
- A span of control profile allows user-group access to one or more NFM-P managed objects.
- A user group is associated with only one scope of command profile that can contain multiple scope of command roles.
- A user group is associated with only one span of control profile that can contain multiple spans.
- The assigned user privileges determine the following for a GUI user:
- By default, a user group is assigned access to all NFM-P objects.
- A user acquires span of control access rights from the associated user group.
- When you modify a user group, and a user in the group has an open client session, client actions may fail for the user. To put the new user group permissions into effect, the user must close the current client session and open a new session.
- You can modify but not delete a span of control profile that is assigned to a group.
Password management
An NFM-P user password must observe the following constraints:
- It must contain at least three of the following character types:
- It cannot include more than three consecutive instances of the same character.
- It must change according to a configurable schedule to prevent account lockout.
- It cannot be reused as a new password for the same user account.
Scope of command
A scope of command, which defines the actions that a user is allowed to perform, is a collection of configurable roles, which are sets of permissions. A scope of command profile contains one or more roles, and the profile is subsequently applied to a user group. Each user in the group acquires the access rights specified in the scope of command profile.
Scope of command roles
A scope of command role specifies the read, create, update, and delete access permissions for an NFM-P object type or functional area. You can create custom roles by assigning specific access permissions to different functional areas. The functional areas are organized in packages, methods, and classes. See Appendix A, Classic management scope of command roles and permissions for a list of all access permissions that can be assigned to a scope of command role.
Note: When you enable the Create permission, the Update permission is automatically enabled.
Note: When you enable the Update permission, the Create permission is not automatically enabled.
You can create an original scope of command role, or copy an existing role and modify the role permissions to create a role. The NFM-P has several predefined scope of command roles. See Appendix A, Classic management scope of command roles and permissions for a list of the permissions, access levels, and descriptions of all pre-defined scope of command roles and profiles.
Note: When you create a scope of command role, you must enable create, update/execute, and delete access to allow the modification of a class or package.
Scope of command profiles
A scope of command profile contains one or more scope of command roles, and is assigned to a user group. Each user in the group acquires the permissions from the scope of command roles in the profile.
Span of control
The span of control for a user is a list of the objects over which the user has control, for example, a group of NEs or services. You can create an original span, or copy an existing span and modify the list of associated objects to create a new span. The objects that are in a span, or that can be added to a span, are called span objects.
The NFM-P has several predefined spans. Each new object, for example, a discovered NE, is added to the corresponding predefined span. Table 9-1, Pre-defined spans of control lists the pre-defined spans and the type of span objects in each.
Note: You cannot modify or delete a pre-defined span.
Table 9-1: Pre-defined spans of control

| Span | Included objects |
|---|---|
| Default Topology Group Span | Topology groups |
| Default Router Span | Managed NEs |
| Default Script Span | CLI and XML API scripts, service templates, tunnel templates, and auto-provision profiles |
| Default Test Suite Span | Test suites |
| Default Group Span | Ring groups and VLAN groups |
| Default Bulk Operation Span | Bulk operations |
| Default Service Span | Services |
| Default Customer Span | Customers |
Spans are specified in span of control profiles that are associated with user groups. A user can create an NFM-P object only when the pre-defined span for the object type is in the span of control profile. For example, if you do not have the Default Group Span in your span of control profile, you cannot create a ring group.
NEs are added automatically to a span when the parent topology group, ring group, or VLAN group is in a span. An object that is automatically added to a span cannot be removed from the span, but an explicitly added object can be removed.
Note: A user can view or configure a point-to-point connection only when each endpoint of the connection is in the user span of control. For example, when the endpoints of an LSP path are in different spans, you need view or configuration privileges in each span in order to view or configure the LSP path.
When you create a span, you can drag and drop NEs and topology groups into the span contents list.
Each user can control which objects the NFM-P displays in maps, lists, and navigation trees, based on the user span of control. The User Preferences form contains a parameter that globally specifies whether the Edit Access span objects of the user appear by default. Objects that are not in a View Access span of the user are not displayed, regardless of the user preference. See “To filter using span of control” in the NSP NFM-P User Guide for information about configuring the user span of control display preference.
In a list form, you can override the global display preference using the Span On parameter. The associated advanced filter form contains a selector for filtering the search results based on the span of control.
Span of control profiles
CAUTION: Service Disruption
It is recommended that you consider the effects of combining customer, service, and NE spans in a span of control profile.
For example, a user can modify a service only when the service, customer, and participating NEs are in one or more Edit Access spans of the user, and none of the objects is in a Blocked Edit or Blocked View span.
A span of control profile is a collection of one or more spans that is assigned to a user group. When you create a profile, each span in the profile is assigned one of the following access types:
- View Access—The user can view the span objects, unless the scope of command permissions deny read access.
- Edit Access—The user can modify the span objects, unless the scope of command permissions deny access.
- Blocked Edit—The user can view but not modify the span objects, regardless of the scope of command permissions.
- Blocked View—The user cannot view or modify the span objects, regardless of the scope of command permissions.
Blocked Edit and Blocked View spans restrict access to a subset of the objects in another span in the same profile. For example, when multiple span of control profiles each contain the Default Service Span, you can add a customer-specific Blocked View or Blocked Edit span to each profile so that the user group associated with a profile can view or configure only the services of specific customers.
A Blocked Edit or Blocked View span takes precedence over other spans. For example, when a user has an Edit Access span that contains all services and a Blocked View span that contains Customer A and Customer B, the user cannot view or configure the services that belong to Customer A and Customer B.
To ensure that span conflicts do not interfere with network troubleshooting, the NFM-P allows a user to execute tests on NEs and service sites that are not in an Edit Access span of the user. However, activities such as policy distribution, software upgrades, and statistics collection can be performed only by a user with Edit Access spans that contain the target objects.
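The following is an added illustration, not NFM-P code, of how the access types above combine: a Blocked span overrides any View or Edit span for the same object, a service is modifiable only when the service, its customer and every participating NE all resolve to Edit Access, and a scope of command role's Create permission implies Update (but not the reverse). The object ids, span names and the Role/Span classes are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    VIEW = "View Access"
    EDIT = "Edit Access"
    BLOCKED_EDIT = "Blocked Edit"
    BLOCKED_VIEW = "Blocked View"

@dataclass(frozen=True)
class Span:
    name: str
    objects: frozenset  # constructed object ids such as "svc:1" or "cust:A"

@dataclass
class Role:
    """Hypothetical scope of command role; only read/create/update are modelled."""
    read: bool = False
    create: bool = False
    update: bool = False

    def __post_init__(self):
        if self.create:  # page rule: enabling Create enables Update, not the reverse
            self.update = True

def span_access(profile, obj):
    """Resolve one object's span of control level; Blocked spans take precedence."""
    levels = {access for span, access in profile if obj in span.objects}
    if Access.BLOCKED_VIEW in levels:
        return "none"
    if Access.BLOCKED_EDIT in levels:
        return "view"
    if Access.EDIT in levels:
        return "edit"
    return "view" if Access.VIEW in levels else "none"

def can_view(profile, role, obj):
    """Viewing needs both the role's Read permission and a non-blocked span."""
    return role.read and span_access(profile, obj) != "none"

def can_modify_service(profile, role, service, customer, nes):
    """Service, its customer and every participating NE must all resolve to edit."""
    return role.update and all(span_access(profile, o) == "edit" for o in (service, customer, *nes))

# Constructed sample: an Edit Access span over everything plus a Blocked View span hiding Customer A.
ALL = Span("All Objects", frozenset({"svc:1", "svc:2", "cust:A", "cust:B", "ne:10", "ne:11"}))
CUST_A = Span("Customer A", frozenset({"svc:1", "cust:A"}))
PROFILE = [(ALL, Access.EDIT), (CUST_A, Access.BLOCKED_VIEW)]
ROLE = Role(read=True, create=True)  # Update is enabled automatically
```

With this profile the user can edit Customer B's service but cannot even see Customer A's, exactly the precedence case described above.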
CPAM span of control
CPAM topology maps support span of control for equipment group objects. There are no default CPAM spans. To allow movement of objects on CPAM maps, you must create a custom span of control for CPAM equipment groups and add it to the span of control profile for the required user group. See “CPAM span of control” in the NSP NFM-P Control Plane Assurance Manager User Guide. CPAM topology maps are accessed under Tools → Route Analysis in the NFM-P main menu.
Span rules
By default, the NFM-P automatically adds a new service to the Default Service span. Using an XML API or GUI client, you can create policies called span rules that add new services to other spans in addition to the Default Service span.
A span rule is associated with a format or range policy, and applies to the users and user groups that are specified in the format or range policy. You can associate multiple range policies with one user and service type, which enables the automatic addition of a new service to a specific span based on the service ID specified when the service is created.
When you create a span rule, you must specify one of the following to indicate which spans receive the services that the user creates:
The span rules associated with a format or range policy take effect for new services only when the format or range policy is administratively enabled and has a valid configuration that includes at least one user or user group.
See How do I configure sample span rule? for a sample span rule configuration and implementation.