Administering Users and Roles

The Device Command and Control User Interface (DCC UI) stores users and roles in a single data store
and uses that administration information across all DCC UI components.
The authorization for the DCC UI resources is controlled by the Admin functionality of the DCC UI. The
Authorization system is linked to Roles Administration and provides access control based on role specifications
for all the applications installed on the DCC UI.
You can access only the role-specific applications for which you are authorized. Access to an application is
specific to a role; if the tabs for an application do not appear after you log in, access to that application
is denied.
Log in to the DCC UI using your password credentials. The DCC UI login and authentication system verifies
the login credentials and authentication details. The Device Command and Control screen is displayed, with
the tabs that you are authorized to use. By default, the Users tab is enabled in the left navigation pane. Select
the Users tab to view the Users and Roles interface.
Figure 1: Users and Roles Screen
All the users assigned to a specific role on the DCC UI are displayed on the screen. Each Role provides
access to the various applications of the DCC UI as read-only or read-write. For example, the superuser role
provides the most access to all applications of the DCC UI. However, you can define a very limited role that
provides only read-only access to the device manager, and not include access to the group and ID pool
interface. Once you have defined your roles, you can assign them to each of your users as needed.
Cisco RAN Management System Administration Guide, Release 5.1 MR
• PAM Authentication
• User Roles and Access Permissions
• Managing Roles
• Managing Users
• User Administration: Messages
PAM Authentication
The Pluggable Authentication Module (PAM) is supported for DCC_UI to allow users to log in with their
own credentials through any defined Unix PAM service, such as LDAP, SSH, or RADIUS.
The DCC UI allows a user to be provisioned as an internal or external user for authentication purposes
through the Add User and Edit User functionality.
Internal user authentication is handled by the DCC UI application through the dcc_ui database entries.
External user authentication is handled by PAM through PAM service modules. Such users are not
authenticated by the DCC UI.
PAM authentication is driven by the following two preloaded properties in dcc.properties:
pam.service.enabled= true
pam.service= login
All users must be provisioned in the DCC_UI before they log in, so that a role authorization is specified
for every user.
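A check an administrator can run against these two properties, given here as an added example that is not part of the Cisco guide. It assumes a Linux-PAM host where each service is a file under /etc/pam.d; the location of dcc.properties is not stated above, so it is passed as an argument, and the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example: audit the PAM settings selected by a dcc.properties file.
# Exit codes (chosen for this example): 0 = OK, 1 = PAM disabled, 2 = misconfigured.

# Print the value of one key from a Java-style properties file.
# Comment lines never match; whitespace around the value is trimmed; last entry wins.
prop() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # match the dots in the key literally
    sed -n "s/^[[:space:]]*$key[[:space:]]*[=:][[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

check_dcc_pam() {
    props=$1
    pamdir=${2:-/etc/pam.d}          # Linux-PAM default directory (assumption)
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 2; }

    enabled=$(prop pam.service.enabled "$props")
    service=$(prop pam.service "$props")

    if [ "$enabled" != "true" ]; then
        echo "pam.service.enabled is '$enabled': PAM authentication is switched off"
        return 1
    fi
    # The service name selects a file under pam.d, so it must be a plain file name.
    case $service in
        ''|*/*|.*) echo "unusable pam.service value '$service'"; return 2 ;;
    esac
    stack=$pamdir/$service
    if [ ! -f "$stack" ]; then
        # Linux-PAM applies the 'other' service when no file matches the name.
        echo "no stack $stack: PAM would fall back to the 'other' service"
        return 2
    fi
    # Anyone able to rewrite the stack controls how external users are authenticated.
    if [ -n "$(find -L "$stack" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "$stack is group- or world-writable"
        return 2
    fi
    echo "PAM enabled: service '$service' uses $stack"
}

# Run the check when the script is called with arguments.
if [ "$#" -gt 0 ]; then check_dcc_pam "$@"; fi
```

Run it as `sh check_dcc_pam.sh <path to dcc.properties>`; the script name is arbitrary, and a second argument overrides the PAM directory.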
User Roles and Access Permissions
The functions that you can perform in the system depend on the permissions you have been granted. Your
ability to change information in the system depends on whether you have read-only or read-write permission.
This table lists the permissions required for each functionality:
Table 1: User Roles and Group Type Permissions
Functionality | Description | Permission Allows Functionality: Read-only | Permission Allows Functionality: Read-write
View Group Types table | There is no “View” button. This is simply entry into the Group Types page to view the group types and their attributes. | Yes | Yes
Add Group Type | Add a new group type | — | Yes
Update Group Type | Modify an existing group type | — | Yes
Delete Group Type | Delete a group type | — | Yes
Import Group Types | Import a group type (or set of group types) via CSV text file | — | Yes
Export Group Types | Export all group types to a CSV text file | Yes | Yes
Managing Roles
Adding a Role
You can define roles that can then be assigned to various users who should have similar access rights to the
DCC UI.
Procedure
Step 1
In the left navigation bar of the Administration interface, select the Roles tab.
The Roles screen is displayed with each of the defined Roles and their permissions.
Note
By default, the Superuser option is displayed under the Roles list.
Step 2
Click Add, to add a new role.
The display is changed for you to define the new role.
Step 3
Enter a name for the new role in the RoleName text box.
Step 4
Update the properties: Password Lifetime, Password Warning Period, and Password Grace Period, if required.
Step 5
Select the individual privileges that are to be assigned for the specific DCC UI components.
For example, to allow read-write access for creating group types, click ReadWrite under Group Types.
Step 6
After you have assigned any desired privileges, click Add Role.
The Add Role button is enabled only after selecting at least one privilege.
Step 7
If necessary, click Reset, to revert the changes and change the privilege settings.
Editing a Role
Use this task to edit an existing role.
Procedure
Step 1
In the left navigation bar of the Administration interface, select the Roles tab.
The Roles screen is displayed with each of the defined Roles and their permissions.
Note
By default, the Superuser option is displayed under the Roles list.
Step 2
Select the role that you want to change and click Edit.
The display is changed for you to define the role.
Step 3
Select the individual privileges that are to be assigned for the specific DCC UI components.
For example, to allow read-write access for creating group types, click ReadWrite under Group Types.
Step 4
Update the properties: Password Lifetime, Password Warning Period, and Password Grace Period, if required.
Step 5
After you have changed any desired privileges, click Update Role.
The Update Role button is enabled only after changing at least one privilege.
Step 6
If necessary, click Reset, to revert the changes and change the privilege settings.
Deleting a Role
Procedure
Step 1
In the left navigation bar of the Administration interface, select the Roles tab.
The Roles screen is displayed with each of the defined Roles and their permissions. You can delete a role
from the Roles screen of the DCC UI Administration interface, if no users are assigned to the role.
Step 2
Select the role from the display and click Delete.
Note
System roles cannot be deleted. Default system roles can be identified using the column 'System Role' for
a particular role.
Managing Users
Adding a User
By enabling the administrative feature, you can perform user administration for all the applications installed
on the DCC UI. With 'Application Administrator' access, you can perform user administration for the
application you are authorized for. It is similar to Role administration. User administration requires 'Super
User' access.
Procedure
Step 1
In the left navigation bar of the Administration interface, select the Users tab.
The Administration screen is displayed in the right pane with the list of defined users and their assigned
roles.
Step 2
Click Add to add a new user.
The Add User dialog box is displayed for you to provide information about the user.
Step 3
Enter a name for the new user.
The name must be unique. If you try to give a name which already exists, you will get an error message.
Step 4
Select the role to be assigned to the user from the Role drop-down list box.
Step 5
Check the Is External User checkbox if the user is not authenticated from this application.
Step 6
Click Add User.
The new user is added to the application and is listed in the user administration display in the right pane.
Editing a User
The Edit User screen lets an administrator edit an existing user for a given application.
Procedure
Step 1
In the left navigation bar of the Administration interface, select the Users tab.
The Administration screen is displayed in the right pane with the list of defined users and their assigned
roles.
Step 2
Select a user from the display and click Edit to make changes to the user definition.
The Edit User dialog box is displayed for you to make the required changes.
Step 3
Check the Password Reset checkbox if you want to reset the password to the default password.
Step 4
Select the role to be assigned to the user from the Role drop-down list box.
Step 5
Check the Is External User checkbox if the user is not authenticated from this application.
If the user is an external user, the password reset option is not applicable.
Step 6
Check the Lock Status checkbox if you want to lock the user. A locked user is not allowed to log in to this
application unless the Lock Status checkbox is unchecked.
Step 7
Click Update.
Note
When editing a user, the Lock User option is displayed in the Edit window. To lock a user, check
the Lock Status checkbox.
• For 'pmgadmin', system user password reset is not allowed because the DCC UI to PMG
communication occurs using only the 'pmgadmin' user.
• Except password reset, default system users (like rmsadmin, pmgadmin, pmguser, dccadmin) cannot
be edited.
Deleting a User
A user can be deleted from the User Administration interface.
Procedure
Step 1
In the left navigation bar of the Administration interface, select the Users tab.
The Administration screen is displayed in the right pane with the list of defined users and their assigned
roles.
Step 2
Click the user that you want to delete and click the Delete icon in the Delete column of the display. The user is
deleted and the display is refreshed.
Note
A logged in user cannot be deleted.
Note
Default system users (like rmsadmin, pmgadmin, pmguser, dccadmin) cannot be deleted.
User Administration: Messages
This table lists the status messages that can be displayed when adding or updating a user:
UI Message | Description
Successfully added '<userName>'. |
Username '<userName>' already exists. Please try another Username. | The user name provided by the user exactly matches an already-existing user name on the Database.
Unable to add new user '<userName>'. | Generic error message for such scenarios as the Database is unavailable.
Unable to update user '<userName>'. | Generic error message for such scenarios as the Database is unavailable.