Contents
3 DMS User Management
  3.1 Basic Concepts
    3.1.1 User
    3.1.2 User Group
    3.1.3 Operation Set
    3.1.4 ACL
    3.1.5 Managed Domain
    3.1.6 Operation Rights
    3.1.7 Authority and Domain Based Management
    3.1.8 User Right Allocation Policy
  3.2 Creating User Flow Chart
  3.3 Creating an Operation Set
  3.4 Creating a User Group
  3.5 Creating a User
    3.5.1 Adding a User
    3.5.2 Adding Users to a User Group
    3.5.3 Setting User ACL Rights
    3.5.4 Granting the Managed Domain to a User
    3.5.5 Granting Operation Rights to a User
  3.6 Forcing a User to Exit
  3.7 Sending a Message to Selected Client
  3.8 Configuration Example for Authority and Domain Based Management
    3.8.1 Application Scenario
    3.8.2 Configuration Roadmap
    3.8.3 Configuration Guide
    3.8.4 Verifying the Configuration Example
Issue 02 (2007-10-15)
Figures
Figure 3-1 Complete flow chart of creating a user
Figure 3-2 New operation set
Figure 3-3 Adding operations
Figure 3-4 Creating a new user group
Figure 3-5 Adding users
Figure 3-6 Setting the managed domain of the user group
Figure 3-7 Adding rights
Figure 3-8 New users
Figure 3-9 Advanced information of the users
Figure 3-10 Adding user groups
Figure 3-11 Adding an ACL
Figure 3-12 Granting the managed domain to a user
Figure 3-13 Granting operation rights to a user
Figure 3-14 Network planning diagram
Figure 3-15 Management range of the state or provincial user
Figure 3-16 Operation flowchart
Figure 3-17 Setting managed domain for the core monitor group
Figure 3-18 Setting the managed domain for the user of User-1
Figure 3-19 Setting operation authorities for User Group-1
Figure 3-20 Creating a user
Figure 3-21 Topology view for the User-1
Tables
Table 3-1 Security attribute of a user
Table 3-2 Parameter description in the new operation set dialog box
Table 3-3 Parameter description in the create new user group dialog box
Table 3-4 Parameter description of adding new users
3 DMS User Management
About This Chapter
The following table shows the contents of this chapter.
Section: Description
3.1 Basic Concepts: This section describes related concepts of DMS user management.
3.2 Creating User Flow Chart: This section describes the operation flow chart of creating a user.
3.3 Creating an Operation Set: This section describes how to create an operation set.
3.4 Creating a User Group: This section describes how to create a user group.
3.5 Creating a User: This section describes how to create a user group, allocate users to the user group, set rights of accessing the user address, and allocate the managed domain and operation rights to the user.
3.6 Forcing a User to Exit: This section describes how to force a current user to exit.
3.7 Sending a Message to Selected Client: This section describes how to send a message to the selected client.
3.8 Configuration Example for Authority and Domain Based Management: This section describes a configuration example for authority and domain based management.
admin
The admin user has the highest authority over the DMS and can manage the DMS. When you log in to the DMS for the first time as admin, the default password is N2000. After you click Login, the system forces you to change the password.
corba
The corba user is used to connect third-party software. The corba user can complete the connection between the third-party software and the DMS. The default password is corbaagent. Change the password as soon as possible. By default, the user has no managed domains or operation rights. Generally, the administrator does not need to change the rights of the corba user. Modify the Access Control List (ACL) when a third-party NMS is connected to the DMS. For details, see 3.5.3 "Setting User ACL Rights."
Monitor group: Performs the query operation.
If a user group has the management access to a sub-map, the user group has the management access to all devices in the sub-map.
3.1.4 ACL
The Access Control List (ACL) is the security mechanism that allows users to log in to the DMS only from a certain IP address or network segment. Security control is achieved at two layers as follows:
System ACL: The IP address (or IP network segment) used to log in to the DMS server can be selected only from one ACL. This ACL is called the system ACL.
User ACL: Select the IP addresses from which the user can log in to form the user ACL.
With security control at these two layers, you can effectively control the IP addresses from which a user can log in to the DMS server. Even if a user account and its password are both stolen, the thief cannot log in to the DMS server from an address outside the permitted ones. This ensures the security of the DMS.
Domain Management
Domain management is to classify device nodes, services, or data into different domains, and assign the management authorities to the domain administrator. Then, the managed objects of the domain administrator can be controlled.
Authority Management
Authority management is to classify authorities into different levels such as maintenance authority, operation authority, and monitoring authority. Through authentication, a user account is valid only in certain domains and cannot manage other domains.
Locked status
Bound IP address
Description: By setting the expiry time of an account, you make the account invalid once the expiry time has passed.
Operation: Set the account to be valid forever when you set up a long-term account. Set the expiry days of an account when you set up a temporary account.

Description: For maintenance, you can set some accounts to be suspended.
Operation: Set the account to be suspended.

Description: By setting the expiry of the password, you make a user modify the password within a certain period of time.
Operation: Set the password to be valid forever; the user can then keep using the current password. Alternatively, set the password not to be valid forever and set the expiry time of the password so that the user must modify the password within a certain period of time.
[Figure 3-1 Complete flow chart of creating a user. Surviving flow chart labels: Create a user, End]
Precaution
The user has the right to create an operation set.
Procedure
Step 1 In the NMS, choose System > Security Management. Then the security management interface is displayed.
Step 2 On the Security Object navigation tree on the left, choose the Operation Sets node. Right click and choose New Operation Set.
Step 3 The New Operation Set dialog box is displayed, as shown in Figure 3-2.
Step 4 Configure the parameters Name, Description, Type and Subtype of the operation set. For the description of parameters, see Table 3-2.
Table 3-2 Parameter description in the new operation set dialog box
Parameter: Name
  Description: It refers to the name of an operation set. It is a mandatory item. It cannot be null or be the same as that of an existing operation set.
  Setting: It must be a string with 1 to 64 characters.
Parameter: Description
  Description: You can enter other descriptions here.
  Setting: It must be a string with 0 to 64 characters.
Parameter: Type
  Description: It refers to the security type in the NMS.
  Setting: It is Fixed Network Device Management by default. It is selected from the drop-down list.
Parameter: Subtype
  Description: It refers to the subtypes of each security type.
  Setting: It is 3rd-Party Device by default. It is selected from the drop-down list.
Step 5 Click OK and return to the security management interface.
Step 6 On the navigation tree on the left, click the newly created operation set. Select the Operations tab in the working area on the right.
Step 7 Click Add. The Add Operation dialog box is displayed, as shown in Figure 3-3. Select the operations contained in the operation set. Click Add to add the operations to the selected box.
Step 8 Click OK and return to the security management interface. Complete the creation of the operation set.
----End
Precaution
The user has the right to create a user group.
Procedure
Step 1 In the NMS, choose System > Security Management. Then the security management interface is displayed.
Step 2 On the Security Object navigation tree on the left, choose the User Groups node. Right click and choose the New User Group menu.
Step 3 The Create New User Group dialog box is displayed, as shown in Figure 3-4. Configure the Name and Description of the user group. Select the value in Limit maximum number of sessions. If Yes is selected, you need to configure the Maximum number of sessions. If you need to set the group administrator, click the associated button. The Set User Group Administrator dialog box is displayed. Select the administrator. Click OK and return to the Create New User Group dialog box. For the description of parameters, see Table 3-3.
Figure 3-4 Creating a new user group
Table 3-3 Parameter description in the create new user group dialog box
Parameter: Name
  Description: It refers to the name of a user group. It is mandatory. It cannot be null or be the same as that of an existing user group.
  Setting: It must be a string with 1 to 20 characters.
Parameter: Description
  Description: You can enter other descriptions here.
  Setting: It must be a string with 0 to 48 characters.
Parameter: Limit maximum number of sessions
  Description: It refers to whether the user group is limited by the maximum number of sessions.
  Setting: You can select Yes or No. By default, it is No.
Parameter: Maximum number of sessions
  Description: It refers to the maximum number of sessions of the user group. When the Limit maximum number of sessions is Yes, you can configure this parameter.
Parameter: Group Manager
  Description: The administrator can add users and allocate the domain and the operation rights.
Step 4 Click OK and return to the security management interface.
Step 5 This step is optional. In this step, you can add the created user to the user group.
1. On the navigation tree on the left, click the newly created user group. Select the Members tab in the working area on the right.
2. Click Add. The Add Operation dialog box is displayed, as shown in Figure 3-5.
3. Select the user to be added to the group. Click Add.
4. Click OK and return to the security management interface.
Step 6 On the navigation tree on the left, click the newly created user group. Select the Managed Domain tab in the working area on the right.
Step 7 Expand the Submap and the Resource Group, and then the corresponding sub-items. By selecting the check box in front of a device in the AS domain, you add that device to the managed domain of the user group, as shown in Figure 3-6. Click Apply.
Step 8 On the navigation tree on the left, click the newly created user group. Select the Operation Rights tab in the working area on the right.
1. Click Add. The Add Right dialog box is displayed, as shown in Figure 3-7.
2. Choose Type, Subtype, Operation Object and Operation. Click Add.
3. Click OK and return to the security management interface.
Step 9 In the navigation tree on the left, click the new user group, and then select the Current Session tab. The user information of the user group is displayed.
----End
Precaution
The user has the right to create a new user.
Procedure
Step 1 In the NMS, choose System > Security Management. Then the security management interface is displayed.
Step 2 On the Security Object navigation tree on the left, choose the Users node. Right click and choose New User.
Step 3 The New User dialog box is displayed, as shown in Figure 3-8. For the description of parameters, see Table 3-4.
Figure 3-8 New users
Table 3-4 Parameter description of adding new users
Parameters: Description
Name: The length of the character string is from 6 to 20. The parameter cannot be null or be the same as that of an existing user group.
It is a string with fewer than 80 characters. It shows the full name of the user. This parameter can be null.
It is a string with fewer than 245 characters. It is the information that the maintenance personnel needs to describe. This parameter can be null.
Password: It is the password of the newly created user and is not null. The length of the character string is from 8 to 16. It must contain a figure and a letter, but not an entire user name or an entire word. It cannot be the incremental, descending, or interval sequence of figures and letters.
Confirm password: Confirm the password. This parameter must be the same as the password.
Suspend account: It can be Yes or No. By default, it is No.
Account always valid: It can be Yes or No. By default, it is No.
Account validity(days): If you choose No in the Account validity check box, you can enter the validity days in the box. You can also use the default value 180.
It can be Yes or No. By default, it is No. If you select Yes in the Password validity check box, there is no limit on the days.
If you choose No in the Password validity check box, you can input the validity days in the box. It is 90 days by default.
Login duration: Limit the time when the user logs in to the system. It is any time by default. Click ... on the right to enter the time. Add the time when the Login time dialog box appears.
Lock account on no login: If the user does not log in to the system in the specified period of login, the account of the user is locked.
No login period(days): Specifies the maximum days of the interval of user login. When Lock account on no login is Yes, it is 30 days by default.
Must modify password: If you choose Must modify password, the user must modify the login password when logging in to the system for the first time.
Max. online users are restricted: If you choose Max. online users are restricted, the number of online users is limited by Max. online users.
Max. online users: It specifies the number of users who are online at the same time. When you choose Yes in Max. online users are restricted, the number is valid. The value range is from 1 to 255. It is 30 by default. When the user logs in, the system automatically judges whether the number of users reaches the maximum value according to the DMS license. If the number of users reaches the maximum value, the user fails to log in.
It specifies the user groups managed by the user. Choose the user group by clicking .
Step 4 Select the Advanced tab. Configure the advanced information of the user, as shown in Figure 3-9. The rights are granted to the user in the advanced information. There are two modes of granting rights, "belong to" and "copy the user rights".
Belong to: Select the user group to which the new user belongs. After the new user is added to the user group, the user has the management and operation rights of the user group.
Copy the user rights: Copy the rights of an existing user to the new user. The new user then has the management and operation rights of the user whose rights were copied.
Figure 3-9 Advanced information of the users
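The password rules from Table 3-4, written out as an added Python example (not code from the DMS or from this guide). Two readings are assumptions: "an entire user name or an entire word" is checked as a case-insensitive substring against a supplied word list, and a "sequence" is four or more consecutive figures or letters with a constant step. The inputs are the two default passwords quoted earlier plus constructed samples; all function names are hypothetical.

```python
import re

MIN_LEN, MAX_LEN = 8, 16  # password length range stated in Table 3-4
RUN_LEN = 4               # assumption: shortest run counted as a sequence


def has_sequence(text, run_len=RUN_LEN):
    """True if text holds run_len figures or letters with one constant step.

    Step +1 is incremental (1234), -1 descending (dcba), other non-zero
    steps are interval sequences (2468, aceg). Repeats (aaaa) do not count.
    """
    s = text.lower()
    for i in range(len(s) - run_len + 1):
        window = s[i:i + run_len]
        if not window.isascii() or not (window.isdigit() or window.isalpha()):
            continue  # mixed figure/letter windows are not treated as a run
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps != {0}:
            return True
    return False


def check_password(password, username, words=()):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        problems.append("charset")  # needs at least one figure and one letter
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("username")
    if any(word and word.lower() in lowered for word in words):
        problems.append("word")
    if has_sequence(password):
        problems.append("sequence")
    return problems


if __name__ == "__main__":
    samples = [
        ("N2000", "admin"),           # default admin password from this guide
        ("corbaagent", "corba"),      # default corba password from this guide
        ("Operator1x9", "operator1"),  # constructed: embeds the user name
        ("x9abcdq7r2", "operator1"),   # constructed: incremental letters
        ("q7w2468kz", "operator1"),    # constructed: interval figures
        ("7network3q", "operator1"),   # constructed: dictionary word
        ("t4Rk9wPz2m", "operator1"),   # constructed: passes every rule
    ]
    for pwd, user in samples:
        print(pwd, check_password(pwd, user, words=["network"]))
```

Both default passwords fail the policy that applies to newly created users, which is consistent with the forced change for admin and the instruction to change the corba password as soon as possible.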
Precaution
If you do not allocate the user to the user group, you can directly grant the managed domain and operation rights to the user. After a user is added to the user group, the user has the managed domain and operation rights of the user group.
If you add the user to a user group and also grant a managed domain and operation rights directly to the user, the user has the rights of the user group as well as the directly granted managed domain and operation rights.
Procedure
Step 1 On the navigation tree on the left, click the newly created user. Select the Groups tab in the working area on the right.
Step 2 Click Add. The Add User Group dialog box is displayed, as shown in Figure 3-10.
Step 3 Select the user group that the user belongs to. Click Add.
Step 4 Click OK. Complete the operations on the user group that the user belongs to.
Figure 3-10 Adding user groups
----End
Precaution
If you do not select the Enable user ACL check box, you can log in from any client in the ACL.
If you select the Enable user ACL check box, you can log in only from the selected client.
Procedure
Step 1 On the navigation tree on the left, click the newly created user group. Select the ACL Setting tab in the working area on the right.
Step 2 Click Set ACL. The Set ACL dialog box is displayed.
Step 3 Click Add. The Add dialog box is displayed, as shown in Figure 3-11.
Step 4 Enter the IP address of the user or the network segment that the user belongs to. Click OK.
The IP address of the network segment is shown in the form of IP network segment address/mask, such as 10.71.60.0/24. That is, the legal user can log in to the server from the client whose IP address ranges from 10.71.60.1 to 10.71.60.254.
Step 5 Return to the Set ACL dialog box. Click Close.
Step 6 In the ACL Setting tab, select the Enable user ACL check box. Select the Access Allowed check box. This restricts the user to accessing the DMS only from the selected IP address or network segment.
Step 7 Click Apply.
----End
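The two-layer check described in 3.1.4 and configured in the procedure above, as an added Python example (not code from the DMS or from this guide). It assumes the system ACL is evaluated first and the user ACL only when Enable user ACL is selected; apart from 10.71.60.0/24, every address is constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# 10.71.60.0/24 is the segment used in this guide; the rest is constructed.
SYSTEM_ACL = ["10.71.60.0/24", "10.71.61.0/24"]
USER_ACL = ["10.71.60.17"]  # one workstation selected for the user


def parse_acl(entries):
    """Parse entries given as a single address or as 'segment address/mask'."""
    # strict=True rejects entries such as 10.71.60.5/24 whose host bits are set.
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def segment_hosts(segment):
    """Return the first and last client address covered by a segment."""
    net = ipaddress.ip_network(segment, strict=True)
    if net.num_addresses <= 2:  # /31 and /32 have no network/broadcast pair
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])


def uncovered_entries(system_acl, user_acl):
    """User ACL entries outside every system ACL entry; they can never match."""
    system, user = parse_acl(system_acl), parse_acl(user_acl)
    return [
        str(u) for u in user
        if not any(u.version == s.version and u.subnet_of(s) for s in system)
    ]


def login_allowed(client_ip, system_acl, user_acl, user_acl_enabled):
    """Apply the system ACL, then the user ACL if it is enabled (assumed order)."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in parse_acl(system_acl)):
        return False, "client is outside the system ACL"
    if not user_acl_enabled:
        return True, "user ACL disabled: any client in the system ACL is accepted"
    if any(addr in net for net in parse_acl(user_acl)):
        return True, "client matches the user ACL"
    return False, "client is outside the user ACL"


if __name__ == "__main__":
    print(segment_hosts("10.71.60.0/24"))
    # Same credentials presented from different clients (constructed cases).
    for ip, enabled in [("10.71.60.17", True), ("10.71.61.5", True),
                        ("10.71.61.5", False), ("198.51.100.7", False)]:
        print(ip, enabled, login_allowed(ip, SYSTEM_ACL, USER_ACL, enabled))
    print(uncovered_entries(SYSTEM_ACL, USER_ACL + ["192.0.2.10"]))
```

The third case shows what the Precaution means in practice: with Enable user ACL cleared, credentials are accepted from any client in the system ACL, so the per-user restriction only exists once the check box is selected.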
Precaution
During the procedure of granting the managed domain to the user, the granted rights cannot exceed the managed domain of the current user.
Procedure
Step 1 Choose System > Security Management.
Step 2 On the Users node of the Security Object navigation tree, click the user to be configured.
Step 3 Select the Managed Domain tab in the information area displayed on the right of the window.
Step 4 Choose the devices that can be managed by the user, as shown in Figure 3-12.
Step 5 Click Apply to grant the managed domain to the user.
----End
Procedure
Step 1 Choose System > Security Management.
Step 2 On the Users node of the Security Object navigation tree, click the user to whom the operation rights are granted.
Step 3 Choose the Operation Rights tab in the information area displayed on the right of the window.
Step 4 Click Add.
Step 5 In the opened Add Right dialog box, select Type and Subtype. Select the operation name. Click Add. Add the name to the operation domain box, as shown in Figure 3-13.
Precaution
Only the user, who has the right of forcing other users to exit, can perform the operation. The admin user can force other users to exit and other users cannot force the admin user to exit.
Procedure
Step 1 Choose System > Security Management.
Step 2 On the Security Object navigation tree, choose the Users node.
Step 3 Right click the page. In the short-cut menu that is displayed, choose Login User Information. The information of the user who logs in is displayed in the window on the right.
Step 4 Choose the user who is to be forced to exit. Right click the page. Choose Force to Exit in the short-cut menu that is displayed.
Step 5 In the confirmation dialog box that is displayed, click OK.
----End
Procedure
Step 1 Choose System > Security Management.
Step 2 On the Security Object navigation tree, choose the Users node.
Step 3 Right click the page. In the short-cut menu that is displayed, choose Login User Information. The information of the user who logs in is displayed in the window on the right.
Step 4 Perform one of the following two operations:
Select the user who receives the message. Right click the page. Choose Send Message to Selected Client to send a message to the selected client.
In the current user, right click and choose Send Message to All Other Clients to send the same message to all other clients.
Step 5 In the Send Message to Selected Client or Send Message to All Other Clients dialog box that appears, enter the contents of the message. Click Send.
----End
User Group-1 and User Group-2 are user groups for a state or province.
Classifying Submap
Classify submaps according to states or provinces, so that each state or province corresponds to a submap. A submap contains only AR devices inside the state or province. BR and CR devices are located in the physical view and are not classified, as shown in Figure 3-14.
Step 2 Set Managed Domain for Core Monitor Group.
1. In the navigation tree on the left, click Core Monitor Group, and select the Managed Domain tab in the working area on the right.
2. Expand Submap > Physical Map, select Physical Map, but do not select User Group-1(AR) and User Group-2(AR), as shown in Figure 3-17. The Core Monitor Group can monitor all BR and CR devices.
Figure 3-17 Setting managed domain for the core monitor group
3. Click Apply.
----End
Step 2 Set Managed Domain for User Group-1.
1. In the navigation tree on the left, click User Group-1, and select the Managed Domain tab in the working area on the right.
2. Expand Submap > Physical Map, select User Group-1(AR), as shown in Figure 3-18.
Figure 3-18 Setting the managed domain for the user of User-1
3. Click Apply.
Step 3 Set Operation Rights for User Group-1.
1. Select the Operation Rights tab in the working area on the right.
2. Click Add. The Add Right dialog box is displayed.
3. Select Network Management Application for Type, select values for Subtype in turn, and add related operator operation sets to the operation authority list. Select Fixed Network Device Management for Type, select values for Subtype in turn, and add related operator operation sets to the operation authority list, as shown in Figure 3-19.
4. Click OK.
----End
3. Click OK.
Step 2 Set the user group that the User-1 belongs to.
1. Click User-1, and select the Groups tab in the working area on the right.
2. Click Add. The Add User Group dialog box is displayed.
3. Select User Group-1 and Core Monitor Group, and click Add.
4. Click OK.
Step 3 Set the ACL authority for the user. Select the ACL Setting tab in the working area on the right, and set ACL for Area-1 User. For details, see 3.5.3 "Setting User ACL Rights."
Step 4 Set the managed domain for User-1.
1. Select the Managed Domain tab, and expand Submap > Physical Map.
2. Select all devices in User Group-1 and all directly-associated BR devices, and click Apply.
Step 5 Set operation rights for User-1.
1. Select the Operation Rights tab in the working area on the right. Click Add. The Add Right dialog box is displayed.
2. Select Fixed Network Device Management for Type, select NE40E for Subtype, and then select NE40E-1(BR) in the Operation Object area.
3. Select NE40E Monitor Operation Set, and click Add.
4. Click OK.
----End
Step 2 Verify the operation authorities of User-1 to AR and BR devices. User-1 has operation authorities to all devices in the state or province, but can only monitor the directly-associated BR device NE40E-1.
----End