How do I manage NFM-P user accounts and groups?

Overview

You can create NFM-P user accounts and user groups to:

Users have view access, read-write access, or no access to NFM-P objects and functions based on:

The default NFM-P user account called admin is assigned the Administrator scope of command role and a span of control profile that has Edit Access assigned to each default span.

Note: Access Control is disabled by default. When Access Control is disabled, other NSP tools such as Sessions and User Activity Logs remain enabled and functional.

Note: To restrict user access to top-level functions such as NFM-P and NE security management, the following guidelines are recommended:

General NFM-P security management rules

The following general rules apply to NFM-P user and group security management:

Password management

An NFM-P user password must observe the following constraints:

Scope of command

A scope of command, which defines the actions that a user is allowed to perform, is a collection of configurable roles, which are sets of permissions. A scope of command profile contains one or more roles, and the profile is subsequently applied to a user group. Each user in the group acquires the access rights specified in the scope of command profile.

Scope of command roles

A scope of command role specifies the read, create, update, and delete access permissions for an NFM-P object type or functional area. You can create custom roles by assigning specific access permissions to different functional areas. The functional areas are organized in packages, methods, and classes. See Appendix A, Classic management scope of command roles and permissions for a list of all access permissions that can be assigned to a scope of command role.

Note: When you enable the Create permission, the Update permission is automatically enabled.

Note: When you enable the Update permission, the Create permission is not automatically enabled.

You can create an original scope of command role, or copy an existing role and modify the role permissions to create a role. The NFM-P has several predefined scope of command roles. See Appendix A, Classic management scope of command roles and permissions for a list of the permissions, access levels, and descriptions of all pre-defined scope of command roles and profiles.

Note: When you create a scope of command role, you must enable create, update/execute, and delete access to allow the modification of a class or package.

Scope of command profiles

A scope of command profile contains one or more scope of command roles, and is assigned to a user group. Each user in the group acquires the permissions from the scope of command roles in the profile.

Span of control

The span of control for a user is a list of the objects over which the user has control, for example, a group of NEs or services. You can create an original span, or copy an existing span and modify the list of associated objects to create a new span. The objects that are in a span, or that can be added to a span, are called span objects.

The NFM-P has several predefined spans. Each new object, for example, a discovered NE, is added to the corresponding predefined span. Table 9-1, Pre-defined spans of control lists the pre-defined spans and the type of span objects in each.

Note: You cannot modify or delete a pre-defined span.

Table 9-1: Pre-defined spans of control

Span

Included objects

Default Topology Group Span

Topology groups

Default Router Span

Managed NEs

Default Script Span

CLI and XML API scripts, service templates, tunnel templates, and auto-provision profiles

Default Test Suite Span

Test suites

Default Group Span

Ring groups and VLAN groups

Default Bulk Operation Span

Bulk operations

Default Service Span

Services

Default Customer Span

Customers

Spans are specified in span of control profiles that are associated with user groups. A user can create an NFM-P object only when the pre-defined span for the object type is in the span of control profile. For example, if you do not have the Default Group Span in your span of control profile, you cannot create a ring group.

NEs are added automatically to a span when the parent topology group, ring group, or VLAN group is in a span. An object that is automatically added to a span cannot be removed from the span, but an explicitly added object can be removed.

Note: A user can view or configure a point-to-point connection only when each endpoint of the connection is in the user span of control. For example, when the endpoints of an LSP path are in different spans, you need view or configuration privileges in each span in order to view or configure the LSP path.

When you create a span, you can drag and drop NEs and topology groups into the span contents list.

Each user can control which objects the NFM-P displays in maps, lists, and navigation trees, based on the user span of control. The User Preferences form contains a parameter that globally specifies whether the Edit Access span objects of the user appear by default. Objects that are not in a View Access span of the user are not displayed, regardless of the user preference. See “To filter using span of control” in the NSP NFM-P User Guide for information about configuring the user span of control display preference.

In a list form, you can override the global display preference using the Span On parameter. The associated advanced filter form contains a selector for filtering the search results based on the span of control.

Span of control profiles
CAUTION 

CAUTION

Service Disruption

It is recommended that you consider the effects of combining customer, service, and NE spans in a span of control profile.

For example, a user can modify a service only when the service, customer, and participating NEs are in one or more Edit Access spans of the user, and none of the objects is in a Blocked Edit or Blocked View span.

A span of control profile is a collection of one or more spans that is assigned to a user group. When you create a profile, each span in the profile is assigned one of the following access types:

Blocked Edit and Blocked View spans restrict access to a subset of the objects in another span in the same profile. For example, when multiple span of control profiles each contain the Default Service Span, you can add a customer-specific Blocked View or Blocked Edit span to each profile so that the user group associated with a profile can view or configure only the services of specific customers.

A Blocked Edit or Blocked View span takes precedence over other spans. For example, when a user has an Edit Access span that contains all services and a Blocked View span that contains Customer A and Customer B, the user cannot view or configure the services that belong to Customer A and Customer B.

To ensure that span conflicts do not interfere with network troubleshooting, the NFM-P allows a user to execute tests on NEs and service sites that are not in an Edit Access span of the user. However, activities such as policy distribution, software upgrades, and statistics collection can be performed only by a user with Edit Access spans that contain the target objects.

CPAM span of control

CPAM topology maps support span of control for equipment group objects. There are no default CPAM spans. To allow movement of objects on CPAM maps, you must create a custom span of control for CPAM equipment groups and add it to the span of control profile for the required user group. See “CPAM span of control” in the NSP NFM-P Control Plane Assurance Manager User Guide. CPAM topology maps are accessed under Tools → Route Analysis in the NFM-P main menu.

Span rules

By default, the NFM-P automatically adds a new service to the Default Service span. Using an XML API or GUI client, you can create policies called span rules that add new services to other spans in addition to the Default Service span.

A span rule is associated with a format or range policy, and applies to the users and user groups that are specified in the format or range policy. You can associate multiple range policies with one user and service type, which enables the automatic addition of a new service to a specific span based on the service ID specified when the service is created.

When you create a span rule, you must specify one of the following to indicate which spans receive the services that the user creates:

The span rules associated with a format or range policy take effect for new services only when the format or range policy is administratively enabled and has a valid configuration that includes at least one user or user group.

See How do I configure sample span rule? for a sample span rule configuration and implementation.