This chapter explains how to set up network administrators at the local and regional clusters. The chapter also includes local and regional cluster tutorials for many of the administration features.
The types of functions that network administrators can perform in Cisco Prime IP Express are based on the roles assigned to them. Local and regional administrators can define these roles to provide granularity for the network administration functions. Cisco Prime IP Express predefines a set of base roles that segment the administrative functions. From these base roles you can define further constrained roles that are limited to administering particular addresses, zones, and other network objects.
The mechanism to associate administrators with their roles is to place the administrators in groups that include these roles.
How Administrators Relate to Groups and Roles
There are three administrator objects in Cisco Prime IP Express—administrator, group, and role:
Adding administrators is described in Managing Administrators.
Adding groups is described in Managing Groups.
Adding roles is described in Managing Roles.
There are two basic types of administrators: superusers and specialized administrators:
Tip | You have to create the superuser and password at installation, or when you first log into the web UI. |
For an example of creating a local zone or host administrator, see Create the Administrators.
A license type is associated with each role-subrole combination. A role-subrole is enabled only if that license is available in that cluster.
You can limit an administrator role by applying constraints. For example, you can use the host-admin base role to create a host administrator, named 192.168.50-host-admin, who is constrained to the 192.168.50.0 subnet. The administrator assigned a group that includes this role then logs in with this constraint in effect. Adding roles and subroles is described in Managing Roles.
You can further limit the constraints on roles to read-only access. An administrator can be allowed to read any of the data for that role, but not modify it. However, if the constrained data is also associated with a read-write role, the read-write privilege supersedes the read-only constraints.
Tip | An example of adding role constraints is in Create a Host Administrator Role with Constraints. |
The interplay between DNS and host administrator role assignments is such that you can combine an unconstrained dns-admin role with any host-admin role in a group. For example, combining the dns-admin-readonly role and a host-admin role in a group (and naming the group host-rw-dns-ro) provides full host access and read-only access to zones and RRs. However, if you assign a constrained dns-admin role along with a host-admin role to a group and then to an administrator, the constrained dns-admin role takes precedence, and the administrator privileges at login will preclude any host administration.
Certain roles provide subroles with which you can further limit the role functionality. For example, the local ccm-admin or regional-admin, with just the owner-region subrole applied, can manage only owners and regions. By default, all the possible subroles apply when you create a constrained role.
The predefined roles are described in Table 1 (local), and Table 2 (regional).
Administrator groups are the mechanism used to assign roles to administrators. Hence, a group must consist of one or more administrator roles to be usable. When you first install Cisco Prime IP Express, a predefined group is created to correspond to each predefined role.
Roles with the same base role are combined. A group with an unconstrained dhcp-admin role and a constrained dns-admin role does not change the privileges assigned to the dns-admin role. For example, if one of the roles is assigned unconstrained read-write privileges, the group is assigned unconstrained read-write privileges, even though other roles might be assigned read-only privileges. Therefore, to limit the read-write privileges of a user while allowing read-only access to all data, create a group that includes the unconstrained read-only role along with a constrained read-write role. (See Roles, Subroles, and Constraints for the implementation of host-admin and dns-admin roles combined in a group.)
Cisco Prime IP Express includes a RADIUS client component and an Active Directory (AD) client component, which are integrated with the authentication and authorization modules of the CCM server. To enable external authentication, you must configure a list of external RADIUS servers or an AD server at the local and regional clusters, and ensure that all authorized users are appropriately configured on the respective servers.
When external authentication is enabled, the CCM server handles attempts to log in via the web UI, SDK, or CLI by issuing a RADIUS request to a RADIUS server or an LDAP request to an AD server selected from the configured list. If that server validates the login request, access is granted, and the CCM server creates an authorized session with the group assignments specified by the RADIUS or AD server.
Note | Any administrators defined in the CCM server's database are ignored when external authentication is enabled. Attempting to log in with these usernames and passwords will fail. To disable external authentication, you must remove or disable all the configured external servers or change the auth-type attribute value to Local. |
Tip | If all logins fail because the RADIUS servers are inaccessible or misconfigured, use the local.superusers file to create a temporary username and password. See Managing Administrators for more details. |
Cisco Prime IP Express administrators must be assigned to one or more administrator groups to perform management functions. When using a RADIUS server for external authentication, these are set as a vendor-specific attribute for each user. Using the Cisco vendor id (9), create the Cisco Prime IP Express groups attribute for each administrator, using the format cnr:groups=group1,group2,group3.
For example, to assign an administrator to the built-in groups dhcp-admin-group and dns-admin-group , enter:
cnr:groups=dhcp-admin-group,dns-admin-group
To assign superuser access privileges, the reserved group name superusers is used. To provide superuser privileges to an administrator, enter:
cnr:groups=superusers
Note | You cannot add, delete, or modify external user names and their passwords or groups using Cisco Prime IP Express. You must use the RADIUS server to perform this configuration. |
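As an added example (not Cisco's code), the following Python encodes the cnr:groups value as a Cisco vendor-specific RADIUS attribute and parses it back, applying the rule that the reserved superusers group overrides all other groups. It assumes the value travels as a Cisco-AVPair string (vendor id 9, vendor-type 1) inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865); the attribute bytes are constructed locally, not captured from a real server.

```python
"""Encode/decode the Cisco VSA that carries Prime IP Express group assignments.

Added example, not Cisco's code. Assumption: the cnr:groups=... string is sent
as a Cisco-AVPair (vendor id 9, vendor-type 1) inside a RADIUS Vendor-Specific
attribute (type 26). All bytes below are constructed locally.
"""
import struct

CISCO_VENDOR_ID = 9          # Cisco vendor id (from the page)
CISCO_AVPAIR_TYPE = 1        # Cisco-AVPair vendor-type (assumption)
RADIUS_VSA_TYPE = 26         # Vendor-Specific attribute, RFC 2865 5.26
SUPERUSERS_GROUP = "superusers"   # reserved group name (from the page)
PREFIX = "cnr:groups="


def encode_groups_vsa(groups):
    """Build one Vendor-Specific attribute carrying cnr:groups=<list>."""
    value = (PREFIX + ",".join(groups)).encode("ascii")
    if len(value) + 2 > 253:
        raise ValueError("group list too long for a single VSA")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", RADIUS_VSA_TYPE, len(body) + 2) + body


def parse_cnr_groups(attrs):
    """Return the cnr:groups names found in a blob of RADIUS attributes.

    attrs: concatenated (type, length, value) attributes. Only Cisco VSAs whose
    AVPair starts with 'cnr:groups=' are considered; anything else is skipped.
    Malformed lengths raise ValueError instead of being guessed at.
    """
    groups = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != RADIUS_VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            vvalue = value[j + 2:j + vlen]
            j += vlen
            if vtype != CISCO_AVPAIR_TYPE:
                continue
            text = vvalue.decode("ascii", errors="replace")
            if text.startswith(PREFIX):
                for name in text[len(PREFIX):].split(","):
                    name = name.strip()
                    if name and name not in groups:
                        groups.append(name)
    return groups


def effective_groups(groups):
    """Apply the precedence the page states: superusers overrides all others."""
    if SUPERUSERS_GROUP in groups:
        return [SUPERUSERS_GROUP]
    return list(groups)


if __name__ == "__main__":
    blob = encode_groups_vsa(["dhcp-admin-group", "dns-admin-group"])
    print(parse_cnr_groups(blob))
    print(effective_groups(parse_cnr_groups(
        encode_groups_vsa(["dhcp-admin-group", "superusers"]))))
```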
To add an external configuration server, do the following:
Local Advanced and Regional Web UI
Local Advanced and Regional Web UI
To delete a RADIUS external authentication server, select the server in the RADIUS pane and click the Delete RADIUS icon, then confirm the deletion. You can also cancel the deletion by clicking the Close button.
Cisco Prime IP Express administrators must be assigned to one or more administrator groups to perform management functions. When using an AD server for external authentication, these are set as a vendor-specific attribute for each user. Using the Cisco vendor id (9), create the Cisco Prime IP Express groups attribute for each administrator, using the format cnr:groups=group1,group2,group3.
For example, to assign an administrator to the built-in groups dhcp-admin-group and dns-admin-group, enter:
cnr:groups=dhcp-admin-group,dns-admin-group
To assign superuser access privileges, the reserved group name superusers is used. To provide superuser privileges to an administrator, enter:
cnr:groups=superusers
The superuser privileges override all other groups.
A group must be created to access CPIPE, and the users must be added to that group. Select a user attribute and provide the group information in the format cnr:group1,group2,..
To configure an Active Directory (AD) external authentication server:
For Cisco Prime IP Express to communicate with the AD server, the Kerberos realm and KDC servers are required. To configure the Kerberos realm and KDC servers on Windows and Linux platforms, follow the examples below.
If Cisco Prime IP Express is running on a Windows platform, define a KDC entry for a realm by running the ksetup command:
ksetup /AddKdc <RealmName> [KdcName]
For example: ksetup /AddKdc ECNR.COM tm-chn-ecnr-ad.ecnr.com
To verify the configuration, run:
ksetup /dumpstate
The result should be similar to the message below:
default realm = partnet.cisco.com (NT Domain)
ECNR.COM:
    kdc = tm-chn-ecnr-ad.ecnr.com
    Realm Flags = 0x0 No Realm Flags
No user mappings defined.
If Cisco Prime IP Express is running on a Linux platform, the changes must be made in the krb5.conf file (/etc/krb5.conf), as shown below:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 1d
 default_realm = ECNR.COM
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false
 forwardable = true

[realms]
 ECNR.COM = {
  kdc = <kdc server host name>
  admin_server = <kdc server host name>
 }

[domain_realm]
 .ecnr.com = ECNR.COM
 ecnr.com = ECNR.COM
The rc4-hmac encryption type shown here is a legacy type that RFC 8429 deprecates; keep it only if the AD domain requires it.
To add an external configuration server, do the following:
Local Advanced and Regional Web UI
Step 1 | From the Administration menu, choose Active Directory under the External Authentication submenu. The List/Add Active Directory Server page is displayed. |
Step 2 | Click the Add Active Directory icon in the Active Directory pane. In the External Authentication dialog box, enter the name, the hostname of the server, and the domain you want to configure as the external authentication server; you can also set the base domain, the LDAP user attribute map, and the AD group name that will be used for communicating with this server. Then click Add External Authentication Server. |
Step 3 | Change the auth-type attribute to Active Directory in the Manage Server page, click Save and then restart Cisco Prime IP Express. |
To create an external authentication server, use auth-server name create address [attribute=value].
Local Advanced and Regional Web UI
To delete an AD external authentication server, select the server in the AD pane and click the Delete Active Directory icon, then confirm the deletion. You can also cancel the deletion by clicking the Close button.
When you first log in, Cisco Prime IP Express will have one administrator—the superuser account. This superuser can exercise all the functions of the web UI and usually adds the other key administrators. However, ccm-admin and regional-admin administrators can also add, edit, and delete administrators. Creating an administrator requires:
Tip | If you accidentally delete all the roles by which you can log into Cisco Prime IP Express (those having superuser, ccm-admin, or regional-admin privileges), you can recover by creating a username/password pair in the install-path/conf/priv/local.superusers file. You must create this file, have write access to it, and include a line in it with the format username password. Use this username and password for the next login session. Note, however, that using the local.superusers file causes reduced security. Therefore, use this file only in emergencies such as when temporarily losing all login access. After you log in, create a superuser account in the usual way, then delete the local.superusers file or its contents. You must create a new administrator account for each individual, to track administrative changes. |
To add an administrator, do the following:
Step 1 | From the Administration menu, choose Administrators under the User Access submenu. This opens the List/Add Administrators page (see Create the Administrators for an example). |
Step 2 | Click the Add Administrator icon in the Administrators pane, enter a name and password in the Add Admin dialog box, then click Add Admin. |
Step 3 | Choose one or more existing groups from the Groups Available list (or whether the administrator should be a superuser), then click Save. |
To edit an administrator, select the administrator in the Administrators pane, modify the name, password, superuser status, or group membership on the Edit Administrator page, then click Save. The active group or groups should be in the Selected list.
To delete an administrator, select the administrator in the Administrators pane, click the Delete icon, and then confirm or cancel the deletion.
Passwords are key to administrator access to the web UI and CLI. In the web UI, you enter the password on the Login page. In the CLI, you enter the password when you first invoke the nrcmd program. The local or regional CCM administrator or superuser can change any administrator password.
You can prevent exposing a password on entry. In the web UI, logging in or adding a password never exposes it on the page, except as asterisks. In the CLI, you can prevent exposing the password by creating an administrator, omitting the password, then using admin name enterPassword, where the prompt displays the password as asterisks. You can do this instead of the usual admin name set password command that exposes the password as plain text.
Administrators can change their own passwords on clusters. If you want the password change propagated from the regional server to all local clusters, log into the regional cluster. First ensure that your session admin-edit-mode is set to synchronous, and then update your password.
Note | The password should not be more than 255 characters long. |
A superuser, ccm-admin, or regional-admin can create, edit, and delete administrator groups. Creating an administrator group involves:
To add a group, do the following:
Step 1 | From the Administration menu, choose Groups under the User Access submenu. This opens the List/Add Administrator Groups page (see the Create a Group to Assign to the Host Administrator for an example). |
Step 2 | Click the Add Groups icon in the Groups pane, enter a name and an optional description in the Add Group dialog box, then click Add CCMAdminGroup. |
Step 3 | Choose one or more existing roles from the Roles Available list and then click Save. |
To edit a group, click the name of the group that you want to edit in the Groups pane to open the Edit Administrator Group page. You can modify the name, description, or role membership in this page. You can view the active roles in the Selected list.
To delete a group, select the group in the Groups pane, click the Delete icon, and then confirm the deletion. Click Cancel in the confirmation window to cancel the deletion.
A superuser, ccm-admin, or regional-admin administrator can create, edit, and delete administrator roles. Creating an administrator role involves:
To add a role, do the following:
Step 1 | From the Administration menu, choose Roles under the User Access submenu. This opens the List/Add Administrator Roles page. |
Step 2 | Click the Add Role icon in the Roles pane, enter a name in the Add Roles dialog box, and click Add Role. |
Step 3 | On the List/Add Administrator Roles page, specify any role constraints, subrole restrictions, or group selections, then click Save. |
Step 1 | From the Administration menu, choose Roles under the User Access submenu. This opens the List/Add Administrator Roles page. |
Step 2 | Click the Add Role icon in the Roles pane, enter a name, and a base role in the Add Roles dialog box and click Add Role. |
Step 3 | On the List/Add Administrator Roles page, specify any role constraints, subrole restrictions, or group selections, then click Save. |
To edit a role, select the role in the Roles pane, then modify the name or any constraints, subrole restrictions, or group selections on the Edit Administrator Role page. The active subroles or groups should be in the Selected list. Click Save.
To delete a role, select the role in the Roles pane, click the Delete icon, and then confirm the deletion.
Note | You cannot delete the default roles. |
To add and edit administrator roles, use role name create base-role (see the role command in the CLIGuide.html file in the /docs directory for syntax and attribute descriptions). The base roles have default groups associated with them. To add other groups, set the groups attribute (a comma-separated string value).
Granular administration prevents unauthorized users from accidentally making a change on zones, address blocks, subnets, and router interfaces. It also ensures that only authorized users view or modify specific scopes, prefixes, and links. Granular administration constrains administrators to a specific set of scopes, prefixes, and links. A constrained administrator can view or make changes to authorized scope, prefix, and link objects only. The CCM server uses owner and region constraints to authorize and filter IPv4 address space objects and DNS zone related objects (CCMZone, CCMReverseZone, CCMSecondaryZone, CCMRRSet, and CCMHost). The zones are constrained by owners and regions. Owner or region attributes on the CCMSubnet control access to scopes. Also, owner or region attributes on the Prefix and Link objects control access to prefixes and links.
Step 1 | From the Administration menu, choose Roles to open the List/Add Administrator Roles page. |
Step 2 | Click the Add Role icon in the Roles pane, enter a name for the custom role, for example, my-dhcp, and choose dhcp-admin from the Role drop-down list and click Add Role. |
Step 3 | Click the True or False radio button as necessary on the Add DHCP Administrator Role page. |
Step 4 | Choose the required sub roles in the Available field and move them to the Selected field. |
Step 5 | Click Add Constraint. |
Step 6 | Click Save. The name of the custom role appears on the list of roles in the List/Add Administrator Roles page. |
A dhcp-admin user can view or modify a scope if any of the following conditions is met:
Owner of the subnet for the scope matches the dhcp-admin owner.
Region of the subnet for the scope matches the region role constraints.
Owner or region of the parent address block matches the dhcp-admin owner or region role constraints. Note that the most immediate parent address block that has owner or region defined takes precedence.
The following conditions are also valid:
If the matching owner or region constraint is marked as read-only, you can only view the scope.
If a scope has a primary network defined, the primary subnet and its parent address block owner or region constraints override secondary subnets.
If no parent subnet or address block defines owner or region constraints, then you can access the scope.
If you are an unconstrained dhcp-admin user, you can have access to all scopes.
Note | These hierarchical authorization checks for dhcp-admin owner/region constraints are applicable to scopes, subnets, and parent address blocks. Identical hierarchical authorization checks for addrblock-admin owner/region constraints apply to address blocks and subnets. If you have dhcp-admin and the addrblock-admin privileges, you can access address blocks and subnets, if either of the roles allow access. |
Parent CCMAddrBlock 10.0.0.0/8 has owner 'blue' set.
Scope 'A' has subnet 10.0.0.0/24, whose parent CCMSubnet has owner 'red'.
Scope 'B' has subnet 10.0.1.0/24, whose parent CCMSubnet has no owner set.
Scope 'C' has subnet 10.10.0.0/24, whose parent CCMSubnet has owner 'green' and primary-subnet 10.0.0.0/24.
Scope 'D' has subnet 100.10.0.0/24, whose parent CCMSubnet has owner unset, and no parent block.
Scope 'A' owner is 'red'.
Scope 'B' owner is 'blue'.
Scope 'C' owner is 'red'.
Scope 'D' owner is unset. Only unconstrained users can access this scope.
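The following Python models the owner-based hierarchical check described above, run on the page's own example data; it is an added example, not Cisco's code, and the class and function names (AddrBlock, Subnet, Scope, effective_owner, access_level) and the access-level strings are assumptions. Region constraints follow the same rule and are left out for brevity.

```python
"""Model of the dhcp-admin owner check for scopes described on the page.

Added example, not Cisco's code. The data structures and the access-level
strings are assumptions; the blocks, subnets and scopes are the constructed
values from the page's example.
"""
import ipaddress


class AddrBlock:
    """A CCMAddrBlock with an optional owner."""
    def __init__(self, cidr, owner=None):
        self.net = ipaddress.ip_network(cidr)
        self.owner = owner


class Subnet:
    """A CCMSubnet with an optional owner."""
    def __init__(self, cidr, owner=None):
        self.net = ipaddress.ip_network(cidr)
        self.owner = owner


class Scope:
    """A DHCP scope on a subnet, optionally bound to a primary subnet."""
    def __init__(self, name, subnet, primary_subnet=None):
        self.name = name
        self.subnet = subnet
        self.primary_subnet = primary_subnet


def _parent_block_owner(subnet, blocks):
    """Owner of the most immediate parent address block that defines one."""
    parents = [b for b in blocks if subnet.net.subnet_of(b.net) and b.owner]
    if not parents:
        return None
    # the most specific (longest prefix) parent block takes precedence
    return max(parents, key=lambda b: b.net.prefixlen).owner


def effective_owner(scope, subnets, blocks):
    """Resolve the owner that governs a scope, or None if nothing defines one.

    A primary subnet, when defined, overrides the scope's own subnet. The
    subnet's owner wins; otherwise the nearest parent address block with an
    owner; otherwise None (only unconstrained users may access the scope).
    """
    target = scope.primary_subnet or scope.subnet
    subnet = subnets.get(target) or Subnet(target)
    if subnet.owner:
        return subnet.owner
    return _parent_block_owner(subnet, blocks)


def access_level(admin_owner, read_only, scope, subnets, blocks):
    """Return 'read-write', 'read-only' or 'none' for a dhcp-admin user.

    admin_owner None means an unconstrained dhcp-admin, who sees every scope.
    """
    if admin_owner is None:
        return "read-write"
    owner = effective_owner(scope, subnets, blocks)
    if owner is None or owner != admin_owner:
        return "none"
    return "read-only" if read_only else "read-write"


# Constructed data reproducing the page's example
BLOCKS = [AddrBlock("10.0.0.0/8", owner="blue")]
SUBNETS = {
    "10.0.0.0/24": Subnet("10.0.0.0/24", owner="red"),
    "10.0.1.0/24": Subnet("10.0.1.0/24"),
    "10.10.0.0/24": Subnet("10.10.0.0/24", owner="green"),
    "100.10.0.0/24": Subnet("100.10.0.0/24"),
}
SCOPES = {
    "A": Scope("A", "10.0.0.0/24"),
    "B": Scope("B", "10.0.1.0/24"),
    "C": Scope("C", "10.10.0.0/24", primary_subnet="10.0.0.0/24"),
    "D": Scope("D", "100.10.0.0/24"),
}


def resolve_all():
    """Effective owner of every example scope."""
    return {n: effective_owner(s, SUBNETS, BLOCKS) for n, s in SCOPES.items()}


if __name__ == "__main__":
    print(resolve_all())  # {'A': 'red', 'B': 'blue', 'C': 'red', 'D': None}
    for name, scope in SCOPES.items():
        print(name, access_level("red", True, scope, SUBNETS, BLOCKS))
```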
To add scopes, do the following:
Step 1 | From the Design menu, choose Scopes under the DHCPv4 submenu to open the List/Add DHCP Scopes page. |
Step 2 | Click the Add Scopes icon in the Scopes pane, enter a name, subnet, and primary subnet, choose a policy, and enter a selection-tag-list in the Add DHCP Scope dialog box. |
Step 3 | Click Add DHCP Scope. The List/Add DHCP Scopes page appears. |
Step 4 | Enter values for the fields or attributes as necessary. |
Step 5 | To unset any attribute value, check the check box in the Unset? column, then click Unset Fields at the bottom of the page. |
Step 6 | Click Save to add the scope, or Revert to cancel the changes. |
You can view or modify a prefix, if you have either of the following:
You can view or modify a prefix if any of the following conditions is true:
Link 'BLUE' has owner 'blue' set.
Parent Prefix 'GREEN' has owner 'green' set.
Prefix 'A' has owner 'red' set, no parent prefix, and no parent link.
Prefix 'B' has owner 'yellow' set, parent Prefix 'GREEN', and parent link 'BLUE'.
Prefix 'C' has no owner set, parent prefix 'GREEN', and no parent link.
Prefix 'D' has no owner set, no parent prefix, and no parent link.
Prefix 'A' owner is 'red'.
Prefix 'B' owner is 'blue'.
Prefix 'C' owner is 'green'.
Prefix 'D' owner is unset. Only unconstrained users can access this prefix.
To view unified v6 address space, do the following:
Step 1 | From the Design menu, choose Address Tree under the DHCPv6 submenu to open the DHCP v6 Address Tree page. |
Step 2 | View a prefix by adding its name, address, and range, then choosing a DHCP type and possible template (see the "Viewing IPv6 Address Space" section in the Cisco Prime IP Express 8.3 DHCP User Guide). |
Step 3 | Choose the owner from the owner drop-down list. |
Step 4 | Choose the region from the region drop-down list. |
Step 5 | Click Add Prefix. The newly added Prefix appears on the DHCP v6 Address Tree page. |
To list or add DHCP prefixes, do the following:
Step 1 | From the Design menu, choose Prefixes under the DHCPv6 submenu to open the List/Add DHCP v6 Prefixes page. |
Step 2 | Click the Add Prefixes icon in the Prefixes pane, enter a name, address, and range for the prefix, then choose the DHCP type and possible template. |
Step 3 | Choose the owner from the owner drop-down list. |
Step 4 | Choose the region from the region drop-down list. |
Step 5 | Click Add IPv6 Prefix. The newly added Prefix appears on the List Prefixes page. |
You can view or modify a link if:
If you are an unconstrained user, then you have access to all links.
The following is an example of Link Level Constraints:
Link 'BLUE' has owner 'blue' set.
Link 'ORANGE' has owner unset.
Link 'BLUE' owner is 'blue'.
Link 'ORANGE' owner is unset. Only unconstrained users can access this link.
To add links, do the following:
Step 1 | From the Design menu, choose Links under the DHCPv6 submenu to open the List/Add DHCP v6 Links page. |
Step 2 | Click the Add Links icon in the Links pane, enter a name, then choose the link type, and enter a group. |
Step 3 | Click Add Link. The newly added DHCPv6 Link appears on the List/Add DHCP v6 Links page. |
As a regional or local CCM administrator, you can:
Each of these functions involves having at least one regional CCM administrator subrole defined. The following table describes the subroles required for these operations.
Central Administrator Management Action | Required Regional Subroles
---|---
Create, modify, push, pull, or delete administrators | authentication
Create, modify, push, pull, or delete groups or roles | authorization
Create, modify, push, pull, or delete groups or roles with associated owners or regions | authorization, owner-region
Create, modify, push, pull, or delete external authentication servers | authentication
You can push administrators to, and pull administrators from local clusters on the List/Add Administrators page in the regional cluster web UI.
You can create administrators with both local and regional roles at the regional cluster. However, you can push or pull only associated local roles, because local clusters do not recognize regional roles.
Pushing Administrators to Local Clusters
Pushing administrators to local clusters involves choosing one or more clusters and a push mode.
Step 1 | From the Administration menu, choose Administrators. |
Step 2 | On the List/Add Administrators page, click the Push All icon in the Administrators pane to push all the administrators listed on the page. This opens the Push Data to Local Clusters dialog box. |
Step 3 | Choose a push mode by clicking one of the Data Synchronization Mode radio buttons. If you are pushing all the administrators, you can choose Ensure, Replace, or Exact. If you are pushing a single administrator, you can choose Ensure or Replace. In both cases, Ensure is the default mode. You would choose Replace only if you want to replace the existing administrator data at the local cluster. You would choose Exact only if you want to create an exact copy of the administrator database at the local cluster, thereby deleting all administrators that are not defined at the regional cluster. |
Step 4 | Choose one or more local clusters in the Available field of the Destination Clusters and move it or them to the Selected field. |
Step 5 | Click Push Data to Clusters. |
Step 6 | On the View Push Data Report dialog box, view the push details, then click OK to return to the List/Add Administrators page. |
You can automatically push new user name and password changes from the regional cluster to the local clusters. To do this, you must enable the synchronous edit mode in the regional cluster. The edit mode can be set for the current web UI session, or set as the default for all users in the CCM server configuration.
When synchronous mode is set, all the subsequent changes to user name and password are synchronized with local clusters. You can modify your password on the regional server, and this change is automatically propagated to local clusters.
If you are an admin user, you can make multiple changes to the user credentials on the regional cluster. All these changes are automatically pushed to local clusters.
Step 1 | From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. |
Step 2 | Click the Local CCM Server link in the Manage Servers pane to open the Edit CCM Server page. |
Step 3 | Choose the synchronous radio buttons for the regional edit mode values for admin, dhcp, and dns. |
Step 4 | Choose the webui mode value from the webui-mode drop-down list. |
Step 5 | Enter the idle-timeout value. |
Step 6 | To unset any attribute value, check the check box in the Unset? column, then click Unset Fields at the bottom of the page. Click Save to apply the changes, or Cancel to cancel them. |
You must connect to the CLI in Regional Mode. The -R flag is required for regional mode. To set the synchronous edit mode:
nrcmd-R> session set admin-edit-mode=synchronous
Pulling administrators from the local clusters is mainly useful only in creating an initial list of administrators that can then be pushed to other local clusters. The local administrators are not effective at the regional cluster itself, because these administrators do not have regional roles assigned to them.
When you pull an administrator, you are actually pulling it from the regional cluster replica database. Creating the local cluster initially replicates the data, and periodic polling automatically updates the replication. However, to ensure that the replica data is absolutely current with the local cluster, you can force an update before pulling the data.
Step 1 | From the Administration menu, choose Administrators under the User Access submenu. |
Step 2 | On the List/Add Administrators page, click Pull Replica on the Administrators pane. This opens the Select Replica Administrator Data to Pull dialog box. |
Step 3 | Click the Replicate icon in the Update Replica Data column for the cluster. (For the automatic replication interval, see Replicating Local Cluster Data.) |
Step 4 | Choose a replication mode using one of the Mode radio buttons. In most cases, you would leave the default Replace mode enabled, unless you want to preserve any existing administrator properties already defined at the regional cluster by choosing Ensure, or create an exact copy of the administrator database at the local cluster by choosing Exact (not recommended). |
Step 5 | Click Pull Core Administrators next to the cluster, or expand the cluster name and click Pull Administrator to pull an individual administrator in the cluster. |
Step 6 | On the Select Replica Admin Data to Pull dialog box, view the change set data, then click OK. You return to the List/Add Administrators page with the pulled administrators added to the list. |
To push external authentication servers to the local cluster, do the following:
Regional Advanced Web UI
Step 1 | From the Administration menu, choose RADIUS under the External Authentication submenu to view the List/Add RADIUS Server page in the regional web UI. |
Step 2 | Click the Push All icon in the RADIUS pane to push all the external authentication servers listed on the page, or Push to push an individual external authentication server. This opens the Push Data to Local Clusters dialog box. |
Step 3 | Choose a push mode using one of the Data Synchronization Mode radio buttons. |
Step 4 | Click Push Data to Clusters. |
To pull the external authentication server data from the local cluster, do the following:
Regional Advanced Web UI
Step 1 | From the Administration menu, choose RADIUS under the External Authentication submenu to view the List/Add RADIUS Server page in the regional web UI. |
Step 2 | On the List/Add RADIUS Server page, click Pull Data on the RADIUS pane. This opens the Select Replica External Authentication Server Data to Pull dialog box. |
Step 3 | Click the Replica icon in the Update Replica Data column for the cluster. (For the automatic replication interval, see Replicating Local Cluster Data.) |
Step 4 | Choose a replication mode using one of the Mode radio buttons. Leave the default Replace mode enabled, unless you want to preserve any existing external authentication server properties at the local cluster by choosing Ensure. |
Step 5 | Click Pull All External Authentication Servers next to the cluster. |
Step 6 | On the Report Pull Replica Authentication servers page, view the pull details, then click Run. On the Run Pull Replica Authentication servers page, view the change set data, then click OK. You return to the List/Add Authentication Server page with the pulled external authentication servers added to the list. |
To push external authentication servers to the local cluster, do the following:
Regional Advanced Web UI
Step 1 | From the Administration menu, choose Active Directory under the External Authentication submenu to view the List/Add Active Directory Server page in the regional web UI. |
Step 2 | Click Push to push the external authentication server. This opens the Push Data to Local Clusters dialog box. |
Step 3 | Choose a push mode using one of the Data Synchronization Mode radio buttons. Choose Replace only if you want to replace the existing external authentication server data at the local cluster. Choose Exact only if you want to create an exact copy of the external authentication server data at the local cluster, thereby deleting all external authentication servers that are not defined at the regional cluster. |
Step 4 | Click Push Data to Clusters. |
Regional Advanced Web UI
Step 1 | From the Administration menu, choose Active Directory under the External Authentication submenu to view the List/Add Active Directory Server page in the regional web UI. |
Step 2 | On the List/Add Active Directory Server page, click Pull Data on the Active Directory pane. This opens the Select Replica External Authentication Server Data to Pull dialog box. |
Step 3 | Click the Replica icon in the Update Replica Data column for the cluster. (For the automatic replication interval, see Replicating Local Cluster Data.) |
Step 4 | Choose a replication mode using one of the Mode radio buttons. Leave the default Replace mode enabled, unless you want to preserve any existing external authentication server properties at the local cluster by choosing Ensure. |
Step 5 | Click Pull All External Authentication Servers next to the cluster. |
Step 6 | On the Report Pull Replica Authentication Servers page, view the pull details, then click Run. On the Run Pull Replica Authentication Servers page, view the change set data, then click OK. You return to the List/Add Authentication Server page with the pulled external authentication servers added to the list. |
Pushing and pulling groups is vital in associating administrators with a consistent set of roles at the local clusters. You can push groups to, and pull groups from, local clusters on the List/Add Administrator Groups page in the regional cluster web UI.
Pushing groups to local clusters involves choosing one or more clusters and a push mode.
Step 1 | From the Administration menu, choose Groups under the User Access submenu. |
Step 2 | On the List/Add Administrator Groups page, click the Push All icon on Groups pane to push all the groups listed on the page, or Push to push an individual group. This opens the Push Data to Local Clusters dialog box. |
Step 3 | Choose a push mode using one of the Data Synchronization Mode radio buttons. If you are pushing all the groups, you can choose Ensure, Replace, or Exact. If you are pushing a single group, you can choose Ensure or Replace. In both cases, Ensure is the default mode. You would choose Replace only if you want to replace the existing group data at the local cluster. You would choose Exact only if you want to create an exact copy of the group data at the local cluster, thereby deleting all groups that are not defined at the regional cluster. |
Step 4 | By default, the associated roles and owners are pushed along with the group. Roles are pushed in Replace mode and owners in Ensure mode. To disable pushing the associated roles or owners, uncheck the respective check box. |
Step 5 | Choose one or more local clusters in the Available field of the Destination Clusters and move it or them to the Selected field. |
Step 6 | Click Push Data to Clusters. |
Step 7 | On the View Push Group Data Report page, view the push details, then click OK to return to the List/Add Administrator Groups page. |
Pulling administrator groups from the local clusters is mainly useful only in creating an initial list of groups that can then be pushed to other local clusters. The local groups are not useful at the regional cluster itself, because these groups do not have regional roles assigned to them.
When you pull a group, you are actually pulling it from the regional cluster replica database. Creating the local cluster initially replicates the data, and periodic polling automatically updates the replication. However, to ensure that the replica data is absolutely current with the local cluster, you can force an update before pulling the data.
Step 1 | From the Administration menu, choose Groups under the User Access submenu. |
Step 2 | On the List/Add Administrator Groups page, click the Pull Replica icon on Groups pane. This opens the Select Replica CCMAdminGroup Data to Pull dialog box. |
Step 3 | Click the Replica icon in the Update Replica Data column for the cluster. (For the automatic replication interval, see Replicating Local Cluster Data.) |
Step 4 | Choose a replication mode using one of the Mode radio buttons. In most cases, you would leave the default Replace mode enabled, unless you want to preserve any existing group properties at the local cluster by choosing Ensure, or create an exact copy of the group data at the local cluster by choosing Exact (not recommended). |
Step 5 | Click Pull Core Groups next to the cluster, or expand the cluster name and click Pull Group to pull an individual group in the cluster. |
Step 6 | On the Report Pull Replica Groups page, view the pull details, then click Run. |
Step 7 | On the Run Pull Replica Groups page, view the change set data, then click OK. You return to the List/Add Administrator Groups page with the pulled groups added to the list. |
You can push roles to, and pull roles from, local clusters on the List/Add Administrator Roles page in the regional cluster web UI. You can also push associated groups and owners, and pull associated owners, depending on your subrole permissions (see Table 1).
Pushing administrator roles to local clusters involves choosing one or more clusters and a push mode.
Step 1 | From the Administration menu, choose Roles under the User Access submenu. |
Step 2 | On the List/Add Administrator Roles page, click the Push All icon in the Roles pane to push all the roles listed on the page, or Push to push an individual role. This opens the Push Data to Local Clusters dialog box. |
Step 3 | Choose a push mode using one of the Data Synchronization Mode radio buttons. If you are pushing all the roles, you can choose Ensure, Replace, or Exact. If you are pushing a single role, you can choose Ensure or Replace. In both cases, Ensure is the default mode. You would choose Replace only if you want to replace the existing role data at the local cluster. You would choose Exact only if you want to create an exact copy of the role data at the local cluster, thereby deleting all roles that are not defined at the regional cluster. |
Step 4 | By default, the associated groups and owners are pushed along with the role. Groups are pushed in Replace mode and owners in Ensure mode. To disable pushing the associated groups or owners, uncheck the respective check box. |
Step 5 | Choose one or more local clusters in the Available field of the Destination Clusters and move it or them to the Selected field. |
Step 6 | Click Push Data to Clusters. |
Step 7 | On the View Push Role Data Report page, view the push details, then click OK to return to the List/Add Administrator Roles page. |
Pulling administrator roles from the local clusters is mainly useful only in creating an initial list of roles that can then be pushed to other local clusters. The local roles are not useful at the regional cluster itself.
When you pull a role, you are actually pulling it from the regional cluster replica database. Creating the local cluster initially replicates the data, and periodic polling automatically updates the replication. However, to ensure that the replica data is absolutely current with the local cluster, you can force an update before pulling the data.
Step 1 | From the Administration menu, choose Roles under the User Access submenu. |
Step 2 | On the List/Add Administrator Roles page, click the Pull Replica icon in the Roles pane. This opens the Select Replica Administrator Role Data to Pull dialog box. |
Step 3 | Click the Replica icon in the Update Replica Data column for the cluster. (For the automatic replication interval, see Replicating Local Cluster Data.) |
Step 4 | Choose a replication mode using one of the Mode radio buttons. In most cases, you would leave the default Replace mode enabled, unless you want to preserve any existing role properties at the local cluster by choosing Ensure, or create an exact copy of the role data at the local cluster by choosing Exact (not recommended). |
Step 5 | If you have the owner-region subrole permission, you can decide if you want to pull all the associated owners with the role, which is always in Ensure mode. This choice is enabled by default. |
Step 6 | Click Pull Core Roles next to the cluster, or expand the cluster name and click Pull Role to pull an individual role in the cluster. |
Step 7 | On the Report Pull Replica Roles page, view the pull details, then click Run. |
Step 8 | On the Run Pull Replica Roles page, view the change set data, then click OK. You return to the List/Add Administrator Roles page with the pulled roles added to the list. |
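The Ensure, Replace and Exact modes used in the push and pull procedures above behave the same way whether the objects are external authentication servers, groups or roles. The following Python model is an added example, not Cisco Prime IP Express code or its API. It assumes the mode semantics exactly as the page describes them (Ensure adds only what is missing, Replace also overwrites objects that exist on both sides, Exact deletes whatever is not defined at the regional cluster), models a cluster's groups, roles and owners as dicts keyed by object name, and uses constructed sample names. It also shows a check a practitioner would want before choosing Exact: which local-only groups the push would delete.

```python
"""Model of the Ensure, Replace and Exact data synchronization modes.

Added illustration only: this is not Cisco Prime IP Express code and does not use
its API. A cluster's groups, roles and owners are modelled as dicts keyed by
object name, and the sample data below is constructed for the example.
"""
from copy import deepcopy

ENSURE, REPLACE, EXACT = "Ensure", "Replace", "Exact"


def sync_objects(regional: dict, local: dict, mode: str) -> dict:
    """Return the local object set after pushing the regional set in the given mode.

    Ensure:  add objects missing at the local cluster; existing local objects are untouched.
    Replace: add missing objects and overwrite local objects that also exist regionally.
    Exact:   make the local set identical to the regional set, deleting local-only objects.
    """
    if mode == ENSURE:
        merged = deepcopy(local)
        for name, obj in regional.items():
            merged.setdefault(name, deepcopy(obj))
        return merged
    if mode == REPLACE:
        merged = deepcopy(local)
        merged.update(deepcopy(regional))
        return merged
    if mode == EXACT:
        return deepcopy(regional)
    raise ValueError(f"unknown synchronization mode: {mode}")


def deleted_by_exact(regional: dict, local: dict) -> list:
    """Names of local objects an Exact push would delete; review this list before pushing."""
    return sorted(set(local) - set(regional))


def push_groups(regional: dict, local: dict, mode: str,
                push_roles: bool = True, push_owners: bool = True) -> dict:
    """Push all regional groups to a local cluster.

    Mirrors the page's description: the roles associated with the pushed groups ride
    along in Replace mode and the associated owners in Ensure mode, and either can be
    switched off.
    """
    new_state = deepcopy(local)
    new_state["groups"] = sync_objects(regional["groups"], local["groups"], mode)
    if push_roles:
        role_names = {r for g in regional["groups"].values() for r in g["roles"]}
        assoc_roles = {n: regional["roles"][n] for n in role_names}
        new_state["roles"] = sync_objects(assoc_roles, local["roles"], REPLACE)
    if push_owners:
        owner_names = {o for g in regional["groups"].values() for o in g["owners"]}
        assoc_owners = {n: regional["owners"][n] for n in owner_names}
        new_state["owners"] = sync_objects(assoc_owners, local["owners"], ENSURE)
    return new_state


# Constructed sample state (group, role and owner names are made up for the example).
REGIONAL = {
    "groups": {
        "dns-admins": {"roles": ["dns-admin"], "owners": ["east"]},
        "dhcp-admins": {"roles": ["dhcp-admin"], "owners": ["east"]},
    },
    "roles": {
        "dns-admin": {"base": "dns-admin", "constraints": ["example.com"]},
        "dhcp-admin": {"base": "dhcp-admin", "constraints": []},
    },
    "owners": {"east": {"contact": "east-noc"}},
}

LOCAL = {
    "groups": {
        # Drifted: a role was added locally that the regional copy does not have.
        "dns-admins": {"roles": ["dns-admin", "host-admin"], "owners": ["east"]},
        # Defined only at the local cluster; an Exact push deletes it.
        "site-ops": {"roles": ["host-admin"], "owners": ["site"]},
    },
    "roles": {
        "dns-admin": {"base": "dns-admin", "constraints": []},
        "host-admin": {"base": "host-admin", "constraints": []},
    },
    "owners": {"east": {"contact": "legacy"}, "site": {"contact": "site-noc"}},
}


if __name__ == "__main__":
    for mode in (ENSURE, REPLACE, EXACT):
        groups = sync_objects(REGIONAL["groups"], LOCAL["groups"], mode)
        print(f"{mode:8} -> groups: {sorted(groups)}; "
              f"dns-admins roles: {groups['dns-admins']['roles']}")
    print("Exact would delete:", deleted_by_exact(REGIONAL["groups"], LOCAL["groups"]))
```

Running the block shows why the page calls Exact "not recommended" for routine pulls: in Ensure mode the locally drifted dns-admins group keeps its extra host-admin role, Replace trims it back to the regional definition while leaving the local-only site-ops group in place, and Exact removes site-ops altogether. Only the Ensure and Replace modes are available when a single group or role is pushed, which matches the page's description of the dialog.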