Managing Security
This chapter describes how Cisco ANA implements a two-dimensional security engine combining a role-based security mechanism with scopes (groups of NEs) that are granted to users. In addition, it describes managing users in the Cisco ANA platform, including defining users and passwords.
This chapter includes the following sections:
• Security Overview
• Customizing Security Flow
• Creating Scopes
• Creating New Cisco ANA User Accounts
• Granting or Editing User Rights
• Deleting a Cisco ANA User Account
• Changing User Passwords
Security Overview
This section describes the security related concepts and terms used in Cisco ANA Manage.
Scopes
Cisco ANA Manage enables you to group a collection of managed NEs so that users can view and manage the NEs based on their user role or permission.
After you allocate a scope (list of NEs) and a role to a user, the user can perform various activities on the NEs included in the scope, as follows:
• Activate services.
• Manage alarms in Cisco ANA NetworkVision.
• Manipulate graphical NEs in the map.
• View NE, inventory, and link properties.
• Add NEs to the map view.
• Manipulate business tags per NE.
• Manage advanced options such as show counters, show utilization, and refresh.
By default, Cisco ANA includes a preconfigured scope, All Managed Elements, for your use. This default scope, which cannot be edited or deleted, includes all managed NEs. A user granted the All Managed Elements scope can view and manage all NEs at any time according to the user role assigned to the scope.
Default Permissions
The role or default permission applies only to the activities that are related to GUI functionality, not the activities related to NEs. Default permissions include:
• Application login.
• Alarm management in Cisco ANA NetworkVision.
• Map management: creating, deleting, and opening maps.
• Map manipulation: arranging maps, adding NEs, managing aggregations, placing NEs in the map, and setting the map background.
• Business tag management.
Security Access Roles
Cisco ANA provides five predefined security access roles that you can grant to users to enable system functions (see Table 10-1).
Table 10-1 Security Access Roles
Security Access Role | Description
Administrator | Manages the system configuration and security. Cisco ANA Manage supports multiple administrators.
Configurator | Activates services and configures the network.
Operator Plus | Manages the alarm lifecycle.
Operator | Configures business tags and manages most day-to-day operations.
Viewer | Has view-only access to the network and to nonprivileged system functions.
When a new user is defined as an Administrator, this user can perform all administrative actions, including opening all maps, working with all scopes, and managing the system using Cisco ANA Manage. These activities are performed with the highest privileges. Cisco ANA Manage supports multiple administrators. Access rights do not need to be defined for an administrative user. For more information, see Security Access Roles.
Note
Roles can be granted per scope or at the application level; the application-level (default) role covers only activities related to GUI functionality, not activities related to devices. Users can have different roles for different scopes. Role functionality is incremental: each role includes the capabilities of the roles below it.
Table 10-2 describes role functions according to the default permission and scope-based functionality.
Table 10-2 Roles, Default Permission, and Scope-Based Functionality

Role: Administrator
Default permission-based functionality:
  Platform management:
  • Manage Cisco ANA servers, AVMs, transport, and VNEs.
  • Manage global settings: polling groups, protection groups, client licenses, and service disclaimers.
  • View DB segments.
  • Create and delete scopes.
  • Manage user accounts.
  • Manage static topology links.
  • Manage VNEs from Cisco ANA Manage or Cisco ANA NetworkVision.
  Map management:
  • Open, edit, and delete all user maps.
Scope-based functionality:
  (None listed; an administrator works with all scopes and needs no per-scope access rights.)

Role: Configurator
Default permission-based functionality:
  Map management:
  • Create maps.
  Advanced tools:
  • Ping and Telnet an NE directly from the client.
  • Enable and disable port alarms.
  • Cisco ANA Command Builder.
Scope-based functionality:
  Activation services:
  • Allow activation commands per managed NE.

Role: Operator Plus
Default permission-based functionality:
  Map management:
  • Create new maps and add NEs.
  • Edit, delete, and rename maps.
  • Save maps.
  Map manipulation:
  • Create and break aggregations.
  • Change map layout.
  • Set background image.
  • Create business links.
Scope-based functionality:
  Alarm management:
  • Acknowledge, remove, and clear alarms that belong to NEs in a scope for which the user holds the Operator Plus role.
  Map manipulation:
  • Create business tags for NEs.
  Display network information:
  • Include path tool traffic, rates, drops, or any dynamic data.

Role: Operator
Default permission-based functionality:
  Map manipulation:
  • Create and delete business tags.
  Application:
  • Open Cisco ANA EventVision.
Scope-based functionality:
  Display network information:
  • Refresh port information from the NE.

Role: Viewer
Default permission-based functionality:
  Application:
  • Log into Cisco ANA NetworkVision and Cisco ANA EventVision.
  • Change user password.
  • View the device list.
  • View map.
  • View link properties.
  • Use table filter.
  • Export from any table.
Scope-based functionality:
  Display network and business tag information:
  • View alarm list, alarm properties, and find alarms.
  • Find and view attachments.
  • View NE properties and inventory.
  • Calculate and view affected parties.
  • Open port utilization graph.
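The two-dimensional check that the overview and Table 10-2 describe, as an added example in Python (not Cisco ANA code): the default role governs GUI activities, the role granted on a scope governs activities on that scope's NEs, roles are incremental, and an Administrator needs no per-scope rights. The activity names, scope names and NE names are constructed, and the activity-to-role mapping is a small sample drawn from the table.

```python
# Added example (not Cisco ANA code): a minimal model of the security engine
# described above. A user's default role governs GUI-only activities; the
# role granted on a scope governs activities on the NEs in that scope.
# Role functionality is incremental, and an Administrator is unrestricted.
# The activity names, scope names and NE names below are constructed.

# Roles from least to most privileged; a higher role includes the lower ones.
ROLE_RANK = {"Viewer": 0, "Operator": 1, "Operator Plus": 2,
             "Configurator": 3, "Administrator": 4}

# Minimum role for a few activities, taken from Table 10-2.
GUI_ACTIVITY_MIN_ROLE = {      # checked against the user's default role
    "open_map": "Viewer",
    "manage_business_tags": "Operator",
    "create_map": "Operator Plus",
    "command_builder": "Configurator",
    "manage_user_accounts": "Administrator",
}
NE_ACTIVITY_MIN_ROLE = {       # checked against the role held on the NE's scope
    "view_inventory": "Viewer",
    "refresh_port_info": "Operator",
    "acknowledge_alarm": "Operator Plus",
    "activate_service": "Configurator",
}

ALL_MANAGED_ELEMENTS = "All Managed Elements"   # preconfigured scope holding every NE

class User:
    def __init__(self, name, default_role="Viewer", scope_roles=None):
        # Page defaults for a new user: Viewer default role, no scopes assigned.
        self.name = name
        self.default_role = default_role
        self.scope_roles = dict(scope_roles or {})   # scope name -> role on that scope

def has_at_least(role, required):
    return ROLE_RANK[role] >= ROLE_RANK[required]

def role_on_ne(user, ne, scopes):
    """Highest role the user holds on any assigned scope that contains this NE."""
    best = None
    for scope, role in user.scope_roles.items():
        if scope == ALL_MANAGED_ELEMENTS or ne in scopes.get(scope, ()):
            if best is None or ROLE_RANK[role] > ROLE_RANK[best]:
                best = role
    return best

def is_allowed(user, activity, scopes, ne=None):
    """True if the activity is permitted; NE activities also need the NE's scope."""
    if user.default_role == "Administrator":
        return True                       # administrators need no per-scope rights
    if activity in GUI_ACTIVITY_MIN_ROLE:
        return has_at_least(user.default_role, GUI_ACTIVITY_MIN_ROLE[activity])
    role = role_on_ne(user, ne, scopes)   # None if the NE is in none of the user's scopes
    return role is not None and has_at_least(role, NE_ACTIVITY_MIN_ROLE[activity])

# Constructed scopes: two groups of NEs, as an administrator would define them.
SCOPES = {"Core Routers": {"core-rtr-1", "core-rtr-2"}, "Edge Routers": {"edge-rtr-1"}}
```

An NE that is in none of the user's scopes yields no role at all, so even a Viewer-level activity on it is refused; granting the All Managed Elements scope removes that restriction.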
Customizing Security Flow
Figure 10-1 and the subsequent text describe the steps required to customize security using Cisco ANA Manage, and the order in which the steps must be performed.
Figure 10-1 Customizing Security Flow
1.
Install licenses. This allows you to control and monitor the number of client and BQL connections over a limited or unlimited period of time based on the client licenses installed. For more information, see Managing Client Licenses, page 7-1.
2.
Define scopes. This enables you to group specific managed NEs so that users can view and manage those NEs based on their individual user role. For more information, see Creating Scopes.
3.
Define Cisco ANA user accounts. This enables you to define and manage user accounts. For more information, see Creating New Cisco ANA User Accounts.
4.
Grant scopes and roles to users. This enables you to manage general user account information, the list of scopes assigned to each user, and security access roles per scope. For more information, see Granting or Editing User Rights.
Creating Scopes
Cisco ANA Manage enables you to group specific managed NEs so that users can view and manage those NEs based on their user role or permission.
After a scope is created, it can be assigned to a user. Multiple scopes can be assigned to a single user and a single scope can be assigned to multiple users. When the scope is assigned to a user, you must provide the user with security access roles that define the user's role within the assigned scope. See Granting or Editing User Rights.
To create a scope:
Step 1
Select Scopes in the Cisco ANA Manage window.
Step 2
Open the New Scope dialog box in one of the following ways:
• Right-click Scopes, then choose New Scope.
• Choose File > New Scope.
• Click New Scope in the toolbar.
Step 3
In the Scope field, enter a name for the scope.
Step 4
Specify the devices to include in the scope:
• To add devices to the scope, select the required devices from the Available Devices list and then click Add All or Add Selected to move the devices to the Active Devices list.
• To remove devices from the scope, select the devices in the Active Devices list and then click Remove Selected or Remove All to move the devices to the Available Devices list.
Note
You can select multiple devices by using the Ctrl key.
Step 5
When the Active Devices list includes the required devices for the scope, click OK. The scope is saved and is displayed in the workspace.
Editing and Viewing Scope Properties
Cisco ANA Manage enables you to edit or view the details of a scope.
To edit or view scope properties:
Step 1
Select Scopes in the tree pane.
Step 2
Select the scope that you want to edit or view in the workspace.
Step 3
Open the Properties dialog box for the scope in one of the following ways:
• Right-click the scope, then choose Properties.
• Choose File > Properties.
• Click Properties in the toolbar.
For more information about the Properties dialog box, see Creating Scopes.
Step 4
Edit and view the properties as required.
Step 5
Click OK. The Properties dialog box is closed.
Deleting Scopes
A device scope (a list of devices or NE groups) can also be deleted.
Note
When a scope is deleted, it is deleted from all users who have the assigned scope.
To delete a scope:
Step 1
Select Scopes in the tree pane.
Step 2
Select the scope that you want to delete in the workspace.
Note
You can select multiple scopes by using the Ctrl key.
Step 3
Right-click the scope, then choose Delete. The scope is deleted and is removed from the workspace.
Creating New Cisco ANA User Accounts
The Users branch enables you to define and manage user accounts. This includes managing general user information as well as security access rights and forced login changes, as required. You can also monitor a user's last login time.
Note
Creating a new user using the New User dialog box is only one part of the process of creating a user. You also need to grant a user security rights to operate Cisco ANA applications in the User Properties dialog box. For more information, see Granting or Editing User Rights.
A new user is created with the following predefined system defaults:
• No scopes are assigned to the user.
• The number of connections is unlimited.
• The password must be changed every 30 days.
• The maximum number of login attempts is 5.
Note
Cisco ANA NetworkVision has the following preconfigured password defaults:
- The maximum length of the username and full name is 20 characters.
- The minimum length of the user password is 8 characters.
- The maximum length of the password is 20 characters.
- The minimum number of digits that must be included in the user password is 1.
- The username cannot contain any special characters such as *, #, or ?.
- The password cannot contain the username or vice versa.
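A checker for the username and password defaults just listed, as an added example in Python (not Cisco ANA code). The limits are the page's; the function names, the exact set of characters treated as special (the page gives only *, # and ? as examples) and the case-insensitive containment test are assumptions.

```python
# Added example (not Cisco ANA code): a checker for the username and password
# defaults listed above. The limits are the page's; the function names are
# constructed, and two details the page leaves open are assumptions: which
# characters count as "special" (anything other than letters, digits, ".",
# "_" and "-"), and that the username/password containment test ignores case.
import re

MAX_NAME_LEN = 20       # username and full name
MIN_PASSWORD_LEN = 8
MAX_PASSWORD_LEN = 20
MIN_DIGITS = 1
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")   # assumption: what "no special characters" means

def check_username(username):
    """Return the list of rules the username violates (empty means acceptable)."""
    problems = []
    if not username:
        problems.append("username is empty")
    elif not NAME_RE.match(username):
        problems.append("username contains special characters")
    if len(username) > MAX_NAME_LEN:
        problems.append(f"username longer than {MAX_NAME_LEN} characters")
    return problems

def check_password(password, username):
    """Return the list of rules the password violates for this username."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"password longer than {MAX_PASSWORD_LEN} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"password contains fewer than {MIN_DIGITS} digit(s)")
    pw, user = password.lower(), username.lower()   # assumption: compare case-insensitively
    if user and pw and (user in pw or pw in user):
        problems.append("password contains the username (or vice versa)")
    return problems

def check_new_user(username, password, confirm):
    """Everything the New User dialog would have to reject, collected in one list."""
    problems = check_username(username) + check_password(password, username)
    if password != confirm:
        problems.append("password and confirmation do not match")
    return problems
```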
To define a user account:
Step 1
Select Users in the Cisco ANA Manage window.
Step 2
Open the New User dialog box in one of the following ways:
• Right-click Users, then choose New User.
• Choose File > New User.
• Click New User in the toolbar.
Note
Click Show Password Rules to display the current password rules.
Step 3
Enter the information required to define a new user:
Field | Description
User Name | Enter the new user's name to be used for logging in. Note: The username is unique and can contain a maximum of 20 characters. Special characters cannot be used.
Full Name | (Optional) Enter the full name of the user. Note: Valid entries include a maximum of 20 characters; special characters cannot be used.
Description | (Optional) Enter a free text description of the user.
Password | Enter the new password. Note: A minimum of 8 characters must be used, including at least 1 digit. The maximum length of the user password is 20 characters.
Confirm Password | Reenter the new password.
Role | In the drop-down list, choose the security access role for the new user. Note: The permission applies only to activities or actions that are not related to an NE. For more information on the functionality that a user can perform, see Security Access Roles.
Force Password Change at Next Login | This check box is checked by default and forces the user to change the user password when they next log in.
Step 4
Click Create. The new username and default security access role are displayed in the workspace.
Granting or Editing User Rights
Once you have defined the scopes and the new user accounts, Cisco ANA Manage enables you to:
• Manage or edit general user account information.
• Manage the list of scopes assigned to the user.
• Associate security access roles on a per-scope basis.
• Assign maps to a user.
Note
A user can have different security access roles for different scopes and maps.
In addition, you can view the properties of a user.
Editing User Rights
Cisco ANA Manage enables you to manage or edit general user account information. In addition, you can view the properties of a user.
To grant or edit a user's rights:
Step 1
Select Users in the Cisco ANA window.
Step 2
Right-click the required user, then choose Properties.
The Properties dialog box is displayed with the General tab selected by default.
Step 3
Edit the general properties as required:
Field | Description
User Name | The current username. The username cannot be modified.
Last Login | The date and time that the user last logged in.
Full Name | The user's full name.
Description | A description of the user.
Enable Account | Check this check box to enable the user account, or uncheck it to disable the user account. The user account is automatically locked when the number of logins defined is exceeded (the Limit Connections to option is enabled). You can manually lock or unlock a user's account at any time. A user whose account is locked cannot log into the system.
Limit Connections to | The number of instances of Cisco ANA client applications that the user can have open at any one time. For example, if the number of connections is limited to 10, the user can have 5 instances of Cisco ANA Manage and 5 instances of Cisco ANA NetworkVision open at the same time. If the user then tries to open an instance of Cisco ANA EventVision, the attempt is refused.
Force Password Change After | 1. Check this check box to force the user to change their password after a specific number of days. Uncheck this check box to allow the user to retain their current password indefinitely. 2. If you check the check box, enter the number of days after which the user is forced to change their password.
Force Password Change at Next Login | Check this check box to force the user to change their user password when they next log in. You can set this option at any time.
Step 4
Click Apply to accept your entries.
Step 5
Click OK to close the Properties dialog box or click the Security tab to define user security rights. (See Defining User Security Rights for more information.)
Defining User Security Rights
Use the Security tab in the User Properties dialog box to define or edit a user's security rights.
To define a user's security rights:
Step 1
Select the Users branch in Cisco ANA.
Step 2
Right-click the required user, then choose Properties.
The User Properties dialog box is displayed.
Step 3
Click the Security tab.
The Security tab enables you to manage the user's capability to view and manage applications and NEs by applying user scopes and security access roles.
Step 4
In the Default drop-down list, choose the default security level for the user. By default, a new user is assigned the Viewer security access role. The level that you select here is the value displayed in the ANA Users workspace table.
Step 5
Click Add to add a scope to the active rights of the user. The Security Level dialog box is displayed.
Step 6
Choose the required scope and the appropriate security level within this scope for the user:
Field | Description
Available Scopes | Lists all predefined and unassigned scopes.
Security Level | Displays the security access roles for the defined scopes. For more information, see Security Access Roles.
Step 7
Click OK. The scope is added to the list of Active Rights in the Security tab.
Step 8
Click Apply, then OK. The Properties dialog box is closed.
Assigning Maps to Users
Cisco ANA Manage enables the administrator to assign maps to the user. When logging in to NetworkVision, new users do not have permission to view any existing maps; they can only access maps they create going forward. However, administrators can assign existing maps to new users by enabling this feature and manually assigning the maps.
To enable this feature:
Step 1
Log in to the gateway server as user sheer.
Step 2
Change to the ~sheer/Main directory.
Step 3
Run the following command (which is one line):
# ./runRegTool.sh -gs localhost set 127.0.0.1 site/mmvm/services/securitymanager/map-security-enabled true
Step 4
When the gateway server returns a success message, restart the gateway.
To assign maps to a user (after enabling this feature):
Step 1
Select Users in the Cisco ANA window.
Step 2
Right-click the required user, then choose Properties.
The User Properties dialog box is displayed.
Step 3
Click the Maps tab.
The Maps tab is divided into two parts:
• The left side displays a list of all available maps in the database that have not been assigned to the user.
• The right side displays all maps that have been assigned to the user and that the user can open and manage in Cisco ANA NetworkVision.
The following buttons are displayed between the available maps and assigned maps lists in the Maps tab:
Button | Description
(button icon) | Moves the selected map to the Assigned Maps list.
(button icon) | Moves the entire Available Maps list to the Assigned Maps list.
(button icon) | Moves the selected map from the Assigned Maps list back to the Available Maps list.
(button icon) | Moves the entire Assigned Maps list back to the Available Maps list.
Step 4
Choose a map from the list of Available Maps, then click the required button to add the map to the list of Assigned Maps to the user.
Note
You can select multiple rows by using the Ctrl key.
Step 5
Choose and move maps between the two lists, as required, using the appropriate buttons.
Step 6
Click OK to confirm the user's assigned maps.
Deleting a Cisco ANA User Account
To delete a user account:
Step 1
Select Users in the Cisco ANA window.
Step 2
Select the user account that you want to delete in the workspace.
Note
You can select multiple rows by using the Ctrl key.
Step 3
Right-click the user, then choose Delete. The selected user is deleted, and is not displayed in the workspace.
Changing User Passwords
You can use Cisco ANA Manage to change a user's password at any time. When this happens, the user is usually forced to change the password when they next log in.
The current user can also initiate a change of their password; in this scenario, they are required to enter the old password to validate the new password.
Changing Passwords as an Administrator
To change a user's password as an administrator:
Step 1
Select Users in the Cisco ANA window.
Step 2
In the workspace, select the user whose password you want to change.
Step 3
Right-click the required user, then choose Change Password. The Change Password dialog box is displayed.
Note
Click Set Password Rules to display the password rules.
Step 4
Enter the new password in the Password and Confirm Password fields.
Step 5
Click OK. A confirmation message is displayed.
Step 6
Click OK. The Change Password dialog box is closed.
Changing Passwords as a User
Cisco ANA Manage enables the current user to also initiate a change of password.
To change your password as a user:
Step 1
Choose Tools > Change User Password.
The Change User Password dialog box is displayed.
Note
Click Set Password Rules to display the password rules.
Step 2
Enter the old password in the Old Password field.
Step 3
Enter the new password in the New Password and Confirm Password fields.
Step 4
Click OK. A confirmation message is displayed.
Step 5
Click OK. The Change User Password dialog box is closed.