Security and User Maintenance

Transcription

1 Titlepage Security and User Maintenance Document 2602 SPECTRUM Management

2 Copyright Notice Document Copyright 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS (c)(1)(ii) and FAR Liability Disclaimer Aprisma Management Technologies, Inc. ( Aprisma ) reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice. IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES. Trademark, Service Mark, and Logo Information SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an to spectrum-docs@aprisma.com; we will do our best to help. Security and User Maintenance Page 2

3 Restricted Rights Notice (Applicable to licenses to the United States government only.) This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR (June 1987) Alternate III(g)(3) (June 1987), FAR (June 1987), or DFARS (c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license. Virus Disclaimer Aprisma makes no representations or warranties to the effect that the licensed software is virusfree. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100 percent effective, we strongly recommend that you write-protect the licensed software and verify (with an antivirus system in which you have confidence) that the licensed software, prior to installation, is virus-free. Contact Information Aprisma Management Technologies, Inc. 273 Corporate Drive Portsmouth, NH Phone: U.S. toll-free: Web site: Security and User Maintenance Page 3

4 Contents Implementing Security 6 SPECTRUM Security...6 Security Communities...7 Security Strings...9 Security String Syntax...10 Security String Inheritance...13 Simple Security String Inheritance Example...15 Security String Inheritance After Modifying a Hierarchy...20 Customizing Security String Inheritance...22 Community Strings...24 Community String Syntax...24 Planning Security...26 Setting Security Through A View and User Editor...28 Implementing Security Through a Location View...28 Implementing Security Through the User Editor...29 Setting Host Security...30 Establishing a Network Administrator...31 User Security and Administration Options...31 Modeling Your Network Security...33 Restricting Edit Privileges for GIB View...34 Providing Users with Start-Up Windows...34 Updating Security Strings...35 Access Privileges for NT Users...36 User Group and User Maintenance 37 Managing User Group and User Models...37 Starting the UserEditor...38 UserEditor Main Window...39 Shrinking the Main Window...41 UserEditor Tool Bar...42 Menu Bar Items...44 File Menu...44 Edit Menu...45 Security and User Maintenance Page 4

5 View Menu...46 User Group Menu...48 User Menu...49 Tools Menu...50 Options Menu...52 User Preference Behavior on Solaris and Windows NT...54 Help Menu...55 Landscapes, User Groups, and User Lists...56 Landscapes...56 User Groups...57 Users...57 HOME and DUPLICATE Models...58 Setting Up Common Attributes...63 UserEditor Usage 65 Modifying a User Group Model...65 Creating a New User Group Model...68 Deleting a User Group Model...69 Copying a User Group Model...71 Modifying a User Group Domain...71 Creating a New User Model...72 Creating a New User Model for Web Operator...74 Setting a Password for a Web Operator User Model...76 Modifying a User Model...77 Adding Yourself as a User...79 Copying a User Model...81 Moving a User Model...82 Enabling a Read-Only User Model to Save User Preferences...82 Deleting a User Model...83 Preferences 84 Actions Preferences...87 Connection Preferences...87 Display Preferences...89 Index 90 Security and User Maintenance Page 5

6 Implementing Security This section discusses SPECTRUM security and the processes for establishing security. SPECTRUM Security SPECTRUM security is available to prevent unauthorized access and editing of the various SPECTRUM views and models. Its security measures can also prevent unauthorized changes to your network devices through SPECTRUM. SPECTRUM security does not replace your current network security system, but will cooperate with your overall network security program. SPECTRUM provides security mechanisms that extend the security provided by the UNIX or Windows NT platforms. These machines establish: Areas in the network model that users may examine or view. Existing attribute values that users may update. Existing models and views in SPECTRUM that users may edit. The following terms describe concepts that are the foundation of SPECTRUM security. Each one is discussed in greater detail in the following subsections. Security Community In SPECTRUM, Security communities provide a mechanism for grouping views and network models to control access. Access to a security community is determined by comparing a model s Security String to a user s Community String. Security String Defines the requirements for access to a model by SPECTRUM users. Security strings are assigned to models. Each security string consists of one or more Security Community entries. Security and User Maintenance Page 6

7 Community String Defines security communities to which a user is permitted access and establishes edit privileges within them. Community strings are assigned to users. Each entry defines one or more specific security communities and the access privilege level (i.e., view-only, or view and edit) associated with each. Security Communities Security Communities in SPECTRUM define areas of access. The ADMIN community is the overall community that contains all models in SPECTRUM. All other communities are subsets of the ADMIN community and are created through the assignment of security strings in the SPECTRUM models. You determine the structure of the communities as part of your planning for network security. Communities can be established as peers or subsets of other communities. You can model them as a hierarchy of nested communities, set all communities to the same level, or establish a combination of these structures (groups of communities at different hierarchical levels). Figure 1 (Page 8) shows an example of community structure. Hierarchical structures form parent-child relationships. A community containing other communities is referred to as the parent of those communities; similarly, communities contained within a community are considered that community s children. Security and User Maintenance Page 7

8 Figure 1: SPECTRUM Security Communities - An Example AcctPay_#2-1 and AcctRec_#2-2 are children of Acctg_#2. ADMIN Acctg_#2 AcctPay_#2-1 AccPay_#2-2 Mfg_#1 Views and Network Models that are part of these communities. = Network models Note: With the exception of names assigned by SPECTRUM (ADMIN, and in some cases default names inherited from a parent community), the names of Security Communities are determined by you, the network administrator. The name that you assign becomes part of the Security String for the community. When assigning names for the security communities in your network, you should choose names that are meaningful and related to the functions performed by the users in that community. Security and User Maintenance Page 8

9 Security Strings SPECTRUM uses security strings to place locks on models. A security string is established when a model is created. A security string can also be set or modified later by a user who has Write privileges. The security string for a specific model consists of entries (security strings) inherited from its parent and the security string entered when the model is created. If a specific security string is not defined when the model is created, the string is set to the value of the parent security string, if any, in the location where the model is being created. You can enter the security string for a model at its creation or change it later. (Changing a model s security string is discussed in Updating Security Strings on Page 35; in addition, observe the note discussions on Page 12 and Page 19.) When no security string exists, access is unrestricted. Figure 2 (Page 10) shows how the security string (lock) for a community or model compares with a community string (key) entered for user models. When a user s community string contains a match for a security community name listed by the security string for a model, the user is granted access to the community/model. When a user without access privileges to a community attempts to navigate into that community or to access a model within it, however, access is denied, and a dialog box informs the user of the access violation. Security and User Maintenance Page 9

10 Figure 2: SPECTRUM Security and Community String Comparison A user can access only models with a matching security string. = COMPARE = View or Network Model Security String Lists communities that have access to the model UserGroup or User Community String Lists communities that the UserGroup or User belongs to, together with the UserGroup s or User s privileges in each Security String Syntax All security strings must adhere to the following rules: Security community names are case sensitive. The first character of a name must be a letter. Numerals can be used in the name following a leading alphabetic character. Each name in a security string is separated by a vertical bar operator ( ). An operator within a security string indicates a logical OR. A security string for a single model may have many parts, one for each hierarchy where the model is represented. Each part is enclosed within parentheses and separated by an ampersand (&), e.g., (string1)&(string2). An ampersand between strings indicates a logical AND. Security and User Maintenance Page 10

11 The following examples illustrate representative security string syntax: No Security String When no string exists for a model, access is unrestricted. ADMIN A security string with no inheritance. ADMIN is the community that can access this model. ADMIN Region2 A security string with one level of inheritance from ADMIN. The model belongs to the Region2 community. Users with access to the ADMIN or Region2 communities can access this model. Subusers with access to Region2 also can. ADMIN Region2 Local A security string with two levels of inheritance, one from ADMIN, and one from Region2. The model belongs to the Local community. Users with access to the ADMIN or Region2 or Local communities can access this model. (ADMIN Region2 Local Local) & (ADMIN ADMIN Local) A security string with two parts for a model that resides in two hierarchies. Each part is grouped by parentheses and the two are separated by an ampersand (&). The first part of this string has three levels of inheritance: one from ADMIN, one from Region2, and one from Local. The model belongs to the Local community. Users with access to any one or more of the ADMIN or Region2 or Local communities can access the model. The second part has two local levels of inheritance: one from ADMIN and from another ADMIN. The model belongs to the Local community where it resides in the second hierarchy. Users with access to the ADMIN or Local communities can satisfy the access requirement defined for the second half of this string. Security and User Maintenance Page 11

12 The ampersand between the two parts indicates that access is restricted to users who have access both to one of the communities from the first part and to one from the second part defined within their community string. Note: Users with ADMIN privileges can manually change security string settings that normally default to the vertical bar ( ) operator to the ampersand (&) operator to enable more stringent security at a lower level. If a Building, Section and a Room are created with security strings of A, B, and C respectively, for example, the Security String down at the Room level reads: A B C. In the Room Model Information view, you can manually change one of the vertical bar operators, such as between B and C, to an ampersand. The string would then read: A B&C and would require a user at Room level C to have either A or B security. Note: When changes are made to the User Model security string by an ADMIN user, those changes take effect immediately during runtime. Changes are implemented with every subsequent user security check performed when new views and options are selected. Security and User Maintenance Page 12

13 Security String Inheritance When a model is created within a (parent) model, the (child) model within it is assigned the parent s security string. This is called security string inheritance. Figure 3 shows an example of this. The Room model has a security string of Building Room. The security string for the Room model is made up of a portion provided by the Building model (in this case, Building) followed by a portion provided by the Room model (in this case, Room). Figure 3: Security String Inheritance for a Room Building Aprisma Room Building Room The Room model security string consists of a portion supplied by the Building model, together with a portion supplied by the Room model. Security and User Maintenance Page 13

14 Figure 4 illustrates how a model inherits part of its security string from ancestor models via a parent. Figure 4: Security String Inheritance World World USA World France Paris USA Topek Kansas City Portsmouth Site #1 Site #1 entered as the Security String when the model was created. World USA Portsmouth Site #2 Inherited Security World USA Portsmouth Site #1 In this example, the model for Site #1 inherits a portion of its security string from the Region model (Portsmouth), Country model (USA), and World model (World). This example presents a simple security string for a model represented in the Location hierarchy. Security strings are also used to control access to communities within the Topology and Organization hierarchies. When a model appears in more than one hierarchy, each hierarchy contributes to the definition of access privileges for the model. Security and User Maintenance Page 14

15 Simple Security String Inheritance Example Begin by deciding on the levels of expertise in your organization...which group of users should have which type of privileges. For the purposes of this example, let us assume your organization has two types of users: an ADMIN with all uppercase letters denoting a user with total edit, update, and view privileges over any and all networks; and LocalAdmins, who will have edit and view privileges, but will be limited to certain networks. In the Topology View, you want to create a LAN container to set up security based on the levels of job responsibilities of the ADMIN and LocalAdmins, Accounting group personnel, and Phone Support users. The following scenario can only be set up either by an ADMIN administrator or by the person who installed and started SPECTRUM. Creating the LAN Container Model For ADMIN and LocalAdmins 1 In the Universe Topology View, create the LAN container model and give it a security string of ADMIN, meaning that only an ADMIN administrator can navigate into this LAN. Name this model, Entire Network. 2 Navigate into the Entire Network LAN container and then create a LAN802_3 model, naming it 57_Subnet (the Accounting subnet) and giving it a security string of LocalAdmin. 3 Navigate back to the Topology view, Cut from that view all of the models that the Accounting users will need to use; then return to the new 57_Subnet area and Paste the models into that area. 4 Navigate back to the same Entire Network LAN container; then create a new LAN802_3 model, naming it 67_Subnet (the Phone Support subnet) and assigning to it a LocalAdmin security string. 5 Navigate back to the Topology view, Cut from that view all of the models that the Phone Support users will need to use; then return to the new 67_Subnet area and Paste the models into that area. 6 In the UserEditor, create a user named Taylor and assign the community string of LocalAdmin,0. Security and User Maintenance Page 15

16 7 When Taylor starts SpectroGRAPH (which was previously set up to go directly to the view containing the 57_Subnet), Taylor can see the whole 57_Subnet, but he cannot view Security Strings in any Model View. Taylor cannot navigate up to the view showing the two LAN802_3 models. The resulting configuration is represented in Figure 5 below. Figure 5: LAN Containing 57_Subnet and 67_Subnet LAN Entire Network Model Container (ADMINs) Phone Support 67_Subnet Accounting 57_Subnet LocalAdmins LocalAdmins Network models. Security and User Maintenance Page 16

17 Creating a Building and a Room to Contain both the Accounting and Phone Support Users Creating the Building Model 1 Bring up a Location View from anywhere. 2 Create a Building named, Pease and give it a security string of PeaseAdmin. Creating the Accounting Users Room (within the LAN802_3, on the 57_Subnet) 1 Navigate into the Pease Building, create a Room named Accounting, and give it a security string of AcctAdmin. 2 Navigate back to the 57_Subnet and cut to the clipboard all of the models that the Accounting users will use; then navigate into the just-created Accounting room and paste those models into that location. Note: These models inherit the security strings set in both the Room and Building topology views with no trailing commas and number. Thus, any model contained within the Room will automatically be given the following model security string: (PeaseAdmin) (AcctAdmin). If a RTR_Cisco143 model was contained within the LAN802_3 on the 57_Subnet, its inherited security string would be: ((PeaseAdmin) (AcctAdmin)) & (LocalAdmin) You can have PeaseAdmin and/or AcctAdmin privileges, but you must have LocalAdmin privileges to access models within the Accounting room. Security and User Maintenance Page 17

18 Note: SPECTRUM automatically builds the security string, ((PeaseAdmin) (AcctAdmin)) & (LocalAdmin) after you have created locations and security strings for models within those locations. Creating the Phone Support Users Room (in the LAN802_3, on the 67_Subnet) 1 Navigate back up to the Pease building view (which is the same Location View in which you have Accounting room) and create a Phone Support room, giving it a security string of PhoneSupportAdmin. 2 Navigate back to the 67_Subnet and cut to the clipboard all of the models that the Phone Support users will use; then navigate into the just-created Phone Support room and paste those models into that location. The inherited security string in the Model View contained within the LAN802_3 on the 67_Subnet is: ((PeaseAdmin) (PhoneSupportAdmin)) & (LocalAdmin) You can have PeaseAdmin and/or PhoneSupportAdmin privileges, but you must also have LocalAdmin privileges as well in order to access models within the Phone Support Room. Assigning Community String In the User Editor Suppose you have a user named Taylor, who is to have view-only access in the Accounting 57_Subnet. You accomplish this by assigning the following community string to Taylor: LocalAdmin,5 Security and User Maintenance Page 18

19 Suppose you have a user named Rodrigues, who is to have edit/view access to all models in both the 57_Subnet and 67_Subnets. You accomplish this by assigning the following community string to Rodrigues: PeaseAdmin,0 Suppose you have a user named Marshall, who is to have read/write access to only the Phone Support 67_Subnet but not to the Accounting 57_Subnet. You accomplish this by assigning the following community string to Marshall: PhoneSupport,5:LocalAdmin,5 While not shown, ADMIN is still the overall community (a user model with ADMIN as part of its community string has access to all communities). Only SPECTRUM users with ADMIN edit privileges can view security string values. For users without ADMIN access, the security string value is shown as a string of asterisks ( ****** ) in views that display the security string for example, in the Model Information view. Note: You can change the security string entries provided by inheritance. You may want to change inherited values if you plan to restrict access for a particular model within a hierarchy. However, if you make changes to the hierarchy, later, you could be breaking the path for security string inheritance of some models. If you have removed the inheritance, these changes may not appear in the changed security strings. Be sure to check your security strings after making changes to the hierarchy. Security and User Maintenance Page 19

20 Security String Inheritance After Modifying a Hierarchy Inheritance is automatically taken care of by SPECTRUM intelligence. If you Cut and Paste, or Erase or Destroy a model from a hierarchy, SPECTRUM reassigns security strings, as needed. If you change the security string for a model, any model below it in the hierarchy inherits the change. If you destroy a location model that has models below it in the Location hierarchy, the models below it are placed in the Lost and Found View. Once in the Lost and Found View, models only display their personal security string entry (no inheritance parts). An example of this is shown in Figure 6 (Page 20). Here, the Floor model was destroyed, causing the Section model to be placed in the Lost and Found View. The Room model still remains within the Section model, but the security string for the Section model has no inheritance. The security string for the Room model includes only the part inherited from the Section model. Figure 6: Effects of Destroying Upper Level in Location Hierarchy Destroying Floor places Section and Room in the Lost and Found View. Section Building Floor Room Security Strings Model Before After Section Building Floor Section Section To Lost & Found Room Building Floor Section Room Section Room Security and User Maintenance Page 20

21 Note: The inheritance schema in SPECTRUM security ensures that child models automatically inherit the parent s security string, which rolls down to all child models. Security and User Maintenance Page 21

22 Customizing Security String Inheritance This section provides guidelines on how to create new view types that do not use Aprisma-defined relations. The following procedure is recommended for Aprisma partners and advanced users who want to customize security string inheritance. See the Model Type Editor User s Guide (0659), for detailed instructions on how to find model types, create model types, and create attributes. Adding Relations that Security Strings will Roll Down SPECTRUM will roll down (from the left model to the right model) security strings from the following relations: Application, Can_Assign, CollectsChassis, Collects, Contains, HASPART, Manages, Organizes, Owns, and Provides. To add new relations that security strings will roll down: 1 Open Model Type Editor. 2 In the Model Type View, find the Security_Model model type. 3 Create a new model type, whose base model type is Security_Model. 4 In the newly created model type, add new attributes of type Relation Handle. 5 Set the default value of each new attribute to the Relation Handle of the relation that you want security strings to roll down. Security and User Maintenance Page 22

23 Defining Overloads for Model Types When conjuncting the security strings of two models for a security string roll down, the AND operator is used by default, unless the model type on the RIGHT hand side of the association has an overload. SPECTRUM provides a single overload of the Container model type, which has an overload of OR. When rolling down a security string to a model on the right hand side of a security relation whose model type is derived from Container, the OR operator is used. To define an overload: 1 Open Model Type Editor. 2 In the Model Type View, find the Security_Model model type. 3 Create a new model type, whose base model type is Security_Model. 4 In the newly created model type, do the following: a b c Modify the default value of the Security_String_Mtypes (0x12967) attribute, adding the model types for which you want to define an overload. Modify the default value of the Security_String_Operators (0x12968) attribute, defining the overload operators (0 maps to AND, 1 maps to OR) for the model types that were added to the Security_String_Mtypes attribute. The value in the x th instance (or position) in the Security_String_Operators attribute is the overload operator for the model type identified by the value in the x'th instance (or position) of the Security_String_Mtypes attribute. 5 Overloads defined more derived Security_Model model types take precedence over the overloads defined less derived Security_Model model types. Security and User Maintenance Page 23

24 Community Strings Community strings are the keys given to a user to gain access to SPECTRUM communities. The community string for a new user model is inherited from the community string of the UserGroup that contains the user, provided that the community string is designated as common attribute. If the Community string is not listed as an attribute, a community string is assigned to all user models at their creation. When no entry is made at creation, SPECTRUM assigns the default, ADMIN,0 string, giving the user unrestricted access and update and edit privileges to all communities. A community string can be modified at any time by the network administrator. A user s community string is read when the user starts SpectroGRAPH. If the community string is not set for the user, the default community string is what the UserGroup s community string is. Changes to a community string take effect immediately. If you have applied security strings to your network and you then delete the entire community string from a user model and do not assign a new community string, SPECTRUM restricts that user from viewing any windows. A community string consists of two components. The first component defines specific communities of models where a user has access, i.e., PeaseAdmin,0. The second component sets a level of access permitted for each community i.e, view only, view and update, or view and edit. For example, PhoneSupport,5:LocalAdmin,5. Community String Syntax All community string entries must adhere to the following rules: Each entry has two parts separated by a comma: a Community and a numeric Access Privilege Level, e.g., PhoneSupport,5. Table 1 (Page 25) shows access levels and descriptions. The first character of a community must be a letter. Either Numerals or letters can be used in the name following a leading alphabetic character. Security and User Maintenance Page 24

25 Spaces and periods cannot be used anywhere in the community string, but you can use an underscore ( _ ) to separate word groups, if desired for clarity. Community names are case sensitive. Multiple entries in the community string must be separated by a colon (:). Access Level Table 1: Access Privilege Levels Access Privileges In Views With Security Applied 0-4 View, Update, and Edit privileges. Levels 0-4 are identical in access privileges. Normally, all you need to use is access level 0, as 1 through 4 provide the same privileges as level 0. Levels 1 through 4 exist for future community string development in SPECTRUM and thus may change in the future. 5-9 View-only (no edit or update privileges except under conditions described below under ADMIN,6:Local,0). Levels 5-9 are identical in access privileges. Normally, all you need to use is access level 5, as 6 through 9 provide the same privileges as level 5. Level 6 through 9 exist for future community string development and thus may change in the future. Note: Users with view-only access to a model can clear an alarm in the Alarm Manager if the Alarm_Clear_By_Read_Only field is toggled to Yes. To access this attribute, right-click on the VNM icon and select Configuration; then double-click AlarmMgmt to display the Alarm Management Model Information view. Security and User Maintenance Page 25

26 Here are some examples of community strings: ADMIN,0 Full administrative privileges. This user can navigate into all views and has full edit privileges in all views. This entry supersedes all other entries in a community string. ADMIN users are allowed to find models that have no security associated with them directly. ADMIN,5 Full view-only privileges. This user can navigate into all views. However, in views that have security applied, this user cannot place the view into Edit mode, cannot create models, and cannot update attribute values for any models. This user can add icons to any view that does not have security applied. ADMIN,6:Local,0 Full view and update privileges with edit privileges limited to Local. This user can navigate into all views, and can edit models in the community named Local or models derived from Local. Local,7:TW,0 Limited view privileges and limited update/edit privileges. This user can only navigate in views for models of the Local and TW community. If the model has a security string of: (LocalAdmin) (TW), a user with a community string of Local,7:TW,0 can edit all the models. If the model has a security string of: (LocalAdmin)&(TW), a user with a community string of Local,7:TW,0 could not edit these models. Planning Security This section provides an overview of the steps involved to effectively implement security on your network. Security and User Maintenance Page 26

27 By default, all models are created with read and write privileges. You can enable security by setting it at the model type level using the Model Type Editor or on a model-by-model basis using a Location View. You set the community string for UserGroups and Users in the UserEditor. You should review the following items in preparation for establishing or making changes to your SPECTRUM security configuration. Determine how many SPECTRUM users there are, and whether they should have full view and edit access, or just limited access to all SPECTRUM models or even only to a subset of models. There are many variations in how you can establish the security for your network. The following examples illustrate how you can divide your SPECTRUM users, according to their access needs, and how you can restrict access into sensitive areas to specific users. Example #1 Establish view-only access for all SPECTRUM users to all SPECTRUM models. Limit edit privileges to the SPECTRUM Network Administrator. Example #2 Establish view-only access to all SPECTRUM models for some SPEC- TRUM users and enable edit privileges (including Preferences settings) for some SPECTRUM users, but limit these to specific groups of models, i.e., particular buildings, their network groups, and devices. Example #3 Establish view-only access for some SPECTRUM users to a restricted group of SPECTRUM models, with other SPECTRUM models not being accessible to these users. SPECTRUM users may or may not have edit privileges in their group of SPECTRUM models. Determine if there are any models in SPECTRUM that must be visible to all users, such as servers or models that require restricted access, such as devices: - in personnel and finance departments. - connected to the Internet. Security and User Maintenance Page 27

28 - that control security systems. - within higher security areas. A user can access only those models with a matching security string. The User Editor, SPECTRUM s user management application, allows you to assign common attributes to UserGroups and then propagate those attributes to all users contained in a particular UserGroup. Setting Security Through A View and User Editor Setting security at the model type level may not be ideal because all models derived from the model type inherit that security string. A better way to implement a security string is to set it through a Container or view and then set community strings for User Groups and Users through the User Editor. Security strings on a view or container model propagate down to the models in the view or container. This method is described in the following example. Implementing Security Through a Location View 1 Navigate into a Location view and create a Building model. Give the Building model a Security String of PeaseAdmin. 2 Navigate into the Building model and create a Room model. Give the Room model a Security String of AccAdmin. 3 Navigate into the Landscape view and determine those device models you want a group of users to have access to models with a security string called, AccAdmin. When you have determined what those models are, copy and paste those models into the Room Location view (provided they are not already contained within some other entity). Note: These models inherit the security strings set in both the Room and Building topology views with no trailing commas and number. Thus, any model contained within the Room will automatically be given the following model security string: (PeaseAdmin) (AccAdmin). Security and User Maintenance Page 28

29 Users with either PeaseAdmin or AccAdmin entries in their community string can access this model. Implementing Security Through the User Editor You can then set up users in the User Editor with the following community strings: 1 Create a user, for example, Jane Admin, with a community string of: PeaseAdmin,0. Jane Admin would then have both read and write privileges to the models contained within that building. 2 Create a user, for example, named Joe Accountant, with a community string of: AccAdmin,5. Joe Accountant has read-only access privileges to the models contained within that room. If you want a user to have both read and write access to the models contained with PeaseAdmin and AccAdmin, that user must have PeaseAdmin,0 as part of that user s community string. If a user within PeaseAdmin or AccAdmin locations does not have PeaseAdmin and/or AccAdmin as part of their community string, that user will be denied access to the model entirely and will not even be able to view it, in face. Use the UserEditor to assign community strings to UserGroups and Users. If the Community string matches the access privileges of the models derived from the base model type or models contained within a Location view, then that string will have read and edit privileges set in the model type. Refer to the section, User Group and User Maintenance (Page 37) for more information on how to perform maintenance on User Groups and Users, and the section, UserEditor Usage (Page 65) for actual examples using the UserEditor. Security and User Maintenance Page 29

30 Setting Host Security Host Security is configurable in both the.hostrc file and in the Control Panel under Configure-> Host Configuration. This security is available for all SPECTRUM servers such as SpectroSERVER, Archive Manager, Location Server, Processd, and View Server. In the.hostrc file, you can list the host machines and even specify users from which the servers on the local host will accept a connection. A + sign means applications from all hosts can connect. A - sign means applications from the local host can connect. The configuration may be any one illustrated in the following three.hostrc examples. Example 1: <server>: more.hostrc - Example 2: <server>: more.hostrc + gonzalez Example 3: <server>: more.hostrc A B harris hue newhouse C In Example 1, only applications from the local host can connect. In Example 2, applications can connect from any host, but only as user Gonzalez. In Example 3, applications can connect from the local host and hosts A, B, and C. However, applications from host B can only connect as user harris, hue, or newhouse. Security and User Maintenance Page 30

31 Establishing a Network Administrator When SPECTRUM was installed, it performed several housekeeping functions including creating a user model for the user who ran the installation and authorizing full update, edit and view privileges for that user model. The first time you started SpectroGRAPH following installation, you logged in as root or Administrator (or whoever was set as the administrator when SPECTRUM was installed), assumed the role of Network Administrator and established a basis for SPECTRUM security. During that session, you should have established yourself as network administrator by creating a User model for your user ID and giving yourself unrestricted access to all models in SPECTRUM. As network administrator with full access privileges, you must have ADMIN,0 entered as the community string in your SPECTRUM user model. Then, to prevent others from logging in under the root /Administrator login, you should have deleted the root user model. (An alternative is to create and ADMIN UserGroup.) User Security and Administration Options The following user security and administration options should be set by the network administrator to determine the security privileges for other users. These options can be accessed via the User Security and Administration Options button in the VNM s Configuration or Control views. To access these views, select the VNM icon and choose View > Icon Subviews > Control or View > Icon Subviews > Configuration. Security and User Maintenance Page 31

32 Figure 7: User Security and Administration Options Allow Non ADMIN SNMP Community Edits If set to True, non-admin users can write to the community name string for models. If set to False, the user will not have access to the community name field for a model. It is disabled (set to False ) by default. Edit Notes by Read Only User This option allows SPECTRUM administrators to provide read-only users with the ability to edit Device or Model Notes. It is disabled (set to False ) by default. Set Is Managed by Read Only User This option allows SPECTRUM administrators to provide read-only users with the ability to set the maintenance mode attribute Is Managed. The Is Managed attribute is set via the Enable SPECTRUM Management option in the device s Fault Management view and allows users to Security and User Maintenance Page 32

33 suspend SPECTRUM s management of a device. Set Is Managed by Read Only User is disabled (set to False ) by default. Consolidate Users in Group If the Consolidate Users in Group option is set to True, individual users within a User Group are automatically consolidated when the User Group is consolidated. If it is set to False, you must consolidate the User Group and then consolidate the individual users within that group. This option is disabled (set to False ) by default. See HOME and DUPLICATE Models on Page 58 for more information on the consolidate function. Copy Users When Copying Group If this option is set to True, when a group or a user in a group is copied from one landscape to another, the group appears on the new landscape with all the users in it. If this option is set to False and a user is copied, that user and only that user is copied into the new group. If a group is copied, an empty group is created. (Set this option in the landscape being copied to.) Modeling Your Network Security The process of modeling your SPECTRUM security scheme is as follows: Determine and define your communities. Assign security strings to SPECTRUM models based on your defined communities through Location view models. Assign community strings to each SPECTRUM user in the UserEditor. Assign update and edit privileges when appropriate. Assemble users in UserGroups according to their access needs. (Optional) Provide each SPECTRUM user with a start-up window. This is done in each user s.xdefaults file or in the <SPECTRUM Install Area>/app-defaults/spectrum file. For further information on providing start-up windows, refer to the Defining SPECTRUM Resources (2559) Guide. When you are modeling the organization, topology, and location Security and User Maintenance Page 33

34 hierarchies, each model is assigned a security string value. When you create a user model, the user model is assigned a community string value. SPECTRUM compares the community string value to security string values to determine whether a user model has view or edit privileges in the view or network model. Restricting Edit Privileges for GIB View You can restrict the editing of the various Generic Information Block (GIB) Views by more than one means. You can control user access by restricting SPECTRUM access privileges, and/or you can restrict system-level writeaccess to the GIB View files. Using both of these options can be a convenient means of restricting the editing of GIB Views themselves, to a select group of SPECTRUM users. GIB View files reside in a directory named CsGib. The path for this directory is defined by the gibpath resource provided in your.xdefaults file, or in your <SPECTRUM install area>/app-defaults/spectrum file. When you locate the directory, you can use standard UNIX permissions to restrict write access to some or all of the files in the directory. Edit mode in a GIB View is used to add, subtract, or move the fields of the view. The Update feature is used to change the contents of the individual fields in the view. Refer to the SPECTRUM GIB Editor User s Guide for more information about how to use the GIB Editor to modify the GIB views. Providing Users with Start-Up Windows When you restrict the access of a user to SPECTRUM views, you must verify that the user has a start-up window. A start-up window is a view that the user can access when SpectroGRAPH is initially started. Without a start-up window, the user cannot use SpectroGRAPH. One start-up window must be provided for each of the hierarchies where a user s access has been restricted. For example, if a user has restricted Security and User Maintenance Page 34

35 access to the Topology hierarchy and Location hierarchy, but has full access to the Organization hierarchy, you must provide appropriate Topology View and Location View start-up windows, but not an Organization View start-up window. Refer to the Defining SPECTRUM Resources (2559) Guide for detailed instructions for defining start-up windows. Updating Security Strings This section describes updating the Security String for models in the SPECTRUM database. Use this updating process to apply a security string to a model for the first time, or to change a security string when the security requirements for a specific model change. You must have Administrative privileges to update or add a security string. To update a security string: 1 Navigate into the view containing the icon for the model to be updated and select the icon using the middle mouse button. A pop-up Icon Subviews menu appears. (The Icon Subviews menu is also available by selecting the icon and pulling down the view menu.) 2 Using the right mouse button, select Model Information or Configuration from the pop-up menu. 3 Click in the Security String field and type the desired security string directly into the field. 4 When the security string is correctly entered, select Save All Changes from the File menu. A confirmation dialog box appears. 5 Select OK to confirm your entries. Select Cancel to quit the operation. Security and User Maintenance Page 35

36 Access Privileges for NT Users All SPECTRUM users must have User models in the SPECTRUM database. Additionally, NT users who are going to run SPECTRUM locally (including domain and trusted domain users) must be members of the local SPECTRUM Users group, which is created automatically by the installation process. Members of this group have Full Control permissions to the SPECTRUM directory tree. While remote users of SPECTRUM need to be added to SPECTRUM s user database, they do not need to be added to the SPECTRUM Users group. Security and User Maintenance Page 36

37 User Group and User Maintenance This section discusses the maintenance of User Group and User models. Managing User Group and User Models The UserEditor allows you to manage network security and simplify management of your network by providing you with the option of managing users as individuals or as groups of related users (User Groups). The UserEditor lets you create, modify, delete, copy, find, move, and perform domain maintenance for User Groups and Users. The UserEditor makes setting up Users or User Groups easy because you specify common attributes for User Groups which then can be propagated to Users. Additionally, by using the UserEditor, you can manage Users and User Groups across multiple landscapes in a distributed SpectroSERVER environment. The SPECTRUM database maintains a record for each SPECTRUM user allowed to operate SPECTRUM. This is in the form of a user model. When a user logs in, SPECTRUM checks the community string in the user model to read the community string access levels. The user may access only those devices or views that belong to communities that the user has access to. You must have appropriate administrative privileges (ADMIN,0) to manage User Groups and Users. Security and User Maintenance Page 37

38 Note: Account names on the NT platform are not case sensitive. In order for an NT user account name to be recognized by SpectroSERVER running on NT, the NT user account name must identically match the spelling and case of the SPECTRUM user name in the SPECTRUM user account database. A renamed NT account does not take effect until the user logs into the renamed account. After renaming a user, logout then log back in as the renamed user. Starting the UserEditor To start the UserEditor: 1 Open any Topology or Location view containing a VNM or Landscape icon. 2 Invoke the UserEditor Main Window (Figure 8 (Page 40)) by using one of the following methods: Double-click on the VNM icon, or, Select the VNM/Landscape icon, click the right mouse button to bring up the Icon Subviews menu, and choose UserEditor, or, Select UserEditor from the View -> Icon Subviews menu, or, Select UserEditor from either the Task Bar on Windows NT or from the CDE bar on Solaris. Security and User Maintenance Page 38

39 UserEditor Main Window The UserEditor main window in Figure 8 (Page 40) contains the following controls and indicators: The Menu Bar lists the names of the available menus. Select a menu to display a list of management resources. The Tool Bar displays graphical command buttons. These buttons provide a convenient access to management selections found in the menus. The Tree Area list displays all Landscapes, User Groups within each Landscape, and Users within each User Group. The Model Description area which provides a larger view of the selected model s icon and lists the Landscape, User, and User Group names if appropriate. The User Group Attributes area which is used to create and modify User Group attributes. The User Attributes area which is used to create and modify User attributes. The Filter selector lets you choose the Filter setting for the Landscape. To filter the landscape list, click the drop-down arrow and choose either Disabled or Label. Label makes the text space editable; you can then enter a name or letter pattern to be used as a criteria. Disabled turns filtering off. Search: To search for a Landscape, User Group, or User model, enter the name in the text box and click one of the following: - Plus button: Click this button to find the next match for the entered Search string. - Minus button: Click this button to find the previous match for the entered Search string. Security and User Maintenance Page 39

40 Figure 8: UserEditor Main Window Security and User Maintenance Page 40

41 Sort button: To sort the landscape list, click the drop-down arrow and choose Ascending to display the list from A-Z or Descending to display the list from Z-A. The default setting is Ascending. Erase User Preferences button: Clicking on this button clears the User Preferences setting for the currently selected User. Set Web Password button: Clicking on this button opens the Set Web Password dialog box for the currently selected User. The layout and use of this dialog box is exactly the same as for the Create New User dialog box (see Figure 32), as described in Creating a New User Group Model (Page 68), except that the system fill in the applicable User Model identification. Set Roles button: Clicking on this button opens the Set Roles dialog box for the currently selected User. The layout and use of this dialog box is exactly the same as for the Set Roles dialog box (see Figure 33), as described in Creating a New User Model for Web Operator (Page 74), except that the system fill in the applicable User Model identification. Connection Status button: Clicking on this button opens the Connection Status dialog box. This button gives you an overall status color indication for the connection to the server for each landscape service; the different condition states and their associated colors are explained in Table 2 (Page 48), under the View Menu discussion. Shrinking the Main Window When the main window is shrunk or compressed to provide more viewing space on the screen, menu items still appear. However, tool bar icons become accessible through a new more button, which appears in their place and is designated by right-pointing arrows. Figure 9 (Page 42) shows a representative compressed view setup. Security and User Maintenance Page 41

42 Figure 9: Example of Compressed Window SPECTRUM User File Edit View User Group User Tools Options Help Save Cut Copy Paste New Group Delete Group Clicking the More button shows all hidden options. New User Delete User Domain What s This? UserEditor Tool Bar The following paragraphs list the Tool Bar icon/buttons, with a short description of their use. Save button: Saves any changes made to the User Group or User model attributes. Cut button: Moves the selected User Group or User model(s) into the cut buffer in preparation for a paste. Copy button: Copies the selected User Group or User model(s) and moves it into the cut buffer in preparation for a paste. Paste button: Inserts the cut or copied User Group or User model(s) into the selected landscape or group. Security and User Maintenance Page 42

43 New Group button: Displays the Create User Group dialog box. Enter the name of the new group in the dialog box and click OK to create a new User Group model in the selected Landscape. Delete Group button: Displays the Delete User Group dialog box. Press OK to delete the User Group model(s) or Cancel to abort the operation. New User button: Displays the Create User dialog box. Enter the name of the new user in the dialog box and click OK to create a new User model in the selected Landscape or User Group model. Delete User button: Displays the Delete User dialog box. Press OK to delete the User model(s) or Cancel to abort the operation. Consolidate button: Allows you to shift-select multiple users for consolidation. Click this button to complete the multiple user consolidation. What s This? button: Enables context-sensitive help. When this icon is clicked, the cursor changes to an arrow/with a?. When you move the cursor over an area on the view you need help on and click once, a context-sensitive message box appears. You need to do this each time you want to see context-sensitive help on a screen element. Security and User Maintenance Page 43

44 Menu Bar Items The UserEditor menu bar, located across the top of the main window, contains seven pull-down menus, each containing a list of management options. The additional menu, Help, is common to all SPECTRUM applications. File Menu Use the File menu(figure 10) to save User Group and User attributes and to close the UserEditor Application. Figure 10: File Menu Save Attributes Close Ctrl+s Alt+F4 Save Attributes: Saves changes made to the User Group or User model attributes. Close: Closes the UserEditor application. Security and User Maintenance Page 44

45 Edit Menu The Edit menu (Figure 11), lets you perform Cut, Copy, and Paste functions among landscapes, User Groups, and Users. You can also use the previously described Cut, Copy, and Paste tool bar icons. Figure 11: Edit Menu Cut Copy Paste Cut: Moves the selected User Group or User model into the cut buffer in preparation for a paste. Copy: Copies the selected User Group or User model and move it into the cut buffer in preparation for a paste. Paste: Inserts the cut or copied User Group or User model(s) into the selected landscape or group. Security and User Maintenance Page 45

46 View Menu The View menu, illustrated below, controls several screen environments of the view by toggling on/off the tool bar, tool tips, status help, and Connection Status Information. Figure 12: View Menu Show Toolbar Show Toolbar Labels Show Tool Tips Show Status Help Connection Status... Show Toolbar: Toggles to display the toolbar icons on or off. Show Tool Tips: Enables or disables the popup tool tip message as the cursor passes over the icon. Show Status Help: Shows or hides the status help bar at the bottom of the view. Connection Status: Displays the Connection Status dialog box shown in Figure 13 (Page 47). This dialog box informs you if the connection to each landscape is active or Up (a green icon) and tells you the date and time each instance the server was terminated and reestablished. Landscapes are the only service shown in the Connection Status dialog. Security and User Maintenance Page 46

47 Figure 13: Connection Status Dialog box User Editor: Connection Status State Machine Service Down corporate B Landscape Down corporate C Landscape Up corporate A Landscape Connection status for each landscape is displayed in this area. Connection Log for corporate C Landscape Date/Time Message Aug 04 14:13:14 Connection lost History of each time the server was terminated and reestablished. Close You can also display this same dialog box by single-clicking the Connection Status area shown in Figure 14, located in the lower right corner of the UserEditor: Main view. Figure 14: Connection Status Area Connection status area. Security and User Maintenance Page 47

48 Table 2: Connection Status Icon Definition Colors Green Yellow Red Connection Icon Color Definition A good connection(s) A degraded condition Critical condition Note: Under fault tolerant conditions, when the primary server fails, the connection switches over to the secondary server. The State condition momentarily displays Down then displays Switched. The icon color remains green while the overall connection color displays in yellow since there has been a degradation in service. Connection to the server is shown in three colors that indicate three possible conditions: Green (Good), Yellow (Degraded), and Red (Critical). User Group Menu Create or delete User Groups through this menu or through the Add new User Group and Delete User Group icon/buttons. Icons and buttons are defined earlier in the Section under UserEditor Tool Bar Icons. Figure 15 shows the User Group menu, which provides two options. Figure 15: User Group Menu New User Group Delete User Group Ctrl+G Ctrl+R Security and User Maintenance Page 48

49 New User Group: Opens the UserEditor: Create New User Group dialog box. This dialog lets you create a new User Group. See Creating a New User Group Model (Page 68) for instructions. Delete User: Opens the UserEditor: Delete dialog box, which requires a confirmation that you do in fact want to delete the selected group. Figure 16 shows that dialog box. Figure 16: Delete User Group Dialog Box User Menu You can create or delete Users through this menu or through the Add new user and Delete User icon. These icons are defined earlier in the Section under UserEditor Tool Bar Icons. Figure 17 shows the User menu. Figure 17: User Menu New User Ctrl+U Delete User Ctrl+D Security and User Maintenance Page 49

50 New User: Opens the UserEditor: Create New User dialog box, which allows you to create a new user. See Creating a New User Model (Page 72) for instructions. Delete User: Opens the UserEditor: Delete dialog box, as shown in Figure 18. Simply click on the OK button to confirm that you do intend to remove the selected User Model. Figure 18: Delete User Dialog Box Tools Menu The Tools (Figure 19) menu provides two options. One, Domain Maintenance, lets you manage HOME and DUPLICATE User models. The other, Consolidate (which also is available as a subfunction in the Domain Maintenance dialog box), makes the given User model a Home model in the selected landscape. Figure 19: Tools Menu Domain Maintenance Consolidate Ctrl+O Security and User Maintenance Page 50

51 Domain Maintenance: Domain Maintenance: Use Domain Maintenance to manage HOME DUPLICATE User models over a distributed network environment. For more information about HOME and DUPLICATE models, refer to HOME and DUPLICATE Models (Page 58). Consolidate: Takes the User and makes that user a Home model in the selected landscape provided if that user exists in other landscapes. Depending on whether the consolidation operation succeeds or fails, one or the other of the following two message dialog boxes appears: Figure 20: UserEditor: Consolidate UserEditor: Consolidate Consolidation completed successfully. OK UserEditor: Consolidate Error while trying to consolidate the following: <landscape>: Request not implemented OK For further details concerning the Consolidation function, refer to Example 1 (Page 60) and Example 2 (Page 61) in the HOME and DUPLICATE Models discussion. Security and User Maintenance Page 51

52 Options Menu The Options menu displays three options, as shown in Figure 21. Preferences... : This option displays the tabbed Preferences dialog box, which allows you to customize and save UserEditor features pertaining to how the UserEditor is displayed and interacts with the rest of SPECTRUM. These preferences are defined in Preferences (Page 84). Figure 21: Options Menu Security and User Maintenance Page 52

53 Clear User Preferences: This option clears the preferences set for the currently selected User Model. When this option is chosen, the program displays the Clear User Preferences dialog box (Figure 22), asking if you are sure you want to clear User Editor preferences currently set for the selected User Model. If you click OK, the program shuts down the User Editor application in order to properly clear preferences. To return to the Main view without effecting any changes, click Cancel. Figure 22: Clear User Preferences Security and User Maintenance Page 53

54 User Preference Behavior on Solaris and Windows NT A user s set of SpectroGRAPH preferences are stored in the.xdefaults file. On Solaris, the preferences are user-specific. SpectroGRAPH checks the.xdefaults file in the user s $HOME directory for these preferences which are unique for each Solaris user. On Windows NT/2000, preferences are not user-specific. SpectroGRAPH locates the.xdefaults file by checking the path specified by HKEY_CURRENT_USER\Software\Hummingbird\Exceed\UserDir. This registry entry is set when Exceed is installed. Since Exceed is installed only once on each individual machine, the value is set to a single value for all users of the NT workstation. Because of a limitation of the Windows NT/2000 operating system, all SpectroGRAPH users must use the same.xdefaults file and get the same preference values. Security and User Maintenance Page 54

55 Help Menu This menu offers three levels of help as described below. Figure 23: Help Menu What s This?: Enables context-sensitive help. When menu pick is chosen, the cursor changes to a pointing arrow accompanied by a question mark (?). You can then move that new cursor over an area in the view on which you want help and click once to cause the program to display a context-sensitive message box describing the use of the area you have designated. You need to enable What s This? help each time you want to get context-sensitive help. About User Editor...: Displays the copyright screen for the User Editor application. Online Manuals: Accesses the Aprisma Documentation CD, which contains all SPECTRUM documentation. The Documentation CD, which must be mounted in your CD drive, provides this information as a collection of individual PDF files; you must have the Adobe Acrobat Reader program or an equivalent utility installed in order to use these files. The file that first gets called up when you make this selection constitutes a roadmap, listing all available publications in different ways. For maximum benefit of this system, you should have the Adobe Acrobat Reader with Search program installed; this version will let you take advantage of the catalogued index database that is also provided on the CD, which lets you quickly find any desired topic anywhere in the entire library. Security and User Maintenance Page 55

56 Landscapes, User Groups, and User Lists The tree area of the UserEditor view, Figure 24, contains an alphabetized list of landscapes in the SpectroSERVER s landscape map. This area displays all Landscapes, User Groups within each Landscape, and Users within each User Group. With appropriate privileges, you can add, modify, or delete User Groups and Users from this list. However, you cannot delete a landscape from the tree area. Figure 24: Tree Area Showing Landscapes, User Groups, and Users Corporate (0x ) Development Group alvarez belanger henderson hernandez huber jones miller poston smith Marketing (0x6f00000) Sales (0x ) Landscapes This map contains information about all landscapes discerned by SpectroSERVER. Security and User Maintenance Page 56

57 The SpectroSERVER s local landscape is selected by default in the Landscape list if the UserEditor was started from the local SpectroSERVER. If you started the UserEditor from a remote SpectroSERVER, however, that landscape is selected. User Groups User models are listed alphabetically, either separately within the landscape model or else contained within a subordinate group listed under that landscape model. A landscape s default User Group is selected by default in the User Group list. Each entry in the User Group list consists of the User Group name and its HOME/DUPLICATE status. Refer to HOME and DUPLICATE Models (Page 58) for more information about this process. Users User models are listed alphabetically and are contained within a subordinate group in the landscape model. Note: When setting up Users and User Groups, set up common attributes first, create User Groups, then create Users within User Groups. By following this procedure, a new User automatically inherits all common attributes from the User Group it is contained in. For more information about setting up common attributes and creating Users and User Groups, refer to Setting Up Common Attributes, Creating a New User Model, and Creating a New User Group Model in the section, and UserEditor Usage (Page 65). Security and User Maintenance Page 57

58 HOME and DUPLICATE Models Each User Group and User entry can be a HOME or DUPLICATE model. HOME models are those associated with the first instance of a User Group or User and are normally created in the local landscape. DUPLICATE models are those created subsequent to the HOME User Group, or User and are normally created in a remote landscape. Managing HOME and DUPLICATE models over a distributed environment is performed through the Domain Maintenance view, which is accessible from the Tools menu in the tool bar or from the tool icon/button. Every four hours, SpectroSERVERs verify the following conditions: 1 For any given HOME User/UserGroup model, no other HOME User/UserGroup model of the same name exists on another landscape. If a SpectroSERVER finds such a model, it raises an alarm (alarm probable cause 0x1011b). 2 For any given DUPLICATE User/UserGroup model, the SpectroSERVER can still locate the HOME model of that User/UserGroup model on a remote landscape. If a SpectroSERVER cannot locate that HOME model, it raises an alarm (alarm probable cause 0x1011c). The Domain Maintenance dialog, Figure 25 (Page 59), provides you with an easy way of administering the HOME and DUPLICATE status of the User Groups and Users on your distributed network. The Consolidate button sets a selected model to HOME status. The SpectroSERVER then performs an extensive search of the network, finding and setting all other instances of the selected model to DUPLICATE status. You should select the Consolidate function to initiate this search whenever you must change a User model while a SpectroSERVER is down. Security and User Maintenance Page 58

59 Note: By default, the consolidate function on a User Group model does not cause the User models in that User Group model to also be consolidated. However, this functionality can be turned on in the User Security and Administration Options view. See User Security and Administration Options (Page 31) for further information and instructions. Note: On the Windows NT platform, avoid performing Domain Maintenance while AutoDiscovery is running because SpectroSERVER may be too busy to respond in a timely manner to requests from applications such as the User Editor. This situation produces a time-out error, causing Domain Maintenance to freeze, failing to consolidate users. Figure 25: Domain Maintenance Dialog Box UserEditor: Domain Maintenance Model Name Current Landscape Home Duplicate Administrator Corporate - Europe (0x ) Security and User Maintenance Page 59

60 The following examples will help to illustrate the importance of HOME and DUPLICATE model status. Refer to Figure 26 (Page 60) for both examples. Example 1 In the first example, User A moves from Rochester to Merrimack. In this case, the status of User A should be changed to HOME in Merrimack and DUPLICATE in Rochester. If the status is left unchanged the ability to manage Users and their attributes on the network will be affected. Figure 26: Domain Maintenance Example Rochester User A HOME (First example) Router 1 (Both examples) Pease User A DUPLICATE Router 2 Merrimack User A DUPLICATE Since all edits are performed at the HOME model, effectiveness would be degraded. An edit originating from the Merrimack DUPLICATE model is actually performed by the Rochester HOME model, then distributed to the Merrimack and Pease duplicate models. Security and User Maintenance Page 60

61 In the event of a router failure, no edits could be made, because User A s HOME model could not be accessed from Merrimack. To change User A s status to HOME in Merrimack and DUPLICATE in Rochester: Select User A s Merrimack DUPLICATE model and click the Consolidate tool bar icon to make that the HOME model. Select User A s Merrimack DUPLICATE model, then click the Consolidate tool bar icon. Consolidate will change the Merrimack model to HOME status and all other existing models to DUPLICATE status. Example 2 In our second example, User A remains in Rochester and Router 1 fails. In this case, User A could continue to make edits in Rochester since User A has HOME status in Rochester. Since User A has DUPLICATE status in Pease and Merrimack, however, User A could no longer make edits in those locations. Remember, all edits are made at the User s HOME model. By visiting Merrimack or Pease (for this example, let s say Pease) and changing the status of User A from DUPLICATE to HOME, User A could make edits in Merrimack and Pease, since the link between those two sites remains up. When the router problem has been resolved, the HOME status of User A must also be resolved to Rochester because User A has HOME status in Rochester and Pease. To resolve the status of User A: Select User A s Pease HOME model and click the Consolidate tool bar icon to make Pease DUPLICATE User A model. -or- -or- Select User A s Rochester HOME model, then click the Consolidate tool bar icon. Consolidate will change the Pease HOME model to DUPLICATE. Security and User Maintenance Page 61

62 Note: HOME and DUPLICATE models are still valid local models, and in the event of a router failure, you can still connect using DUPLICATE model without connection to HOME. You only need to change HOME if edits are necessary when the router is down. Security and User Maintenance Page 62

63 Setting Up Common Attributes For User Groups To set or edit the selected User Group s attributes, fill in or change the text box entries to the right of each attribute. See Figure 27. To make a User Group attribute common to all Users in that group, click the check box to the left of the attribute. Note: The Community String determines a User Group s access to SPECTRUM views and administrative privileges to those views. Figure 27: User Group Attribute Information Area Check boxes. Security and User Maintenance Page 63

64 For Users To set or edit the selected User s attributes, fill in or change the text box entries to the right of each attribute. See Figure 28. To change a User attribute back to the value it inherited from the User Group, click the arrow button to the left of the attribute. Note: The community string determines a User s access to SPECTRUM views and administrative privileges to those views. The format is as follows: <string>,<digit>[:<security-string>]. Figure 28: User Attributes Information Area User Attributes Arrow buttons ID: Full Name: Community String: Street: City: State: Country: Organization: Department: Site: Location: Picture File: Erase User Preference Administrator ADMIN,0 Security and User Maintenance Page 64

65 UserEditor Usage This section describes User Group and User modification in the UserEditor. Modifying a User Group Model You may modify a User Group s organization or department number to reflect a new organization or department number or modify a SPECTRUM User Group s community string to reflect a change in access rights for that User Group. To modify the values of the attributes in a selected User Group: 1 Highlight the User Group to be modified and the User Group Attributes information area becomes editable. 2 Make the desired changes in any of the User Group s Attributes and save the changes by selecting File -> Save Attributes. The User Group s Attributes information area is shown in Figure 29 (Page 66). 3 Change the values of the attributes you want to modify. Table 3 (Page 66) provides definitions of the User Group attributes. The common attribute, community string, is propagated to all Users in a group, existing or new, overwriting data contained in fields designated as common attributes. Changes made to the common attribute list (refer to Setting Up Common Attributes on Page 63) take effect as soon as they are confirmed. In Figure 29, the User Community String (Rochester, 5) is the only common attribute. The User Community String for all new Users will be set to Rochester, 5 and the User Community String for all existing Users will be overwritten with Rochester, 5. Security and User Maintenance Page 65

66 Figure 29: User Group Attributes Information Area User Group Attributes Check this box in order for users to inherit the setting. Name: Community String: Street: City: State: Country: Organization: Department: Site: Location: Read Access - Rochester Rochester, 5 Clear Group Preference Name Table 3: Attribute Community String Street City State Country Organization User Group Attribute Definitions Definition The name of the User Group model. (Required) Defines security communities to which a user is permitted access and establishes edit privileges within them. If this attribute is checked, users inherit the setting. The User Group s street address. An optional entry. The User Group s city. An optional entry. The User Group s state. An optional entry. The User Group s country. An optional entry. The User Group s organization. An optional entry. Security and User Maintenance Page 66

67 Attribute Department Site Location Definition The User Group s department. An optional entry. The User Group s site. An optional entry. The User Group s location. An optional entry. 4 After you make changes to the User Group Attributes and then click a check box, all Users within that Group inherits the changes. Click a User and the Save User Attributes? dialog appears (Figure 36 on Page 79). Click OK to save the changes. Click Cancel to return to the main window without saving changes. Note: Whenever a HOME or DUPLICATE model is modified, that modification is applied to all associated models. This process is known as routed-writes. Security and User Maintenance Page 67

68 Creating a New User Group Model User Group management sometimes requires that you add a new User Group model to contain a group of users who have similar access needs. Note: When a new User Group is created, the SpectroSERVER automatically searches all other known landscapes for other User Group models with the same User Group name. If one is found, the new User Group is made a DUPLICATE of the found (HOME) model. If one is not found, a new User Group model is created as a HOME model. To create a new User Group: 1 Select New from the User Group menu or click the New Group icon to open the Create new User Group dialog box (Figure 30). 2 Enter the name of the new User Group. It is recommended that you choose names that are meaningful and related to the functions performed by the group. 3 Select one or more Landscapes in which you would like to create this new User Group. The Select All button selects all the Landscapes on the list. You can use the Filter/Search button to find specific Landscapes using a text string. 4 Click OK to create the new User Group. Click Clear to re-enter the name of the User Group, or click Cancel to return to the main window without creating a User Group. Security and User Maintenance Page 68

69 Figure 30: Create New User Group Dialog Box Deleting a User Group Model To delete a User Group: 1 Select the User Group you wish to destroy. 2 Select Delete User Group from the User Group menu or click the Delete User Group(s) icon to open the UserEditor: Delete dialog box (Figure 31). Confirm the deletion request, by clicking OK. Security and User Maintenance Page 69

70 Note: All users in a User Group that is deleted are automatically moved alphabetically to the Landscape. Figure 31: Delete User Group Dialog Box Security and User Maintenance Page 70

71 Copying a User Group Model There are times when you must copy a User Group model. For instance, you may want a certain User Group to have access to another landscape. By default, when you copy a User Group to another landscape, the users within the group are also copied. (You can change this default setting in User Security and Administration Options (Page 32).) To copy a User Group: 1 Select a User Group to copy. 2 Select Copy from the Edit menu or click the Copy icon. 3 Select the landscape you want to contain the selected User Group. 4 Select Paste from the Edit menu or click the Paste icon. Modifying a User Group Domain To modify a User Group domain: 1 Select a User Group from the Landscape list. 2 Select Domain Maintenance from the Tools menu or click the Domain Maintenance icon to open the Domain Maintenance dialog box. Refer to Home and Duplicate Models in the User Group and User Maintenance (Page 37) section to learn more about Domain Maintenance. Security and User Maintenance Page 71

72 Creating a New User Model To create a new User model: 1 Select New from the User menu or click the New User icon to open the Create New User dialog box shown in Figure In the User Name field, type the name of the new User. Note: The default User Community String for a new user is ADMIN,0 depending on where the user is created and what common attributes are set. If the new user is to have full administrative privileges, accept that default; if the user is to have restricted access privileges, however, refer to Community Strings (Page 24) or to Planning Security (Page 26), as applicable. 3 If you want the new user to have access to SPECTRUM Web Operator, type a password in the Enter Password for the User field. Note: The Web Operator password is required only for Web Operator users. If you do not want the User to have access to Web Operator, leave the Enter Password for the User field blank. 4 In the Confirm Password for the User field, type that same password again for confirmation. 5 Select one or more landscapes in which you would like to create this new User. The Select All button selects all the landscapes on the list. You can use the Filter/Search button to find specific Landscapes using a specific text string. 6 Click OK to create the new User, or click Cancel to return to the main window without creating a User. Security and User Maintenance Page 72

73 Figure 32: Create New User Dialog Box Security and User Maintenance Page 73

74 Creating a New User Model for Web Operator When creating a new user model for Web Operator, make sure the user s HOME model is on the SPECTRUM host specified for Web Operator. For more information on HOME models, see HOME and DUPLICATE Models (Page 58). To create a new User model for Web Operator: 1 Select a Landscape or User Group that will contain the new User. 2 Select New from the User menu or click the New User icon to open the Create New User dialog box shown in Figure 32 (Page 73). 3 In the User Name field, type the name of the new User. Note: The default User Community String for a new user is ADMIN,0 depending on where the user is created and what common attributes are set. If the new user is to have full administrative privileges, accept that default; if the user is to have restricted access privileges, however, refer to Community Strings (Page 24) or to Planning Security (Page 26), as applicable. 4 In the Enter Password for the User field, type a password SPECTRUM Web Operator, type a password i. 5 In the Confirm Password for the User field, type that same password again for confirmation. 6 Click OK to create the new User, or click Cancel to return to the main window without creating a User. 7 In the User Attributes area, click Set Roles to open the Set Roles dialog box shown in Figure 33 (Page 75). Security and User Maintenance Page 74

75 Figure 33: Set Roles Dialog Box 8 Do one or the other of the following, as applicable: Click Operator to set the Operator role for the user. Click Administrator to set the Administrator role for the user. Note: After selecting one of the two listed roles, you could hold down the Control key and select the other role, thereby assigning both roles to the same user. This feature is irrelevant at this time, as users assigned Administrator roles have access to all Web Operator applications, but future versions of Web Operator will provide more than two roles. Users assigned Operator roles do not have access to Alarm Presentation Editor and Event Presentation Editor. (The user specified as the Administrator during installation of the program will have both options selected by the Install program; this means that the Set Roles dialog box will show both roles highlighted for that user.) 9 Click OK to set the User s role, or click Cancel to return to the main window without setting a role. Security and User Maintenance Page 75

76 Setting a Password for a Web Operator User Model This procedure explains how to set a password for a Web Operator User if no password was assigned when the User model was created (see Creating a New User Model on Page 72). You can also use this procedure to change a User s existing password. If a user already has a password, asterisks appear in the Enter Password for the User and Confirm Password for the User boxes. To set a password for a Web Operator User: 1 In the User Attributes area, click Set Web Password to open the Set Web Password dialog box shown in Figure 34 (Page 76). 2 In the Enter Password for the User box, type a password for the user. 3 In the Confirm Password for the User box, type the same password again to confirm the entry. 4 Click OK to set the password, or click Cancel to return to the main window without setting a password. Figure 34: Set Web Password Dialog Box Security and User Maintenance Page 76

77 Modifying a User Model There are times when you must change the information for a User model, for example, when a user s organization or department number changes. To modify the values of the attributes for a selected User: 1 Select the User from the tree and the User Attributes information area (Figure 35) becomes modifiable. 2 Modify the values of the attributes you want to change. Table 4 provides definitions of each User Attribute. Figure 35: Modifying User Attributes Security and User Maintenance Page 77

78 Entry Field Table 4: User Attribute Definitions Definition Name ID Full Name Phone Community String Street City State Country Organization Department Site Location The user s login ID. A secondary user identifier (optional entry). The entire name of the user (optional entry). The telephone number of the user (optional entry). The address of the user (optional entry). A default field. As the administrator, you may override this default and assign different view/edit privileges to the new user. The user s street address (optional entry). The user s city (optional entry). The user s state (optional entry). The user s country (optional entry). The user s organization (optional entry). The user s department (optional entry). The user s site (optional entry) The user s location (optional entry) 3 Click Save Attributes in the File menu or click the Save Attributes icon to save the changes. If you do not save, you receive the Save User Attributes message box, shown in(figure 36 (Page 79), when you try to select another model. If that occurs, simply click OK to preserve the changes you made, or click Cancel to discard those changes. Security and User Maintenance Page 78

79 Figure 36: Save User Attributes dialog box Adding Yourself as a User If you have just started your first SpectroGRAPH session following installation, the root (UNIX) /Administrator (NT/2000) user model is the only user model in the SpectroSERVER database. This section explains how to add yourself as a user and restrict SPECTRUM administrative privileges to a single user, other than root. A network administrator must have the least restricted access. ADMIN,0 (as a community string) allowing you to create, delete, or modify user models. SpectroSERVER and SpectroGRAPH should be running, and you should have started SpectroGRAPH as a root/administrator user. To add yourself as a user: 1 Follow the instructions in Creating a New User Model on Page 72 for creating a new User model. 2 Select your User model from the Landscape list. Select Modify from the User menu, then change the community string to ADMIN,0. The remaining fields are optional. They can be entered now or later. Security and User Maintenance Page 79

80 Your new user model will be used when you begin your next SpectroGRAPH session. Exit the current SpectroGRAPH session now, then begin a new one, using your user ID to verify your new User model as follows: 1 Select Exit from the File menu, then select OK from the confirmation dialog box (Figure 37). Figure 37: Confirmation Dialog Box SpectroGRAPH: Confirm Are you sure you want to exit SpectroGRAPH? OK Cancel Help 2 Exit from your workstation (if needed); then log back in as the user identification that you wish to have administrative privileges. 3 Start SpectroGRAPH. 4 If you no longer want to have access to SpectroGRAPH as root/administrator, you can remove the root user model as follows: a b c Navigate to the Universe Topology View as before. To display the User Editor, either double-click the User Button on the VNM icon, or use the right mouse button to select UserEditor from the VNM Icon s Subviews menu. Select the root User. Security and User Maintenance Page 80

81 d Select Delete User from the User menu or click the Delete User icon to open the UserEditor: Delete dialog box. The dialog box asks you to confirm the delete request. In this case, the User model root will be deleted if you click OK. Note: If all SpectroSERVERS in your enterprise are run as root, do not delete the root user model. If your SpectroSERVERS are run by individual ADMIN,0 administrators, you should delete the root user model once you have created an individual ADMIN,0 administrator. This prohibits having two user models with full ADMIN,0 privileges and thus eliminates any security issues when more than one user model has full ADMIN,0 privileges. You are ready to begin using SPECTRUM to model your network. Copying a User Model To copy a User model: 1 Select the User you want to copy. 2 Select Copy from the Edit menu or click the Copy icon. Click and drag the User into another landscape or User Group. You may also Copy and Paste the User through the Edit menu or use the Copy and Paste icons on the tool bar to achieve the same result. By default, when you copy a User to another landscape, the Group and the users within the Group are also copied. (You can change this default setting in User Security and Administration Options (Page 32).) Security and User Maintenance Page 81

82 Moving a User Model When you click and drag, the cursor turns into a white outlined black dot. When you move over a User Group that is a valid group for the User to be copied into, the cursor changes to a square, as follows:. Drag and Drop You can click and drag a User to another User Group within your landscape. A User will be copied into the same User Group as it is a member of in the Landscape it is being copied from. Enabling a Read-Only User Model to Save User Preferences While most User Models are apt to have Read-Only privileges, there are occasions when you may want to allow a Read-Only User Model to be able to save specific preference settings desired by or for that specific user. One common situation for this is that you may want certain operators to be able to set and save their own Preferences settings when using Alarm Manager, for example. To establish this arrangement, proceed as follows: 1 Set a security string for all models in a community by setting the community string (for example, MODELS) in the top-level containers in the Topology/Location/Organization views. This security string will roll down to all devices in the hierarchy, which inherit whatever strings are applied to higher-level models. 2 Set another security string for the User Model to which you wish to provide Preferences editing privileges (for example, USER1). 3 In the User Attributes area of the UserEditor: Main view, set the Community String entry for the given user(s) to allow read-write access for models associated with the USER1 security string but just read-only access to other models in the hierarchy (for example, USER1,0:MODELS,5). Security and User Maintenance Page 82

83 Deleting a User Model To delete a User model: 1 Select the User Group from which you want to delete a User model. 2 Select the User model that you want to delete. 3 Select Delete User from the User menu or click the tool bar s Delete User icon to open the UserEditor: Delete dialog box. The dialog box asks you to confirm the delete request. Click OK to confirm that you do intend to delete the User Model that you selected. Note: You cannot delete the User model you are logged in as if you are logged in as yourself, for example, Delete User will be grayed out when your User model is selected. Security and User Maintenance Page 83

84 Preferences This section lists the preferences for the UserEditor application. The Preferences option from the Options menu displays the User Editor: Preferences dialog box, which allows you to customize and save UserEditor features to control how UserEditor is displayed and interacts with the rest of SPECTRUM. These preferences and their defaults are described below. The dialog box provides three tabbed panes (Actions, Connection, and Display). The following subsections describe the different functions available on these three panes. Figure 38: User Editor: Preferences Dialog Box Security and User Maintenance Page 84