Cisco Security Policy Engine Administration Server User Interface Topics


APPENDIX A Cisco Security Policy Engine Administration Server User Interface

This appendix describes how a system administrator can access the Cisco Security Policy Engine (SPE) Services Administration web-based user interface from the Cisco Broadband Access Center (BAC) application. The Cisco SPE security service provides an authentication and authorization framework based on the Role Based Access Control (RBAC) model, in which access permissions are associated with roles and users are made occupants of a role.

Table A-1 Topics

If you want to...                                     Go to the...
Learn more about how BAC implements security          Overview of BAC Security section
Access the Security Policy Engine user interface      Accessing the Application section
Edit your personal profile or change your password    Logging Out section

Overview of BAC Security

BAC security has two focuses:

- ISP partitioning
- Operator permissions

Together these determine which objects a user can see and which actions the user can perform on those objects.

For network efficiency and performance, BAC does not handle security for individual network devices or administrative networks. If you grant a user group access to an administrative network, that user group has access to all objects under the administrative network, including administrative subnetworks, devices, cards and ports. All objects inherit settings from their immediate parent.

You give a user group permission to perform actions on objects by category, not by individual object. For example, if you give a user group permission to create a device, members of this group can create any device under any administrative network they can access.

Underlying BAC security is the logical grouping of service providers. You can create geographical, functional, technological, or any other grouping that logically partitions administrative networks, devices, network resources and subscribers. In this way, network operators at one service provider can see only the networks, devices, network resources and subscribers that belong to it.

In the BAC security model, you must assign an owner to each object you create. You select the owner from a list of ISPs. After you assign an owner to an object, only operators associated with that owner, or BACAdmin, can access the object. Figure A-1 illustrates the BAC security partition concept.

Figure A-1 BAC Security Partitioning

NIMRoot
  NY (assigned to ISP1)
  CA (assigned to ISP2, ISP3)
    San Francisco (assigned to ISP2)
    San Jose (assigned to ISP3)
      Bldg20
        cpe1
        cpe2
        C10K_1
NetworkResourceRoot
  AAA
    A1 (assigned to ISP1, ISP2)
    A2 (assigned to ISP3)
  DHCP
    dhcp1 (assigned to ISP1)
    dhcp2 (assigned to ISP3)

Each service provider can have a number of predefined user groups with different permissions. The user BACAdmin can create operators and assign them to user groups. Based on the permissions of the associated group, an operator can create, delete, view and modify networks, devices or subscribers, and can add, delete and modify services for devices and subscribers.

When you initialize the BAC servers, the bacstartup script loads the security object model into the security server. This security object model defines the BAC-specific permissions, defines roles that contain sets of permissions, and provides a mechanism to create user groups associated with the roles. When you initialize the server, the system also creates the BACAdministrators group and BACAdmin, the default BAC administrative user, with a default password.

Caution Cisco Systems recommends against changing these permissions, roles, and groups, to avoid unwanted behavior.

You can change the default password using SPE. Because BACAdmin can access every object regardless of its ISP owner, change this default password before the server is reachable by anyone other than the administrator.

When BACAdmin creates an ISP, the system automatically creates a number of user groups associated with that service provider in the SPE server. The names of the user groups and the permissions of each group are predefined in the XML file. The default groups and their permissions are:

[ISPname]AdvanceOperators: create, delete, get and set permissions on AdminNetwork, Device, NetworkResource, Subscriber and SubscriberGroup objects, and permission to add and delete services of Device and Subscriber objects. The only thing this group cannot do is anything related to ISP objects.

[ISPname]IntermediateOperators: create, delete, get and set permissions on AdminNetwork, Device and NetworkResource objects, and permission to add and delete services of Device objects, with a partial list of service features.

[ISPname]Operators: create, delete, get and set permissions on Subscriber and SubscriberGroup objects, and permission to add and delete services of Subscriber objects, with a partial list of service features: SinglePVC, PVCRange, SingleVLAN and VLANRange. This group is meant to complement the access list and permissions of the IntermediateOperators group.

[ISPname]CustomerOperators: read-only permissions in all categories.

If a user logs in as a member of the user group [ISPname]AdvanceOperators, for example ISP3AdvanceOperators, the user's access is as illustrated in Figure A-2: only the objects owned by ISP3, directly or through their parent, remain visible.

Figure A-2 Access for a Member of the User Group ISP3AdvanceOperators

NIMRoot
  CA (assigned to ISP2, ISP3)
    San Jose (assigned to ISP3)
      Bldg20
        cpe1
        cpe2
        C10K_1
NetworkResourceRoot
  AAA
    A2 (assigned to ISP3)
  DHCP
    dhcp2 (assigned to ISP3)

The SPE application functions are accessed with a web browser from the BAC application. You can perform the following functions:

- Create, modify, and delete users in the user configuration view.
- Create, modify, and delete user groups in the group configuration view.
- Set up user roles. User roles allow you to assign a set of privileges to a user or user group.
- Set up policy rules. Policy rules are the primary component used to define a policy. They allow you to assign a scope for users and user groups to work with.

Accessing the Application

This section describes how to log on to the Cisco Security Policy Engine (SPE) server. You can launch SPE in two ways:

- From the Broadband Access Center application
- By entering a specific URL in your web browser

Authentication is the first operation required after starting the application. You do this from the Log On page.
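The partitioning and group-permission rules from the Overview of BAC Security section, worked through as an added Python example. This is illustration code written for this page, not Cisco code and not the SPE security object model: the object names and owner assignments follow Figure A-1 and the permission sets follow the group descriptions above, while the data structures, the rule that an object with no owner of its own inherits its owner from its parent, and the treatment of the root containers (NIMRoot, NetworkResourceRoot) as visible to every operator are assumptions made for the example.

```python
"""Toy model of BAC security: ISP partitioning plus role-based operator permissions.
Added illustration, not Cisco code.  Object names and owner assignments follow Figure A-1
and the permission sets follow the group descriptions; the data structures, the rule that
an unassigned object inherits its owner from its parent, and root containers being
visible to every operator are assumptions made for this example."""
from dataclasses import dataclass, field

OPERATOR_CATEGORIES = ("AdminNetwork", "Device", "NetworkResource",
                       "Subscriber", "SubscriberGroup")     # ISP objects are BACAdmin-only
CRUD = ("create", "delete", "get", "set")
SERVICE = ("addService", "deleteService")
BAC_ADMIN_GROUP = "BACAdministrators"

def _grant(categories, actions=CRUD):
    """Permissions are granted per (action, category), never per individual object."""
    return {(a, c) for a in actions for c in categories}

# Permission sets of the four groups created for every ISP.
ROLE_PERMISSIONS = {
    "AdvanceOperators": _grant(OPERATOR_CATEGORIES) | _grant(("Device", "Subscriber"), SERVICE),
    "IntermediateOperators": (_grant(("AdminNetwork", "Device", "NetworkResource"))
                              | _grant(("Device",), SERVICE)),
    "Operators": _grant(("Subscriber", "SubscriberGroup")) | _grant(("Subscriber",), SERVICE),
    "CustomerOperators": _grant(OPERATOR_CATEGORIES, ("get",)),     # read-only everywhere
}

@dataclass
class BacObject:
    name: str
    category: str
    owners: frozenset = frozenset()     # ISPs assigned as owner; empty means inherit
    parent: "BacObject | None" = None
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def effective_owners(self):
        """Walk up to the nearest explicit owner assignment (inheritance rule, assumed)."""
        node = self
        while node is not None and not node.owners:
            node = node.parent
        return node.owners if node is not None else frozenset()   # roots: no ISP

def parse_group(group):
    """'ISP3AdvanceOperators' -> ('ISP3', 'AdvanceOperators'); longest role first, as all end in 'Operators'."""
    for role in sorted(ROLE_PERMISSIONS, key=len, reverse=True):
        if group.endswith(role) and len(group) > len(role):
            return group[:-len(role)], role
    raise ValueError(f"unknown user group {group!r}")

def can_see(groups, obj):
    """ISP partitioning: only operators of an owning ISP, or BACAdmin, can access the object.
    `groups` is the set of user-group names the user is a member of."""
    if BAC_ADMIN_GROUP in groups:
        return True
    owners = obj.effective_owners()
    # assumption: root containers (no owner) are navigation nodes visible to everyone
    return not owners or any(parse_group(g)[0] in owners for g in groups)

def _permitted(groups, action, category, scope):
    """True if a group of the user, from an ISP owning `scope`, holds (action, category)."""
    if BAC_ADMIN_GROUP in groups:
        return True
    if not can_see(groups, scope):
        return False
    owners = scope.effective_owners()
    return any((action, category) in ROLE_PERMISSIONS[role] and (not owners or isp in owners)
               for isp, role in map(parse_group, groups))

def authorize(groups, action, obj):
    """May the user get/set/delete/addService/deleteService on the existing `obj`?"""
    return _permitted(groups, action, obj.category, obj)

def can_create(groups, category, under):
    """Create is by category: allowed under any administrative network the user can access."""
    return _permitted(groups, "create", category, under)

def visible_names(groups, root):
    """Depth-first walk returning what the user sees, like Figure A-2 for an ISP3 operator."""
    seen, stack = [], [root]
    while stack:
        node = stack.pop()
        if can_see(groups, node):
            seen.append(node.name)
        stack.extend(reversed(node.children))
    return seen

def build_figure_a1():
    """Administrative-network half of Figure A-1 (constructed sample data): name -> object."""
    nim = BacObject("NIMRoot", "AdminNetwork")
    ny = nim.add(BacObject("NY", "AdminNetwork", frozenset({"ISP1"})))
    ca = nim.add(BacObject("CA", "AdminNetwork", frozenset({"ISP2", "ISP3"})))
    sf = ca.add(BacObject("San Francisco", "AdminNetwork", frozenset({"ISP2"})))
    sj = ca.add(BacObject("San Jose", "AdminNetwork", frozenset({"ISP3"})))
    bldg20 = sj.add(BacObject("Bldg20", "AdminNetwork"))           # inherits ISP3 from San Jose
    devices = [bldg20.add(BacObject(d, "Device")) for d in ("cpe1", "cpe2", "C10K_1")]
    return {o.name: o for o in [nim, ny, ca, sf, sj, bldg20, *devices]}
```

Calling visible_names with the group set {"ISP3AdvanceOperators"} reproduces the administrative-network tree of Figure A-2, and can_create with category "ISP" is refused for every operator group and granted only to a member of BACAdministrators, matching the statement that AdvanceOperators cannot do anything related to ISP. Note that a user placed in groups of two different ISPs is granted the union of both, which is why the group membership set in the Adding a User to User Groups procedure is the control that decides what an operator can reach.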

Logging On from BAC

To access SPE, follow these steps:

Step 1. Log in to BAC. Enter your name and password, then press Login. An encryption notice page appears.
Step 2. Read the notice. Click Exit to return to the login page, or click OK to access the Broadband Access Center application.
Step 3. Click the Tools tab and then User Administration. The User Administration page appears.
Step 4. From the Tools > User Administration page, click SPE User Admin UI.
Step 5. Wait until SPE Administration loads and the logon page appears.

Note SPE Administration is referred to as SPE throughout this appendix.

Step 6. Enter your user identification and password, then click Logon. The SPE page appears. It displays version, product, and copyright information, and menu options that allow you to navigate through the different user interfaces.

Logging On from a Browser

You can launch the Cisco Security Policy Engine Administration user interface from your web browser. Authentication is the first operation required after launching the application; this is done from the Log On page. Follow these steps to log on to the system.

Step 1. Open your browser.
Step 2. Enter the specified URL: http://<server_name>/bac/user_admin.do. The BAC Login page appears.
Step 3. Log on to BAC. Type in your name and password, then press Login. An encryption notice page appears.
Step 4. Read the notice and click Exit to return to the login page, or click OK to access the Broadband Access page.
Step 5. Click the Tools tab and then User Administration. The User Administration page appears.
Step 6. Enter the User Identification (case sensitive for databases) and Password (case sensitive in directories and databases) in the corresponding fields.
Step 7. Click Logon. The Cisco SPE Administration page appears.

Note The documented URL uses plain http://. Unless the BAC web server is configured for HTTPS, the BAC and SPE credentials entered in these steps cross the network in clear text.

Managing Users

This section describes the options that are available under the SPE Administration User Management menu:

- User Configuration

Note Only users with administrator privileges on a resource are allowed to perform administrative tasks on that resource.

User Configuration

After you log in to SPE, select User Management and then User Configuration from the menu. The User Configuration page appears. You can perform the following tasks from the Cisco SPE user interface:

- Browsing Users
- Adding a New User
- Updating a User Profile
- Deleting a User
- Cloning a User
- Adding a User to User Groups
- Removing a User from a User Group

Browsing Users

To browse the list of users, follow these steps:

Step 1. Click Next >> or <<Prev to page through the user list. You can also search for a specific user by entering the user's name in the Filter text field and then clicking Go.
Step 2. Click Browse to search for users in any context other than the default context. (This is possible only if context selection is enabled.) A context popup menu appears.

Note The context chooser lets you browse a context of roles, policy rules, or groups. Select the intended context, for example policy rules. If you know what to filter on, enter that text in the Filter field and click Go. If you do not, leave the field blank and click Go; BAC lists all the data under that category. You can then take text from the desired entry, put it in the Filter field and click Go again; BAC filters out every entry except the ones that contain the text you entered.

Step 3. Select the required context.
Step 4. Specify filters in the Filter text field, if you want to refine your search.
Step 5. Click Go to list the users matching the new search criteria.

Adding a New User

To add a new user to the SPE database, follow these steps:

Step 1. Click New. The new user page appears with the following fields:
  Name: Name of the user.
  Last Name: Last name of the user.
  Password: The user's password.
  Confirm Password: Re-enter the password to confirm it.
Step 2. Enter values in each field. Use the Tab key to move through the fields.
Step 3. Click Insert to save the user information.

Updating a User Profile

To modify the profile of a user, follow these steps:

Step 1. Select the user that you want to update.
Step 2. Make the necessary changes. If you make a mistake, click Reset to restore all fields to their original values and continue.
Step 3. Click Update to save the changes.

Deleting a User

To delete a user from the system, follow these steps:

Step 1. Choose the user that you want to delete.
Step 2. Click Delete. You are prompted to confirm the delete operation.
Step 3. Click OK to confirm the deletion, or Cancel to cancel the delete operation.

Cloning a User

You might want to copy the information from one user to another and use it to create a new user. To clone a user, follow these steps:

Step 1. Select an existing user whose profile is similar to the new user you want to configure.
Step 2. Click Clone to make a copy of that user to configure the new one.
Step 3. Make the appropriate changes to the required fields.
Step 4. Click Insert to save the user information.

Adding a User to User Groups

A user receives the permissions of every group you add here; adding a user to a group named for another ISP gives that user access to that ISP's objects. To add a user to one or more user groups, follow these steps:

Step 1. Choose the user you want to add to the user groups.
Step 2. Click Add to Group at the bottom of the page. The Select User Group page appears.
Step 3. From the Available User Groups list, select the group or groups to which you want to add the user.
Step 4. Use the arrows to move the user groups to and from the Selected User Groups list (on the right side of the page).
Step 5. After you have included all the groups you want the user added to, click Insert and Close to save the changes and close the dialog box. You return to the previous page, where the user groups that the user belongs to are listed at the bottom of the page.
Step 6. If context selection is enabled, you can click Browse to select user groups in any other context. A context popup menu appears.
Step 7. Select the required context and click Go. A list of user groups matching the new search criteria appears. You can specify filters in the Filter text field to refine your search.
Step 8. Click Insert and Close to save the changes you have made.

Note Alternatively, you can click Cancel to discard the changes and close the dialog page.

Removing a User from a User Group

To remove a user from a user group, follow these steps:

Step 1. Choose the user that you want to remove from a group by clicking the check box to the left of the user name.
Step 2. Select the user group from which you want to remove the user.
Step 3. Click Remove from Group. The selected user is removed from the specified group.

Logging Out

To log out of the system, click Logout in the upper right corner of your CNS page. You are prompted with a message. Click OK to log out, or Cancel to continue working.