209956207-netnumen-u31-r18-unified-element-management-system-security-management-operation-guide.pdf

  • Uploaded by: Vittola
  • 0
  • 0
  • November 2019
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View 209956207-netnumen-u31-r18-unified-element-management-system-security-management-operation-guide.pdf as PDF for free.

More details

  • Words: 12,880
  • Pages: 71
NetNumen™ U31 R18 Unified Element Management System

Security Management Operation Guide Version: 12.10.040

ZTE CORPORATION NO. 55, Hi-tech Road South, ShenZhen, P.R.China Postcode: 518057 Tel: +86-755-26771900 Fax: +86-755-26770801 URL: http://ensupport.zte.com.cn E-mail: [email protected]

LEGAL INFORMATION Copyright © 2011 ZTE CORPORATION. The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited.

Additionally, the contents of this document are protected by

contractual confidentiality obligations. All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners. This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein. ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject matter of this document. Except as expressly provided in any written license between ZTE CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter herein. ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice. Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information. The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History Revision No.

Revision Date

Revision Reason

R1.0

2011-09–23

First Edition

Serial Number: SJ-20110823134613-005 Publishing Date: 2011-09-23(R1.0)

Contents About This Manual ......................................................................................... I Chapter 1 Overview .................................................................................... 1-1 1.1 Introduction to Security Management Functions ................................................... 1-1 1.2 Basic Concepts of Security Management ............................................................. 1-1 1.3 Relation Model ................................................................................................... 1-2 1.4 Security Management Solution............................................................................ 1-4 1.5 Authentication and Access Control ...................................................................... 1-5 1.6 Authentication Modes ......................................................................................... 1-6 1.7 Auditing ............................................................................................................. 1-6 1.8 Centralized Security Management ....................................................................... 1-6 1.9 Implicit Prerequisites .......................................................................................... 1-7

Chapter 2 Security Policy Management ................................................... 2-1 2.1 Introduction to Security Policy Management ......................................................... 2-1 2.2 Customising the User Account Rule..................................................................... 2-1

Chapter 3 Operation Set Management ..................................................... 3-1 3.1 Introduction to Operation Set Management .......................................................... 3-1 3.2 Creating an Operation Set .................................................................................. 3-2 3.3 Viewing the Information of an Operation Set......................................................... 3-3 3.4 Modifying a Customised Operation Set ................................................................ 3-4 3.5 Duplicating an Operation Set............................................................................... 3-5 3.6 Deleting a Customised Operation Set .................................................................. 3-5 3.7 Viewing All Permitted Operations ........................................................................ 3-6 3.8 Exporting All Customised Operation Sets............................................................. 3-7 3.9 Importing an Operation Set ................................................................................. 3-8

Chapter 4 Role Management ..................................................................... 4-1 4.1 Introduction to Role Management ........................................................................ 4-1 4.2 Creating a Role .................................................................................................. 4-2 4.3 Modifying a Customised Role.............................................................................. 4-5 4.4 Duplicating a Role .............................................................................................. 4-6 4.5 Deleting a Customized Role................................................................................ 4-6 4.6 Viewing the Users Assigned with a Selected Role ................................................ 4-7 4.7 Locking a Customised Role................................................................................. 4-7

Chapter 5 Role Set Management............................................................... 5-1 I

5.1 Introduction to Role Set Management .................................................................. 5-1 5.2 Creating a Role Set ............................................................................................ 5-1 5.3 Modifying a Customised Role Set ........................................................................ 5-3 5.4 Duplicating a Role Set ........................................................................................ 5-4 5.5 Deleting a Role Set ............................................................................................ 5-5 5.6 Viewing the Users Assigned with a Selected Role Set .......................................... 5-6 5.7 Locking a Role Set ............................................................................................. 5-6

Chapter 6 Department Management ......................................................... 6-1 6.1 Introduction to Department Management ............................................................. 6-1 6.2 Creating a Department ....................................................................................... 6-1 6.3 Modifying a Department...................................................................................... 6-3 6.4 Deleting a Department........................................................................................ 6-3

Chapter 7 User Management ..................................................................... 7-1 7.1 Introduction to User Management........................................................................ 7-1 7.2 Creating a User.................................................................................................. 7-1 7.3 Modifying a User ................................................................................................ 7-6 7.4 Duplicating a User .............................................................................................. 7-8 7.5 Deleting a User ................................................................................................ 7-10

Chapter 8 Other Functions ........................................................................ 8-1 8.1 Viewing User Lockup Records............................................................................. 8-1 8.2 Modifying the Passwords of All Common Users.................................................... 8-2 8.3 Managing Current Login Users............................................................................ 8-2 8.4 Set User Blacklist ............................................................................................... 8-3 8.5 Viewing the Network Element Login Users ........................................................... 8-4 8.6 Modifying the User Login Password..................................................................... 8-5 8.7 User Login ......................................................................................................... 8-5

Figures............................................................................................................. I Tables ............................................................................................................ III Glossary .........................................................................................................V

II

About This Manual The NetNumenTM U31 R18 Unified Element Management System (NetNumen U31 or EMS) is a special network element management system that manages network elements in radio access systems. By using NetNumen U31, users can configure and maintain individual network elements, and manage radio access networks in a unified manner. NetNumen U31 provides the following management functions: l l l l l

Configuration management Fault management Performance management Topology management Security management

As an object-oriented system designed on the JAVA 2 platform Enterprise Edition (J2EE), NetNumen U31 provides unified standard interfaces to external devices.

Purpose This guide describes the security management operations in the NetNumen U31 system.

Intended Audience l l

Maintenance engineers Debugging engineers

What Is in This Manual Chapter

Summary

Chapter 1, Overview

Introduces concept of security management, related terms, relation model, management example, and implicit prerequisites.

Chapter 2, Security Policy Management

Describes customisation of user account rules and rules of security events.

Chapter 3, Operation Set Management

Describes steps of viewing, modifying, exporting operation sets.

Chapter 4, Role Management

Describes operations of adding, modifying, copying and deleting roles.

Chapter 5, Role Set Management

Describes operations of adding, modifying, copying and deleting role sets.

Chapter 6, Department Management

Describes operations of adding, modifying, and deleting departments.

I

Chapter

Summary

Chapter 7, User Management

Describes management of user accounts, such as adding, modifying, copying, deleting accounts.

Chapter 8, Other Functions

Describes other management functions.

II

Chapter 1

Overview Table of Contents Introduction to Security Management Functions .........................................................1-1 Basic Concepts of Security Management ...................................................................1-1 Relation Model ...........................................................................................................1-2 Security Management Solution...................................................................................1-4 Authentication and Access Control .............................................................................1-5 Authentication Modes.................................................................................................1-6 Auditing ......................................................................................................................1-6 Centralized Security Management..............................................................................1-6 Implicit Prerequisites ..................................................................................................1-7

1.1 Introduction to Security Management Functions The security management functions provided by NetNumen U31 are used to ensure proper and reliable running of the network element management system (EMS). By using the security management functions, the system administrator can create security policies, maintain user accounts and manage roles, role sets and departments. In addition, the administrator can assign different authorities to individual users for them to access and manage limited network resources. The security management functions can be classified into two parts: l l

Security policy customisation: Security policies are applicable to all users of the system. Integrated management of roles, role sets, operation sets, departments and users: The integrated management functions can control the authorities of individual users.

Among all functions, security policy and the management of users, roles and departments are the most important in the security management.

1.2 Basic Concepts of Security Management Security management concerns several basic concepts, including role, role set, operation set, department, and user, which are explained as follows: l

Role A role specifies the management permission for a user group, including the operation permission and managed resources.

1-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide à

The operation permission allows the user group to use specific functional modules of the EMS. For example, if a role has the operation permission of the log management module, the users assigned with the role can perform log management operations, such as querying logs and maintaining logs.

à

The managed resources refer to the subnetworks and/or the network elements that can be managed by the role.

In application, the operation permission and managed resources combine to decide the actual authorities of a role. For example, if a role is assigned a base station as one managed resource, and topology management as the operation permission, the actual permission of the role is to perform topology management on the base station. l

Role Set A role set is a collection of roles. The permissions of a role set involves those of all roles in the role set.

l

Operation Set An operation set is a collection of operations. If an operation set is assigned to a role, this role has the permission of all operations specified in the operation set on the resource.

l

Department Departments are specified in the EMS to simulate the actual administrative departments. In this way, the system administrator can easily manage users in the EMS. A newly-created user must belong to a department.

Note: By default, a newly created user belongs to the root department of the system unless otherwise specified.

l

User A user is an operator authorised to log in to the system and perform certain operations in the system. When creating a user, the system administrator assigns the management permission to the user by specifying one or more roles or role sets (The actual permission of a user is the combination of the authorities of all roles or role sets assigned to the user). The administrator can also allocate the user to a department based on actual requirements.

1.3 Relation Model The relation model in security management is based on the role. The permission of a role depends on the managed resources and corresponding operation rights assigned to it. Assigning users with different roles can differentiate user permissions. 1-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 1 Overview

In the NetNumen U31 system, the roles include default roles and custom roles. Default roles include: l l l l

Administrator Role Maintenance Role Operator Role Supervisor Role

Custom roles have user-defined permissions, which depend on the managed resources and related operation rights. The NetNumen U31 system supports adding, deleting, and modifying custom roles. By customizing roles and assigning role(s) to users, you can allocate users different permissions. The users can perform authorized actions in the system according to their permissions. The relations among user, role, role set, department, operation permission, and managed resources are illustrated in Figure 1-1. Figure 1-1 Relation Model of Security Management

Following are some supplementary explanations: l l l l

A user must belong to a department. A department can include one or more users. A user must be assigned with at least one role. A role can be assigned to any number of users. A user can be assigned with one or more role sets. A role set can be assigned to any number of users. The permissions of the role(s) or role set(s) assigned to the user decide the user’s actual permission.

1-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

l l

A role set must include at least one role. A role can be assigned to any number of role sets. The permissions assigned to the managed resources of a role decide the actual operation permission of the role.

1.4 Security Management Solution After fully understanding the relation model of security management, you can work out a security management solution according to the network scale, administrative division, and allocated permission. Suppose a telecom operator in a province plans to use the NetNumen U31 system to manage all Base Station Controllers (BSCs) and Base Transceiver Stations (BTSs) in the province. Several branch offices are distributed in the province. Each office only manages the devices in the area administrated by it. Table 1-1 provides a security management solution for the telecom operator in a province, which specifies the departments, role sets, roles, operation sets, users, and their relations. Table 1-1 Security Management Example Department

Role

Operation Set

Role Description

User

The system provides a default None

System administrator

administrator role, who has the Administrator

highest administration authority.

admin

This user is independent of any department.

BSC administrator

The BSC administrator has the

System

authority to manage all BSC

administrator

BSCAdmin

devices in the province. This role specifies the authority

On-duty personnel of BSC

of ordinary operators, who Monitor

can perform routine monitoring

BSCWatch

operations on all BSC devices in the province.

Provincial Office BTS administrator

The BTS administrator has the

System

authority to manage all BTS

administrator

BTSAdmin

devices in the province. This role specifies the authority

On-duty personnel of BTS

of ordinary operators, who Monitor

can perform routine monitoring

BTSWatch

operations on all BTS devices in the province.

1-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 1 Overview

Department

Role

Operation Set

Role Description

User

This role specifies the authority BTS administrator

of BTS administrator, who can

System

manage all BTS devices in the

administrator

BTSAdmin1

area administrated by branch office 1.

Branch Office This role specifies the authority

1

of ordinary operators, who On-duty personnel

can perform routine monitoring

Monitor

operations on all BTS devices in

BTSWatch1

the area administrated by branch office 1. This role specifies the authority BTS administrator

of BTS administrator, who can

System

manage all BTS devices in the

administrator

BTSAdmin2

area administrated by branch office 2.

Branch Office This role specifies the authority

2

of ordinary operators, who On-duty personnel

can perform routine monitoring

Monitor

operations on all BTS devices in

BTSWatch2

the area administrated by branch office 2. This role specifies the authority BTS administrator

of BTS administrator, who can

System

manage all BTS devices in the

administrator

BTSAdminN

area administrated by branch office N.

Branch Office This role specifies the authority

N

of ordinary operators, who On-duty personnel

can perform routine monitoring

Monitor

operations on all BTS devices in

BTSWatchN

the area administrated by branch office N.

1.5 Authentication and Access Control When a user performs an operation in NetNumen U31, the system calls the authentication interface according to the authorized rights set to check whether the user has the rights to perform the operation. The user without the operation rights cannot perform the operation.

1-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

The authentication mechanism in the NetNumen U31 system ensures that the user can perform authorized operations and forbids unauthorized operations. In this way, the authentication mechanism protects the key system functions and ensures the security of sensitive data.

1.6 Authentication Modes Each user has a unique ID . When a user logs in to the system, the system authenticate the user through the ID. After the system determines that the user ID is valid, the user can log in to the system and can use the system with authorized rights. NetNumen U31 supports three authentication modes: 1. Password authentication 2. RADIUS authentication 3. Digital certificate authentication

1.7 Auditing NetNumen U31 supports log management. The logs include system logs, security logs, and operation logs. Operation log is the records of operations and events generated by the user interface. Security log is the records of security events such as a user's accessing of the system. System Log is the records of events generated by the system, such as time task, data processing. Log management includes tracing all operations performed by each user. Log management provides a convenient and friendly user interface for log query. Custom query of log data (fuzzy match or exact match) can be performed according to user name, event and operation information.

1.8 Centralized Security Management Centralized security management is an optional security management policy provided by NetNumen U31. The policy performs integrated user and authorization management in the Network Element Management System (EMS). In this way, the user information can be better managed. The security data, such as user information and authentication, is transmitted via the EMB interface between the EMS and OMM. The EMB interface uses the SSH protocol to ensure the integrity and secrecy of data. Figure 1-2 illustrates the process of centralized security management.

1-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 1 Overview

Figure 1-2 Centralized Security Management

The EMS in the figure refers to NetNumen U31.

1.9 Implicit Prerequisites For all security management operations, the following prerequisites may be presumed to have been met. l l

Log in to the NetNumen U31 GUI client as an administrator. The connection between the NetNumen U31 client and the server is normal.

Note: For the client/server architecture, refer to NetNumen U31 Mobile Network Element Management System System Description.

1-7 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

This page intentionally left blank.

1-8 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 2

Security Policy Management Table of Contents Introduction to Security Policy Management ...............................................................2-1 Customising the User Account Rule ...........................................................................2-1

2.1 Introduction to Security Policy Management By using the security policy management function, you can customise the user account rule. The user account rule specifies the attributes related to account security, such as password length requirement and weak password check.

2.2 Customising the User Account Rule Abstract After installation, the NetNumen U31 system has no user account rules. It is recommended to set the account rules following the rules below: l l l l l l

A user account is locked when the wrong passwords are entered for at least three times. A locked user account is unlocked at least 24 hours after the locking. The weak password check should be enabled. The account valid period can be within 6 months. Refer to “Creating a User”. The new password cannot repeat the last used five ones. The GUI is automatically locked if no operations are performed on the client for over 30 minutes.

Steps 1. On the menu bar of the client window, click Security > customise User Account Rule to open the customise User Account Rule dialogue box, as shown in Figure 2-1.

2-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Figure 2-1 Customising User Account Rule

2. Set parameters to customize user account rule according to the actual requirements, based on description in Table 2-1. Table 2-1 Parameters for Customising User Account Rule Policy/Rule Type

Parameter

Description

Enable Weak Pass-

Select to check weak

word Check

password

Suggested Value Selected

automati-

cally. Password Policy Minimum Length

Minimum

password

6

length (value range: 0–20).

2-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 2 Security Policy Management

Policy/Rule Type

Parameter Maximum Length

Description Maximum

Suggested Value

password

20

length (value range: 0–20). Can not be last used

Select to check if the

password within

password has been used

within

100

speci-

fied past days (value range: 1–100). Can not be last used

Select

to

check

if

5

the password repeats any of the ones used in previous specified time(s) (value range: 1–100). Notify password ex-

Select and the sys-

piry in an advance of

tem will notify pass-

5

word expiry specified days in advance. Password modifica-

Select and the user

tion in a day cannot

cannot

exceed

password

modify over

3

the the

specified times. User must modify

Select and the user

expired

must modify overdue

password

when login

Selected

password before logging into the system. If the check box is not selected, the user can login without modifying overdue password.

The

invalid

pass-

Select and the user

word must be modi-

must modify the

fied when login

password upon login

Selected

when the password is invalid. Passwords

should

Select and the users

be different if users

with the same full

have the same full

name must be set with

name

different passwords.

Not selected

2-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Policy/Rule Type

Parameter

Description

Emails will be sent to

Select and the users

users whose pass-

will receive an Email if

words are modified

their passwords have

Suggested Value Not selected

been modified. Never Lock

Select this option,

Lock Temporarily

and users will not be locked in case of multiple failures for login. Lock Permanently

Select this option, and users will be locked when specified login attempts fail.

Lock Temporarily

Select this option, and the locked user will be unlocked after specified time (Unit: hour).

Lock at password er-

Lock the account

ror

at specified times

3

of entering wrong password (value

Account Lock Rule

range: 2–20). Unlock after

Unlock after specified

24

hours (value range: 1–72). Lock account with IP

Specifies whether to

Selected

lock the account by its IP address, that is, the client with the address cannot log in to the EMS server. Do not lock the user

Select the check box,

admin

and Admin account

Selected

is not locked. It is not suggested to lock the Admin account, because the account has advanced authorities.

2-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 2 Security Policy Management

Policy/Rule Type

Parameter

Description

Can not be user ac-

Select the check box

counts deleted in the

and the user account

last

must not repeat any

Suggested Value 5

account deleted in specified past days (value range: 1–100).

Account Checking Policy

Notify account ex-

Select the check box

piry in an advance of

and the system will

5

notify account expiry specified days in advance (value range: 1–90).

Note: A locked (permanently or temporarily) user can only be unlocked by the administrator user (Admin). For a temporarily locked user, the account can be unlocked after the specified duration.

3. Click OK to confirm the setting of the user account rule. You can also click Default to restore default user account policies. – End of Steps –

2-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

This page intentionally left blank.

2-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 3

Operation Set Management Table of Contents Introduction to Operation Set Management ................................................................3-1 Creating an Operation Set..........................................................................................3-2 Viewing the Information of an Operation Set...............................................................3-3 Modifying a Customised Operation Set.......................................................................3-4 Duplicating an Operation Set......................................................................................3-5 Deleting a Customised Operation Set.........................................................................3-5 Viewing All Permitted Operations ...............................................................................3-6 Exporting All Customised Operation Sets ...................................................................3-7 Importing an Operation Set ........................................................................................3-8

3.1 Introduction to Operation Set Management An operation set is a collection of operation permissions. By assigning required operation sets to different management resources of a role, you can define the operations the role can perform on each resource. NetNumen U31 supports the following operation set management functions: l l l l l l l l

Create an Operation Set: set the name, description and permitted operations to create an operation set. View an Operation Set: view the information of an operation set, including its name, description, and operation assignment. Modify an Operation Set: modify the description and operation assignment of an operation set created by the user. Duplicate an Operation Set: create a similar new operation set by duplicating an existing operation set. Delete an Operation Set: delete a useless operation set created by the user. View All Permitted Operations: view all permitted operations of an operation set. Export an Operation Set: export the information of all operation sets and save it as an XLS file. Import an Operation Set: import an operation set from an XLS file.

3-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Note: The following five default operation sets cannot be modified or deleted. l l l l l l

Administrator Right System Maintenance Right Operation Right View Right No Right Operator View Right

The Operator View Right is only available when the Radio Access Network (RAN) network sharing function is enabled.

3.2 Creating an Operation Set Context When the default operation sets does not meet the actual requirements, you can create a new operation set with customised operation permissions.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. On the Role Management pane, click any node under Role to display the information of the selected role in the right pane. 3. Under

Access

Rights

in

the right pane, click , and select Create Operation Set from the drop-down menu, or right-click any operation set from the operation set list, and click Create an Operation Set on the shortcut menu to open the Create an Operation Set dialogue box. The operation set list is shown in Figure 3-1.

3-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 3 Operation Set Management

Figure 3-1 Operation Set List

4. Under General Information, type the name and description of the new operation set in the Operation Set Name and Operation Set Description boxes. 5. On the Operation Tree, select the operations you want to add to the operation set.

Note: The name of the new operation set cannot be the same as any existing one.

6. Click OK. – End of Steps –

Result The created operation set appears in the operation set list under Access Rights.

3.3 Viewing the Information of an Operation Set Context After an operation set is created, you can view the operation permissions specified in an operation set as follows:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 3-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

2. In the Role Management pane, click any node under Role to display the information of the selected role in the right pane. 3. Under Access Rights in the right pane, right-click the operation set to be viewed in the operation set list, and then click Browse Operation Set on the shortcut menu. 4. View the information of the operation set in the pop-up Browse Operation Set dialogue box, such as its name, description, and assigned operations. 5. Click OK to finish. – End of Steps –

3.4 Modifying a Customised Operation Set Context The operation sets created by the user can be modified later on, while the system default ones cannot be modified. To modify a customised operation set, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. In the Role Management pane, click any node under Role to display the information of the selected role on the right pane. 3. Under Access Rights in the right pane, right-click the operation set to be modified in the operation set list, and then click Modify Operation Set. 4. In the pop-up Modify Operation Set dialogue box, modify parameters as needed. a. Under General Information, modify the description of the operation set. b. On the Operation Tree, select the operations you want to add to the operation set and/or clear the operations you want to remove from the operation set. 5. Click OK to save the modification and close the Modify Operation Set dialogue box. – End of Steps –

Result After successful modification of the operation set, all roles assigned with this operation set change accordingly. If a login user has been assigned with such role, the system will force the user to log out.

3-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 3 Operation Set Management

3.5 Duplicating an Operation Set Context By duplicating an existing operation set, you can quickly create a new operation set similar to the existing one by modifying some information on the basis of the existing operation set. To create a new operation set by duplicating an existing operation set, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. In the Role Management pane, click any node under Role. The information of the selected role appears in the right pane. 3. In the Access Rights area in the right pane, right-click the operation set to be duplicated in the Operation Set list, and then click Duplicate Operation Set. 4. In the pop-up Duplicate Operation Set dialogue box, type the name and description of the duplicated operation set, and modify the selection of operations as needed.

Note: You can leave the description and operation selection unchanged when it is necessary.

5. Click OK. – End of Steps –

Result A new operation set appears in the operation set list. If you has not modified the description and permitted operations while duplicating the existing operation set, the newly-created operation set with a different name has the same description and permitted operations as those of the duplicated one.

3.6 Deleting a Customised Operation Set Context This section describes how to delete a customised operation set. Note that the default operation sets cannot be deleted.

3-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. In the Role Management pane, click any node under Role to display the information of the selected role in the right pane. 3. Under Access Rights in the right pane, right-click the operation set to be deleted in the operation set list, and then click Delete Operation Set. 4. In the pop-up Confirm dialogue box, click Yes to delete the selected operation set. – End of Steps –

Result The deleted operation set disappears from the operation set list. If a role has been assigned with this operation set, “NO Right” is assigned to the role by default after the deletion of the original operation set. And the login users assigned with this role are forced to log out and log in for another time.

3.7 Viewing All Permitted Operations Context This function allows you to view the description of all operation permissions. Select the node by its name, and the details of the operation permission are listed.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. On the tree of the Role Management pane, click any node under Role to display the information of the selected role on the right pane. 3. Under

Access

Rights

in

the right pane, click and click View All Operations from the drop-down menu, or right-click any operation set in the operation set list, and then click View All Operations to open the View All Operations dialogue box.

4. Expand the Operation Tree and click the operation you want to view on the tree. The description of the selected operation is displayed on the right pane, as shown in Figure 3-2.

3-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 3 Operation Set Management

Figure 3-2 Viewing Permitted Operations

5. Click Close to finish. – End of Steps –

3.8 Exporting All Customised Operation Sets Context The information of all customised operation sets can be exported to an XLS file. The exported operation sets can be imported to another client later on. Only XLS file format is supported.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. On the tree of the Role Management pane, click any node under Role to display the information of the selected role in the right pane. 3. Under

Access

Rights

in

the right pane, click , and select Export All Customized Operation Sets from the drop-down menu, or right-click any operation set in the operation set list, and then click Export All Customized Operation Sets to open the Save dialogue box.

4. Set the file name and path in the pop-up Save dialogue box, and click Save. 3-7 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

5. Click OK in the pop-up Confirm dialogue box. – End of Steps –

Result The XLS file containing the information of all operation sets appears under the selected directory.

3.9 Importing an Operation Set Prerequisites The XLS file for importing operation sets is available.

Context You can edit the information of one or more customised operation set(s) saved in an XLS file exported earlier from another client, and then import the file into the current client to add one or more operation sets.

Caution! Be sure that the content format of the file to be imported is the same as the that of the exported XLS file that is generated by the function “Export all customised operation sets”. Refer to the section Exporting All Customised Operations Sets”. And the operation set name in the file must be different from any existing operation set in the system.

To add a new operation set by importing an XLS file, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. In the Role Management pane, click any node under Role to display the information of the selected role in the right pane. 3. Under

Access

Rights

in

the right pane, click , and select Import Operation Set from the drop-down menu, or right-click any operation set in the operation set list, and then click Import Operation Set to open the Open dialogue box.

4. Select the file to be imported in the list box and click Open. 5. Click OK when prompted with the message of successful import. – End of Steps – 3-8 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 3 Operation Set Management

Result The imported operation set appears in the operation set list.

3-9 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

This page intentionally left blank.

3-10 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 4

Role Management Table of Contents Introduction to Role Management...............................................................................4-1 Creating a Role ..........................................................................................................4-2 Modifying a Customised Role .....................................................................................4-5 Duplicating a Role ......................................................................................................4-6 Deleting a Customized Role .......................................................................................4-6 Viewing the Users Assigned with a Selected Role ......................................................4-7 Locking a Customised Role ........................................................................................4-7

4.1 Introduction to Role Management By using the role management functions, you can specify the operation permission and manageable resources for a role, and determine whether to lock a role. Users assigned with a locked role are no longer permitted to perform the operations assigned to the role. The role management is the basis of role set management and user management. Roles are members of a role set. A user must be assigned with a role or a role set for performing related operations in the system. A user without a role or role set can log in to the system, but has no operation permissions. NetNumen U31 supports the following role management functions: l l l l l

Creating a Role: set the name, description, locking status, operation permission and operation set to create a new role. Modifying a Role: modify the description, locking status, operation permission and operation set of an existing role. Duplicating a Role: duplicate an existing role and create a new role based on the information of the duplicated role. Deleting a Role: delete a useless role. Locking a Role: lock a role to disable the operation permission assigned to the role.

Note: AdministratorRole, MaintenanceRole, OperatorRole, and SupervisorRole are default roles, and cannot be modified or deleted. Of the default roles, the AdministratorRole cannot be duplicated.

4-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

4.2 Creating a Role Context If the security management plan includes any role not provided by default, you need to create the role. It is allowed to assign different authorities to the resources managed by the role. The color of each node on the resource tree indicates the specific permissions the role has for the node. If you create a role with the right to creating users, be aware that a user who can create other users is able to assign any possible role (except administrator) to the created users, even though the user (who can create other users) does not have that role.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Right-click any node under Role on the tree of the Role Management pane, and click Create Role to display role-creating parameters in the right pane, as shown in Figure 4-1.

Figure 4-1 Setting Parameters for a New Role

3. Under Basic Information in the right pane, set role name and description. Table 4-1 explains the basic parameters of a role.

4-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 4 Role Management

Table 4-1 Basic Parameters of a Role Parameter

Role Name

Role Description

Description Type the role name in this box. This parameter is mandatory. Type the description of the role. This parameter is optional.

Value Range

Default Value new role1 (“1”

1–50 character(s)

is a sequence number)

1–100 character(s)

-

-

Not selected

Select this check box if you want to lock the role. Once the role is locked, the user assigned with the role is deprived Lock the Role

of corresponding operation permission. If a user is only assigned with the locked role, the system does not permit the login of this user.

4. Under Access Rights in the right pane, click a resource node on the Resource Tree and then select an operation set from the option buttons on the right of the Resource Tree.

Tip: To select multiple resource nodes at a time, press and hold CTRL and then click the resource nodes one by one. Or, to select continuous nodes on the tree, you can press and hold SHIFT, while click the first and the last nodes.

Table 4-2 describes the parameters under Access Rights. Table 4-2 Access Rights Parameters Parameter

Description The resource tree lists the resources in the network. You can select the resources to be managed by the role. To set a resource node (sub-node) with the same permission with its

Resource Tree

parent node, right-click the sub-node, and click Follow Parent Node’s Right. To set the sub-nodes permission with the same permission of a parent node, right-click the parent node, and click Synchronize Rights of Sub-nodes.

4-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Parameter

Description The system provides the following five operation sets by default. You can also customise other operation sets as needed.

Operation Set

l

Administrator Right (Unavailable)

l

System Maintenance Right

l

Operation Right

l

View Right

l

No Right

l

Operator View Right (available when the network sharing function is enabled)

To view the details of an operation set, double-click the operation set to open the Operation Set Configuration dialogue box, where you can view specific authorities assigned.

5. To know the meaning of different resource icons, click Legend at the bottom right. The Role Right Icon Description dialog box appears, as shown in Figure 4-2. The resource icons of different permissions are described in the dialog box. Figure 4-2 Role Right Icon Description

6. Click OK. – End of Steps –

Result The newly-created role appears under Role in the Role Management pane.

4-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 4 Role Management

4.3 Modifying a Customised Role Context An existing customised role can be modified as needed, including its description, locking status, and role rights. Note that the role name is unmodifiable. To modify a customised role, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Do one of the following to display the modifiable parameters of the role on the right pane. l Right-click a customised role under Role in the Role Management pane, and click Modify Role on the shortcut menu. l Click a role node under Role in the Role Management pane, and then click Modify on the right pane. 3. Under Basic Information, modify the role description and change the locking status of the role as needed. 4. Under Access Rights, modify the operation set of a resource. a. Click the resource node on the Resource Tree. b. Select another operation set from the operation set list.

Note: For description of the role parameters, refer to the section “Creating a Role”.

5. Click OK to finish. – End of Steps –

Result If a user assigned with the role to be modified has already logged in to the system, the system will force the user to log out after the operation permission of the role is successfully modified. The operation permission of this user changes correspondingly after another login.

4-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

4.4 Duplicating a Role Context By duplicating an existing role, either default or customised, you can quickly create a new role similar to the existing role without repeatedly setting the properties for the new role. To create a new role by duplicating an existing role, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Under Role in the Role Management pane, right-click the role to be duplicated under Role, and then click Duplicate Role. 3. Modify parameters on the right pane as needed.

l l

Note: For the description of the role parameters, refer to the section “Creating a Role”. The default AdministratorRole cannot be duplicated.

4. Click OK. – End of Steps –

Result A new role appears under Role on the Role Management navigation tree. If you has not modified the other properties while duplicating the existing role, the newly-created role with a different name has the same operation permission as that of the duplicated one.

4.5 Deleting a Customized Role Context This function allows you to delete an unused role. Note that the default roles cannot be deleted.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Under Role in the Role Management pane, right-click the role to be deleted under Role, and then click Delete Role. 4-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 4 Role Management

3. In the pop-up Delete Role dialogue box, click Yes to delete the role.

Note: Users assigned with the role to be deleted are listed in the Delete Role dialogue box. l l

If the deleted role has been assigned to a user and this user has only been assigned with this role, the user is also deleted. If the deleted role has been assigned to a user and this user has been assigned with other roles besides this role, the operation permissions of this user change correspondingly after the deletion of this role. And if the user has logged in to the system, the user will be forced to log out after this role is deleted.

– End of Steps –

Result The deleted role disappears from the Role Management pane.

4.6 Viewing the Users Assigned with a Selected Role Context This function allows you to view the users to whom a selected role is assigned. When you want to modify or delete a role, you might want to use this function to decide whether to carry out the modification or deletion.

Steps 1. On the main menu, select Security > Role Management to open the Role Management view. 2. Under Role on the tree of the Role Management pane, right-click the role you want to view, and click View Assigned Users, 3. An Assigned Users dialogue box pops up, where you can view the users assigned with that role. 4. Click OK to finish. – End of Steps –

4.7 Locking a Customised Role Prerequisites l

The role to be locked is available and unlocked. 4-7

SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Context The role-locking function only supports customised roles. If you need to lock a customised role, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Do one of the following to display the role-modifying parameters in the right pane. l Right-click a customised role under Role on the tree of the Role Management pane, and click Modify Role from the shortcut menu. l Click a role node under Role in the Role Management pane, and then click Modify on the right pane. 3. Under Basic Information in the right pane, select the Lock the Role check box. 4. Click OK. – End of Steps –

Result If a user has been assigned with the locked role and the user has logged in to the system, the user will be prompted to re-log in. After the user logs in to the system again, the operation set changes correspondingly to No Right.

4-8 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 5

Role Set Management Table of Contents Introduction to Role Set Management.........................................................................5-1 Creating a Role Set ....................................................................................................5-1 Modifying a Customised Role Set...............................................................................5-3 Duplicating a Role Set ................................................................................................5-4 Deleting a Role Set ....................................................................................................5-5 Viewing the Users Assigned with a Selected Role Set ................................................5-6 Locking a Role Set .....................................................................................................5-6

5.1 Introduction to Role Set Management A role set is the collection of several roles. A user assigned with a role set owns the operation permissions specified by all the roles in the role set. By using a role set, you can assign required operation permissions of several roles to a user, without having to assign multiple roles. NetNumen U31 supports the following role set management functions: l l l l l

Creating a Role Set: set the name, description, locking status and role members to create a new role set. Modifying a Role Set: modify the description, locking status, and role members of an existing role. Duplicating a Role Set: duplicate an existing role set and create a new role set based on the information of the duplicated role set. Deleting a Role Set: delete a useless role set. Locking a Role Set: lock a role set to disable the operation permission assigned to the role set.

5.2 Creating a Role Set Context This function allows you to create a role set made up of the roles you select.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view.

5-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

2. In the Role Management pane, right-click Role Set or any node under Role Set, and then click Create Role Set. 3. Set parameters of the new role set in the right pane, as shown in Figure 5-1.

Figure 5-1 Parameters for Creating a Role Set



The button is used to add all roles in the Available Roles list bo

x to the Assigned Rol es list box.

Table 5-1 explains the basic parameters of a role set. Table 5-1 Basic Parameters of a Role Set Parameter

Description

Value Range

Default Value

Enter the role set name in Role Set Name

this box. This parameter is

1–50 character(s)

new roleset1

1–100 character(s)

-

mandatory. Role Set

Enter the description of the role

Description

set. This parameter is optional.

5-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 5 Role Set Management

Parameter

Description

Value Range

Default Value

Select this check box if you want to lock the role set. Once the role set is locked, the user assigned with the role set Lock the Role Set

is deprived of corresponding operation permission. If a user

check box

Not selected

is only assigned with the locked role set, the system does not permit the login of this user any longer. Select the necessary roles, and Available Roles

click

to assign them to the

role set.

Assigned Roles

The first four roles are default, while

Read from the

the others are

existing roles

customised.

This box lists the roles already assigned to the role set.

Available roles in the Available

-

Roles box

4. Click OK. – End of Steps –

Result The newly-created role set appears under Role Set on the Role Management navigation tree.

5.3 Modifying a Customised Role Set Context The role sets created by the user can later be modified, including its description, locking status, and roles assigned. Note that the name of the role set is unmodifiable. To modify a role set after its creation, do the following:

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. On the Role Management navigation tree, right-click the role set to be modified under Role Set, and then click Modify Role Set. 3. Do one of the following to display modifiable parameters of the role set in the right pane. 5-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

l l

Right-click the role set node under Role Set in the Role Management pane, and click Modify Role Set on the shortcut menu. Click the role set node under Role Set in the Role Management pane, and click Modify in the right pane.

Note: For description of the role set parameters, refer to the section “Creating a Role Set”.

4. Under Basic Information, modify the role set description and change the locking status of the role set as needed. 5. Under Role Set Assignment, add new roles to the Assigned Roles list box or remove existing roles from it. 6. Click OK to finish. – End of Steps –

Result If a user assigned with the role set to be modified has already logged in to the system, the system will force the user to log out after the operation permission of the role set is successfully modified. The operation permission of this user changes accordingly upon next login.

5.4 Duplicating a Role Set Context This function copies all attributes of the selected role set to a new one, which you can modify to quickly create a new role set similar to the existing one.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Under Role Set in the Role Management pane, right-click the role set to be duplicated, and then click Duplicate Role Set. 3. Modify parameters in the right pane as needed.

5-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 5 Role Set Management

Note: For description of the role set parameters, refer to the section “Creating a Role Set”.

4. Click OK. – End of Steps –

Result A new role set appears under Role Set in the Role Management pane. If you has not modified the other properties while duplicating the existing role set, the newly-created role set with a different name has the same locking status, description and role members as those of the duplicated one.

5.5 Deleting a Role Set Context This function allows you to delete a useless role set.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. Under Role Set in the Role Management pane, right-click the role set to be deleted, and then click Delete Role Set. 3. In the pop-up Confirm dialogue box, click Yes to delete the role set. – End of Steps –

Result The deleted role set disappears from the Role Management pane.

l l

Note: If the deleted role set has been assigned to a user and this user has only been assigned with this role set, the user is also deleted. If the deleted role set has been assigned to a user and this user has been assigned with other role sets besides this role set, the operation permission of this user changes accordingly after the deletion of this role set. And if the user has logged in to the system, it will be forced to log out after deletion of this role set.

5-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

5.6 Viewing the Users Assigned with a Selected Role Set Context This function allows you to view the users to whom the role set is assigned.

Steps 1. On the main menu, select Security > Role Management to open the Role Management view. 2. Right-click a role set on the navigation tree, and click View Assigned Users, 3. The Assigned Users dialogue box pops up, listing all the users assigned with the role set selected in step 2. 4. Click OK to finish. – End of Steps –

5.7 Locking a Role Set Abstract After a role set is locked, the user(s) assigned with the role set cannot perform the operations in the role set.

Prerequisites The role set to be locked is available and unlocked.

Steps 1. On the menu bar of the client window, click Security > Role Management to open the Role Management view. 2. On the Role Management pane, right-click the role set to be locked under Role Set, and then click Modify Role Set. 3. Under Basic Information in the right pane, select the Lock the Role Set check box. 4. Click OK.

5-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 5 Role Set Management

Note: If a user is assigned with the role set and the user has logged in to the system, the user will be prompted to re-log in. After the user logs in to the system again, the user will be assigned with the No Right operation set.

– End of Steps –

5-7 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

This page intentionally left blank.

5-8 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 6

Department Management Table of Contents Introduction to Department Management....................................................................6-1 Creating a Department ...............................................................................................6-1 Modifying a Department .............................................................................................6-3 Deleting a Department ...............................................................................................6-3

6.1 Introduction to Department Management The concept of department is used in the NetNumen U31 system for managing users according to their actual administrative divisions. In practical applications, you can create departments where users belong according to the functions of actual network management departments. NetNumen U31 supports the following department management operations: l l l

Creating a Department Modifying a Department Deleting a Department

6.2 Creating a Department Context The system provides a root department by default. All newly-created departments are subordinates of the root department. To create a new department, do the following:

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management view. 2. On the tree in the User Management pane, right-click Root Department, and click Create Sub-department to activate the Basic Information tab in the right pane, as shown in Figure 6-1.

6-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Figure 6-1 Department Basic Information

3. Set parameters for the new department. a. On the Basic Information tab, type the department name and description in the Department Name and Department Description boxes. b. On the Root Department tree, select the superior department for the department to be created. Table 6-1 describes the parameters on the Basic Information tab. Table 6-1 Description of Department Parameters Parameter

Department Name

Department Description

Root Department Tree

Description

The department name. This parameter is mandatory.

Value Range

Default Value “New Depart-

1–50 character(s)

ment”+Number (A sequence number)

The description of the department to be created.

1–100 character(s)

-

This parameter is optional. Set the superior department to which the new department belong.

Departments from the navigation tree

Root Department

4. Click OK to create the new department. – End of Steps –

6-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 6 Department Management

Result The newly-created department appears on the User Management navigation tree.

6.3 Modifying a Department Context An existing department can be modified as needed, including its description and superior department.

Note: You can also modify the name of the default root department provided by the system according to the actual situation.

To modify a department, do the following:

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management view. 2. Do one of the following to activate the Basic Information tab in the right pane: l On the tree in the User Management pane, right-click the department to be modified, and then click Modify from the shortcut menu. l On the bottom of the Basic Information tab, click the Modify button. 3. On the Basic Information tab, modify the description of the department, and/or change its superior department as needed. 4. Click OK to save the modification. – End of Steps –

6.4 Deleting a Department Context When a department is no longer in use, you can delete it. Note that a department that has sub-departments cannot be deleted. Therefore, if the department has subordinate departments and users, remove the subordinate departments and users first before deleting it.

6-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management view. 2. On the tree in the User Management pane, right-click the department to be deleted, and then click Delete on the shortcut menu. 3. In the pop-up Confirm dialogue box, click Yes to delete the department. – End of Steps –

Result The deleted department disappears from the User Management pane.

6-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 7

User Management Table of Contents Introduction to User Management...............................................................................7-1 Creating a User ..........................................................................................................7-1 Modifying a User ........................................................................................................7-6 Duplicating a User ......................................................................................................7-8 Deleting a User ........................................................................................................7-10

7.1 Introduction to User Management User management is the most important part of the security management. By using user management functions, the system administrator can create users, query the information of users, modify users, assign rights to users, set the working period for users, query the login logs of users, delete users, and lock users. After creating new users, the administrator must ensure that only trustworthy people have the created user accounts and each person has a proper account. You can use the name and password of a created user to log in to the NetNumen U31 system and perform management operations according to the operation permission assigned to the user.

7.2 Creating a User Context As an administrator, you can create a user by setting its user name and password. Besides, you can set the following parameters: l l l l l l l

account valid duration role (role set) department concurrent logins working time range login IP address login MAC address

The maximum number of sessions supported by the system depends on the installation mode: 1. Installation mode 1: 20 sessions 2. Installation mode 2: 50 sessions 7-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

3. Installation mode 3: 100 sessions 4. Installation mode 4: 200 sessions

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management window. 2. In the left User Management pane, right-click a department node on the Root Department tree, and then click Create User to activate the tabs in the right pane, as shown in Figure 7-1.

Figure 7-1 Creating a User (Basic Information Tab)

3. On the Basic Information tab, set the basic information by referring to parameters explained in Table 7-1 Table 7-1 Parameters on the Basic Information Tab Parameter User Name Full Name

Description

Value Range

The user name, which will be used for login. This parameter is mandatory. Detailed information related to the new user.

1 to 30 character(s) 1 to 100 character(s)

7-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 7 User Management

Parameter

Description

Value Range

The login password, whose length must meet User Password

the requirements specified by the user account rule. For how to view and customise the user

1 to 100 character(s)

account rule, please refer to Chapter 2.

Confirm Password

Type the same password again in this box to confirm the password.

User Must Modify

To require the user to modify the password

Password Before Next

before logging in to the system again, select

Login

this check box.

User Can not Change

To forbid the user to change the password,

Password

select this check box.

Set User Maximum

Select this check box to set the maximum

Password Age (days)

password validity duration.

Set User Minimum

Select this check box to set the minimum

Password Age (days)

password validity duration.

Disable

Auto Disable in Case of Idle Account for the Following Period(days)

Set Account Validity

Select this check box, and the created user is disabled and can not be used for login.

1 to 100 character(s)

-

-

1 to 500

1 to 499

-

Select this check box to set the restriction on idle days of the account, and the system will automatically disable the user when the

1 to 500

account is not used for the preset period (days).

Set the validity period of the user account.

1 to 500

Set Account Stop

Set the duration in which the account is

1 to 500 (default value:

(days)

disabled.

90)

(days)

7-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Note: The User Status area on the lower part of the Basic Information tab shows the information of the user after successful creation of the user, including the creator, creation time, and password activation time of the user.

4. Click the Right tab, and then select one or more role(s) and/or role set(s) that you want to assign to the user.

Note: Click creating new roles or role sets.

, to open the Role Management view for

5. Click the Log View Range tab, and set the log viewing rights bye selecting one or more roles from the Role Tree.

Note: A user assigned with the administrator role can view the all logs. Other users can only see the logs of itself and of the users with roles specified in this step.

6. Click the User Department tab, and then select the department that the user belongs to.

Note: A user can only belong to one department. The default department of a new user is the Root Department.

7. Click the Advanced Information tab to set the advanced information of the new user by referring to Table 7-2. The tab is shown in Figure 7-2.

7-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 7 User Management

Figure 7-2 Creating a User (Advanced Information Tab)

On the Advanced Information tab, you can add more user information, and restrict the work time duration and allowed IP range. Table 7-2 Description of Advanced User Parameters Parameter User Descriptions

Phone Number

Email

Description

Value Range

The detailed information of the user to be created. This parameter is optional. The phone number of the user. This

1 to 50 number(s) and

parameter is optional.

hyphen(s)

A valid Email address. This parameter is optional. The maximum number of concurrent login

Concurrent Logins

users that use the same user account. (The system supports ten concurrent users by default)

Login Type

1 to 100 character(s)

Login type of the user.

1 to 100 characters

1 to 255 default value: 10 Suggested value: 1 l

Password(Default)

l

USBKey

Click Set Or View the Working Time to set User Working Time

or view the working hours and holidays of

All hours

the user.

7-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Parameter

Description

Value Range

Click Add to set the allowed IP range IP Range

for login. The login from out-of-range IP addresses will be refused.

GUI MAC Bind Setting

Click Add to set the allowed MAC address.

0.0.0.0 to 255.255.255.255 Valid MAC address

Note: If the value of Concurrent Logins is set to a number larger than 1, multiple users can use the same account. In this case, it is difficult to decide which user performs a certain operation. Therefore, it is recommend to set this parameter to 1.

8. Click the Operator Information tab, and set the information of the telecommunications operator (the operation can be performed when the RAN network sharing function is enabled). Condition

Operation

The operator has been added.

i.

Select the Set PLMN Information of the User check box.

ii.

Select the PLMN information from the drop-down box.

The operator has not been added.

i.

Click the View or Set Operators button.

ii.

In the Operator Maintenance dialog box, add the operator information.

9. Click OK to finish – End of Steps –

Result The newly-created user appears on the tree in the User Management pane.

7.3 Modifying a User Context All properties of an existing user can be modified except the user name. modification, you can also view the attributes of a user.

Before

7-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 7 User Management

Note: You can also modify the default system administrator (admin) provided by the system as an administrator. However, some of the admin user’s properties can not be modified. For example, it is not allowed to change the user working time or disable the admin account.

To modify the attributes of a user, do the following:

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management view. 2. Do one of the following to activate the tabs in the right pane, as shown in Figure 7-3. l In the User Management pane, right-click the user to be modified and then click Modify on the shortcut menu. l In the User Management pane, click the user to be modified, and then click Modify in the right pane.

Figure 7-3 Modifying a User

7-7 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Note: For the description of parameters on these tabs, refer to the previous section “Creating a User”.

3. On the Basic Information tab, modify the basic parameters of the user except the user name. 4. If you want to reassign role(s) or role set(s) to the user, click the Right tab and then modify the selection of role(s) or role set(s) as needed. 5. If you want to change the log viewing rights of the user, click the Log View Range tab, and select necessary role(s) whose logs the user can view. 6. If you want to change the department of the user, click the User Department tab and then select the department you want. 7. If you want to modify the advanced information of the user, including detailed information, phone number, Email address, and IP range, click the Advanced Information to modify parameters as needed. 8. Click OK to save the modifications. – End of Steps –

Result The attributes of the user changes accordingly after modification.

Note: If the operation permissions of a login user are modified, the system will force the user to log out. After another login, the user permissions will be updated. If the password of a login user is modified, the system will force the user to log out. After another login, the user permissions will be updated.

7.4 Duplicating a User Context By duplicating an existing user, you can quickly create a new user similar to the existing one by modifying required parameters already set for the existing user.

7-8 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 7 User Management

Note: The system does not support the duplication of the default system administrator (admin).

To create a new user by duplicating an existing user, do the following:

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management view. 2. In the User Management pane, right-click the user to be duplicated, and then click Duplicate to activate the tabs in the right pane, as shown in Figure 7-4.

Figure 7-4 Duplicating a User

3. On the Basic Information tab, enter a new user name in the User Name text box.

Note: The name of a user must be unique in the system.

7-9 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

4. If you want to create a new user with the same properties as the duplicated user, proceed to the next step. If you want to modify some attributes to create a user with different properties, modify parameters on the corresponding tabs. 5. Click OK. – End of Steps –

Result A new user appears on the tree in the User Management pane.

7.5 Deleting a User Context When a user is no longer in use, you can delete it. administrator (admin) cannot be deleted.

Note that the default system

Steps 1. On the menu bar of the client window, click Security > User Management to open the User Management view. 2. On the User Management pane, right-click the user to be deleted, and then click Delete. 3. In the pop-up Confirm dialogue box, click Yes to delete the user. – End of Steps –

Result The user disappears from the User Management pane. If the user has logged in to the system, it will be forced to log out. The deleted user cannot be used any longer.

7-10 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 8

Other Functions Table of Contents Viewing User Lockup Records....................................................................................8-1 Modifying the Passwords of All Common Users..........................................................8-2 Managing Current Login Users...................................................................................8-2 Set User Blacklist .......................................................................................................8-3 Viewing the Network Element Login Users .................................................................8-4 Modifying the User Login Password ...........................................................................8-5 User Login..................................................................................................................8-5

8.1 Viewing User Lockup Records Context If the number of times that a user types the wrong passwords exceeds the preset number in the user account rule, the system will lock the user account. You can view the locked user accounts and unlock them after logging in to the system as an administrator.

Note: For the description of the user account rule, refer to the section “Customising User Account Rule” in Chapter 2 in this operation guide.

To view the user lockup records, do the following:

Steps 1. On the menu bar of the client window, click Security > User Lock Details. 2. View the user lockup records in the pop-up User Lock Details dialogue box, which lists the user name, IP address, and the locking time.

Tip: To get the latest information of locked user accounts, you can click Refresh.

8-1 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

3. If you do not wish to unlock any locked user, go to step 4. If you need to unlock a locked user, select the corresponding row, and click Unlock. Then click Yes in the pop-up Confirm dialogue box. 4. Click Close to finish. – End of Steps –

8.2 Modifying the Passwords of All Common Users Context A common user refers to a non-administrator user. This function allows you to set the passwords of all common users as the same one. The new unified password is not restricted by any password rule. However, any common user can change their own password after this modification, except that the specific user’s password used before this modification cannot be used during the next 100 days.

Steps 1. On the menu bar of the client window, click Security > Modify All Common Users' Password to open the Modify All Common Users' Password dialogue box. 2. Type the same password in the New Password and Confirm Password boxes. 3. Click OK. – End of Steps –

Result The passwords of all common users are set as the same one.

8.3 Managing Current Login Users Context This function allows you to view the information of all current login users of the EMS system, including the following details: l l l l l

User name Login IP Login time Connection Type Idle duration

Steps 1. On the menu bar of the client window, click Security > Login User Management to open the Login User Management dialogue box, as shown in Figure 8-1. 8-2 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 8 Other Functions

Figure 8-1 Login User Management

2. Click a user in the Login User Management dialogue box, and choose one or more of the following operations to manage login users if necessary. l Click Send Message to send a message to another client that connects to the same NetNumen U31 server (same IP address) that the current client connects to. l Click Force to Log out to force the user to log out. l Click Refresh to get the latest information of login users. 3. Click Close to finish. – End of Steps –

8.4 Set User Blacklist Context Only the administrator user is authorised to set the blacklist. The users in the blacklist can not log in to the system.

Steps 1. On the main menu, click Security > User Blacklist to open the User Blacklist dialogue box, in which the All Users pane and the Users in blacklist pane list all non-blacklist and blacklist users respectively. 2. Set the blacklist users in the User Blacklist dialogue box by referring to Table 8-1. Table 8-1 Button Description Button

Function

Add the user into the User Blacklist. Remove the user from the User Blacklist. 8-3 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Note: To select more than one users, you can press and hold CTRL or SHIFT on the keyboard in selecting users.

3. Click OK, and the Confirm dialogue box opens. 4. Click OK to finish.

Note: Reverse the operation to remove a user from the blacklist.

– End of Steps –

8.5 Viewing the Network Element Login Users Context This function allows you to view the users that log into the lower-level EMS. The information you can get include l l l l l

NE server name User name Login IP Login time Connection type

Steps 1. On the main menu, click Security > View NE Login User to open the View NE Login User dialogue box. 2. Click Refresh to refresh the NE login user’s information. 3. Click Close to close the dialogue box and finish. – End of Steps –

Result The information of the NE login users is displayed.

8-4 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Chapter 8 Other Functions

8.6 Modifying the User Login Password Abstract The only password of login users can be modified. A user password must contain at least 6 characters, which should be a combination of at least three types of the following characters: numbers, lower-case letters, upper-case letters, and other characters. The password must not be identical with the user account. It cannot be the reverse of the user account. It cannot be a common word. During password modification, the new password must be different from the previous five passwords.

Note: After the initial installation, the password of the system administrator (admin) is null. It is strongly recommended that you modify the password of user admin after the initial installation.

Steps 1. In the main menu, select System > User Password Setting from the main menu. The User Password Setting dialog box appears. 2. Set the new password, and click OK. Error messages l l l

l

New password cannot be the same as the old one. Password is too short. Password does not match the following rule: password must include at least three of the following four types: numbers, lowercase letters, uppercase letters, other characters. Password does not match the following rule: password cannot be the same as user name; Can not be the same as double repeat of username; Can not be the reverse of user name.

– End of Steps –

8.7 User Login Steps 1. Start the NetNumen U31 client. 2. Log in to the client with an existing user account.

8-5 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

NetNumen™ U31 R18 Security Management Operation Guide

Tip: If the user account does not exist or the password is incorrect, SSH failed is prompted. After a successful login, the number of login failures of the current user, and the last successful login date and time are displayed on the status bar of the NetNumen U31 client.

Error messages l l l l l l l l l l l l l

SSH failed User does not exist. It may be deleted. User password is incorrect. Client’s IP address is invalid. Client’s MAC address is invalid. Not in work time. The user’s password is expired. The user account is expired. The user is locked. The user is automatically disabled because of no login for days. Maximum number of connections for the user is already reached. The max. client num of the system supported is reached, can not login! The user was set in the blacklist by admin, is forbidden to login.

– End of Steps –

8-6 SJ-20110823134613-005|2011-09-23(R1.0)

ZTE Proprietary and Confidential

Figures Figure 1-1 Relation Model of Security Management.................................................. 1-3 Figure 1-2 Centralized Security Management ........................................................... 1-7 Figure 2-1 Customising User Account Rule............................................................... 2-2 Figure 3-1 Operation Set List .................................................................................... 3-3 Figure 3-2 Viewing Permitted Operations.................................................................. 3-7 Figure 4-1 Setting Parameters for a New Role .......................................................... 4-2 Figure 4-2 Role Right Icon Description...................................................................... 4-4 Figure 5-1 Parameters for Creating a Role Set ......................................................... 5-2 Figure 6-1 Department Basic Information.................................................................. 6-2 Figure 7-1 Creating a User (Basic Information Tab)................................................... 7-2 Figure 7-2 Creating a User (Advanced Information Tab)............................................ 7-5 Figure 7-3 Modifying a User...................................................................................... 7-7 Figure 7-4 Duplicating a User ................................................................................... 7-9 Figure 8-1 Login User Management.......................................................................... 8-3

I

Figures

This page intentionally left blank.

Tables Table 1-1 Security Management Example ................................................................. 1-4 Table 2-1 Parameters for Customising User Account Rule ........................................ 2-2 Table 4-1 Basic Parameters of a Role ....................................................................... 4-3 Table 4-2 Access Rights Parameters ........................................................................ 4-3 Table 5-1 Basic Parameters of a Role Set................................................................. 5-2 Table 6-1 Description of Department Parameters ...................................................... 6-2 Table 7-1 Parameters on the Basic Information Tab .................................................. 7-2 Table 7-2 Description of Advanced User Parameters ................................................ 7-5 Table 8-1 Button Description ..................................................................................... 8-3

III

Tables

This page intentionally left blank.

Glossary BSC - Base Station Controller BTS - Base Transceiver Station EMB - Enterprise Message Bus EMS - Network Element Management System GUI - Graphical User Interface J2EE - JAVA 2 platform Enterprise Edition

V

More Documents from "Vittola"