Disclaimer
The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use of this
document.
Trademark List
All trademarks mentioned herein are the property of their respective owners.
These are shown in the document Trademark Information.
ENM Identity and Access Management System (IdAM) is a set of capabilities for:
— Provisioning of users and their access control management through the
concept of roles and target groups. All ENM users are authenticated and
authorized based on defined access rights.
All Identity and Access Management tasks in ENM can be performed through the
user interface launched from the Launcher page, or through the published
programmatic interface when integrating with an external user management
system. The Identity and Access Management System can be divided into the
following sub-systems:
— Access Control
Access Control
Access Control is a security function in ENM. Its purpose is to protect resources
against unauthorized use.
— Web resources - Every user login session is subject to access control. When a
HTTP request is received, the system checks if it comes from active session
and if the user has access rights to the given web resource.
— ENM application resources - once the web resources have granted access (the
user is logged in), each application checks whether the user is authorized to
use it and which actions can be performed.
— Network Elements - users can connect from ENM to nodes supporting ECIM.
More details are available in the section Access Control for Nodes Supporting
ECIM.
Roles are always assigned to a user together with a target group, but the
target-group restriction only takes effect for COM roles and COM role aliases.
More information about ENM Roles is available in the Role Management on page
9 and its sub-sections. More information about ENM Users is available in the
section User Management on page 4.
— ENM application users access ENM through the web based user interface or
through the REST based northbound interface.
— LITP users have access to the system at the operating system level. These
are machine to machine type users such as litpmgr or puppet and also
includes the generic root user used for system operations and administration.
ENM application users and LITP users have separate authentication domains.
The same userid for a user cannot exist in both domains.
There is one overlap case and that is the case of the field technician. An ENM user
with only the role of FIELD_TECHNICIAN has no entitlements to use ENM
applications but is able to SFTP to a restricted part of the ENM to obtain node
provisioning data. SFTP is a service provided by the operating system, made
accessible through ENM application user management.
A field technician is able to log in via the ENM login page and manage their
password in the same manner as an ENM application user.
It is not permitted to assign the field technician role to an account whose
username is also defined in the LITP domain, that is, in the file /etc/passwd.
Figure: Identity and Access Management applications and their tasks. Target
Group Management. Role Management: Create Aliases, List Roles, List Aliases,
Modify Roles, Delete Roles. User Management: Activate Users, Deactivate Users,
Modify Users.
Each application contains an Online Help that describes in detail the steps
required to perform various security tasks.
— User Management
— Deleting Users
— Duplicating a User
— Filtering Users
— The following user names are reserved and cannot be used:
".", "..", "root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail",
"news", "uucp", "operator", "games", "gopher", "ftp", "nobody", "rpm", "vcsa",
"dbus", "ntp", "canna", "nscd", "rpc", "postfix", "mailman", "named", "amanda",
"postgres", "exim", "sshd", "rpcuser", "nsfnobody", "pvm", "apache", "xfs",
"gdm", "htt", "mysql", "webalizer", "mailnull", "smmsp", "squid", "ldap",
"netdump", "pcap", "radiusd", "radvd", "quagga", "wnn", "dovecot", "litp-admin",
"saslauth", "nfsnobody", "ovirtagent", "cloud-user", "tcpdump", "haproxy",
"enmadm", "jboss_user", "nslcd", "ssouser".
— Only the following character set is permitted when defining user names: a-z,
A-Z, 0-9, _, -, .
To see assigned roles in the User Management UI, click the User Profile menu in
the top right corner, to expand the menu and select View User Profile.
Steps
3. Assign the SECURITY_ADMIN role to the user. For more information about
ENM roles, see Role Management on page 9.
If a user is deleted and re-created in fast sequence there can be some temporary
troubles using such user with AMOS, EM, or Scripting VMs. It is recommended to
wait at least three minutes between the two operations.
Steps
This step is mandatory for Firefox ESR 45.1.1 (or later): without the
certificate it is not possible to access ENM.
Steps
If a user with security administrator privileges loses access to the Launcher
and to User Management, a shell script can be executed to change the status of
the default user "administrator" to enabled.
To generate credentials, the user must first have created an "Entity". For more
information about entities, see the section Public Key Infrastructure of the
document ENM Public Key Infrastructure System Administration Guide,
2/1543-aom 901 151-3.
Steps
3. Create an Entity.
For further information, see the section Public Key Infrastructure System
Administrative Tasks of the document ENM Public Key Infrastructure System
Administrator Guide, 2/1543-aom 901 151-3 Uen.
Session settings (maximum session time, idle session time) can be defined per
user. Such a per-user configuration overrides the common settings from System
Security Configuration.
The NBI interface for per-user session settings allows sessions longer than
those permitted by System Security Configuration (which applies the same
configuration to all users), so a per-user override extends the lifetime of a
stolen session token and should be reviewed like any other privilege.
See the User Management Interface section in ENM Identity and Access
Management Programmers Guide, 19817-cna 403 3016 Uen, for information on
how to configure session settings per user.
The administrator user must be used to create user-specific accounts with the
SECURITY_ADMIN role. Once other accounts with the SECURITY_ADMIN role
exist, the "administrator" account is disabled. The administrator account
cannot be deleted; if the system has authorization issues, the administrator
user can be re-enabled for debugging purposes.
— user name: administrator
— password: <Administrator_Password>
The administrator manages levels of access to the system by creating and editing
user accounts and assigning user roles to those accounts.
Table 1 Default ESM users
S.No | User          | Password      | Role             | Description
1    | esmadmin      | ericssonadmin | Super User Role  | Full access to the system, including User Management.
2    | esmuser       | esmpass       | ESM_ReadOnly     | Read-only; cannot make changes to the system (for example, cannot create an alert or a new user).
3    | esmalertadmin | n1md4tr3l4m53 | ESM_AlertManager | Can create, delete, and alter alerts; cannot create other users.
Note: These default passwords are printed in this document and must be treated
as known to anyone. Change them at first login, before the system is exposed to
its users. See the Changing Default Password for ESM Users section in ENM
System Monitor User Guide, 1/1553-cna 403 3115 Uen, for more information.
Steps
1. Select Administration > Security > Users from the drop-down menu in ENM
System Monitor (ESM).
2. Select the user to edit, or use the New button to add a new user.
Results
A new user account with access to the specified resources on the system is
created.
ENM has a concept of roles which define what a user can do in the system by an
ENM application. There are system roles and application-specific roles which
apply to a single application. There are role aliases which group various roles. It
is also possible to create custom roles to define more specific access rights. A user
can be assigned any combination of the system, application-specific, and custom
roles.
All users in ENM must be assigned at least one role of the following kinds:
— System-wide roles
— Application-specific roles
— Custom roles
System-wide Roles
System-wide roles are:
— ADMINISTRATOR
— OPERATOR
— SECURITY_ADMIN
— FIELD_TECHNICIAN
System-wide roles are named using capital letters only, for instance
ADMINISTRATOR.
— Create new roles (COM Role, COM Role Alias, or Custom Role). In case of
COM Role Alias at least one COM Role needs to be selected, in case of
Custom Role also capabilities can be chosen.
— Display Role Summary to check Description, Role Type, and Status of a given
role.
— Delete roles. Roles that cannot be deleted are: ENM System Roles, roles with
assigned users and COM Roles assigned to one or more COM Role Aliases or
Custom Role.
Application-specific Roles
Application-specific roles follow the naming convention
[ApplicationName]_Administrator or [ApplicationName]_Operator. A user
assigned the role [ApplicationName]_Administrator has the same access rights
as a user assigned the role ADMINISTRATOR, except that the scope is limited to
that single application instead of all applications. Similarly,
[ApplicationName]_Operator has access to the same functionality within an
application as OPERATOR. For more information on application-defined roles,
see Application Specific Roles on page 14.
Custom Roles
Custom roles are roles consisting of a combination of roles and capabilities.
Custom roles allow creation of a fine-grained set of application access rights in
form of resource-action pairs. More information about Custom Roles can be
found in Custom Roles on page 113.
POSIX-based Roles
ENM Roles provide access to ENM System through User Interface (UI) or
Northbound Interface (NBI). There are roles that also allow user to access ENM
by Secure Shell (SSH) connection. For more information on these roles, see
POSIX-Based Roles on page 111.
A Security Administrator can create new COM Roles and COM Role Aliases, where
an alias groups a set of COM Roles (for an alias at least one COM Role must be
selected).
A Security Administrator can also create new roles referred to as Custom Roles.
A custom role is a collection of specific roles and capabilities (resource-action
pairs), not merely a grouping of existing predefined roles.
— The role must start with an alphanumeric character and must end with a
number or a letter.
— Only alpha (upper and lower case), numeric, underscore, dash, dot characters
are allowed.
Role names must comply with the naming policy otherwise they are not created
and an error message is displayed.
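The user-name rules above (permitted character set, reserved names, no collision with the LITP domain in /etc/passwd) and the role-name rules (same character set, alphanumeric first and last character) are easy to get wrong in a provisioning script. The following validator is an added example written for this page; it is not part of ENM or of any Ericsson tool. The reserved-name list is copied from this document, the /etc/passwd excerpt is constructed, and the function names are the author's own.

```python
from __future__ import annotations

import re
from typing import Iterable, List, Set

# Reserved names copied from this document; none of them may be an ENM user name,
# regardless of character set.
RESERVED_USER_NAMES = frozenset({
    ".", "..", "root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt",
    "mail", "news", "uucp", "operator", "games", "gopher", "ftp", "nobody", "rpm",
    "vcsa", "dbus", "ntp", "canna", "nscd", "rpc", "postfix", "mailman", "named",
    "amanda", "postgres", "exim", "sshd", "rpcuser", "nsfnobody", "pvm", "apache",
    "xfs", "gdm", "htt", "mysql", "webalizer", "mailnull", "smmsp", "squid",
    "ldap", "netdump", "pcap", "radiusd", "radvd", "quagga", "wnn", "dovecot",
    "litp-admin", "saslauth", "nfsnobody", "ovirtagent", "cloud-user", "tcpdump",
    "haproxy", "enmadm", "jboss_user", "nslcd", "ssouser",
})

# Character set permitted for both user names and role names: a-z, A-Z, 0-9, _, -, .
ALLOWED_CHARS_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
ALNUM_RE = re.compile(r"^[A-Za-z0-9]$")


def posix_user_names(passwd_text: str) -> Set[str]:
    """Return the login names found in /etc/passwd-formatted text (the LITP domain)."""
    names: Set[str] = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def validate_user_name(name: str, posix_users: Iterable[str] = ()) -> List[str]:
    """Return the policy violations for a proposed ENM application user name.

    An empty list means the name is acceptable. posix_users holds the names of
    the LITP (operating-system) domain; a user id may not exist in both domains.
    """
    if not name:
        return ["user name is empty"]
    problems: List[str] = []
    if not ALLOWED_CHARS_RE.match(name):
        problems.append("only a-z, A-Z, 0-9, '_', '-' and '.' are permitted")
    if name in RESERVED_USER_NAMES:
        problems.append(f"'{name}' is a reserved name")
    if name in set(posix_users):
        problems.append(f"'{name}' already exists in the LITP (OS) authentication domain")
    return problems


def validate_role_name(name: str) -> List[str]:
    """Return the policy violations for a proposed COM/custom role name."""
    if not name:
        return ["role name is empty"]
    problems: List[str] = []
    if not ALLOWED_CHARS_RE.match(name):
        problems.append("only alpha, numeric, underscore, dash and dot characters are allowed")
    if not ALNUM_RE.match(name[0]):
        problems.append("role name must start with an alphanumeric character")
    if not ALNUM_RE.match(name[-1]):
        problems.append("role name must end with a letter or a number")
    return problems


if __name__ == "__main__":
    # Constructed /etc/passwd excerpt standing in for the LITP domain.
    SAMPLE_PASSWD = (
        "root:x:0:0:root:/root:/bin/bash\n"
        "litpmgr:x:1001:1001::/home/litpmgr:/bin/bash\n"
    )
    litp_users = posix_user_names(SAMPLE_PASSWD)
    for candidate in ("alice.ops", "litpmgr", "root", "bob ops"):
        print(candidate, validate_user_name(candidate, litp_users) or "OK")
    for role in ("Custom_Role-1", "_role", "role."):
        print(role, validate_role_name(role) or "OK")
```

Run the checks before the account or role is submitted, since ENM rejects a non-conforming role name with an error message but says nothing about why a user name that shadows an OS account is dangerous.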
Table 2
A user assigned the ADMINISTRATOR role has unrestricted access to all ENM
applications except User Management, Role Management, and System Security
Configuration. Access to those three applications is given only to users with
the SECURITY_ADMIN role, who are entitled to fully manage the security aspects
of the ENM system. A user that has both roles has access to all available ENM
applications.
If a user with security administrator privileges loses access to the launcher and
user management applications, it is possible to execute a shell script to change
the status of the default user "administrator" to enabled.
Refer to the Enable Default Administrator User in the ENM Security Management
Troubleshooting Guide, 1/15901-aom 901 151-4 Uen.
The application Operator and application Administrator roles afford the users the
same privileges as the system-wide OPERATOR and ADMINISTRATOR roles
except the scope is limited to the specific application.
A user that is assigned the application Operator role has a subset of privileges
compared to a user that is assigned the application Administrator role.
The application Administrator role affords the user unrestricted access to the
application.
The following table shows how individual use cases in applications map to
Application and Predefined Roles.
Table 3 Mapping of ENM CLI use cases to predefined and application roles
Application | Action / Command | ADMINISTRATOR | OPERATOR | SECURITY_ADMIN | Application_Admin/Operator roles exist
ENM CLI     | cmedit create    | yes           | yes      | no             | yes
ENM CLI     | cmedit get       | yes           | yes      | no             | yes
ENM CLI     | cmedit set       | yes           | no       | no             | yes
ENM CLI     | cmedit delete    | yes           | no       | no             | yes
This section describes the Role Based Application Control (RBAC) functionality of
Credential Manager (CREDM).
CREDM supports two application-specific roles:
— Credm_Administrator
— Credm_Operator
— credm
— read - List certificate data of services.
Table 4
The table describes the resources, actions, and associated commands allowed for each predefined role.
This section describes the roles for AMOS. Users must be authorized to run AMOS
by assigning them one of the AMOS roles in ENM.
AMOS supports two application specific roles:
— Amos_Administrator
— Amos_Operator
— amos_em
— read
— create
— patch
— execute
Table 5
The table describes the resources, actions, and associated commands
allowed for each predefined role.
acc | acce | actc | bl | bls | cr | cre | cvmk | cvms | cvput | cvrm | cvset | deb | del |
eset | eset1 | facc | fdel | lacc | lacce | lbl | lbls | ldeb | ldel | leset | leset1 | lesetc |
lfacc | lfdel | lrdel | lrset | lset | lset1 | lsetc | lsetm | pbl | pdeb | rdel | remod |
remod2 | remodu | resub | rset | set | set1 | setc | setm
fclean | fcleana | fcleane | fro | from | lfro | lfrom | sql+ | sql- | tg | tgc | tgd | tgr |
tgcr | tgdr
Known Limitations
No user is able to launch AMOS or Shell Terminal without POSIX attributes.
Element Manager Resources and Operations available for Custom Roles creation
— element_manager
These operations control the access level in Cabinet Viewer only. Element
Manager is always launched in write mode, no matter which operation is used
when creating a custom role.
Table 6
The table describes the resources, actions, and associated commands allowed for each predefined role.
A custom role for Cabinet Viewer can be created with the read operation to
prevent users from performing write operations, which include restart, lock,
and unlock.
Known Limitations
No user is able to launch Element Manager or Cabinet Viewer without POSIX
attributes.
This section describes the Role Based Application Control (RBAC) functionality
for Node Security.
Node Security supports two application specific roles:
— NodeSecurity_Administrator
— NodeSecurity_Operator
1.1.2.1.2.5.1 Node Security Resources and Operations available for Custom Roles creation
— snmpv3
create Allows to execute the following use cases: Create
SNMPv3 authnopriv or authpriv security parameters.
— ipsec
read Allows to execute the following use cases: get Node
IPSec status, get IPSec Certificate Enrollment State,
get IPSec Trusted Certificates on Node.
— credentials
create Allows to execute the following use case: create Node
Credentials.
— sshkey
create Allows to execute the following use case: create ssh-
keys for Node.
— ldap
create Allows to execute the following use case: configure
LDAP on Node.
— oam
read
— crlcheck
update Allows to execute the following use case: update crlCheck status on
Node.
— on_demand_crl_download
execute Allows to execute the following use case: start on
demand crl download action on Node.
— ciphers
update Allows to execute the following use case: update
ciphers on Node.
— rtsel
execute Allows to execute the following use cases: Activate/
Deactivate real time security event logging(RTSEL)
feature on Node.
— snmpv3_plain_text
get Allows to execute the following use cases: get
SNMPv3 Auth Password and Priv Password in plain
text.
— capability
— ipsec cli
activate Allows to execute the following use case: activate
ipsec configuration on node.
— https
read Allows to execute the following use case: read HTTPS
status on given Node.
— ftpes
read Allows to execute the following use case: read FTPES
status on given Node.
Prerequisites:
— The user must have the Cmedit_Operator role to access the ENM CLI.
— The user must have the roles described in the section Application Mapping to
Application and Predefined Roles on page 14 to run the corresponding NODE
SECURITY commands.
Table 7
Resource           | Operations
gim_ecim_user_mgmt | create, update, read, delete
1.1.2.1.2.5.2 Actions that can be Performed by a User with ADMINISTRATOR Role Using the
ENM CLI
Table 8
Role                          | Resource               | Operations | Action / Command
NodeSecurity_Administrator    | credentials            | create     | create credentials: secadm credentials create
NodeSecurity_Administrator    | credentials            | update     | update credentials: secadm credentials update
NodeSecurity_Administrator    | credentials            | get        | get credentials: secadm credentials get
NodeSecurity_Operator         | credentials            | get        | get credentials: secadm credentials get
No predefined role (custom role only) | credentials_plain_text | get | get credentials in plain text: secadm credentials get -pt show
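Table 3 and Table 8 above are easiest to reason about as a small authorization model: a system role is a wildcard with exclusions, an application role is a fixed set of resource:action pairs, and a custom role is the union of the roles it groups plus any extra capabilities. The evaluator below is an added example written for this page, not ENM code; the capability sets are transcribed from Table 3, Table 8 and the ADMINISTRATOR/SECURITY_ADMIN description, the resource identifiers for User Management, Role Management and System Security Configuration are assumed names, and the custom role is invented to show how credentials_plain_text:get, which no predefined role carries, has to be granted explicitly.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Capability = Tuple[str, str]  # (resource, action), for example ("credentials", "get")

# Assumed resource identifiers for the three applications reserved to SECURITY_ADMIN;
# the page names the applications, not their resource ids.
SECURITY_RESOURCES: FrozenSet[str] = frozenset(
    {"user_management", "role_management", "system_security_configuration"})


@dataclass(frozen=True)
class Role:
    name: str
    capabilities: FrozenSet[Capability] = frozenset()   # explicit resource:action pairs
    members: Tuple[str, ...] = ()                       # roles grouped by an alias/custom role
    wildcard_except: Optional[FrozenSet[str]] = None    # "everything except these resources"


@dataclass
class Grant:
    capabilities: Set[Capability] = field(default_factory=set)
    wildcard_except: Optional[Set[str]] = None          # None means no wildcard at all


ROLES: Dict[str, Role] = {}


def define(role: Role) -> Role:
    ROLES[role.name] = role
    return role


# System-wide roles as described on the page.
define(Role("ADMINISTRATOR", wildcard_except=SECURITY_RESOURCES))
define(Role("SECURITY_ADMIN", frozenset((r, "*") for r in SECURITY_RESOURCES)))
define(Role("OPERATOR", frozenset({("cmedit", "get"), ("cmedit", "create")})))   # Table 3 rows
# Application-specific roles from Table 8 (Node Security) and the ENM CLI section.
define(Role("NodeSecurity_Administrator", frozenset({("credentials", "create"),
                                                     ("credentials", "update"),
                                                     ("credentials", "get")})))
define(Role("NodeSecurity_Operator", frozenset({("credentials", "get")})))
define(Role("Cmedit_Operator", frozenset({("cmedit", "get")})))
# Invented custom role: groups two roles and adds the capability no predefined role has.
define(Role("Custom_NodeCreds_Reveal", frozenset({("credentials_plain_text", "get")}),
            members=("NodeSecurity_Operator", "Cmedit_Operator")))


def resolve(role_name: str, _seen: Optional[Set[str]] = None) -> Grant:
    """Flatten a role and everything it groups into one Grant (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if role_name in _seen:                 # a cycle between aliases adds nothing
        return Grant()
    _seen.add(role_name)
    role = ROLES[role_name]                # an unknown role is a config error: fail loudly
    grant = Grant(set(role.capabilities),
                  None if role.wildcard_except is None else set(role.wildcard_except))
    for member in role.members:
        sub = resolve(member, _seen)
        grant.capabilities |= sub.capabilities
        if sub.wildcard_except is not None:
            # union of two "everything except" grants excludes only the intersection
            grant.wildcard_except = (set(sub.wildcard_except) if grant.wildcard_except is None
                                     else grant.wildcard_except & sub.wildcard_except)
    return grant


def granting_roles(user_roles: Iterable[str], resource: str, action: str) -> List[str]:
    """Return the assigned roles that each, on their own, authorize resource:action."""
    hits: List[str] = []
    for name in user_roles:
        g = resolve(name)
        explicit = (resource, action) in g.capabilities or (resource, "*") in g.capabilities
        by_wildcard = g.wildcard_except is not None and resource not in g.wildcard_except
        if explicit or by_wildcard:
            hits.append(name)
    return hits


def is_authorized(user_roles: Iterable[str], resource: str, action: str) -> bool:
    return bool(granting_roles(user_roles, resource, action))


if __name__ == "__main__":
    print(granting_roles(["NodeSecurity_Administrator"], "credentials_plain_text", "get"))  # []
    print(granting_roles(["Custom_NodeCreds_Reveal"], "credentials_plain_text", "get"))
    print(granting_roles(["ADMINISTRATOR", "SECURITY_ADMIN"], "role_management", "create"))
```

granting_roles is the audit primitive: when reviewing who can reveal node passwords in clear text, ask which role grants credentials_plain_text:get rather than which users hold NodeSecurity_Administrator, since that role does not include it.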
This section describes the Role Based Application Control (RBAC) functionality of
Fault Management (FM).
FM supports three application specific roles:
— FM_Administrator
— FM_Operator
— FM_Event_Administrator
— alarm_export
query Query for Open/History alarms data to export the
same.
— alarm_overview
query Query for Open alarms data to show the overview.
— alarm_policies
create Create Alarm Route Policies.
— alarms_search
query Query for Open or History alarms data.
— nodes
execute Enabling/Disabling Supervision on Network Elements
and To initiate Alarm Synchronization.
— open_alarms
execute Perform ACK/UNACK and CLEAR operation on open
alarms.
— error_event
create create or raise an error event.
— translationmap_conversionrule
update Update TranslationMap for nodes based on
probability.
Prerequisite
The Cmedit_Operator role must be specified along with FM_Operator or
FM_Administrator when creating the user in ENM. This allows the user to execute
fmedit/alarm/cmedit commands in the ENM CLI and to retrieve node information.
Table 9
This section describes the roles for the Public Key Infrastructure (PKI)
application.
PKI system supports one predefined system role and four application specific
roles.
— SECURITY_ADMIN
— PKI_ADMINISTRATOR
— PKI_OPERATOR
— PKI_EE_ADMINISTRATOR
— PKI_EE_OPERATOR
— SecGW_Operator
— caEntity-cert-mgmt
create Allows to generate CRL and CAEntity certificate.
— caEntity_mgmt
create Allows to create CA entities.
— entity-cert-mgmt
create Allows to generate Entity certificate.
— entity_mgmt
create Allows to create entities.
— extCA_mgmt
— profile_mgmt
create Allows to create profiles.
— read_algorithms
read Allows to retrieve algorithms.
— read_caCerts
read Allows to read CAEntity certificates.
— read_caEntities
read Allows to read CAEntities.
— read_caCerts
Allows to list CRLs and download CRL.
— read_entities
read Allows to read Entities
— read_entityCerts
read Allows to read Entity certificates.
— read_extCA
read Allows to read External CA.
— read_profiles
read Allows to read profiles
— update_algorithms
update Allows to update algorithms.
Table 10
Resources, actions, and associated commands allowed for each predefined role
Table 11
Role                 | Resource                  | Operations | Action/Command
PKI_EE_Operator      | topologyCollectionService | read       | collection list
PKI_EE_Administrator | topologyCollectionService | read       | collection list
PKI_Operator         | topologyCollectionService | read       | collection list
PKI_Administrator    | topologyCollectionService | read       | collection list
This section describes the Role Based Application Control (RBAC) functionality of
the Release Independence (RI) Manager application.
RI application supports two application specific roles:
— NodeVersionSupport_Operator
— NodeVersionSupport_Administrator
Authorized for all actions on RI (read, execute, delete), including the ability
to read RI-related logs.
— node_version_support
read Allows to read information from Node Version Support
service, such as viewing Available Node Versions
ready for support being added, viewing Model
Validation and Node Version results.
Table 12
The UI prevents not allowed actions by disabling UI components according to the role.
This section describes the Role Based Application Control (RBAC) functionality of
Node Health Check Application (NHC).
NHC supports two predefined application specific roles:
— healthcheck
— node_healthcheck
Node Health Check Resources and Operations available for Custom Roles creation
— node_healthcheck
read Allows read actions on managed objects in the NHC services from the NHC
UI.
create Allows to create NHC reports.
Prerequisite:
To access and operate on shm resource (for example,
cppinventorysynch_service), the following resources:actions are also required.
Table 13
Resource                                                         | Operation
searchExecutor                                                   | read
topologySearchService                                            | read
topologyCollectionsService (deprecated; all operations deprecated) | read, create, delete
Collections_Public                                               | read, create, delete
Collections_Private                                              | read, create, delete
SavedSearch_Public                                               | read, create, delete
SavedSearch_Private                                              | read, create, delete
CollectionsOthers_Public                                         | read
SavedSearchOthers_Public                                         | read
modelInformationService                                          | read
persistentobjectservice                                          | read
Table 14
Resources, actions, and associated commands allowed for each predefined role
1.1.2.1.2.10 Role Based Application Control for Performance Management Initiation and
Collection
This section describes the Role Based Application Control (RBAC) functionality of
Performance Management Initiation and Collection (PMIC).
PMIC supports three predefined application specific roles:
— PM_Operator
— PM_Read_Operator
— PM_Topology_Operator
— subscription
create Allows to create any user defined Subscription to
enable Performance Monitoring on the Network.
— uetrace
create Allows to create a UE Trace Subscription to enable
Performance Monitoring on the Network.
— statistical
create Allows to create a Statistical Subscription, MO
Instance and Cell Instance Subscription to enable
Performance Monitoring on the Network.
— celltrace_ebs-l
create Allows to create a CellTrace/EBS-L Subscription to
enable Performance Monitoring on the Network.
— ctr
create
— uetr
create Allows to create a UETR Subscription to enable
Performance Monitoring on the Network.
— ctum
update Allows to update a CTUM Subscription.
— gpeh
create Allows to create a GPEH Subscription to enable
Performance Monitoring on the Network.
Prerequisite
The PM_Topology_Operator role must be used together with any PMIC custom
role while creating an ENM user.
— SHM_Administrator
— SHM_Operator
SHM_Operator and SHM_Administrator roles offer the users the same privileges
as the predefined OPERATOR and ADMINISTRATOR roles except the scope is
limited to the SHM application.
— cppinventorysynch_service
create Allows to create jobs such as Upgrade, Backup,
License, Restore, Delete Backup.
Prerequisite:
To access and operate on shm resource (for example,
cppinventorysynch_service), the following resources:actions are also required.
Table 15
Resource                                                         | Operation
searchExecutor                                                   | read
topologySearchService                                            | read
topologyCollectionsService (deprecated; all operations deprecated) | read, create, delete
Collections_Public                                               | read, create, delete
Collections_Private                                              | read, create, delete
SavedSearch_Public                                               | read, create, delete
SavedSearch_Private                                              | read, create, delete
CollectionsOthers_Public                                         | read
SavedSearchOthers_Public                                         | read
modelInformationService                                          | read
persistentobjectservice                                          | read
Table 16
Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of
CM REST.
CM REST supports two predefined application specific roles:
— CM_REST_Administrator
— CM_REST_Operator
Access through CLI is not part of CM REST interface; CLI-specific resources and
roles are available separately and can be found in Role Based Authorization for
ENM CLI on page 71.
To obtain the privileges for cmedit service, cmconfig service, bulkImport service
and bulk export service also, specify the Cmedit_Operator (for read) or
Cmedit_Administrator (for create, read, update, delete) when creating the user in
ENM.
— cm_bulk_rest_nbi
read Get information about bulk import export job through
REST NBI services.
— cm_config_rest_nbi
— cell-management-nbi
Table 17
Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of
Network Health Monitor (NHM).
NHM consists of four applications, among them:
— Node Monitor
— KPI Management
NHM supports two predefined application specific roles:
— NHM_Administrator
— NHM_Operator
— nhm
read Allows monitoring of selected nodes and viewing of
KPI information.
— kpi-service
read Allows querying of KPI service for calculated KPI
values.
Prerequisite:
Ensure to select either AMOS_Administrator or AMOS_Operator along with
NHM_Administrator or NHM_Operator when creating a user in the ENM system.
This allows the user to access AMOS directly from the Node Monitor application.
To allow the user to perform operations on the Administrative State of Cells (for
example, “Lock/Unlock/Soft lock”) from the Network Health Analysis application,
select Cell_Management_Administrator role. If this requirement is not met, the
operations are not available.
To access and operate on nhm resource, the following resources:actions are also
required:
Table 18
Resource                                                         | Operation
open_alarms                                                      | execute, update, query
alarms_search                                                    | query
alarm_overview                                                   | query
alarm_export                                                     | query
modelInformationService                                          | read
searchExecutor                                                   | read
nodes                                                            | query
topologySearchService                                            | read
topologyCollectionsService (deprecated; all operations deprecated) | read, create, delete
Collections_Public                                               | read, create, delete, update
Collections_Private                                              | read, create, delete, update
SavedSearch_Public                                               | read, create, delete, update
SavedSearch_Private                                              | read, create, delete, update
CollectionsOthers_Public                                         | read
SavedSearchOthers_Public                                         | read
persistentobjectservice                                          | read
Table 19
Operation | Application                           | Resource used to control access | Description
create    | KPI Management                        | nhm         | Allows creation of a KPI definition
update    | KPI Management                        | nhm         | Allows updating of a KPI definition
delete    | KPI Management                        | nhm         | Allows deletion of a user defined inactive KPI
read      | KPI Management                        | nhm         | Read a single KPI definition, get a single KPI definition's attributes
query     | KPI Management                        | nhm         | Get all KPI definitions
execute   | KPI Management                        | nhm         | Allows activating/deactivating a KPI
read      | KPI Service (part of the NHM service) | kpi_service | Read the values calculated for a KPI, get KPI values for worst performing nodes, get KPI values for nodes in breach. Also used by NHM monitoring Apps to get basic info about KPIs.
Table 20
Resources, actions, and associated commands that are allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of
Network Explorer.
Network Explorer supports two predefined application specific roles:
— Network_Explorer_Administrator
— Network_Explorer_Operator
Network Explorer Resources and Operations available for Custom Roles creation
— topologySearchService
read Perform searches in Network Explorer. Requires resource 'searchExecutor'
to perform searches.
— Collections_Public
read View owned Public Collections.
— Collections_Private
read View owned Private Collections.
— SavedSearch_Public
read View owned Public Saved Searches.
— SavedSearch_Private
read View owned Private Saved Searches.
— CollectionsOthers_Public
read View Public Collections owned by other users.
— SavedSearchOthers_Public
read View Public Saved Searches owned by other users.
— modelInformationService
read Read Models and associated attributes in CriteriaBuilder.
— searchExecutor
read Perform searches in Network Explorer. Requires resource
'topologySearchService' to display search results.
— nested_collection
read Allows the user to read nested collections.
— system_created_object
Table 21 Resources, actions, and associated commands allowed for each role
Role                           | Resource                  | Operations | Action/Command
Network_Explorer_Administrator | modelInformationService   | read       | Read Models and associated attributes in CriteriaBuilder
Network_Explorer_Administrator | searchExecutor            | read       | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results
Network_Explorer_Administrator | topologySearchService     | read       | Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches
Network_Explorer_Administrator | persistentobjectservice   | read       | View managed object instances in Topology Browser
Network_Explorer_Administrator | rootAssociations          | read       | Get NetworkElement associated to root managed object instances
Network_Explorer_Administrator | Collections_Public        | read       | View owned Public Collections. Export owned Public Collections.
Network_Explorer_Administrator | Collections_Private       | read       | View owned Private Collections. Export owned Private Collections.
Network_Explorer_Administrator | Collections_Public        | create     | Create Public Collections
Network_Explorer_Administrator | Collections_Private       | create     | Create Private Collections
Network_Explorer_Administrator | Collections_Public        | delete     | Delete owned Public Collections
Network_Explorer_Administrator | Collections_Private       | delete     | Delete owned Private Collections
Network_Explorer_Administrator | Collections_Public        | update     | Update owned Public Collections
Network_Explorer_Administrator | Collections_Private       | update     | Update owned Private Collections
Network_Explorer_Administrator | SavedSearch_Public        | read       | View owned Public Saved Searches
Network_Explorer_Administrator | SavedSearch_Private       | read       | View owned Private Saved Searches
Network_Explorer_Administrator | SavedSearch_Public        | create     | Create Public Saved Searches
Network_Explorer_Administrator | SavedSearch_Private       | create     | Create Private Saved Searches
Network_Explorer_Administrator | SavedSearch_Public        | delete     | Delete owned Public Saved Searches
Network_Explorer_Administrator | SavedSearch_Private       | delete     | Delete owned Private Saved Searches
Network_Explorer_Administrator | SavedSearch_Public        | update     | Update owned Public Saved Searches
Network_Explorer_Administrator | SavedSearch_Private       | update     | Update owned Private Saved Searches
Network_Explorer_Administrator | SavedSearchOthers_Private | delete     | Delete Private Saved Searches owned by other users
Network_Explorer_Administrator | CollectionsOthers_Private | delete     | Delete Private Collections owned by other users
Topology Browser supports two predefined application specific roles:
— Topology_Browser_Administrator
— Topology_Browser_Operator
Topology Browser Resources and Operations available for Custom Roles creation
Table 22
Resource Operations
rootAssociations read
persistentobjectservice read
persistentobjectservice update
modelInformationService read
Table 23
Resources, actions, and associated commands allowed for each role
Lcm_Administrator role gives to the users the same privileges as the predefined
ADMINISTRATOR roles, except the scope is limited to the specific application.
License Manager Resources and Operations available for Custom Roles creation
Not supported.
Table 24
Role              | Resource | Operations | Actions/Command
Lcm_Administrator | NA       | NA         | list installed feature and capacity licenses; list current usage; install a license file; remove an installed license; export current usage; export historical usage; activate an Emergency Unlock license; set threshold for alarm notification of license expiry; set threshold for alarm notification of capacity usage; get threshold information for a specified license; get threshold information for all installed licenses; get information about licenses with Grace Periods; get information about Emergency Unlock licenses; get information about Capacity Enforcement
This section describes the Role Based Application Control (RBAC) functionality of
CM CONFIG.
CM CONFIG supports two predefined application specific roles:
— Cmedit_Administrator
— Cmedit_Operator
— config
create Create or copy a network configuration.
Table 25
Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of
BULK EXPORT.
BULK EXPORT supports two predefined application specific roles:
— Cmedit_Administrator
— Cmedit_Operator
Bulk Export Resources and Operations available for Custom Roles creation
— cmedit
read Retrieve information from the network database and
export it to a file.
This section describes the Role Based Application Control (RBAC) functionality of
ENM System Monitor (ESM).
ESM supports one predefined application specific role:
— System_Monitor
Within ESM itself (see Table 1) the following roles exist:
— ESMAdmin: authorized for all actions in ESM (create a new user, role, alerts).
— ESM_AlertManager: authorized for all actions on Alerts (create, update,
delete, and view).
— ESM_ReadOnly: authorized for read only access (the user cannot make changes
to the system).
Table 26
Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of
CM EVENTS.
CM EVENTS supports two predefined application specific roles:
— CM_EVENTSNBI_Administrator
— CM_EVENTSNBI_Operator
CM EVENTS NBI Resources and Operations available for Custom Roles creation
— cm-events-nbi
read Get events/filters for cm events nbi.
This section describes the Role Based Application Control (RBAC) functionality of BULK IMPORT.
BULK IMPORT supports one predefined application specific role:
— Cmedit_Administrator
The Cmedit_Administrator role gives users the same privileges as the predefined ADMINISTRATOR role, though the scope is limited to the cmedit service, cmconfig service, bulk import service and bulk export service.
Bulk Import Resources and Operations available for Custom Roles creation
— cmedit
  create: Modify network CM data based on an import file and retrieve information on the status and details of import jobs.
Table 27: Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of ENM CLI.
ENM CLI supports two predefined application specific roles:
— Cmedit_Administrator
— Cmedit_Operator
— cmedit
  get: Read Network Configuration Data
Table 28: Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of Automatic Alarm Handling (FMX).
FMX supports two application specific roles:
— FMX_Administrator
— FMX_Operator
— fmxModuleManagement
Prerequisites
It is necessary to specify the Element_Manager_Operator role along with the FMX_Administrator role when creating the user in ENM. This allows the user to export the FMX Rule Editor display into the visualization tool and use sticky sessions.
Table 29: Resources, actions, and associated commands allowed for each role
Commands listed in the table for the FMX roles:
— Perform Unload operation on Modules
— Remove Archived Module from Archive
— Delete Rule/Procedure/File in Rule Module
Module Monitor (read):
— Subscribe to Rule Trace Time Periods
— Query Loaded Modules status in Module Management
— Query Archived Modules status in Module Management
Rule Module Parameters:
— Perform Activate/Deactivate operations in Module Management
— Modify running Module Parameters
Event Simulator:
— Create Sequence
— Insert/Edit/Move/Delete Event, Wait or Loop in Event Sequence
— Add Additional Attributes to event definition in Event Sequence
— Load/Save Event Sequence
This section describes the Role Based Application Control (RBAC) functionality of ENM Automatic ID Management.
ENM Automatic ID Management supports two predefined application specific roles:
— AutoId_Administrator
— AutoId_Operator
Prerequisites
To access and operate on the Automatic ID Management resource (for example, autocellid_services), the following resource actions are also required:
Table 30
Resources                   Operation
searchExecutor              read
topologySearchService       read
topologyCollectionsService  read, create, delete
modelInformationService     read
persistentobjectservice     read
Note: Any custom role that grants the create, update or delete operation on the "autocellid_services" resource also requires the read operation on "autocellid_services" as a prerequisite.
Table 31: Resources, actions, and associated commands allowed for each role
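As an added illustration (not ENM code), the following Python checks a custom role definition against the prerequisites in Table 30 and the note above before the role is created; the dict-based role representation and the draft role are constructed for the example.

```python
# Added example (not ENM code): check a custom role definition against the
# prerequisites Table 30 and the note above state for Automatic ID Management.
# The dict-based role representation below is an assumption for illustration.

# Resource -> operations that Table 30 lists as also required for autocellid_services.
AUTOID_PREREQUISITES = {
    "searchExecutor": {"read"},
    "topologySearchService": {"read"},
    "topologyCollectionsService": {"read", "create", "delete"},
    "modelInformationService": {"read"},
    "persistentobjectservice": {"read"},
}

# Per the note: create, update or delete on autocellid_services also needs read on it.
AUTOID_RESOURCE = "autocellid_services"
WRITE_OPERATIONS = {"create", "update", "delete"}


def missing_prerequisites(role):
    """Return the sorted 'resource:operation' capabilities the custom role lacks.

    `role` maps a resource name to the set of operations the role grants.
    A role that grants nothing on autocellid_services triggers no prerequisite,
    so an empty list is returned for it as well.
    """
    granted = role.get(AUTOID_RESOURCE, set())
    if not granted:
        return []
    missing = []
    for resource, operations in AUTOID_PREREQUISITES.items():
        for operation in operations:
            if operation not in role.get(resource, set()):
                missing.append(f"{resource}:{operation}")
    if granted & WRITE_OPERATIONS and "read" not in granted:
        missing.append(f"{AUTOID_RESOURCE}:read")
    return sorted(missing)


def complete_role(role):
    """Return a copy of `role` with every missing prerequisite capability added."""
    fixed = {resource: set(ops) for resource, ops in role.items()}
    for capability in missing_prerequisites(role):
        resource, operation = capability.split(":")
        fixed.setdefault(resource, set()).add(operation)
    return fixed


# Constructed draft role: meant to let an operator create cell IDs, but written
# without the read prerequisite and without most of the topology resources.
DRAFT_ROLE = {
    AUTOID_RESOURCE: {"create"},
    "searchExecutor": {"read"},
}

if __name__ == "__main__":
    for capability in missing_prerequisites(DRAFT_ROLE):
        print("missing:", capability)
    print("after completion:", missing_prerequisites(complete_role(DRAFT_ROLE)))
```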
This section describes the Role Based Application Control (RBAC) functionality of Netlog.
Netlog supports one application specific role:
— NetworkLog_Administrator
The table describes the actions required on the resource "netlogService" for the role "NetworkLog_Administrator".
Table 32
S.No  Task                                                                          Action
1     Describe the list of supported Logs for each node.                            query
2     Upload supported logs from nodes.                                             execute
3     Retrieve the status of Network Log collections.                               query
4     Request the export of Node Logs collected by ENM into user defined storage.   export
5     Delete Node Logs from ENM SFS                                                 delete
Prerequisites
It is necessary to specify the Cmedit_operator role along with the NetworkLog_Administrator role when creating the user in ENM. This allows the user to execute netlog commands in ENM CLI that query or upload the logs available for nodes.
Table 33: Resources, actions, and associated commands allowed for each role
This section describes the Custom-Defined Roles for the VNF Life Cycle Manager (VNF-LCM) application.
VNF-LCM supports two predefined application specific roles:
— VNFLCM_Operator
— VNFLCM_Administrator
— vnflcm
  read: Launch VNF-LCM GUI, view workflow and instance details.
Prerequisite:
To access and operate on the vnflcm resource (for example, vnflcm), the following resources:actions are also required.
Table 34
Resource  Operation
vnflcm    read, execute
Table 35
This section describes the Role Based Application Control (RBAC) functionality of PM FLS.
FLS supports the predefined application specific role:
— PM_NBI_Operator
The PM_NBI_Operator role gives users the privilege to query FLS for file-related metadata; its scope is limited to the PM FLS application reached through the REST interface.
To obtain the privilege of querying the FLS file metadata service, specify PM_NBI_OPERATOR (for read) when creating the user in ENM.
Access through CLI is not part of the PM FLS REST interface. CLI-specific resources and roles are available separately and can be found in Role Based Authorization for ENM CLI on page 71.
Table 36: Resources, actions, and associated commands allowed for the role
This section describes the Custom-Defined Roles for the Cell Management GUI application.
Cell Management GUI supports two predefined application specific roles as of now:
— Cell_Management_Operator
— Cell_Management_Administrator
  Lists the Cell information and cell related data. Allows updating the AdministrativeState of cells.
— Cell_Management_View - deprecated
Cell Management GUI Resource and Operation available for Custom Roles creation
— cell-management-gui
  read: Allows read access to cell information and cell related data.
Prerequisite:
To access and operate on the cell management gui resource (for example, cell-management-gui), the following resources:actions are also required.
Table 37
Resource                    Operation
searchExecutor              read
topologySearchService       read
topologyCollectionsService  read, create, delete
modelInformationService     read
persistentobjectservice     read
rootAssociations            read
Table 38: Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of Parameter Management.
Parameter Management supports two predefined application specific roles:
— Parameter_Management_Administrator
— Parameter_Management_Operator
— parametermanagement
  execute: To view and edit configuration parameter data
Prerequisites
To access and operate on the parameter management resource (for example, parametermanagement), the following resources:actions are also required.
Table 39
Resource                                 Operation
searchExecutor                           read
topologySearchService                    read
topologyCollectionsService (deprecated)  read, create, delete, update (all operations are deprecated)
Collection_Public                        read, create, delete, update
Collections_Private                      read, create, delete, update
SavedSearch_Public                       read, create, delete, update
SavedSearch_Private                      read, create, update, delete
CollectionsOthers_Public                 read
SavedSearchOthers_Public                 read
modelInformationService                  read
persistentobjectservice                  read, update
Table 40: Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of Analytic Session Record.
ASR supports three predefined application specific roles:
— ASR_Administrator
— ASR-L_Administrator
  Authorized for all actions on Analytic Session Record for LTE (ASR-L)
— ASR-L_Schema_Operator
  Authorized to read the AVRO Schema of Analytic Session Record for LTE (ASR-L)
Table 41: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of SON Optimization Manager Portal.
SON Optimization Manager Portal application supports the following application specific roles:
— SON_OM_Administrator
— SON_General_Operator
  Allows General access to SON Optimization Manager.
— SON_SDG_Operator
— SON_SIS_Operator
— SON_SAS_Operator
— SON_ACOM_Operator
— manage_regions
  read: Allows access to Manage Regions in SON Optimization Manager.
— sdg_manage_instances
  read: Allows access to Manage SON DATA Gateway Connections in SON Optimization Manager.
— sdg_configure_flavor
  read: Allows access to Configure SON DATA Gateway Collection Task in SON Optimization Manager.
— sdg_toggle_flavor
  read: Allows access to Toggle SON DATA Gateway Collection Task in SON Optimization Manager.
— sdg_start_task
  read: Allows access to Start SON DATA Gateway Collection Task in SON Optimization Manager.
— sdg_stop_task
  read: Allows access to Stop SON DATA Gateway Collection Task in SON Optimization Manager.
— sdg_set_mysql
  read: Allows access to Set SON DATA Gateway MySQL Host in SON Optimization Manager.
— sdg_reset_database
  read: Allows access to Reset SON DATA Gateway Database(s) in SON Optimization Manager.
— sdg_repair_database
  read: Allows access to Repair SON DATA Gateway Database(s) in SON Optimization Manager.
— sis_manage_instances
  read: Allows access to Manage SON Implementation Service Connections in SON Optimization Manager.
— sis_manage_profiles
  read: Allows access to Manage SON Implementation Service Profiles in SON Optimization Manager.
— sis_schedule_task
  read: Allows access to Schedule SON Implementation Service Implementation Task in SON Optimization Manager.
— sis_remove_task
  read: Allows access to Remove SON Implementation Service Implementation Task in SON Optimization Manager.
— sis_set_mysql
  read: Allows access to Set SON Implementation Service MySQL Host in SON Optimization Manager.
— sis_set_shared_data_path
  read: Allows access to Set SON Implementation Service Shared Data Path in SON Optimization Manager.
— sas_user
  read: Allows access to SON Application Service User in SON Optimization Manager.
— sas_manage_instances
  read: Allows access to Manage SON Application Service Connections in SON Optimization Manager.
— sas_toggle_use_case
  read: Allows access to Toggle SON Application Service Use Case in SON Optimization Manager.
— sas_configure_use_case
  read: Allows access to Configure SON Application Service Use Case in SON Optimization Manager.
— sas_start_use_case
  read: Allows access to Start SON Application Service Use Case in SON Optimization Manager.
— sas_manage_exceptions
  read: Allows access to Manage SON Application Service Exceptions in SON Optimization Manager.
— sas_set_mysql
— acom_user
  read: Allows access to ACOM User in SON Optimization Manager.
— acom_manage_instances
  read: Allows access to Manage ACOM Connections in SON Optimization Manager.
— acom_toggle_use_case
  read: Allows access to Toggle ACOM Use Cases in SON Optimization Manager.
— acom_configure_use_case
  read: Allows access to Configure ACOM Use Case in SON Optimization Manager.
— acom_start_use_case
  read: Allows access to Start ACOM Use Case in SON Optimization Manager.
This section describes the Role Based Application Control (RBAC) functionality of BO NETAN standalone UI.
bonetanstandalonui supports the application specific role:
— BO_NETAN_Operator
— bo-netan-access
  read: shows link for bonetanstandalonui on ENM Launcher.
Table 42: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Business Intelligence Launch Pad.
Business Intelligence Launch Pad supports two predefined application specific roles:
— BO_Administrator
  Allows administrator access to Business Objects client tools and web applications.
— BO_Report_Operator
  Allows access to BI Launch Pad and Web Intelligence Rich Client Tool.
— bo-admin-access
  read: shows link for Business Intelligence Launch Pad on ENM Launcher.
— bo-report-operator-access
  read: shows link for Business Intelligence Launch Pad on ENM Launcher.
Table 43: Resources, actions, and associated commands allowed for each predefined role
1.1.2.1.2.34 Role Based Authorization for Business Objects Central Management Console
This section describes the Role Based Application Control (RBAC) functionality of Business Objects Central Management Console.
Business Objects Central Management Console supports one predefined application specific role:
— BO_Administrator
  Allows administrator access to Business Objects client tools and web applications.
— bo-admin-access
  read: shows link for Business Objects Central Management Console on ENM Launcher.
Table 44: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Information Design Tool.
Information Design Tool supports two predefined application specific roles:
— BO_Administrator
  Allows administrator access to Business Objects client tools and web applications.
— BO_Report_Operator
Information Design Tool Resources and Operations available for Custom Roles creation
— bo-admin-access
  read: shows link for Information Design Tool on ENM Launcher.
— bo-universe-access
  read: shows link for Information Design Tool on ENM Launcher.
Table 45: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Network Analytics Server Analyst.
Network Analytics Server Analyst supports two predefined application specific roles:
— NetworkAnalytics_Administrator
  Allows administrator access to Network Analytics Server Analyst and Network Analytics Server Web Player service.
— NetworkAnalytics_BusinessAnalyst_Operator
  For users that are required to create and edit Analyses and Information Packages using the Network Analytics Server Analyst tool, and also to create and view Analyses through the Network Analytics Server Web Player.
— netan-server-admin-access
  read: shows link for Network Analytics Server Analyst on ENM Launcher.
— netan-business-analyst-access
  read: shows link for Network Analytics Server Analyst on ENM Launcher.
1.1.2.1.2.37 Role Based Authorization for Network Analytics Server Web Player
This section describes the Role Based Application Control (RBAC) functionality of Network Analytics Server Web Player.
Network Analytics Server Web Player supports four predefined application specific roles:
— NetworkAnalytics_Administrator
  Allows administrator access to Network Analytics Server Analyst and Network Analytics Server Web Player service.
— NetworkAnalytics_BusinessAnalyst_Operator
  For users that are required to create and edit Analyses and Information Packages using the Network Analytics Server Analyst tool, and also to create and view Analyses via the Network Analytics Server Web Player.
— NetworkAnalytics_BusinessAuthor_Operator
  For users that are required to create and edit the Analyses on the Network Analytics Server Web Player.
— NetworkAnalytics_Consumer_Operator
Network Analytics Server Web Player Resources and Operations available for Custom Roles creation
— netan-server-admin-access
  read: shows link for Network Analytics Server Web Player on ENM Launcher.
— netan-business-analyst-access
  read: shows link for Network Analytics Server Web Player on ENM Launcher.
— netan-business-author-access
— netan-consumer-access
  read: shows link for Network Analytics Server Web Player on ENM Launcher.
This section describes the Role Based Application Control (RBAC) functionality of Universe Design Tool.
Universe Design Tool supports two predefined application specific roles:
— BO_Administrator
  Allows administrator access to Business Objects client tools and web applications.
— BO_Report_Operator
Universe Design Tool Resources and Operations available for Custom Roles creation
— bo-admin-access
  read: shows link for Universe Design Tool on ENM Launcher.
— bo-universe-access
  read: shows link for Universe Design Tool on ENM Launcher.
Table 46: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Web Intelligence Rich Client.
Web Intelligence Rich Client supports two predefined application specific roles:
— BO_Administrator
  Allows administrator access to Business Objects client tools and web applications.
— BO_Report_Operator
  Allows access to BI Launch Pad and Web Intelligence Rich Client Tool.
Web Intelligence Rich Client Resources and Operations available for Custom Roles creation
— bo-admin-access
  read: shows link for Web Intelligence Rich Client on ENM Launcher.
— bo-report-operator-access
  read: shows link for Web Intelligence Rich Client on ENM Launcher.
Table 47: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of FM SNMP NBI.
FM SNMP NBI application supports three predefined application specific roles:
— NbiFmSnmpConfig_Operator
— NbiFmSnmpConfig_Administrator
— NbiFmSnpmManager
FM SNMP NBI Resources and Operations available for Custom Roles creation
Table 48: Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of Uplink Spectrum Analyzer (ULSA).
ULSA application supports two predefined application specific roles:
— ULSA_Operator
  Authorized to perform read-only tasks in ULSA.
— ULSA_Administrator
— ulsa
  read: allows processing of already collected ULSA files.
Prerequisites
To start and stop file collection using ENM CLI the following actions are also required:
Table 49
Resources         Action
cm_editor         create, read, update, execute, delete
logViewer_access  read
Table 50: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Add Node.
Add Node supports one predefined application specific role:
— AddNode_Administrator
This section describes the Role Based Application Control (RBAC) functionality of EEA.
EEA supports one predefined application specific role:
— EEA_Operator
— eea
  read: shows link for EEA launch on ENM Launcher.
Table 51: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Autonomic Incident Management (AIM).
AIM supports two predefined application specific roles:
— AIM_Operator
— AIM_Administrator
Prerequisite:
To set up AIM, the user must have the AIM_Administrator role or a custom role with the following capabilities:
Table 52
Application                    Resource                 Operation
Autonomic Incident Management  AIM                      update
Kpi Service                    kpi_service              read
TopologyBrowser                persistentobjectservice  read
Table 53: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of
Node CLI Launch.
Node CLI Launch supports two predefined application specific roles:
— NodeCLI_Administrator
Authorized for all actions in Node CLI, such as launch, close, and export the
content in CLI to text file.
— NodeCLI_Operator
Authorized for all actions in Node CLI, such as launch, close and export the
content in CLI to text file.
Table 54
Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of
Target Group Management (TGM).
TGM supports one predefined application specific role:
— Target_Group_Administrator
Table 55
Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of
CM Bulk Import.
CM Bulk Import application supports two predefined application specific roles:
— CM_Bulk_UI_Import_Operator
— CM_Bulk_UI_Import_Administrator
Table 56
Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality
for customer adaptations. On installation a customer adaptation can be assigned
an appropriate adaptation role.
Several predefined roles are supported for customer adaptations, for different
types of users:
— Adaptation Installer Roles
Table 57
Resources, actions, and associated commands allowed for each predefined role
Customer Adaptation role is used to support RBAC for customer adaptations and
ensures RBAC separation for individual customer adaptation functions.
It includes:
— function specific customer adaptations: to support specific adaptation
functionality. In some cases also support for an integrated 3PP NE. This
mirrors standard ENM functionality (and related roles/capabilities), for
example, adaptation_element_manager.
Table 58
Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of Physical Link Management.
Physical Link Management supports two predefined application specific roles:
— LinkManagement_Administrator
— LinkManagement_Operator
  Authorized to perform read and query actions on Physical Link Management
Prerequisite:
To access and operate on Link Management, the following resources:actions are also required.
Table 59
Application                   Resource                    Operation
TopologyBrowser               persistentobjectservice     read
NetworkExplorer               searchExecutor              read
NetworkExplorer               topologySearchService       read
NetworkExplorer               topologyCollectionsService  read, create, update, delete
Command Line Interface (CLI)  cm_editor                   read
Table 60: Resources, actions, and associated commands allowed for each predefined role
This section describes the Role Based Application Control (RBAC) functionality of
Network Viewer application.
Network Viewer supports two predefined application specific roles:
— NetworkViewer_Administrator
— NetworkViewer_Operator
Prerequisite:
No prerequisites.
Table 61
Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality of
Configuration Templates application.
Configuration Templates application supports two predefined application specific
roles:
— ConfigurationTemplates_Administrator
— ConfigurationTemplates_Operator
Prerequisite:
No prerequisites.
Table 62
Resources, actions, and associated commands allowed for each role
This section describes the Role Based Application Control (RBAC) functionality for Operations Procedure Support (OPS).
OPS application supports one predefined application specific role:
— OPS_Operator
Prerequisite:
No prerequisites.
Table 63
All ENM roles provide access to ENM applications. Some roles however provide
access not only via UI (User Interface) or NBI (North Bound Interface), but also
via SSH (Secure Shell) connection. These roles are called POSIX-based roles.
POSIX (Portable Operating System Interface for uniX) is a set of standard
operating system interfaces based on the UNIX operating system.
— Administrator
— Operator
— Amos_Administrator
— Amos_Operator
— Element_Manager_Operator
— Scripting_Operator
— WinFIOL_Operator
— FIELD_TECHNICIAN
It is also possible to create custom roles supporting POSIX for the AMOS application. See the sections Custom Roles on page 113 and AMOS ENM Roles and Associated Moshell Commands on page 28 for details.
Table 64
Role name            Description
SystemAdministrator  Provides full control over Managed Element model fragments related to System Functions, Equipment, and Transport, excluding the fragment related to Security Management.
All these roles are defined for COM/ECIM and VTFRadioNode nodes and the privileges for these roles are defined on the node itself.
For advanced troubleshooting of node issues, Ericsson supported user roles need to be created as per the Node CPI guidelines.
Role Management allows the user to create roles of the following types:
COM roles represent privileges on Nodes supporting ECIM.
ENM system roles are predefined, the user cannot define system-wide roles. For
details on these roles, see the sections System-Wide Roles on page 12 ,
Predefined COM Roles on page 111, and Application Specific Roles on page 14.
For more information about Custom Roles see the section Custom Roles on page
113.
In ENM there are System-wide roles which are available regardless of which
ENM applications are deployed. There are also Application Specific Roles which
define specific roles that are delivered with each ENM application and Network
Element Roles which define specific roles that are defined for different Network
Elements. A user can be assigned to any combination of these roles. When these
roles are not sufficient there is also a possibility to define Custom Roles.
ENM applications can expose their resources and the actions that can be executed on them. The Custom Roles framework allows a customer to define their own roles based on these resources and actions. Custom Roles are finer grained than the default application specific roles or default roles. These new custom roles can be created, saved and associated with a user. Custom roles can contain entries with any combination of COM and ENM application use cases.
Example 1
The SHM_Operator role has the ability to perform the tasks:
It can be desirable to further subdivide these tasks and to create a role that
allows a user to view the software inventory without privilege to view the license
or hardware inventories. Further functionality from other applications can be also
included in the same Custom Role.
It is a valid scenario for two custom roles to contain the same application specific roles; for example, a customer may take a new feature at a later point that requires the modification of only one of the custom roles.
1.1.2.3.1.2 Capabilities
CU or other Services can create a customer specific solution and add specific access control to it. The capabilities below can be used to apply access control to customer specific solutions. The capabilities provide RBAC support for customer adaptations. The adaptation provider or installer (Ericsson Services) determines the appropriate capability to use.
groups and the grouped entities are known as targets. Users can then be assigned access to target groups.
The concept of Target Group Management is to allow a managed network to be
subdivided into a number of target groups. A target group is a grouping of
targets. These groups are then used for granting access to end users. An
important distinction is between targets and target groups.
A user can be assigned to a target group and then the targets can be added or
removed from the target group as needed without constantly having to modify
the user.
— All ENM system roles and custom roles, to use in an Application Level scenario.
Assign Manually: the user must manually assign at least one Target Group.
Note: COM roles and COM aliases have Target Group NONE assigned by default. ENM system roles and custom roles have Target Group ALL assigned by default.
For more information about roles and COM roles, see Role Management on page 9.
— A target group is a grouping of targets. These groups are used for granting
access to end users.
— Target Groups can be created and deleted in ENM using the Target Group
Management user interface.
— Target string information for the node is set using the attributes ManagedElement, SystemFunctions, SecM, UserManagement, targetType with the ENM CLI application. These attributes define the list of target strings the node belongs to.
— targetType on the node can contain several values. Besides the name of the ManagedElement, the names of the target groups the node is part of must be set.
— targetType always contains the name of the Managed Element, which is the string of the attribute networkManagedElementId in MO ManagedElement.
— By default in ENM, roles are assigned to a user with the predefined target group NONE, which means that the user has no privileges on any node, regardless of the target groups defined on the node.
— To set access control to a node when creating a user and assigning a target group to them, the appropriate target group granting access to the particular nodes must be explicitly assigned to this user.
— The target group in ENM must be created before the targetType attribute is set on the node. Otherwise authentication of users to this node does not work correctly.
— In ENM there is a special user COMuser, not visible in the UI, created during
installation, with target group ALL assigned.
This user is used internally by ENM applications, and must never be deleted
by users with Security Administrator privileges.
Note: Router 6672 does not support all security related ECIM fragments from
18A onwards.
For more information about targets and target groups, see Target Groups
Management on page 129.
This means that the node has target string: "ManagementElement1" and belongs
to target group: "SOUTH".
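The target group rule described above, as an added example that is not ENM code: a decision function over a user's role assignments and a node's targetType values. The data classes, the constructed node and the treatment of the ManagedElement name as a non-group entry are assumptions made for the illustration.

```python
# Added example (not ENM code): authorization on a node from target groups,
# following the rules in the list above. The data shapes are assumptions.
from dataclasses import dataclass

ALL = "ALL"    # predefined target group: grants every target
NONE = "NONE"  # predefined target group: grants no target at all


@dataclass(frozen=True)
class RoleAssignment:
    """A role is always assigned to a user together with a target group."""
    role: str
    target_group: str


def default_target_group(is_com_role):
    """COM roles and COM role aliases default to NONE; ENM system and custom roles to ALL."""
    return NONE if is_com_role else ALL


def node_target_groups(managed_element_id, target_type):
    """targetType holds the ManagedElement name plus the target groups the node is in.

    Assumption for this example: the ManagedElement name is not itself a target
    group, so it is dropped before matching against the user's target groups.
    """
    return set(target_type) - {managed_element_id}


def is_authorized(assignments, role, managed_element_id, target_type):
    """True when `role` is assigned to the user with a target group covering the node."""
    groups = node_target_groups(managed_element_id, target_type)
    for assignment in assignments:
        if assignment.role != role or assignment.target_group == NONE:
            continue  # NONE grants nothing, whatever the node's targetType says
        if assignment.target_group == ALL or assignment.target_group in groups:
            return True
    return False


# Constructed node: ManagementElement1, whose targetType lists the group SOUTH.
NODE_ME_ID = "ManagementElement1"
NODE_TARGET_TYPE = ["ManagementElement1", "SOUTH"]

if __name__ == "__main__":
    # Constructed user: SystemAdministrator assigned explicitly with target group SOUTH,
    # plus the same role as it would look with the COM default (NONE).
    explicit = [RoleAssignment("SystemAdministrator", "SOUTH")]
    by_default = [RoleAssignment("SystemAdministrator", default_target_group(is_com_role=True))]
    print(is_authorized(explicit, "SystemAdministrator", NODE_ME_ID, NODE_TARGET_TYPE))    # True
    print(is_authorized(by_default, "SystemAdministrator", NODE_ME_ID, NODE_TARGET_TYPE))  # False
```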
— A user cannot be allowed to log on using a newly created user account or a changed password.
Table 66
Number of users in the system  Maximum time for updating one user [s]
0                              3
500                            5
1000                           10
2000                           15
5000                           35
Table 67
Number of users to be created/updated  Maximum time for synchronizing all users [s]
500                                    60
1000                                   300
2000                                   600
5000                                   3000
— Password Lockout
— Password Ageing
— Password History
The password policies can be modified by any user with the security administrator role from the System Security Configuration section on the ENM Launcher, or by the REST interface described in the Validation Management Interface and Validation Rules section in the Identity and Access Management Programmers Guide, 19817-cna 403 3016 Uen.
When creating or updating the user password, the new password has to conform to all of the following password complexity policies (default values):
Note: For more information on Password Policies, refer to the Online Help for
System Security Configuration application.
That time period is configurable in System Security Configuration. The user has a configurable number of days, from the first time they are notified to change the password, in which to do so.
If the password is not changed within this time period, the user is not able to log in and the System Administrator is required to reset the password.
Whenever the user changes the password while not already logged in, they need to log on with the new password to access the system.
The user is locked out for three minutes after three consecutive failed logon attempts within a five-minute period. The account is unlocked after three minutes or, alternatively, an administrator can unlock it manually by resetting the user's password.
This prevents potential security attacks in which the user attempts to authenticate with invalid passwords until the correct one is found.
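The lockout rule above, as an added example that is not ENM's implementation: a tracker that applies the three-failures-in-five-minutes rule with a three-minute automatic unlock and an administrator reset. Timestamps are injected so the sequence can be replayed offline.

```python
# Added example (not ENM code): the lockout rule stated above, three consecutive
# failed logon attempts within five minutes lock the account for three minutes.
# The clock is injected (seconds) so the behaviour can be replayed offline.
from collections import deque

FAILURE_LIMIT = 3            # consecutive failed logon attempts ...
FAILURE_WINDOW_S = 5 * 60    # ... within this period trigger a lockout
LOCKOUT_S = 3 * 60           # lockout duration; expires on its own


class LockoutTracker:
    def __init__(self):
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]  # automatic unlock after three minutes
            return False
        return True

    def admin_reset(self, user):
        """Manual unlock: an administrator resets the user's password."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def attempt(self, user, password_ok, now):
        """Record one logon attempt; returns 'locked', 'ok', 'failed' or 'locked_now'."""
        if self.is_locked(user, now):
            return "locked"              # no credential check while locked
        if password_ok:
            self._failures.pop(user, None)  # a success ends the consecutive run
            return "ok"
        recent = self._failures.setdefault(user, deque())
        recent.append(now)
        while recent and now - recent[0] > FAILURE_WINDOW_S:
            recent.popleft()             # failures older than the window do not count
        if len(recent) >= FAILURE_LIMIT:
            self._locked_until[user] = now + LOCKOUT_S
            recent.clear()
            return "locked_now"
        return "failed"


if __name__ == "__main__":
    tracker = LockoutTracker()
    # Constructed sequence: three wrong passwords within two minutes, then a
    # correct one during the lockout, then a correct one after it expires.
    for t in (0, 60, 120):
        print(t, tracker.attempt("alice", False, t))
    print(150, tracker.attempt("alice", True, 150))   # locked
    print(300, tracker.attempt("alice", True, 300))   # ok, lock expired
```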
Note: The administrator account has a special policy that does not expire and
the user is not forced to change upon first logon. It is recommended to
disable the default "administrator" account as soon as the System
Administrator role has been assigned to an alternate user.
Password ageing parameters can be optionally managed per single user. For
additional information, see User Management on page 4.
This task outlines the steps for exporting the ENM Root CA certificate from ENM and importing it into all user client browsers as a trusted certificate.
When successfully completed, the client browser reports a trusted connection.
If the ENM PKI Root CA has been signed by a universally trusted External CA (using the External CA Support in the document ENM Public Key Infrastructure System Administration Guide, 2/1543-aom 901 151-3 Uen), then this task can be skipped because the trusted certificate is already present in the browser by default.
This task describes the steps to export an ENM PKI Root CA certificate.
The procedure must be performed after the creation of a new user account. Every user receives both the user account details and a certificate to enable them to use the ENM Launcher.
Prerequisites
A Security Administrator user is required.
Steps
2. In the launcher screen click Command Line Interface (CLI) (ENM CLI
appears).
Results
The ENM PKI Root CA Certificate is locally downloaded.
This task describes how to import the ENM PKI Root CA Certificate into the Firefox
browser as a trusted certificate. This procedure must be performed before logging
into the system for the first time to remove the warnings that are generated when
connecting through an untrusted connection.
Prerequisites
Steps
2. Select Options > Advanced > Certificates and click View Certificates
Results
A valid certificate is installed in the Firefox browser. No security warnings are
displayed when accessing the ENM Launcher page.
This task describes how to import the ENM PKI Root CA Certificate into the Chrome
browser as a trusted certificate. This procedure must be performed before logging
into the system for the first time to remove the warnings that are generated when
connecting through an untrusted connection.
Prerequisites
Steps
2. Close the remaining windows and navigate to ENM launcher page. The
launcher opens without any warnings.
3. Select Settings > Show advanced settings > Manage certificates and click
Trusted Root Certification Authorities tab
4. Select Import
5. Click Next > Browse in Certificate Import Wizard window and in the directory
explorer change expected file format to All Files (*.*) then select certificate
received from security administrator and click Open.
6. Click Next in Certificate Import Wizard and ensure that Place all certificates
in the following store Downloading Certificate radio button is checked and
points to Trusted Root Certification Authorities.
7. Click Next > Finish and in the Security Warning window select Yes
8. Restart Chrome browser and navigate to ENM launcher page. The launcher
opens without any warnings.
Results
A valid certificate is installed in the Chrome browser. No security warnings are
displayed when accessing the ENM Launcher page.
This task outlines how a Security Administrator can add a security exception for
ENM to the Firefox browser. The procedure is performed once, on first logon, when
the ENM PKI Root CA certificate is not yet imported into the browser as a trusted
certificate.
Prerequisites
The system is up and running with all components installed. When accessing the
ENM Launcher the warning about untrusted connection appears.
Steps
Results
The security exception for ENM is added to the Firefox browser. The Security
Administrator can reach the ENM Logon page.
This task outlines how a Security Administrator can add a security exception for
ENM to the Chrome browser. The procedure is performed once, on first login, when
the ENM PKI Root CA certificate is not yet imported into the browser as a trusted
certificate.
Prerequisites
The system is up and running with all components installed. When accessing the
ENM Launcher the warning about untrusted connection appears.
Steps
Results
The security exception for ENM is added to the Chrome browser. The Security
Administrator can reach the ENM Logon page.
ENM provides the possibility to show and hide the "Logon Successful" screen
after a user successfully logs in through:
— User Interface (UI) using System Security Configuration application. See
Help Online > User Interface > General Settings for details.
Multiple Tabs Support allows the user to use multiple ENM instances from the
same browser.
The first step in making multiple ENM instances accessible from the same browser
is to set SSO_COOKIE_DOMAIN to the ENM FQDN in the SED. This change is applied
to the system during upgrade.
Limitation
When the SSO cookie domain change is applied to the system, session cookies
with the domain set to the ENM sub-domain are no longer accepted by OpenAM
(the component responsible for authentication in ENM). This results in the
following issues:
All previously used session cookies with the ENM sub-domain need to be removed
from the browser. Thereafter the user is able to log on to ENM.
It is not possible to use an ENM system whose SSO cookie domain is set to the ENM
FQDN together with an ENM system whose SSO cookie domain is set to the ENM
sub-domain from a single browser if the sub-domain of the first system is part of
the FQDN of the second system.
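The two limitations above both follow from the browser's cookie domain-matching rule (RFC 6265): a cookie scoped to the parent sub-domain is sent to every host under it, including an ENM FQDN. The example below is added here to show that rule and is not OpenAM or ENM code; the host names, the cookie name "ssotoken" and the "exact domain match" acceptance rule are assumptions modelled on the text.

```python
# Added example (not ENM/OpenAM code): RFC 6265 domain matching applied to the
# SSO cookie domain limitation. Host names and cookie names are constructed.

def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3: host matches when it equals the cookie domain
    or ends with '.' + cookie domain (i.e. it is a sub-domain of it)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(host, jar):
    """Names of the cookies in jar (a list of (name, domain) pairs) that a
    browser attaches to a request for host."""
    return [name for name, domain in jar if domain_matches(host, domain)]


def accepted_by_sso(cookie_domain, sso_cookie_domain):
    """Assumption modelled on the limitation above: after the change, only a
    cookie scoped exactly to SSO_COOKIE_DOMAIN is accepted, even though the
    browser still sends the stale sub-domain cookie."""
    return cookie_domain.lower().strip(".") == sso_cookie_domain.lower().strip(".")


def can_share_browser(fqdn_system_a, subdomain_system_b):
    """System A uses SSO_COOKIE_DOMAIN = FQDN, system B still uses its sub-domain.
    One browser can serve both only if B's sub-domain cookie is NOT also sent
    to A's FQDN, i.e. B's sub-domain is not part of A's FQDN."""
    return not domain_matches(fqdn_system_a, subdomain_system_b)


# Constructed scenario: system A upgraded to the FQDN setting while the cookie
# from the old sub-domain setting is still in the browser's jar.
SYSTEM_A_FQDN = "enm-a.ops.example.net"
OLD_SUBDOMAIN = "ops.example.net"
SAMPLE_JAR = [("ssotoken", OLD_SUBDOMAIN), ("ssotoken", SYSTEM_A_FQDN)]
```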
When TBAC is enabled for a user, that user can only browse nodes belonging to
the Target Groups assigned to that user when using the Topology Browser
functionality to set the network scope for FM applications supporting TBAC.
Users with such custom roles assigned have access only to the selected FM
applications and Topology Browser from the ENM launcher.
A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.
— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).
— Assign Target Groups to the user (TBAC checks are enabled in ENM by doing
this). If any of the needed Target Groups is not yet created, then create it (see
Target Groups Management on page 129).
— ENM
— ENIQ
— VNFM
— NFVO
1.5.2 Targets and Target Groups for AMOS, Element Manager, and Cabinet Viewer
A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.
Configure a user for TBAC on AMOS, Element Manager, and Cabinet Viewer
To configure a user for TBAC on AMOS, Element Manager, and Cabinet Viewer
the following steps are needed:
— Create a Custom Role with AMOS, Element Manager, and Cabinet Viewer
capabilities (see the table) only (see Role Management on page 9).
— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).
— Assign Target Groups to the user (TBAC checks are enabled in ENM by doing
this). If any of the needed Target Groups is not already created, then create it
(see Target Groups Management on page 129).
A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.
— Create a Custom Role with CM-CLI capabilities (see the table) only (see Role
Management on page 9).
— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).
— Assign Target Groups to the user (TBAC checks are enabled in ENM by doing
this). If any of the needed Target Groups is not already created, then create it
(see Target Groups Management on page 129).
A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.
— Create a Custom Role with SHM capabilities (see the table) only (see Role
Management on page 9).
— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).
— Assign Target Groups to the user (TBAC checks are enabled in ENM by doing
this). If any of the needed Target Groups is not already created, then create it
(see Target Groups Management on page 129).
Some Identity Provider servers are not fully compliant with this recommendation
(for example, Oracle Unified Directory 11.1.2.2.0), which prevents ENM remote user
authentication. In this case, depending on the Identity Provider server's
capabilities, it may be possible to add this OID in the “Access Control”
configuration to allow correct LDAP message handling and complete the remote
authentication successfully.
A new attribute, AuthMode=Local/Remote, has been added for each ENM user in the
User Management application.
In the Local DB, a Remote user must be configured with the same username as is
stored in the External DB.
ENM, according to Customer Directory Information Trees (DIT), can support the
following two scenarios:
NOSEARCH
The following figure is an example of Customer DIT: in green the users that can
be authenticated remotely according to the NOSEARCH profile.
STANDARD
The following figure is an example of Customer DIT: in green the users that can
be authenticated remotely according to the STANDARD profile.
Use Cases
Enable System wide Remote Authentication with External Identity: see the
procedure Enable System Wide Remote Authentication with External Identity on
page 149.
Disable System wide Remote Authentication with External Identity: see the
procedure Disable System Wide Remote Authentication with External Identity on
page 164.
Enable / Disable Remote Authentication for individual ENM User: see the
procedure Enable and Disable Remote Authentication for Individual ENM User
on page 164.
This task allows the operator to configure the system for ENM user
authentication with an External Identity Provider.
Prerequisites
— Root access privileges to log on to one SECSERV virtual machine.
— PKI_Administrator
— In case of LDAP secure connection mode, the CA certificate that signs the Ext IdP
certificate.
uid=$user,ou=pdu,dc=acme,dc=com
In this case the only parameter that is left is the value of the attribute
uid.
uid=$user
Steps
An ENM user can drag the pem file into the ENM CLI and run the command:
Example
pkiadm extcaimport -fn file:ldap-otp.pem --chainrequired false --name ExtIdPCA
With this command the external CA certificate in the pem file is imported into PKI
with the name "ExtIdPCA".
pkiadm extcalist
Figure 4 Example 1
/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh read
bindDN = uid=extldapadmin,ou=pdu_nam,dc=acme,dc=com
baseDN = dc=acme,dc=com
bindPassword = nUNY5bz22kVEcSgbv884d4xi1LawLranV5pcCPxgkMA=
primaryServerAddress = 141.137.87.62:1636
ldapConnectionMode = LDAPS
authType = REMOTEAUTHN
secondaryServerAddress = 141.137.87.62:6389
userBindDNFormat = uid=$user,ou=pdu_nam,dc=acme,dc=com
remoteAuthProfile = STANDARD
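Added example, not part of the ENM tooling: it parses the `ext-idp-setting.sh read` output shown above (with the encrypted bindPassword replaced by a placeholder), checks the values this section requires, and renders the user bind DN from userBindDNFormat with RFC 4514 escaping so that the user name substituted for $user cannot add or alter RDNs. The helper names are hypothetical.

```python
import re

# Constructed copy of the `ext-idp-setting.sh read` output shown above; the
# encrypted bindPassword is replaced by a placeholder. Example code, not ENM's.
SAMPLE_READ_OUTPUT = """\
bindDN = uid=extldapadmin,ou=pdu_nam,dc=acme,dc=com
baseDN = dc=acme,dc=com
bindPassword = <ENCRYPTED-PASSWORD-PLACEHOLDER>
primaryServerAddress = 141.137.87.62:1636
ldapConnectionMode = LDAPS
authType = REMOTEAUTHN
secondaryServerAddress = 141.137.87.62:6389
userBindDNFormat = uid=$user,ou=pdu_nam,dc=acme,dc=com
remoteAuthProfile = STANDARD
"""


def parse_settings(text):
    """Turn the `key = value` lines of the read output into a dict.
    Only the first '=' separates key from value; DNs contain more of them."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


# RFC 4514: these characters must be escaped inside a DN attribute value;
# a leading '#' or space and a trailing space are escaped separately below.
_DN_SPECIALS = re.compile(r'([\\,+"<>;])')


def escape_dn_value(value):
    """Escape a value so it stays a single attribute value inside a DN."""
    value = _DN_SPECIALS.sub(r"\\\1", value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def render_user_bind_dn(settings, username):
    """Substitute $user in userBindDNFormat with the escaped user name, so a
    name such as 'x,ou=admins' binds as a literal uid, not a different entry."""
    return settings["userBindDNFormat"].replace("$user", escape_dn_value(username))


def check_settings(settings):
    """Problems against the values this section requires for remote authentication."""
    problems = []
    if settings.get("authType") != "REMOTEAUTHN":
        problems.append("authType must be REMOTEAUTHN")
    if settings.get("remoteAuthProfile") not in ("NOSEARCH", "STANDARD"):
        problems.append("remoteAuthProfile must be NOSEARCH or STANDARD")
    if "$user" not in settings.get("userBindDNFormat", ""):
        problems.append("userBindDNFormat must contain the $user placeholder")
    return problems
```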
Log on to any SECSERV VM as the root user and configure the attributes and
related values as in the table:
remoteAuthProfile=NOSEARCH
authType value=REMOTEAUTHN
/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh <COMMAND> [<OPTIONS>]
Log on to any SECSERV VM as the root user and configure the attributes and
related values reported in the table below:
remoteAuthProfile=STANDARD
userBindDNFormat value=< According to the setting on External IdP>
authType value=REMOTEAUTHN
/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh <COMMAND> [<OPTIONS>]
/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update -b
Interactive output:
Username: Administrator
1.6.1.1 Update Trust Profile IdP_NBI_TP with an External CA already Imported in PKI
These steps are required to prevent CredM from running, during the procedure,
its automatic certificate validity checks, which would restart VMs.
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties
checkCertsStatusOnTimeout=false
cronAllowed=false
forceCertificateRenewal=true
If the file and the folder are not present, they must be created first.
/opt/ericsson/ERICcredentialmanagercli/bin/credentialmanagercliCrontab.sh
/var/log/enmcertificates/enmCertificatesCrontab.log
and search for the last information logged in the file; if everything went as
expected, you see the following lines:
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties: line 1: checkCertsStatusOnTimeout: command not found
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties: line 2: cronAllowed: command not found
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties: line 3: forceCertificateRenewal: command not found
Instantiated CommandCheck
Execute CommandCheck
Connected to 10.247.246.153:8080
checkCertificateValidity /ericsson/credm/cli/data/certs/credmApiKS.JKS
Connected to 10.247.246.153:8080
read TRUST : credmApiCA from C=SE, OU=BUCI_DUAC_NAM, O=ERICSSON, CN=ENM_Management_CA
REST: internal trust ENM_Management_CA
ReWrite Trust for credMServiceProfile
deleteEntry credmApiCA in /ericsson/credm/cli/data/certs/credmApiTS.JKS
addTrustedEntry credmApiCA_ENM_Management_CA in
Connected to 10.247.246.153:8080
checkCertificateValidity /ericsson/credm/cli/data/certs/credmApiKS.JKS
Connected to 10.247.246.153:8080
read TRUST : credmApiCA from C=SE, OU=BUCI_DUAC_NAM, O=ERICSSON, CN=ENM_Management_CA /ericsson/credm/cli/data/certs/credmApiTS.JKS
REST: internal trust ENM_Management_CA
SYSTEM RECORDER COMMAND = { ReWrite
Output like the above means that something has not worked as expected because
the credentialmanager check has been executed. Check the lines in
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties,
correct them and repeat the check described in step a. before going
on with the procedure.
2. Export Idp_NBI_TP
Run the command from ENM CLI to export the trust profile Idp_NBI_TP. The
trust profile Idp_NBI_TP already exists in PKI since it is one of the
predefined trust profiles.
<ExternalCA>
  <CertificateAuthority>
    <Id>25</Id>
    <Name>ExtIdPCA</Name>
    <IsRootCA>true</IsRootCA>
    <Subject>
      <SubjectField>
        <Type>COMMON_NAME</Type>
        <Value>IT00114405.ericsson.se</Value>
      </SubjectField>
      <SubjectField>
        <Type>ORGANIZATION</Type>
        <Value>OpenDJ RSA Self-Signed Certificate</Value>
      </SubjectField>
    </Subject>
    <Issuer>
      <Id>0</Id>
      <IsRootCA>false</IsRootCA>
      <CAStatus>NEW</CAStatus>
      <PublishToCDPS>false</PublishToCDPS>
      <IsIssuerExternalCA>false</IsIssuerExternalCA>
    </Issuer>
    <CAStatus>ACTIVE</CAStatus>
    <PublishToCDPS>false</PublishToCDPS>
    <IsIssuerExternalCA>false</IsIssuerExternalCA>
  </CertificateAuthority>
</ExternalCA>
</TrustProfile>
</Profiles>
In the example the same name chosen in the example at step 1 ("ExtIdPCA")
has been used instead of the BNF <ext CA Name> to avoid
misunderstanding.
  </CertificateAuthority>
</ExternalCA>
</TrustProfile>
</Profiles>
4. Update IdP_NBI_TP
Drag and drop Idp_NBI_TP.xml file on ENM CLI, and run the command to
add the IdP external CA to IdP_NBI_TP trust profile:
pkiadm extcalist
For example:
Figure 5
a. Log on the MS as root user and run the command to find the SSO VM
instances applicable for your deployment.
b. From the MS, log on one of the SVC nodes hosting the SSO VM as the
litp-admin user and then switch to the root user.
[litp-admin@svc-1~]$ su -
Password:
[litp-admin@svc-1~]# hagrp -state | grep sso
ii. Verify that the SSO service group is OFFLINE by checking the output
of the command.
This means that it is required to wait more time and repeat the
check:
iii. On the SVC node where SSO instance is OFFLINE, run the
commands:
• Log on the SVC node as the litp-admin user and then switch to
the root user.
Example of command:
This means that more time is needed; wait and then repeat the check:
vi. Verify that the SSO service group has completed installation/
configuration.
Wait for the complete installation/configuration of the SSO instance
just restarted.
To check this condition login on ms-1 VM as root user and run the
command:
10.247.246.86 httpd-instance-2 iorfile2.ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
10.247.246.85 httpd-instance-1 iorfile1.ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
141.137.206.30 haproxy ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
In the command result take note of the sso instances, for example:
sso-instance-1.ieatENM5266-6.athtem.eei.ericsson.se
sso-instance-2.ieatENM5266-6.athtem.eei.ericsson.se
command.
c. Restart the VM.
From LAF, the consul members monitoring displays the sequence failed
→ left → alive.
For SECSERV VM instances it is enough to wait for the ONLINE status after the
restart before going on with the procedure.
— secserv offline
— virsh undefine
— secserv online
command.
c. Restart the VM.
From LAF, the consul members monitoring displays the sequence failed
→ left → alive.
Log on to the MS with root privilege and remove from the file
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties the
following lines:
checkCertsStatusOnTimeout=false
cronAllowed=false
forceCertificateRenewal=true
If the file contains only the above lines, it can be removed with:
rm -f /ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties
This task allows the operator to turn off Remote Authentication system-wide.
This can be required to allow ENM user access in case both the primary and
secondary Ext IdP servers are unavailable at the same time.
Prerequisites
— Root access privileges to log on one SECSERV virtual machine.
— The authentication with External IdP is already enabled. See Enable System
Wide Remote Authentication with External Identity on page 149.
Steps
/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update --name=authType --value=LOCAL
/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update --name=authType --value=REMOTEAUTHN
1.6.3 Enable and Disable Remote Authentication for Individual ENM User
This task allows the operator to configure each ENM user for Local or Remote
Authentication.
From the User Management application, you can enable or disable remote
authentication on a per-user basis by updating the AuthMode attribute. See the
User Management application.
Note: AuthMode cannot be set to Remote for the Administrator user.
Disabling the User Status in the User Management page for a remote user has no
effect in terms of preventing this user from accessing the system: this status
configuration makes sense only for 'local' users and has no meaning for 'remote'
users.
In order to prevent a 'remote' user from accessing the system, update its AuthMode
to Local and then configure its Status to Disabled.
2 IDAM Limitations
This section provides the limitations of the IDAM security solution in the current
ENM system.
Where possible, preventative steps are included to minimize the outcome of each
limitation.
Limitations
User is able to login anytime (except the first login, see “change password”).
For the Security Admin the availability of the system during upgrade, in
addition to the above, is as follows:
— Change password
End user experience when OpenIDM is down (from the User Management
application point of view):
— The user account is created, but one can not access ENM using this
account, until OpenIDM synchronizes this account to LDAP.
When creating users, do not use the combination of a username starting with
“temporary_amos_”, a first name starting with “Temporary”, and a last name
starting with “Amos”. This combination is reserved for use by AMOS. If this
combination is used, the user does not appear in User Management (neither
on the NBI or in the UI) and later the user is automatically deleted by the
system. This means that if a user that meets these criteria is added, it is not
possible to manage that user after the creation.
— BO_Administrator
— BO_Report_Operator
— BO_Universe_Operator
— NetworkAnalytics_Administrator
— NetworkAnalytics_BusinessAnalyst_Operator
— NetworkAnalytics_BusinessAuthor_Operator
— NetworkAnalytics_Consumer_Operator
The limitation is due to Active Directory in OCS for SSO configuration. Refer
to "SSO Configuration for OCS AD DS Server" of System Administrator Guide,
1543-CNA 403 2826 Uen.
5. User Management database
All user data is stored in PostgreSQL, which is the primary User Management
database.
Only relevant admin roles are allowed to launch certain security applications
even though operator roles are allowed to do so.