Table Of Contents
Managing EPOM and BTS Users
Managing Domains, Groups, and Users
Managing Groups
Adding Groups
Changing Group Permissions
Deleting Groups
Managing Domains
Adding Domains
Adding EMS Servers to a Domain
Managing Users
Adding Users
Editing and Deleting EPOM Users
Changing Your User Information
Managing User Security
Restricting User Access By Group 1
Restricting User Access By Group 2
Defining Group Settings
restrictedTree.xml
Restricting User Access By EPOM GUI Visibility
Viewing User History
Managing EPOM and BTS Users
Managing Domains, Groups, and Users
Assign read, write, or read-only access for EPOM users using the following administrative tools:
• group—organize users based on the domains to which you want them to have access
• domain—organize networks into logical groups accessible to specific user groups
• user
Managing Groups
Adding Groups
When you create a group, it is automatically assigned to a default domain. Reassign the group to another domain after:
1. adding the group
2. adding the domain
Step 1
Click Add.
The Add user window opens.
Step 2
Define the group:
• Group Name—Enter the name of the group. The group name must not exceed thirty two characters.
• BTS Login—Enter the BTS Login ID.
• BTS Navigation Tree—Enter the BTS customised navigation tree. The navigation tree can contain two hundred and fifty five characters.
Step 3
Click OK.
The group is added, and you return to the User Administration window where the new group is listed.
Click Cancel if you do not want to add the EPOM group.
Changing Group Permissions
Step 1
Next to XYZ Domain Groups, click Edit.
The Group Edit window opens listing all groups and their current access.
Step 2
Select access type, Read/Write or Read Only.
Step 3
Click OK.
Deleting Groups
First delete the domain associated with the group. You cannot delete the default group admin and the default userid admin.
Step 1
Click Users if you are not already in the User Administration window.
Step 2
In the navigation pane, click Groups.
The Group Administration window opens listing existing groups.
Step 3
In the row for the group that you want to delete, click Delete.
The Delete Group window opens.
Step 4
Click OK.
Managing Domains
Adding Domains
Add a domain to create a network group accessible to specific user groups. A domain includes an EMS server and groups with access to the domain.
When you create a group, it is automatically assigned to a default domain. Reassign the group to another domain after:
1. adding the group
2. adding the domain
Step 1
Click Domains.
Step 2
Click Add.
The Add Domain window opens.
Step 3
Define the domain:
a. Domain Name.
b. (Optional) Description
c. Click OK.
Adding EMS Servers to a Domain
Step 1
Click Domains.
Step 2
Click Edit.
The Modify Domain window opens.
Step 3
Next to No Inventory Found, click Edit.
The Inventory Edit window opens listing existing EMS servers.
Step 4
Select the server to add.
Step 5
Click OK.
Managing Users
Adding Users
Before adding a user, ensure its group already exists.
EPOM's Security Wizard allows admin users to:
• create both BTS and EPOM users
• create users in multiple EMS servers with appropriate security levels in a single operation
• add EPOM user information
• add group membership for an inventory or multiple inventories
Step 1
Select BTS or EPOM, depending on user type.
Step 2
Click Next.
The list of current users appears.
Step 3
Click Add.
The Add user window opens.
Step 4
Define the user:
• Username—name the user will use to log in to EPOM
• Password—initial password for EPOM access, the user can change this later
• Confirm Password
• Shell—command session
• Command Level—command levels based on the security levels
• Work Groups—names of the workgroups
• Inventory—select inventory and move to Selected; to deselect, move it back to Available
Step 5
Click OK.
Step 6
Click Finish.
Editing and Deleting EPOM Users
You can modify or delete EPOM user information. If you are not a member of the Administrator group, you can change your password, first name, last name and email, but not your login ID or group association.
If you are a member of the admin group, you can:
• change user information, including group membership
• delete users
Step 1
Click Users if you are not already in the User Administration window.
Step 2
The list of current users appears.
Step 3
In the row for the user whom you want to change, do one of the following:
• To modify user information:
a. Click Edit.
The Edit User window opens.
b. Make the changes and click Edit to save them.
• To delete the user:
a. Click Delete.
The Delete User window opens.
b. Click Delete.
You return to the User Administration window, showing the list of users.
Changing Your User Information
If you are not a member of the admin group:
• you can change your password, name and email
• you cannot change your userid or group association
Step 1
Click Users.
The User Administration window opens.
Step 2
Select your row.
Step 3
Click Edit.
The Edit User window opens.
Step 4
Make changes.
Step 5
Click Edit.
Managing User Security
Restricting User Access By Group 1
EPOM provisions restricted BTS command access not on a per-user basis, but on a per-group basis. Each group has a single BTS login (therefore a single BTS device, unless multiple BTS devices have similar logins and restricted access applied to them).
However, a single EPOM user can be associated with multiple EPOM Groups to provision restricted access across various BTS devices across the network.
Restrict a user's access to that of the BTS login name and password of their EPOM group. When a user logs in to EPOM, their group is examined for a BTS login:
• If EPOM finds a group, it queries the BTS user table for the user's security level and work groups.
• If no BTS login name is assigned to the EPOM group, security defaults to the user login and password for the device.
Each time a user enters a command, EPOM determines if the user has permission. If the user does not meet or exceed permission requirements, a "permission denied" message appears.
Note
If you modify BTS login security level or groups, EPOM users must log out and log in to EPOM for changes to take effect.
Note
If you change the security level or groups for BTS commands, restart EPOM for changes to take effect.
Step 1
Create BTS users.
Step 2
Create EPOM user groups.
Step 3
On the EPOM server:
a. create users
b. assign users to user groups
Step 4
Select Users > user name > Edit.
Step 5
Enter a password to access EPOM.
Step 6
Choose Users > Groups > Edit.
Step 7
Select a group.
Step 8
Click Edit.
Step 9
Assign the EPOM user group to a BTS user by entering the user's BTS Login and (optional) BTS Navigation Tree.
If an EPOM user group is not assigned to a BTS user, all users in that group have a security level of 10 (unrestricted).
Step 10
To verify the assigned BTS login, choose Users > Groups > group name > Edit.
Restricting User Access By Group 2
Defining Group Settings
This section describes how to analyse the portions of defaulttree.xml.
<tree name="default">
The above line defines the tree name. When you customize the tree, use the name that you entered as the navigation tree in the group settings, for example customizedtree.
In this case, if $EPOM_INSTALL_DIR is the EPOM installation directory, create a new XML file named customizedtree.xml under the directory $EPOM_INSTALL_DIR/tomcat/webapps/ROOT/xml/bts/navigation.
Change the above line to <tree name="customizedtree">.
<baseurl name="bts">
  <urlprefix><![CDATA[/bts/btscomp.jsp?_inv=[_inv]&_noun=]]></urlprefix>
</baseurl>
<baseurl name="btssearch">
  <urlprefix><![CDATA[/bts/btscompsearch.jsp?_inv=[_inv]&_noun=]]></urlprefix>
</baseurl>
<baseurl name="btsstatus">
  <urlprefix><![CDATA[/bts/btscompstatus.jsp?_inv=[_inv]&_noun=]]></urlprefix>
</baseurl>
<baseurl name="btsdiag">
  <urlprefix><![CDATA[/bts/btscompdiag.jsp?_inv=[_inv]&_noun=]]></urlprefix>
</baseurl>
<baseurl name="btsreset">
  <urlprefix><![CDATA[/bts/btscompreset.jsp?_inv=[_inv]&_noun=]]></urlprefix>
</baseurl>
<baseurl name="btswizard">
  <urlprefix><![CDATA[/bts/btswizard.jsp?_inv=[_inv]&_noun=]]></urlprefix>
</baseurl>
The above lines determine which page is invoked for the various BTS CLI nouns. They make the following associations:
1. The bts keyword is associated with the btscomp.jsp page.
2. The btssearch keyword is associated with the btscompsearch.jsp page.
3. The btsstatus keyword is associated with the btscompstatus.jsp page.
4. The btsdiag keyword is associated with the btscompdiag.jsp page.
5. The btsreset keyword is associated with the btscompreset.jsp page.
6. The btswizard keyword is associated with the btswizard.jsp page.
These associations are extended in the next section and finally used for each BTS CLI noun.
<baseurlverbmap base="bts" verb="show"/>
<baseurlverbmap base="btssearch" verb="show"/>
<baseurlverbmap base="btsstatus" verb="status"/>
<baseurlverbmap base="btsdiag" verb="diag"/>
<baseurlverbmap base="btsreset" verb="reset"/>
The above lines associate the default BTS CLI verbs with the keywords defined in the previous section.
Finally, the navigation tree defines the actual BTS CLI nouns.
<branch reskey="bts.head.ain">
  <node reskey="bts.ani_wb_list">
    <url base="bts">ani_wb_list</url>
  </node>
</branch>
<branch reskey="bts.head.isdn">
  <node reskey="bts.isdn_bchan" image="btssearch">
    <url base="btssearch">isdn_bchan</url>
  </node>
</branch>
The above defines two nouns and the verb actions invoked for them.
• The first <branch....ain> statement defines ain as the heading under which its nouns appear.
In this example, ani_wb_list appears after the ain node is expanded. The <url base="bts"> signifies that the show verb is used for that noun and that it is invoked in btscomp.jsp.
• The second <branch....isdn> statement defines isdn as the heading under which its nouns appear.
In this example, isdn_bchan appears after the isdn node is expanded. The <url base="btssearch"> signifies that the show verb is used for that noun and that it is invoked in btscompsearch.jsp, which accepts parameters to build where clauses for searching the noun before the show command is invoked.
The following example provides access to just subscriber show, change.
Step 1
Create a new BTS user restrictedBTSUser, with just show privileges on subscriber noun. Associate it properly with BTS workgroups.
Step 2
Add a group in EPOM:
a. Click "Users" (#1) in the primary navigation.
b. Click Groups in the left side navigation tree (#2).
c. Click the "Add" button (#3).
Step 3
Use the following parameters:
a. Groupname: restrictedGroup
This is the EPOM group that you are creating.
b. BTS Login: restrictedBTSUser
This BTS ID was created with restricted access on the BTS server, and the proper BTS workgroup and command associations were made on BTS (see BTS CLI Reference for more details).
c. BTS Navigation tree: restrictedTree
This points to the XML file that you put on the EPOM server, customized using the Navigation Trees section in this document. Change <tree name="restrictedTree"> in the file $EPOM_INSTALL_DIR/tomcat/webapps/ROOT/xml/bts/navigation/restrictedTree.xml. Review the example restrictedTree.xml file at the end of the document.
Specifying the BTS Login ID indicates that EPOM users of group restrictedGroup can only issue BTS commands with the authority and privilege of BTS user restrictedBTSUser. By creating the restrictedBTSUser user in the BTS CLI file, you are limiting the commands that the users can perform.
The BTS Navigation tree identifies the XML file that lists the BTS configuration items that users of restrictedGroup can select.
Step 4
Create Users with a Group of "restrictedGroup"
Step 5
Associate the All domain with the "restrictedGroup":
a. Click Domains.
b. Click the All domain in the navigation tree.
c. Click Edit.
d. Scroll down to All Groups and press Edit.
For the RestrictedGroup specify READWRITE.
e. Press OK.
Step 6
Log out, then log back in as one of the users that you created in Step 5.
They should have access only to the subscriber show and change commands.
restrictedTree.xml
<tree name="restrictedTree">
<urlprefix><![CDATA[/bts/btscomp.jsp?_inv=[_inv]&_noun=]]></urlprefix>
<baseurl name="btssearch">
<urlprefix><![CDATA[/bts/btscompsearch.jsp?_inv=[_inv]&_noun=]]></urlprefix>
<baseurl name="btsstatus">
<urlprefix><![CDATA[/bts/btscompstatus.jsp?_inv=[_inv]&_noun=]]></urlprefix>
<urlprefix><![CDATA[/bts/btscompdiag.jsp?_inv=[_inv]&_noun=]]></urlprefix>
<baseurl name="btsreset">
<urlprefix><![CDATA[/bts/btscompreset.jsp?_inv=[_inv]&_noun=]]></urlprefix>
<baseurl name="btswizard">
<urlprefix><![CDATA[/bts/btswizard.jsp?_inv=[_inv]&_noun=]]></urlprefix>
<urlprefix>../images/treemenuimage</urlprefix>
<baseurlverbmap base="bts" verb="show"/>
<baseurlverbmap base="btssearch" verb="show"/>
<baseurlverbmap base="btsstatus" verb="status"/>
<baseurlverbmap base="btsdiag" verb="diag"/>
<baseurlverbmap base="btsreset" verb="reset"/>
<url base="images">16x16_BTS_10200_Softswitch_Blue.gif</url>
<url base="images">table16_window.gif</url>
<url base="images">table16.gif</url>
<url base="images">table16_basicquery.gif</url>
<url base="images">table16_show.gif</url>
<url base="images">table16_diag.gif</url>
<url base="images">menu_folder_open.gif</url>
<url base="images">menu_folder_closed.gif</url>
<url base="images">menu_corner.gif</url>
<url base="images">menu_corner_plus.gif</url>
<url base="images">menu_corner_minus.gif</url>
<url base="images">menu_bar.gif</url>
<cssclassmap type="branch" class="parent_node"/>
<cssclassmap type="node" class="child_node"/>
<imagemap type="branch" image="tablegrp"/>
<imagemap type="node" image="bts"/>
<root name="[_hostname]" class="parent_node" image="BTS10200">
<url base="btsstatus"><![CDATA[system&_cmd=do_status]]></url>
<branch name="Restricted Commands">
<node reskey="bts.subscriber" image="btssearch">
<url base="btssearch">subscriber</url>
Restricting User Access By EPOM GUI Visibility
To prevent a user from seeing (therefore modifying or deleting) BTS objects on the EPOM GUI, create custom navigation trees. These trees are defined by an .xml file that follows simple syntax rules.
The defaulttree.xml file is in: /opt/CSCOepom/tomcat/webapps/ROOT/xml/bts/navigation. Use defaulttree.xml as a template for defining new trees.
Step 1
Create your customized navigation tree as an .xml file.
Step 2
Place the .xml file in the /opt/CSCOepom/tomcat/webapps/ROOT/xml/bts/navigation directory.
Step 3
Choose Users > Groups > group name > Edit.
The Edit Group window appears.
Step 4
In the BTS Navigation Tree field, enter the name of the file you created.
Step 5
Click OK.
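Before placing a custom tree in the navigation directory, it is worth listing which noun and verb pairs it actually exposes. The following is an added example, not part of the original documentation: the function names and the allow-list are hypothetical, the sample tree is constructed from the element names shown on this page, and its nesting and closing tags are assumed because the listings here show only fragments.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names come from the page; the nesting is assumed.
SAMPLE_TREE = """<tree name="restrictedTree">
  <baseurl name="btssearch">
    <urlprefix><![CDATA[/bts/btscompsearch.jsp?_inv=[_inv]&_noun=]]></urlprefix>
  </baseurl>
  <baseurlverbmap base="btssearch" verb="show"/>
  <baseurlverbmap base="btsreset" verb="reset"/>
  <branch name="Restricted Commands">
    <node reskey="bts.subscriber" image="btssearch">
      <url base="btssearch">subscriber</url>
    </node>
    <node reskey="bts.isdn_bchan">
      <url base="btsreset">isdn_bchan</url>
    </node>
  </branch>
</tree>"""

def exposed_commands(xml_text):
    """Return (tree name, sorted [(noun, verb, base)]) for every <node> in the tree."""
    tree = ET.fromstring(xml_text)
    verbs = {m.get("base"): m.get("verb") for m in tree.iter("baseurlverbmap")}
    found = set()
    for node in tree.iter("node"):
        for url in node.iter("url"):
            # The noun is the text before any extra query parameters.
            noun = (url.text or "").strip().split("&")[0]
            base = url.get("base")
            found.add((noun, verbs.get(base), base))
    return tree.get("name"), sorted(found, key=str)

def audit(xml_text, field_value, allowed):
    """List findings: name mismatch, unmapped bases, noun/verb pairs outside `allowed`."""
    name, commands = exposed_commands(xml_text)
    findings = []
    if name != field_value:
        findings.append(f"tree name {name!r} != BTS Navigation Tree field {field_value!r}")
    for noun, verb, base in commands:
        if verb is None:
            findings.append(f"{noun}: base {base!r} has no baseurlverbmap entry")
        elif (noun, verb) not in allowed:
            findings.append(f"{noun}: verb {verb!r} is not in the allow-list")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_TREE, "restrictedTree", {("subscriber", "show")}):
        print(line)
```

The tree only governs what the GUI displays; the commands a group can run are still bounded by the BTS login assigned to the group, as described under Restricting User Access By Group.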
Viewing User History
Because all commands are issued from EPOM, each command appears in the BTS audit logs as being performed by a single BTS user.
The audit.log and trace.log files are on the EPOM server in /var/opt/CSCOepom/logs:
• audit.log--shows you which user issued which command
• audit.log--shows you access denials