User Guide for CiscoWorks Common Services 3.1 - Administering Groups [CiscoWorks Common Services Software]

Table Of Contents

Administering Groups

Groups - Components and Basic Concepts

Group Concept

Groups in Single-Server and Multi-Server Setup

Group Administration

Creating Groups

Specifying Group Properties

Defining Group Rules

Assigning Group Membership

Viewing Group Details

Modifying Group Details

Refreshing Groups

Deleting Groups

DCR Mode Changes and Group Behavior

Administering Groups

The Groups feature in Common Services helps you to group devices managed by CiscoWorks applications. It helps in creating, managing, and sharing groups of devices. The groups created using this feature are shared across applications. The groups created in applications can also be viewed from Common Services.

The section explains the following:

•Groups - Components and Basic Concepts

•Group Concept

•Groups in Single-Server and Multi-Server Setup

•Group Administration

•DCR Mode Changes and Group Behavior

Groups - Components and Basic Concepts

This section explains the components of a group and the basic concepts of a group.

Components

The following are the components of a group:

•Group Server:

Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by the application. It interfaces with an application service adapter (ASA) to evaluate group rules and retrieve devices of a particular group.

•Application Service Adapters (ASAs):

Application-specific information repository that serves as source of the devices and attributes that are grouped by the Groups Server. It provides an interface between applications and Groups Server. For Common Services, Device and Credential Repository (DCR) acts as the ASA. See Managing Device and Credentials for detailed information on DCR.

•Group Admin:

Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.

Basic Concepts

The following are the basic concepts of a group:

•Group Class:

Representation of a set of devices belonging to DCR. In this context a device in Device and Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set of attributes and a unique device ID.

•Group Object:

Device in a group class. Each device in the group will have a set of attributes stored in DCR. Associated with every device is a unique and immutable device ID.

•Group:

Named aggregate entity comprising a set of devices belonging to a single class or a set of classes, with a common superclass. Groups can be shared between users or applications, subject to access-control restrictions. The membership of a group is determined by a rule.

•Group Rule:

Consists of one or more rule expressions combined by operators, which can be AND, OR or EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.

Group Concept

A group is a named set of devices. The group is characterized by a set of properties such as an associated rule, name, description, type, and access permission. The rule determines the membership of a group, which may change whenever the rule is evaluated.

Groups are hierarchical. Groups can be dynamic or static. They can be Private or Public.

This section explains the following:

•Group Hierarchy

•Dynamic Group

•Static Group

•Container Groups

•System Defined and User Defined Groups

•Common Groups and Shared Groups

•Secure Views

Group Hierarchy

Groups are managed in a hierarchical fashion that supports subgrouping. Each child group is a subgroup of a parent group, and its group membership will be a subset of its parent group.

Dynamic Group

A dynamic group is a group for which the membership list is always up-to-date.

Whenever you view a dynamic group, it always displays the latest group membership list.

Static Group

A static group is a group for which the membership is refreshed only when you explicitly request it. Between re-evaluations, the Group Server stores the membership list and group definition of the static group.

Whenever you view a static group, you get the membership list that the ASA created the last time the group rule was evaluated.

Container Groups

Container groups are groups without a rule. The group membership is the union of the membership of its subgroups. If a container group does not have subgroups, the membership list will be blank.

System Defined and User Defined Groups

After you install Common Services, you get two predefined groups. They are:

•System Defined groups

System-defined groups are automatically created based on the device type information in DCR. When you add devices to DCR, the devices appear under the corresponding System-defined groups.

Just in Time groups (JIT) are groups that are automatically created/deleted as when devices are added/deleted/modified.

•User Defined groups

You can create groups here based on device attributes in DCR. This is possible only if you have administrator privileges.

These predefined groups come under the Provider group (or the root group), which, by default, is of the format CS@hostname. This Provider group is the parent of all Common Services groups found in the server.

You can change the Provider group name by changing the CiscoWorks home page Server Name. This can be configured at Common Services > Server > Home Page Admin> Settings. See Setting Up CiscoWorks Home Page for details.

You have to restart Daemon Manager after you change the CiscoWorks Server name, for the Provider group name change to take effect. After this, the Provider group name will be in the CS@Home Page Server Name format.

You can see these groups in Device and Credential Repository Administration and Device Center, and perform operations on the members of the group.

JIT groups are created based on the device types that are currently available in DCR. If all devices belonging to a single MDF type are deleted, the corresponding JIT group also gets deleted.

Common Groups and Shared Groups

Common group is the Common Services (CS) groups that are seen in the Groups UIs of Applications. Shared groups are the application groups other than the application's local group, that can be seen from the Common Services, and Groups UIs of Applications.

You have read-only access on shared groups. You can:

•Check group details

•Refresh group

To perform any operation on CS groups, you have to invoke the Groups UI from Common Services. From the Common Services Group Admin UI, you cannot perform create, edit, and delete operations on Application Groups.

For example, if you have a machine on which Common Services, RME, and Campus Manager are installed. If you invoke the Groups UI from Common Services, you can see three provider groups. They are:

•CS@hostname

•RME@hostname

•Campus@hostname

The group CS@hostname is the local group. The groups RME@hostname and Campus@hostname are shared groups.

If you invoke the Groups UI from RME, you will find three provider groups:

•CS@hostname

•RME@hostname

•Campus@hostname

Here, RME@hostname is the local group. CS@hostname is the common group, and Campus@hostname is a shared group.

Similarly, in the Groups UI in Campus Manager, Campus@hostname is the local group. RME@hostname is a shared group, and CS@hostname is the common group.

Figure 6-1, is a screen shot taken from the Group Administration UI in Common Services, on a machine (machine name: idu-test-sf440-1) that has Common Services, Campus Manager, RME, and DFM installed, illustrates the concept.

Figure 6-1 Common Services Group Administration Window

In the Group Selector available in the Group Administration page, you can see:

•CS@idu-test-sf440-1

•Campus@idu-test-sf440-1

•RME@idu-test-sf440-1

•DFM@idu-test-sf440-1

Here, CS@idu-test-sf440-1 is the local group, and the rest are shared groups.

Secure Views

Secure Views allow access to devices of a group to be restricted. Secure Views enables filtering of group membership based on the user and the application task context in which a request is made. Filtering will be performed only when operating in ACS mode. While operating in Non ACS mode, filtering is not performed. If you evaluate a group in Non ACS mode, all devices of that group are returned.

For example, assume there are two users A and B configured in ACS with different sets of privileges such that A can operate on devices D1, D2, D3 and B can operate on D4 and D5. If B tries to perform any operation on the group to which all the above devices belong, B will be able to see only D4 and D5. This is because B is authorized to perform operations only on those two devices. For details on ACS login mode see Setting the Login Module to ACS.

Note Groups UI is enabled only on servers in which DCR is in Master or Standalone mode. The groups created in DCR master servers are copied to Groups instances on servers where DCR is in Slave mode.

Groups in Single-Server and Multi-Server Setup

This section has the following subsections:

•Groups in Single Server Scenario

•Groups in Multi-Server Scenario

Groups in Single Server Scenario

The devices you see in the Group Administration UI in applications depend on whether the devices are being managed by that particular application or not.

For example, if there are Common Services, Campus Manager, and RME installed on a server, you can see the following groups in the Groups UIs of Common Services, Campus Manager, and RME.

•CS@hostname

•RME@hostname

•Campus@hostname

For example, if you add 100 devices to the subgroup Routers in Common Services, all the 100 routers you have added are listed whenever you perform any operation on the group Routers, from the Groups UI in Common Services.

However, if you perform any operation on the subgroup Routers, from the Groups UI in RME, you may not see all 100 devices you have added to the group from Common Services. Instead, only the devices that RME manages are displayed.

Assume that you create a subgroup in Campus Manager, based on subnets, and add 30 devices. When you perform any operation on this subgroup from the Groups UI in RME, the number of devices you will see may be less than 30. This depends on whether RME is managing those devices.

Groups in Multi-Server Scenario

Groups you create in Common Services groups UI in the Master get synchronized with the Slave. This does not happen in the case of applications.

If you create a subgroup under CS@Master hostname in one server, it appears under CS@Slave hostname in the peer server.

However, in the Master server, if you create a subgroup under application@Master hostname, it will always appear under application@\Master hostname\, in the Slave. That is, the subgroup created in the Master appear under the application's shared group in the Slave.

Note You cannot create groups in Common Services if it is in Slave mode. However, for applications, you can create groups even if the server on which they are installed is in Slave mode.

For example, if you have two servers M and S, where M is in Master mode, and S is in Slave mode. Assume both the machines have Common Services, Campus Manager and RME installed.

In M, you can see the following groups:

•CS@Master hostname

•Campus@Master hostname

•Campus@Slave hostname

•RME@Master hostname

•RME@Slave hostname

Figure 6-2 Common Services Groups Window in a Multi-Server Setup

In Figure 6-2, you can see the groups displayed in the Common Services Groups UI, in a multi server scenario.

Note that the machine idutest-dell-pc2 is the Master, and the machine bundle-sunv440-4 is the Slave, in the figure.

In the CS groups UI you can see:

•CS@idutest-dell-pc2 (The local CS group of the Master)

•Campus@idutest-dell-pc2 (Application group pertaining to the Master)

•Campus@bundle-sunv440-4 (Application group pertaining to the Slave)

•RME@idutest-dell-pc2 (Application group pertaining to the Master)

•RME@bundle-sunv440-4 (Application group pertaining to the Slave)

Similarly, in S you can see the following groups from the applications groups UI:

•CS@Slave hostname

•Campus@Master hostname

•Campus@Slave hostname

•RME@Master hostname

•RME@Slave hostname

Figure 6-3 Groups Window in Application in a Multi-Server Setup

In Figure 6-3, you can see the groups displayed in the Application (RME) Groups UI, in a multi server scenario.

Note that the machine idutest-dell-pc2 is the Master, and the machine bundle-sunv440-4 is the Slave, in the figure.

In the applications groups UI you can see:

•CS@idutest-dell-pc2 (The local CS group of the Master)

•Campus@idutest-dell-pc2 (Application group pertaining to the Master)

•Campus@bundle-sunv440-4 (Application group pertaining to the Slave)

•RME@idutest-dell-pc2 (Application group pertaining to the Master)

•RME@bundle-sunv440-4 (Application group pertaining to the Slave)

If you have created a subgroup under CS@Master hostname, in S, you can see this subgroup under CS@Slave hostname.

However, if you create a subgroup in M under RME@Master hostname, this subgroup appears in S under RME@Master hostname, and not under RME@Slave hostname.

In a cluster if you have M as the Master, and S1 and S2 as M's slaves, and you want to evaluate S1's groups from S2, you need to import the certificate of S1 to S2 and vice versa.

Group Administration

The Group Administration and Configuration UI helps you to create, manage, view, and delete groups. The UI provides you a Group Selector which contains the following predefined higher-level groups:

•System Defined Groups

•User Defined Groups

The System Defined Groups shows subgroups only after Device and Credential Repository is populated.

You can create subgroups only under User Defined Groups. You cannot create them under System Defined Groups. However, you can view the details of a subgroup under System Defined Groups and refresh the group.

Note Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone mode. The groups created in DCR master will be copied to Group Administration instances on servers where DCR is in Slave mode.

The following sections provide information on how to perform group administrative tasks in Common Services:

•Creating Groups

•Modifying Group Details

•Viewing Group Details

•Refreshing Groups

•Deleting Groups

Creating Groups

You can create device groups using this feature.

To create a new device group:

Step 1 Go to the CiscoWorks home page and select Common Services > Groups > Group Admin

The Groups Administration page appears.

If LMS Portal is installed on the CiscoWorks Server, you can also navigate to this page from the LMS Portal home page.

The Group Administration and Configuration dialog box in the Group Administration page provides you a Group Selector.

Step 2 Select the group from the groups listed in Group Selector to create a new subgroup.

The Group Info fields on the right, display details of the selected group.

The group you select here is the parent group for the new group you are about to create. You can change the parent group later, if required. You cannot create groups under System Defined Groups but can view details and refresh the group.

Users in admin role have read-write access to User Defined groups based on the visibility scope (public or private). If you possess appropriate permissions, you can create subgroups under groups.

Step 3 Click Create to create a new group.

The Group Administration Creation wizard is launched and guides you through the process of creating a new group.

Perform the following tasks using the Groups Create wizard.

a. Specifying Group Properties

b. Defining Group Rules

c. Assigning Group Membership

The first page in the wizard is the Properties:Create window. While creating a new group you must complete all the three tasks in this sequence to create a group.

If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the group will not be created.

The default limit of User Defined Groups you can create is 100. If you try to create more than 100 User Defined Groups, you will get a message saying that you have exceeded the limit.

Specifying Group Properties

While specifying group properties, you can enter the properties such as name and description, and modify the parent group, if required, and update membership, and specify the visibility scope.

To complete the tasks in this phase:

Step 1 Go to the CiscoWorks home page and select Common Services > Groups > Groups Admin .

The Groups Administration page appears.

If LMS Portal is installed on the CiscoWorks Server, you can also navigate to this page from the LMS Portal home page.

Step 2 Click the Create button in the Group Administration and Configuration dialog box.

The Properties:Create dialog box opens.

Step 3 Enter a name for the group in the Group Name field in the Properties:Create dialog box.

The group name should be unique within the Parent group. However, it need not be so across groups. The same group name cannot be used in the same group hierarchy.

For example, if you have a group /CS@Servername/User Defined Groups/MyView, you cannot create another group with the same name "MyView" under /CS@Servername/User Defined Groups.

Step 4 Click Select Group, if you want to copy the attributes of an existing group.

The Replicate Attributes dialog box appears.

Step 5 Select the group you need from the Replicate Attributes list and click OK.

Step 6 Click Change Parent, to change the Parent group.

The Group Selector page appears.

Step 7 Select the group you need from the Select Parent list.

Step 8 Click OK.

The Group Administration wizard changes the Parent group to the one you selected, and returns to the Properties:Create window.

Step 9 Enter a description for the group.

Typically, you can enter a detailed description of the group identifying its characteristics in this field.

Step 10 Select the Membership Update mode for the group.

The modes of membership updates available are:

•Automatic:

The membership of the group is automatically recomputed each time the group is invoked.

•Only Upon User Request:

The membership of the group is recomputed only when an explicit request is made, using the Refresh option.

If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request, the group will be a Static group.

Step 11 Select either Public or Private radio button to specify the visibility scope.

•Private

The group created can be viewed only by user who creates the group.

•Public

The group created can be viewed by all users.

Step 12 Click Next to get to the Rule:Create dialog box.

Defining Group Rules

In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase determine the contents of the group. The rules you specify here determine the devices to be included in the group.

In the Rules:Create dialog box, you can either enter the rules directly in the Rule Text field, or select the components of the rule from the Rule Expression fields, and form a rule.

The rule expression has the following components:
Class.attribute operator "value" 
If you have created the group by copying the attributes of another group, the rules specified for that group appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a new set of rules.

The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this facility to validate the rules you have created. If you leave the rule blank, it creates a Container group.

Click View Parent Rules to display the rules defined for its ancestor groups.

Defining a Group Rule

To create a group rule:

Step 1 Complete all the tasks in the Properties:Create dialog box. See Specifying Group Properties for more information.

Step 2 Delete the rules displayed in the Rule Text field, if any.

Step 3 Select appropriate parameters for the following:

• Object Type — Denotes the object type used for forming a group. All expressions start with the string Device.

• Variables — Denotes the device attributes, which are used to form a device group.

The list of variables for creating groups are:

–Category

–DeviceIdentity

–DisplayName

–DomainName

–HostName

–ManagementIpAddress

–MDFId

–Model

–Series

–SystemObjectID

–User defined fields, if any.

See System Defined and User Defined Attributes for details on the variables.

The device attributes listed in Variables list box are specific to Common Services only. The list of device attributes are different across CiscoWorks applications. The Group Administration windows of respective applications display the respective device attributes as variables

• Operators — Denotes the various operators to be used with the rule. The list of operators includes equals, contains, startswith and endswith. The list of operators changes dynamically with the value of the variable selected.

For the ManagementIpAddress variable, you can select the range operator other than the standard list of operators. See Using IP Address Range Operator for more information.

• Value — Denotes the value of the variable. The value field changes dynamically with the value of the variable and operator selected, and this may be a text field or a list box.

Step 4 Click Add Rule Expression.

The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field.

For example, the rule type:
:CMF:DCR:Device.DisplayName equals "joe"

will select the device with the DisplayName joe.

The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression.

You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field. See Defining Composite Group Rules for more information.

You can validate rules that are entered directly into the Rules Text field or rules formed using the Add Rules Expression option in the dialog box.

•To check whether the syntax is valid, click Check Syntax.

•To view the rules defined for the parent groups, click View Parent Rules.

Step 5 Click Next.

The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information.

If you have entered an invalid IP Address range or invalid values in the Value field, an error message will be displayed. You should correct the values and then navigate to the Membership:Create dialog box.

Defining Composite Group Rules

Composite rule contain more than one rule expression separated by a Boolean operator.

The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you have entered at least one rule expression.

When the composite rule has more than two simple rule expressions, you can adjust priorities among the expressions using opening and closing parenthesis.

To create a composite rule:

Step 1 Delete the rules displayed in the Rule Text field and click any other field.

Step 2 Form a simple rule. See Defining a Group Rule for forming a simple rule.

Step 3 Click Add Rule Expression.

The Group Administration wizard creates the rule based on the parameters you specified and adds the rule to the Rules Text field.

The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type field in Rules Expression.

Step 4 Select a Boolean Operator from the drop-down list.

Step 5 Select the appropriate parameters for Object Type, Variables, and Operators.

Step 6 Enter a value in the Value field.

Step 7 Click Add Rule Expression.

You can validate rules that are entered directly into the Rules Text field or rules formed using the Add Rules Expression option in the dialog box.

•To check whether the syntax is valid, click Check Syntax.

•To view the rules defined for the parent groups, click View Parent Rules.

Step 8 Click Next.

The wizard takes you to the Membership:Create dialog box, where you can further refine the group definition by adding or deleting specific devices from the group. See Assigning Group Membership for more information.

Using IP Address Range Operator

The range operator enables you to group the devices of the specified range of IP Addresses. You can select the range operator only for the ManagementIpAddress variable.

You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address ranges.

When you enter the IP Address range in the text field, you should:

•Specify the range with permissible values for one or more octets in the IP Address.

The minimum limit in the range is 0 and the maximum limit is 255.

•Use the hyphen character (-) as a separator between the numbers within a range.

•Specify the range of IP Addresses within the [and] characters to create a group rule.

For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.

You should not:

•Enter numbers lesser than 0 and greater than 255 in the IP Address range.

•Enter any other characters other than the range separator (-).

•Enter the value of highest limit in the range as less than the value of smallest limit number. For example, you should not enter 10.10.10.[8-4].

See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on the IP Address Range based device groups in a multi-server setup.

Examples

Example to Create a Simple Group Rule

To create a group of all devices ending with the hostname Test, you should:

Step 1 Create an expression in the Rules:Create dialog box by entering:

a. Select Variable as HostName

b. Select Operator as endswith

c. Enter the Value as Test

Step 2 Click Add Rule Expression.

The rule is added into the Rule Text.

You can also check the syntax of the group rule entered.

Example to Create a Composite Group Rule

If you may want to group all the devices in the network that matches all of the following criteria:

•Display name of the device should contain TestDevice

•Category of the device should be equal to Routers or IP Address of the device should starts with 10.77

To create this composite rule:

Step 1 Create an expression in the Rules:Create dialog box by entering:

a. Select Variable as DisplayName

b. Select Operator as contains

c. Enter the Value as TestDevice

Step 2 Click Add Rule Expression.

The rule is added into the Rule Text.

Step 3 Create another rule expression by entering:

a. Select AND as the Boolean operator

b. Select Variable as Category

c. Select Operator as equals

d. Enter the Value as Routers

Step 4 Click Add Rule Expression.

The rule is appended into the Rule Text.

Step 5 Create another rule expression by entering:

a. Select OR as the Boolean operator

b. Select Variable as ManagementIPAddress

c. Select Operator as startswith

d. Enter the Value as 10.77

Step 6 Click Add Rule Expression.

The following composite rule is formed in the Rule Text Area:
Device.DisplayName contains "TestDevice" AND
Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77"
Step 7 Edit the rule expression in the text area to adjust the priorities among the group expressions.

You should place two rule expressions together within an opening and a closing parentheses. Ensure that you leave a space between the parenthesis and the group expressions.

The edited composite rule is:
Device.DisplayName contains "TestDevice" AND
( Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77" )
You can also check the syntax of the group rule entered.

Step 8 Click Next to proceed further.

Example to Create a Group Rule Using Range Operator

To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you should:

Step 1 Create an expression in the Rules:Create dialog box by entering:

a. Select Variable as ManagementIPAddress

b. Select Operator as range

c. Enter the Value as 10.10.[0-212].[207-247]

Step 2 Click Add Rule Expression.

The rule is added into the Rule Text.

You can also check the syntax of the group rule entered.

System Defined and User Defined Attributes

The following table provides details on the System Defined attributes that are available in Common Services. These are predefined attributes, available by default.

Attribute

Description

DisplayName

Device name, as you want it to be represented in reports or graphical displays. This can be derived from Host Name, Management IP address or Device Identity.

ManagementIpAddress

IP address used to access the device. Both IPv4 and IPv6 address types are supported.

HostName

Device Host name.

DomainName

Domain name of the device.

DeviceIdentity

Identifies pre-provisioning devices. The value would be application specific.

SystemObjectID

sysObjectID value. It may be UNKNOWN in the case the facility that populates the repository does not know the value.

Category

Category into which the device falls. The first level entries in the Device Type tree in DCR Device Management UI. For example, Routers is a category.

Series

Series to which the device belongs. The second level entries in the Device Type tree in DCR Device Management UI.

For example, Cisco 3100 Series Routers, that falls under the category Routers.

Model

Model of the device. The third level entries in the Device Type tree in DCR Device Management UI.

For example, the model Cisco 3101 Router falls under the Cisco 3100 Series Routers, which comes under the category Routers.

MDFId

Normative name for the device type as described in Cisco's Meta Data Framework (MDF) database. Each device type has a unique normative name defined in MDF.

The User Defined Fields available in the Variable drop-down list is taken from DCR. You can create Used Defined Fields at Common Services > Device and Credentials > Admin. For details, see Adding User Defined Fields.

If you create a User Defined Field which is similar to one of the predefined System Defined attributes, an _UDF suffix is appended to the User Defined field you add, to distinguish these two attributes.

For example if you create a User Defined Field called DisplayName (which is one of the predefined attribute present in the Variable drop-down list), this will be displayed as DisplayName_UDF.

Note You should not create a User Defined fields in the format System Defined Field_UDF, where System Defined Field stands for any attribute listed in the above table.

By default, four User Defined fields are available. You can create six User Defined fields additionally in DCR. The maximum number of User Defined fields that can be added in the Variable drop-down list is 10.

Assigning Group Membership

You can include more devices or exclude devices using this option. To decide which devices are available to the group you have created, the wizard uses the details of the parent members and rules you have already specified.

These devices appear in Available Objects From Parent Group column based on the properties and rules you have already specified in the Properties:Create and Rule:Create dialog boxes. See Specifying Group Properties and Defining Group Rules for more information.

Note You can add devices from the list of available objects in the parent group even if they do not match membership criteria.

To add devices to the group you have created:

Step 1 Select one or more devices in Available Objects From Parent Group column.

To select multiple devices, hold the Ctrl or Shift keys down and click.

Step 2 Click Add.

The selected devices are removed from Available Objects From Parent Group and added to the Object Matching Membership Criteria column.

To remove devices from the group:

Step 1 Select one more devices in Object Matching Membership Criteria column.

To select multiple devices, hold the Ctrl or Shift keys down and click.

Step 2 Click Remove.

The selected devices are removed from the Object Matching Membership Criteria column and added to Available Objects From Parent Group.

Step 3 Click Next.

The Summary:Create window appears. It displays the group name, the parent group, description, the membership update type, group rules, and the visibility scope of the group you created.

If you want to change the parameters, click Back to go back to the previous windows and make changes.

Step 4 Click Finish to create the group based on the parameters specified.

Viewing Group Details

You can view the details of a group using this feature.

To view the details of a group:

Step 1 Go to the CiscoWorks home page and select Common Services > Groups

The Group Administration page appears.

If LMS Portal is installed on the CiscoWorks Server, you can also navigate to this page from the LMS Portal home page.

Step 2 Select a group from the Group Selector pane.

The Group Info pane on the right side displays the high-level properties of the selected group.

Step 3 Click Details.

The Group Administration wizard displays the details of the group in Properties:Details window.

•Click View Parent Rules to display the rules set for the parent group.

The rules set for the parent group are displayed in the Show Parent Rules window.

•Click Membership Details to display a list of devices and their corresponding object types.

The membership details are displayed in Membership:Details window.

In the Membership:Details window, you can:

–Click on the column headers to sort the entries in the table.

–Select the number of rows to be displayed in the table in the Rows per page option.

•Click Property Details to return to the Property:Details window.

Step 4 Click Cancel to return to the Group Administration and Configuration page.

Modifying Group Details

You can modify some of the details for a group using this feature.

To modify the details of a group:

Step 1 Go to the CiscoWorks home page and select Common Services > Groups > Group Admin.

The Group Administration page appears.

If LMS Portal is installed on the CiscoWorks Server, you can also navigate to this page from the LMS Portal home page.

Step 2 Select a group from the Group Selector pane.

The Group Info fields on the right side displays details of the selected group.

Step 3 Click Edit.

The Group Administration wizard guides you through the process of editing a group. It displays the details of the group in Properties:Edit window.

Step 4 Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit dialog box.

You cannot change the Parent group or copy attributes from a different group in Edit mode.

Step 5 Click Next.

The wizard takes you to the Rules:Edit window.

Step 6 Change the rules as required. For details on creating the rules, see Defining a Group Rule.

Step 7 Click Next.

The wizard takes you to the Membership:Edit window.

Step 8 Add or remove devices from the list of objects in Objects Matching Membership Criteria as required. For details on creating the rules, see System Defined and User Defined Attributes.

Step 9 Click Next.

The wizard takes you to the Summary window.

If you want to change the parameters specified, click Back to go back to the previous windows and make changes to the properties or rules.

Step 10 Click Finish to modify the group.

Step 11 Click OK.

The Group Administration wizard copies the attributes of the selected group and displays it in the corresponding fields in Properties:Create window.

Note that the Parent group you have selected for the group does not change even if you are copying attributes from a group that belongs to a different Parent group.

Refreshing Groups

You can recompute the membership of a group by re-evaluating the group's rule. The membership of Automatic groups is recomputed dynamically.

The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with this option.

Note Only users with read-write access can refresh the Only-upon-user-request groups.

To refresh a group:

Step 1 Go to the CiscoWorks home page and select Common Services > Groups > Group Admin.

The Group Administration page appears.

If LMS Portal is installed on the CiscoWorks Server, you can also navigate to this page from the LMS Portal home page.

Step 2 Select a group from the Group Selector pane.

The Group Info fields on the right pane displays details of the selected group.

Step 3 Click Refresh.

The Group Administration pop-up window prompts you for confirmation.

Step 4 Click Yes.

The selected group is recomputed and the window, refreshed.

Whenever you delete devices from a group, refresh the group so that group membership is recomputed.

Deleting Groups

You can delete a group from the Group Selector. When you delete a group, all the child groups under the group are also deleted. You can also delete the stale groups (groups that are belonging to users removed from CiscoWorks).

To delete a group:

Step 1 Go to the CiscoWorks home page and select Common Services > Groups > Group Admin.

The Group Administration page appears.

If LMS Portal is installed on the CiscoWorks Server, you can also navigate to this page from the LMS Portal home page.

Step 2 Select the group from Group Selector.

The Group Info fields on the right pane displays details of the selected group.

Step 3 Click Delete.

The Group Administration and Configuration dialog box prompts you for confirmation.

Step 4 Click Yes.

The selected group is deleted.

Deleting Stale Groups Using CLI

You can delete groups that belonged to users removed from CiscoWorks. To delete a stale group, you must run the DeleteStaleGroups utility.

To run the DeleteStaleGroups utility:

On Windows:

Step 1 Enter NMSROOT\bin

Step 2 Enter DeleteStaleGroups -user username -pfile passwordfile -staleuser StaleUser

On Solaris:

Step 1 Enter NMSROOT/bin

Step 2 Enter DeleteStaleGroups.sh -user username -pfile passwordfile -staleuser StaleUser

The explanation for these optional entries are as follows:

-user: Current user who has the necessary privileges to delete groups.

-pfile: Absolute Path of the text file with current user's CiscoWorks login password in one line.

-staleuser: The user whose group has to be deleted.

If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale groups will be deleted.

DCR Mode Changes and Group Behavior

The DCR modes have a bearing on how groups are displayed in the Groups UI. Also the DCR mode decides whether you can perform any operation on the groups.

In Standalone mode, the groups you create in the CS Groups UI are propagated to the application Group instances of the applications installed in the same machine.

To perform operations on application groups, you should launch Groups UI from the application.

In Slave mode, the CS group admin UI is disabled. You cannot create any CS groups when the machine is in Slave mode. The UI is enabled automatically when the mode changes to Master or Standalone.

Therefore, in a cluster that has several Slaves and a Master, if you need to create CS group, you need to go to the CS Groups UI in the Master and create the group. The group you create there, will be synchronized with the Slaves.

The following table gives details of DCR mode changes and implications on Groups.

Mode Changed to:

The Initial Mode

Standalone

Slave

Master

Standalone

Not applicable.

Master will get all the Slave groups. That is, if Slave has App-1 installed, Master will have all the groups that belong to App-1 on Slave.

All these groups appear under the root group, /App-1@Slave.

Also, Slave will get Master's groups. Group UI gets disabled.

No change in the Group hierarchy.

Slave

Groups UI gets enabled. The groups pertaining to Master and Slaves will be removed.

The Slave's groups will disappear from the Master.

The groups pertaining to the Slave whose mode was changed will disappear from other Slaves in the cluster.

Not applicable.

Groups UI gets enabled. Groups pertaining to the previous Master and the associated Slaves will be removed.

Master

All dependent Slaves will switch to Standalone mode.

All groups pertaining to other machines will be removed. Groups UI will be enabled on all machines in the cluster.

If you select Inform current Slaves of new Master Hostname when you change the mode to Slave, all the Slaves in the domain, switch to the new Master.

In this case, the application groups of all the Slaves in the domain, and the groups in the Master will be seen in the new Slave.

The Groups UI will be disabled.

If this check box is not selected, the new Slave will pickup the groups of the new Master. Other Slaves in the domain will move to Standalone mode.

Not applicable.

Unregistering a Slave

The Unregister Slave utility helps you unregister a Slave which is no longer part of the domain.

The utility is useful in the following scenarios:

•Change in Slave's mode because of Backup and Restore. That is, if data is restored from Standalone/Master belonging to a different domain.

•When you uninstall CiscoWorks from the Slave.

•Change in Slave's mode, when master is not reachable. If the Master is down when the Slave's mode changes, the Master will not be aware of the Slave's mode change, when it comes up.

The Master will not receive any data from the Slave, but the Slave information will still be in its registry. A redundant group (such as CS@Slave) will still appear in the Master's Groups UI.

In the case of DCR, any device operation on Master will update the Slave list. However, this does not happen in the case of Groups.

You can run the UnregisterSlave utility to remove any unwanted slave information:

From the CLI, run:

NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name

You have to enter the hostname of the machine you want to unregister.

For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of Backup-Restore on DCR and Effects of Backup-Restore on Groups.

Behavior of IP Address Range Based Device Groups in Multi-Server Setup

The range operator allows you to group devices within a specified range of IP addresses.

In a Master-Slave setup:

•When the Master server is using an earlier version of Common Services software, you cannot create device groups based on IP Address range.

•When the Slave server is using an earlier version of Common Services software, the IP Address Range based device groups information in the Master are synchronized with the Slave.

Even if you change the mode of Slave server to Standalone, the IP address range based device groups will remain as it was before in the Groups Server.

However, you cannot retrieve the device group information from the Standalone CiscoWorks Server to view them in the user interface. To retrieve and view the device group information, you should either:

–Upgrade the Common Services application in Standalone CiscoWorks Server to the latest version.

Or

–Change the mode of the CiscoWorks Server that has the earlier version of Common Services from Standalone to Slave for a DCR Master with the latest version of the software.