
ENM Identity and Access Management

System Administrator Guide

Operating Instructions

2/1543-AOM 901 151-1 Uen C


Copyright

© Ericsson AB 2018. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use of this
document.

Trademark List

All trademarks mentioned herein are the property of their respective owners.
These are shown in the document Trademark Information.

2/1543-AOM 901 151-1 Uen C | 2018-07-25


Contents

Contents

1 Identity and Access Management System 1


1.1 Identity and Access Administration 2
1.1.1 User Management 4
1.1.1.1 User Name Policy 4
1.1.1.2 Create a New Security Administrator 5
1.1.1.3 Create a User Account 5
1.1.1.4 Password Ageing per User 6
1.1.1.5 Allow Users to Generate Credentials 6
1.1.1.6 User Management Settings Available over NBI only 7
1.1.1.7 Predefined User Accounts 7
1.1.1.8 User Management for ENM System Monitor 8
1.1.2 Role Management 9
1.1.2.1 ENM Roles 12
1.1.2.2 Node Roles 111
1.1.2.3 User Defined Roles 112
1.1.3 Target Groups Management 129
1.2 Access Control for Nodes Supporting ECIM 131
1.2.1 Targets and Target Groups 131
1.2.2 Example of Setting Target Group Information for the Node 132
1.3 User Data Provisioning Principles 133
1.4 Managing System Configuration and Utilities 134
1.4.1 Password Handling 134
1.4.1.1 Password Complexity 134
1.4.1.2 Force Password Change 135
1.4.1.3 Password Lockout 135
1.4.1.4 Password Ageing 135
1.4.1.5 Password History 136
1.4.2 Install ENM Trusted Certificate into Client Browser 136
1.4.2.1 Export ENM PKI Root CA Certificate 136
1.4.2.2 Import ENM PKI Root CA Certificate into Firefox Browser 137
1.4.2.3 Import ENM PKI Root CA Certificate into Chrome Browser 138
1.4.2.4 Manage the FireFox Browser Security Warning on First Logon 139
1.4.2.5 Manage the Chrome Browser Security Warning on First Logon 139
1.4.3 Enabling and Disabling Logon Successful Screen in ENM 140
1.4.4 Multiple Tabs Support 140
1.5 Target Based Access Control 141
1.5.1 Targets and Target Groups for FM and Topology Browser 141
1.5.2 Targets and Target Groups for AMOS, Element Manager, and Cabinet Viewer 143
1.5.3 Targets and Target Groups for CM-CLI 143
1.5.4 Targets and Target Groups for SHM 145



ENM Identity and Access Management System Administrator Guide

1.6 Authentication with External Identity Provider 146


1.6.1 Enable System Wide Remote Authentication with External Identity 149
1.6.1.1 Update Trust Profile IdP_NBI_TP with an External CA already Imported in PKI 154
1.6.2 Disable System Wide Remote Authentication with External Identity 164
1.6.3 Enable and Disable Remote Authentication for Individual ENM User 164

2 IDAM Limitations 166

Security Reference List 169



Identity and Access Management System

1 Identity and Access Management System

ENM Identity and Access Management System (IdAM) is a set of capabilities for:
— Provisioning of users and their access control management through the
concept of roles and target groups. All ENM users are authenticated and
authorized based on defined access rights.

— Industry-standard password management in terms of complexity and control (reset, force password change and similar).

All Identity and Access Management tasks in ENM can be operated via the User Interface that is launched from the Launcher page, as well as via the published programmatic interface in the case of integration with an external user management system. The Identity and Access Management System can be divided into the following sub-systems:
— Access Control

— Identity and Access Administration

— User Data Provisioning Principles and Managing System Configuration and Utilities

Access Control
Access Control is a security function in ENM. Its purpose is to protect resources
against unauthorized use.

Access control is implemented on different layers:

— Web resources - Every user login session is subject to access control. When an HTTP request is received, the system checks if it comes from an active session and if the user has access rights to the given web resource.

— ENM application resources - once the web resources grant access to a user (the user is logged in), the applications are checked to verify whether the user is authorized to use them and what actions can be performed.

— Network Elements - users can connect from ENM to nodes supporting ECIM.
More details are available in the section Access Control for Nodes Supporting
ECIM.

Security Administrator manages Access Control by mapping different roles, aliases and target groups to users. More details about Access Administration are available in the section Identity and Access Administration.




Identity and Access Administration


All users in ENM must be assigned at least one role. Each role comes with a predefined set of access rights controlling the users' allowances throughout the system.

Roles are always assigned to a user together with a target group, but this functionality is limited to COM roles and COM role aliases.

More information about ENM Roles is available in the Role Management on page
9 and its sub-sections. More information about ENM Users is available in the
section User Management on page 4.

ENM application users are distinct from LITP users:

— ENM application users interface to the ENM over Web based user interface or
via REST based northbound interface.

— LITP users have access to the system at the operating system level. These
are machine to machine type users such as litpmgr or puppet and also
includes the generic root user used for system operations and administration.

ENM application users and LITP users have separate authentication domains.
The same userid for a user cannot exist in both domains.

There is one overlap case and that is the case of the field technician. An ENM user
with only the role of FIELD_TECHNICIAN has no entitlements to use ENM
applications but is able to SFTP to a restricted part of the ENM to obtain node
provisioning data. SFTP is a service provided by the operating system, made
accessible through ENM application user management.

A field technician is able to log in via the ENM login page and manage their
password in the same manner as an ENM application user.

It is not permitted to assign a user as a field technician with an account that has
the same username as defined in the LITP domain in the file /etc/password.

1.1 Identity and Access Administration


Identity and Access Administration is a set of capabilities for managing users and their privileges. User privileges are the rights to access and manage certain network resources and are granted through the concept of roles and target groups. The Security Administrator is responsible for managing users, roles, role aliases, and target groups. The use case diagram in Figure 1 shows the general operations that a Security Administrator can perform.




Figure 1 General Security Administrator Operations (use case diagram). The diagram groups the operations of the Security Administrator as follows:

— Target Group Management: Create Target Groups, List Target Groups, Delete Target Groups

— Role Management: Create Roles, Create Aliases, List Roles, List Aliases, Modify Roles, Delete Roles, Delete Aliases

— User Management: Create Users, Activate Users, Deactivate Users, List Users, Modify Users, Delete Users

Management of users and identities can be performed in two ways:


— Through graphical User Interface (UI) that is available from the ENM Launcher page. The following security applications are available: User Management, Role Management, and Target Group Management.

Each application contains an Online Help that describes in detail the steps required to perform various security tasks.

— Through published programmatic interface exposed over Northbound Interface (NBI) where integration with an external user management system is needed. For more information, refer to ENM Identity and Access Management Programmers Guide, 19817-cna 403 3016 Uen.

IdAM consists of:

— Role Management

— Target Groups Management

— User Management

— Access Control for Nodes Supporting ECIM

— Target Based Access Control

— User Data Provisioning Principles

— Managing System Configuration and Utilities

— Authentication with External Identity Provider
1.1.1 User Management

User Management application allows handling of users, their certificates and passwords. The mapping of roles, target groups and users is also performed in this application.
User Management is the functionality that provides the user-related management of the security solution. User Management allows management of users, passwords, allocation of Roles, and Target Groups. ENM provides industry-standard password management in terms of complexity and control (reset, force password change and similar). Available operations for Security Administrator:
— Creation of Users

— Listing of All Users

— Retrieving User Profile Summary

— Assign User Roles and Target Groups

— Deleting Users

— Changing User Password

— Revoking User Certificate

— Editing existing Users

— Duplicating a User

— Filtering Users

— Retrieving User Credentials

— Managing Password Ageing per User

1.1.1.1 User Name Policy

When creating or updating the username, adhere to the following username complexity policies:

— The username can contain small and capital letters.




— The username cannot match a username already created in the system; the username must be unique.

— The username cannot be defined using the following invalid names: ".", "..", "root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "news", "uucp", "operator", "games", "gopher", "ftp", "nobody", "rpm", "vcsa", "dbus", "ntp", "canna", "nscd", "rpc", "postfix", "mailman", "named", "amanda", "postgres", "exim", "sshd", "rpcuser", "nsfnobody", "pvm", "apache", "xfs", "gdm", "htt", "mysql", "webalizer", "mailnull", "smmsp", "squid", "ldap", "netdump", "pcap", "radiusd", "radvd", "quagga", "wnn", "dovecot", "litp-admin", "saslauth", "nfsnobody", "ovirtagent", "cloud-user", "tcpdump", "haproxy", "enmadm", "jboss_user", "nslcd", "ssouser".

— Only the following character set is permitted when defining user names: a-z,
A-Z, 0-9, _, -, .

1.1.1.2 Create a New Security Administrator

ENM provides a predefined administrator account, used to create the first Security Administrator user account.

Once the new Security Administrator user account is created, it is recommended to disable the predefined administrator account.

In some cases it can be necessary to re-enable the predefined administrator account.

To see assigned roles in the User Management UI, click the User Profile menu in
the top right corner, to expand the menu and select View User Profile.

As a user with the SECURITY_ADMIN role, do the following:

Steps

1. Launch ENM and add a security exception for ENM.

For more information about adding a security exception, see Manage the FireFox Browser Security Warning on First Logon on page 139.

2. Create a new user or update an existing user.

3. Assign the SECURITY_ADMIN role to a user. For more information about ENM roles, see Role Management on page 9.

1.1.1.3 Create a User Account

If a user is deleted and re-created in fast sequence there can be some temporary
troubles using such user with AMOS, EM, or Scripting VMs. It is recommended to
wait at least three minutes between the two operations.




As a user with SECURITY_ADMIN role, do the following:

Steps

1. Create a user account.

2. Provide the ENM PKI Root CA Certificate to be installed in a new Client Browser. See Import ENM PKI Root CA Certificate into Firefox Browser on page 137 and Import ENM PKI Root CA Certificate into Chrome Browser on page 138.
This is required to configure the browser to use a secure connection. Once a secure connection is used, the untrusted content is no longer displayed.

This step is mandatory for FireFox version ESR 45.1.1 (or later), as without
certificate it is not possible to access ENM.

1.1.1.4 Password Ageing per User

On Create/Edit user accounts it is possible to customize the feature that causes password expiration after a pre-set time for the specified user.

The following options are available:

Steps

— Choose between Customize Password Ageing or Use System Settings parameters.

— In case of Customize Password Ageing, choose between never expiring or specify a validity period:

1. Number of days password is valid

It defines the number of days of password validity.

2. Number of days to password expiration warning

It defines the number of days before expiration to start receiving warnings.
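The following is an added example, not code from ENM or this guide, showing how the per-user ageing options above resolve into a password state. The field names on the policy object and the system-wide default values (90 days validity, 7 days warning) are assumptions made for the illustration; the real system values come from System Security Configuration.

```python
"""Password ageing per user, as an added illustration of section 1.1.1.4.

Illustrative code, not ENM's implementation: the policy field names and the
system-wide defaults below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed system-wide defaults, standing in for "Use System Settings"
# (the real values are configured in System Security Configuration).
SYSTEM_VALID_DAYS = 90
SYSTEM_WARN_DAYS = 7


@dataclass
class AgeingPolicy:
    """Per-user choice: system settings, or a customized validity and warning."""
    use_system_settings: bool = True
    never_expires: bool = False        # "Customize Password Ageing" -> never expiring
    valid_days: Optional[int] = None   # "Number of days password is valid"
    warn_days: Optional[int] = None    # "Number of days to password expiration warning"


def effective_policy(policy: AgeingPolicy) -> Tuple[Optional[int], int]:
    """Resolve a per-user policy to (valid_days, warn_days).

    valid_days is None when the password never expires. A customized policy
    needs a positive validity, and the warning window cannot exceed the
    validity (otherwise every password would warn from the day it is set).
    """
    if policy.use_system_settings:
        return SYSTEM_VALID_DAYS, SYSTEM_WARN_DAYS
    if policy.never_expires:
        return None, 0
    if policy.valid_days is None or policy.valid_days <= 0:
        raise ValueError("customized ageing needs a positive number of valid days")
    warn = policy.warn_days or 0
    if warn < 0 or warn > policy.valid_days:
        raise ValueError("warning window must be between 0 and the validity period")
    return policy.valid_days, warn


def password_status(policy: AgeingPolicy, last_changed: str, today: str) -> Tuple[str, Optional[int]]:
    """Classify a password as 'ok', 'warning' or 'expired'.

    Dates are ISO strings (YYYY-MM-DD). Returns the status and the number of
    days left until expiry (None for a never-expiring password).
    """
    valid_days, warn_days = effective_policy(policy)
    if valid_days is None:
        return "ok", None
    expires_on = date.fromisoformat(last_changed) + timedelta(days=valid_days)
    days_left = (expires_on - date.fromisoformat(today)).days
    if days_left <= 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "warning", days_left
    return "ok", days_left


if __name__ == "__main__":
    # Constructed sample accounts: one on system settings, one customized, one never expiring.
    samples = {
        "system": AgeingPolicy(),
        "custom": AgeingPolicy(use_system_settings=False, valid_days=30, warn_days=5),
        "never": AgeingPolicy(use_system_settings=False, never_expires=True),
    }
    for label, pol in samples.items():
        print(label, password_status(pol, "2018-07-01", "2018-07-27"))
```

A per-user policy with a warning window longer than its validity is rejected up front rather than silently producing a permanent warning state.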

1.1.1.5 Allow Users to Generate Credentials

In the event that a user with security administrator privileges loses access to the launcher and user management, it is possible to execute a shell script to change the status of the default user "administrator" to enabled.

A detailed description of the administrator account is available in section Predefined User Accounts on page 7. For further information, see Enable Default Administrator User section in ENM Security Management Troubleshooting Guide, 1/159 01-aom 901 151-4 Uen.




To generate credentials, the user must have created an "Entity". For more information about entities see the section Public Key Infrastructure of the document ENM Public Key Infrastructure System Administration Guide, 2/1543-aom 901 151-3.

As a user with the SECURITY_ADMIN role, perform the following:

Steps

1. Create a Certificate Profile.

2. Create an Entity Profile.

3. Create an Entity.

4. Provide information with entity password (set in Entity.xml) to a user.

The user uses this password to authenticate as an entity user during certificate generation.

For further information, see the section Public Key Infrastructure System Administrative Tasks of the document ENM Public Key Infrastructure System Administrator Guide, 2/1543-aom 901 151-3 Uen.

1.1.1.6 User Management Settings Available over NBI only

It is possible to define session settings (Maximum session time, Idle session time)
per user. Such configuration overwrites the common settings from System
Security Configuration.

The NBI interface for configuring sessions per user allows configuring longer sessions than System Security Configuration (which applies the same configuration to all users).

See the User Management Interface section in ENM Identity and Access
Management Programmers Guide, 19817-cna 403 3016 Uen for information on
how to configure session settings per user.

1.1.1.7 Predefined User Accounts

A default security administrator user account called "administrator" is created during ENM installation. The administrator account is assigned the ADMINISTRATOR role as well as the SECURITY_ADMIN role, which gives the administrator user unrestricted access to the system.

Note: The administrator account is associated with the ADMINISTRATOR role and the SECURITY_ADMIN role.

The administrator user must be used to create user specific accounts with the SECURITY_ADMIN role. Once other accounts with the SECURITY_ADMIN role are created, the "administrator" account is disabled. The administrator account cannot be deleted; if the system has authorization issues, the administrator user can be resumed for debugging purposes.

The default security administrator has the following characteristics:

— user name: administrator

— password: <Administrator_Password>

Note: The password of the default security administrator account is provisioned at customer site according to the Site Engineering Document (SED).

1.1.1.8 User Management for ENM System Monitor

The administrator manages levels of access to the system by creating and editing
user accounts and assigning user roles to those accounts.

Roles and Users in ESM:

Table 1
S.No | User | Password | Role | Description
1 | esmadmin | ericssonadmin | Super User Role | This user has full access to the system, including User Management.
2 | esmuser | esmpass | ESM_ReadOnly | This user does not have permission to make changes to the system. For example, the user cannot create any alert or any other new user.
3 | esmalertadmin | n1md4tr3l4m53 | ESM_AlertManager | This user allows creation, deletion, and alteration of alerts. This user cannot create any other new user.

Note: It is recommended to change the default password after first login. See Changing Default Password for ESM Users section in ENM System Monitor User Guide, 1/1553-cna 403 3115 Uen for more information.

Steps

1. Select Administration > Security > Users from the drop-down menu in ENM
System Monitor (ESM).




Figure 2 ESM Administration

2. Select the user to edit, or use the New button to add a new user.

3. Fill the fields marked with an asterisk.

4. Assign an appropriate role by moving entries from Available Roles into Assigned Roles.

Figure 3 ESM - Create New User

5. Press Save to store your changes, or Cancel to discard them.

Results
A new user account with access to the specified resources on the system is
created.

1.1.2 Role Management

Role Based Access Control (RBAC) is a way to restrict access to different resources for authenticated users.
The permissions to perform certain operations are assigned to specific roles. Each role comes with the set of access rights controlling users' privileges throughout the system. Users are assigned different roles, and through those role assignments acquire the permissions to perform particular functions. Since users are not assigned permissions directly, management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account. Role management helps in managing authorization, which enables the Security Administrator to specify the resources that users are allowed to access.

ENM has a concept of roles which define what a user can do in the system by an
ENM application. There are system roles and application-specific roles which
apply to a single application. There are role aliases which group various roles. It
is also possible to create custom roles to define more specific access rights. A user
can be assigned any combination of the system, application-specific, and custom
roles.

Role Management is described in details in:

— Online help of Role Management application

— Security Programmers Guide

All users in ENM must be assigned to at least one of the following roles:

— ENM System Roles:
  — System-wide roles
  — Application-specific roles

— Network Element Roles:
  — COM Roles (privileges on the nodes supporting ECIM)
  — COM Role Aliases (groups of COM roles)

— Custom Roles

System-wide Roles
System-wide roles are:
— ADMINISTRATOR

— OPERATOR

— SECURITY_ADMIN

— FIELD_TECHNICIAN

System wide roles are named using capital letters only, for instance:
ADMINISTRATOR.

A Security Administrator is an ENM user which is assigned the SECURITY_ADMIN role. For more information on available roles, see System-Wide Roles on page 12.




Security Administrator can:

— Create new roles (COM Role, COM Role Alias, or Custom Role). In case of
COM Role Alias at least one COM Role needs to be selected, in case of
Custom Role also capabilities can be chosen.

— Edit roles (COM Role, COM Role Alias, or Custom Role).

— Compare roles to see their Status, Description and Different actions.

— Display Role Summary to check Description, Role Type, and Status of a given
role.

— Delete roles. Roles that cannot be deleted are: ENM System Roles, roles with
assigned users and COM Roles assigned to one or more COM Role Aliases or
Custom Role.

Application-specific Roles
Application-specific roles have following naming convention:
[ApplicationName]_Administrator or [Application_Name]_Operator. A user
assigned the role of [ApplicationName]_Administrator has the same access rights
as a user that is assigned the role of ADMINISTRATOR except the scope is
limited to that single application instead of all applications. Similarly the
[Application_Name]_Operator has access to the same functionality within an
application as the OPERATOR. For more information on Application-defined
roles, see Application Specific Roles on page 14.

Application-specific roles indicate application and role, for instance: Amos_Administrator, Amos_Operator.

Network Element Roles

Network Element Roles are the roles available for different nodes in the network. COM Roles represent privileges on the nodes supporting ECIM. COM role aliases are sets of COM roles, which group these roles for easier assignment to users. For more information on ECIM Access, see Access Control for Nodes Supporting ECIM on page 131. For more information on predefined COM Roles, see Predefined COM Roles on page 111.

Custom Roles
Custom roles are roles consisting of a combination of roles and capabilities.
Custom roles allow creation of a fine-grained set of application access rights in
form of resource-action pairs. More information about Custom Roles can be
found in Custom Roles on page 113.




POSIX-based Roles
ENM Roles provide access to ENM System through User Interface (UI) or
Northbound Interface (NBI). There are roles that also allow user to access ENM
by Secure Shell (SSH) connection. For more information on these roles, see
POSIX-Based Roles on page 111.

Predefined and User-defined Roles

ENM comes with a set of predefined roles. This applies to ENM System Roles and to Network Element Roles. Role and capabilities can be chosen.

Security Administrator can create new COM Roles and COM Role Aliases, where the aliases are a group of COM Roles. Create new Roles (COM Role, COM Role Alias or Custom Role). In case of COM

Security Administrator can also create new roles, referred to as Custom Roles. A custom role is a collection of specific roles and capabilities, not a grouping of existing predefined roles.

Role naming policy for User-defined roles:

— The role must start with an alphanumeric character and must end with a
number or a letter.

— Only alpha (upper and lower case), numeric, underscore, dash, dot characters
are allowed.

Role names must comply with the naming policy otherwise they are not created
and an error message is displayed.
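The two naming policies in this guide, the username policy of section 1.1.1.1 and the role naming policy just above, are easy to get subtly wrong (a role name that starts with an underscore, a username that collides with a reserved operating-system account). The following added example, which is not ENM code, checks a candidate name against the rules as the guide states them; the reserved-name list is the one from section 1.1.1.1, while the sets of existing users and LITP-domain accounts passed to the check are constructed for illustration, and exact (case-sensitive) comparison for uniqueness is an assumption.

```python
"""Naming-policy checks for ENM usernames (section 1.1.1.1) and user-defined
role names (section 1.1.2, "Role naming policy").

Added example, not ENM code. Uniqueness is checked by exact string match,
which is an assumption; the guide does not state how case is treated.
"""
import re
from typing import Iterable, List

# Invalid usernames, as listed in section 1.1.1.1 of the guide.
RESERVED_USERNAMES = frozenset({
    ".", "..", "root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt",
    "mail", "news", "uucp", "operator", "games", "gopher", "ftp", "nobody", "rpm",
    "vcsa", "dbus", "ntp", "canna", "nscd", "rpc", "postfix", "mailman", "named",
    "amanda", "postgres", "exim", "sshd", "rpcuser", "nsfnobody", "pvm", "apache",
    "xfs", "gdm", "htt", "mysql", "webalizer", "mailnull", "smmsp", "squid", "ldap",
    "netdump", "pcap", "radiusd", "radvd", "quagga", "wnn", "dovecot", "litp-admin",
    "saslauth", "nfsnobody", "ovirtagent", "cloud-user", "tcpdump", "haproxy",
    "enmadm", "jboss_user", "nslcd", "ssouser",
})

# Permitted characters for usernames and role names: a-z, A-Z, 0-9, _, -, .
NAME_CHARSET = re.compile(r"[A-Za-z0-9_.\-]+")
# A single ASCII letter or digit (role names must start and end with one).
ALNUM = re.compile(r"[A-Za-z0-9]")


def validate_username(name: str, existing_users: Iterable[str] = (),
                      os_accounts: Iterable[str] = ()) -> List[str]:
    """Return the policy violations for a proposed username (empty list = valid).

    existing_users: usernames already created in ENM (names must be unique).
    os_accounts: account names of the LITP (operating system) domain; the guide
    states that the same userid cannot exist in both domains.
    """
    if not name:
        return ["username is empty"]
    errors = []
    if not NAME_CHARSET.fullmatch(name):
        errors.append("only a-z, A-Z, 0-9, _, - and . are permitted")
    if name in RESERVED_USERNAMES:
        errors.append(f"{name!r} is a reserved name and cannot be used")
    if name in set(existing_users):
        errors.append("username already exists; usernames must be unique")
    if name in set(os_accounts):
        errors.append("username exists in the LITP (operating system) domain")
    return errors


def validate_role_name(name: str) -> List[str]:
    """Return the policy violations for a user-defined role name (empty list = valid)."""
    if not name:
        return ["role name is empty"]
    errors = []
    if not NAME_CHARSET.fullmatch(name):
        errors.append("only letters, digits, underscore, dash and dot are allowed")
    if not ALNUM.fullmatch(name[0]):
        errors.append("role name must start with an alphanumeric character")
    if not ALNUM.fullmatch(name[-1]):
        errors.append("role name must end with a letter or a number")
    return errors


if __name__ == "__main__":
    # Constructed sample data: a few ENM users and LITP-domain accounts.
    enm_users = {"jsmith", "mrossi"}
    litp_accounts = {"litpmgr", "puppet", "litp-admin"}
    for candidate in ("jsmith.01", "root", "j smith", "jsmith", "litpmgr"):
        print(candidate, validate_username(candidate, enm_users, litp_accounts) or "valid")
    for candidate in ("Amos_Custom-role.1", "_role", "role-", "my role"):
        print(candidate, validate_role_name(candidate) or "valid")
```

Every check is reported rather than stopping at the first failure, so an operator sees all the reasons a name is rejected at once.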

1.1.2.1 ENM Roles

1.1.2.1.1 System-Wide Roles

Table 2

Role Name | Description

SECURITY_ADMIN | Users assigned the role of SECURITY_ADMIN are able to manage users, their passwords and certificates, and assign users to roles and target groups. The SECURITY_ADMIN role gives full access to the security applications:
— PKI Entity Management (PKIEM)
— PKI Profile Management (PKIPM)
— Role Management (RM)
— System Security Configuration (SSC)
— Target Group Management (TGM)
— User Management (UM)
— Node Security Configuration (NCS)
— Command Line Interface (CLI) to execute the credm, pkiadm, secadm commands
— Collection Management, Network Explorer, Topology Browser to execute the TBAC use cases.
A Security Administrator is an ENM user which is assigned the SECURITY_ADMIN role.

ADMINISTRATOR | Users assigned the role of ADMINISTRATOR have unrestricted access to applications and commands within the application, except:
— Security operations related to user management, as security operations require the SECURITY_ADMIN role.
— Access to WinFIOL, which is restricted to WinFIOL roles only.

OPERATOR | Users assigned the role of OPERATOR have access to a subset of the ENM application functionality afforded to the ADMINISTRATOR users. General guidance is that if an action could be called impacting, it requires the ADMINISTRATOR role. The exact breakdown of entitlements is application-specific.

FIELD_TECHNICIAN | Users assigned the role of FIELD_TECHNICIAN do not have any specific authorizations for ENM applications. A user with the FIELD_TECHNICIAN role is able to SFTP to the ENM when performing nodal provisioning. Such a user is connected to /ericsson/tor/smrs after logging in through SFTP. This means that users with FIELD_TECHNICIAN can SFTP to the ENM and access data only under the /ericsson/tor/smrs directory. If a user has no authorizations for ENM applications, the user ends up logging in to the ENM just to perform password management. It is required that a user with the field technician role changes the password after initial account creation or after the password is reset by an administrator before attempting to SFTP to an ENM system.

A user assigned the role of ADMINISTRATOR has unrestricted access to all ENM applications except User Management, Role Management, and System Security Configuration. Access to these applications is given only to users with the SECURITY_ADMIN role. Such users are given the right to fully manage the security aspects of the ENM system. A user that has both roles has access to all available ENM applications.

Users can be assigned to one or more roles. However, it is redundant to assign a user both OPERATOR and ADMINISTRATOR roles as ADMINISTRATOR has a superset of OPERATOR authorizations.




If a user with security administrator privileges loses access to the launcher and
user management applications, it is possible to execute a shell script to change
the status of the default user "administrator" to enabled.

Refer to the Enable Default Administrator User in the ENM Security Management
Troubleshooting Guide, 1/15901-aom 901 151-4 Uen.

1.1.2.1.2 Application Specific Roles

In general, applications support at least one of the predefined roles: application Operator (for instance Amos_Operator) and application Administrator (for instance Amos_Administrator).
Most of the applications support creation of Custom Roles, by exposing application-specific resources and operations. More information about Custom Roles is available in Custom Roles on page 113. Available resources and operations are described in each application section.

The application Operator and application Administrator roles afford the users the
same privileges as the system-wide OPERATOR and ADMINISTRATOR roles
except the scope is limited to the specific application.

A user that is assigned the application Operator role has a subset of privileges
compared to a user that is assigned the application Administrator role.

The application Administrator role affords the user unrestricted access to the
application.

General guidance is that if an action could be called impacting, it would require the administrator role (system wide or application-specific).

If a user is already assigned the predefined OPERATOR role, it is redundant to assign them the application-specific Operator role.

If a user is already assigned the predefined ADMINISTRATOR role, it is redundant to assign them application-specific Operator or Administrator roles.

1.1.2.1.2.1 Application Mapping to Application and Predefined Roles

The following table shows how individual use cases in applications map to
Application and Predefined Roles.

Table 3
Application Action / Command Administrator Operator Sec Administrator Application_Admin
/Operator roles
exist
ENM CLI cmedit create yes yes no yes
ENM CLI cmedit get yes yes no yes
ENM CLI cmedit set yes no no yes
ENM CLI cmedit delete yes no no yes

14 2/1543-AOM 901 151-1 Uen C | 2018-07-25


Identity and Access Management System

Application Action / Command Administrator Operator Sec Administrator Application_Admin


/Operator roles
exist
ENM CLI cmedit action yes no no yes
ENM CLI cmedit describe yes no no yes
BULK IMPORT cmedit import yes no no yes
BULK EXPORT cmedit export yes yes no yes
CM CONFIG cmconfig create yes no no yes
CM CONFIG cmconfig delete yes no no yes
CM CONFIG cmconfig history yes yes no yes
CM CONFIG cmconfig list yes yes no yes
CM CONFIG cmconfig copy yes no no yes
CM CONFIG cmconfig diff yes yes no yes
CM CONFIG cmconfig activate yes no no yes
CM NBI Read network yes yes no yes
configuration data
through REST NBI
Services
CM NBI Create a yes no no yes
configuration
through REST NBI
Service
CM NBI Copy the content of yes no no yes
a configuration to
another
configuration
through REST NBI
Services
CM NBI Activate a yes no no yes
configuration
through REST NBI
Services
CM NBI Delete a yes no no yes
configuration
through REST NBI
Services
CM NBI Get details for a yes yes no yes
Bulk Import or
Export job through
REST NBI Services.
Get a list of the
available filters
CM NBI Execute a Bulk yes no no yes
Import or Export
operation through
REST NBI Service
CM Event NBI Get CM events for yes yes no yes
network elements.
CM Event NBI Get CM events for yes yes no yes
network elements
with query
parameters
CM Event NBI Get all CM event yes yes no yes
filters.
CM Event NBI Create a new filter yes no no yes
for CM events.
CM Event NBI Delete a CM event yes no no yes
filter
SHM View software yes yes no yes
inventory

2/1543-AOM 901 151-1 Uen C | 2018-07-25 15


ENM Identity and Access Management System Administrator Guide

Application Action / Command Administrator Operator Sec Administrator Application_Admin


/Operator roles
exist
SHM View hardware yes yes no yes
inventory
SHM View licence yes yes no yes
inventory
SHM View backup yes yes no yes
inventory
SHM Import software yes yes no yes
packages in SMRS
file store
SHM Delete software yes no no yes
packages in SMRS
file store
SHM Create upgrade job yes no no yes
SHM Create backup job yes no no yes
SHM Create Restore yes no no yes
Backup job
SHM Delete Backup job yes no no yes
SHM Create install yes no no yes
licence job
SHM Import licence key yes yes no yes
batch file
SHM Delete licence key yes no no yes
file
SHM View License Key yes yes no yes
Files
SHM View software yes yes no yes
packages
SHM View jobs yes yes no yes
SHM View job logs yes yes no yes
SHM Export job logs yes yes no yes
SHM Pause, continue yes no no yes
jobs
SHM Cancel Jobs yes no no yes
SHM Delete software yes no no yes
packages in NFVO
SHM Create onboard job yes no no yes
NODE SECURITY all commands yes no no no
CONFIGURATION
NODE SECURITY credentials - create yes no no no
NODE SECURITY credentials - update yes no no no
NODE SECURITY credentials - read yes no no yes
NODE SECURITY credentials_plain_te yes no no no
xt - read
NODE SECURITY oam - execute yes no no no
NODE SECURITY oam - read yes yes no no
NODE SECURITY oam - delete yes no no no
NODE SECURITY SecurityLevel - set yes no no no
NODE SECURITY SecurityLevel - get yes yes no no
NODE SECURITY snmpv3 - create yes no no no
NODE SECURITY snmpv3 - update yes no no no

NODE SECURITY | snmpv3 - read | yes | no | no | no
NODE SECURITY | ldap - create | yes | no | no | no
NODE SECURITY | ldap - update | yes | no | no | no
NODE SECURITY | sshkey - create | yes | no | no | no
NODE SECURITY | sshkey - update | yes | no | no | no
NODE SECURITY | crlcheck - update | yes | no | no | no
NODE SECURITY | crlcheck - read | yes | yes | no | no
NODE SECURITY | on_demand_crl_download - execute | yes | no | no | no
NODE SECURITY | ciphers - update | yes | no | no | yes
NODE SECURITY | ciphers - read | yes | yes | no | yes
NODE SECURITY | rtsel - execute | yes | no | no | yes
NODE SECURITY | snmpv3_plain_text - read | yes | no | no | no
NODE SECURITY | capability - read | yes | yes | no | yes
NODE SECURITY | ipsec - activate | yes | no | no | yes
NODE SECURITY | ipsec - deactivate | yes | no | no | yes
NODE SECURITY | ipsec - status | yes | yes | no | yes
NODE SECURITY | https - execute | yes | no | no | yes
NODE SECURITY | https - read | yes | yes | no | yes
NODE SECURITY | ftpes - execute | yes | no | no | yes
NODE SECURITY | ftpes - read | yes | yes | no | yes
AUTO PROVISIONING | all CLI commands | yes | yes | no | yes
PMIC | All actions and Use Cases | yes | yes | no | no
USER MANAGEMENT | All actions and Use Cases | no | no | yes | no
NETWORK EXPLORER | Execute a search | yes | yes | no | yes
NETWORK EXPLORER | Add a Saved Search | yes | yes | no | yes
NETWORK EXPLORER | Add a Collection | yes | yes | no | yes
NETWORK EXPLORER | List All Collections | yes | yes | no | yes
NETWORK EXPLORER | List All Saved Searches | yes | yes | no | yes
NETWORK EXPLORER | List Private Saved Searches | yes | yes | no | yes
NETWORK EXPLORER | List Private Collections | yes | yes | no | yes
NETWORK EXPLORER | View a specific Collection | yes | yes | no | yes
NETWORK EXPLORER | View a specific Saved Search | yes | yes | no | yes
NETWORK EXPLORER | Delete Saved Search | yes | yes | no | yes
NETWORK EXPLORER | Delete Collection | yes | yes | no | yes

NETWORK EXPLORER | Rename a Collection | yes | yes | no | yes
TOPOLOGY BROWSER | View and navigate the Topology Tree | yes | yes | no | yes
TOPOLOGY BROWSER | View the attribute values of a network element | yes | yes | no | yes
TOPOLOGY BROWSER | Update the attributes of a network element | yes | no | no | yes
FMX | Manager: List Archived Modules | yes | yes | no | yes
FMX | Manager: Export Archived Modules to file | yes | yes | no | yes
FMX | Manager: List Loaded Modules Status | yes | yes | no | yes
FMX | Manager: Export Module Status to file | yes | yes | no | yes
FMX | Manager: Upload a Module | yes | no | no | yes
FMX | Manager: Import Module | yes | no | no | yes
FMX | Manager: Load Module | yes | no | no | yes
FMX | Manager: Activate Module | yes | yes | no | yes
FMX | Manager: Activate Module for part of the Network | yes | yes | no | yes
FMX | Manager: Deactivate Module | yes | yes | no | yes
FMX | Manager: Unload Module | yes | no | no | yes
FMX | Manager: Export a module | yes | no | no | yes
FMX | Manager: Download a module | yes | no | no | yes
FMX | Manager: Remove Archived Module from Archive | yes | no | no | yes
FMX | Parameters: View Rule Module Parameters | yes | yes | no | yes
FMX | Parameters: Modify Rule Module Parameters | yes | yes | no | yes
FMX | Parameters: Export Rule Module Parameters to file | yes | yes | no | yes
FMX | Time Periods: List Time Periods container | yes | yes | no | yes
FMX | Time Periods: Create Time Periods container | yes | yes | no | yes

FMX | Time Periods: Save Time Periods container | yes | yes | no | yes
FMX | Time Periods: Edit Time Periods container | yes | yes | no | yes
FMX | Time Periods: Copy Time Periods container | yes | yes | no | yes
FMX | Time Periods: Delete Time Periods container | yes | yes | no | yes
FMX | Time Periods: List Time Events in Time Periods container | yes | yes | no | yes
FMX | Time Periods: Create new Time Event in Time Periods container | yes | yes | no | yes
FMX | Time Periods: Edit defined Time Event in Time Periods container | yes | yes | no | yes
FMX | Time Periods: Delete defined Time Event in Time Periods container | yes | yes | no | yes
FMX | Statistics: View Rule Module Statistics | yes | yes | no | yes
FMX | Statistics: Reset Rule Module Statistics | yes | yes | no | yes
FMX | Statistics: Export Rule Module Statistics to file | yes | yes | no | yes
FMX | Triggers: View Active Module Triggers | yes | yes | no | yes
FMX | Triggers: Export Active Module Triggers to file | yes | yes | no | yes
FMX | Trace: Start Subscription to Rule Module Trace | yes | yes | no | yes
FMX | Trace: Terminate Subscription to Rule Module Trace | yes | yes | no | yes
FMX | Trace: Export Rule Module Trace to file | yes | yes | no | yes
FMX | Trace: Clear Subscription to Rule Module Trace | yes | yes | no | yes
FMX | Monitor: Display Running Rules per time graph | yes | yes | no | yes
FMX | Monitor: Display Alarms Handled per time graph | yes | yes | no | yes

FMX | Editor: Create new Rule Module | yes | yes | no | yes
FMX | Editor: Create new Rule in Rule Module | yes | yes | no | yes
FMX | Editor: Create new Procedure in Rule Module | yes | yes | no | yes
FMX | Editor: Create new File in Rule Module | yes | yes | no | yes
FMX | Editor: Delete Rule in Rule Module | yes | yes | no | yes
FMX | Editor: Delete Procedure in Rule Module | yes | yes | no | yes
FMX | Editor: Delete File in Rule Module | yes | yes | no | yes
FMX | Editor: Edit Rule Module Parameters | yes | yes | no | yes
FMX | Editor: Save Rule Module | yes | yes | no | yes
FMX | Editor: Edit Saved Rule Module | yes | yes | no | yes
FMX | Editor: Check in Rule Module | yes | yes | no | yes
FMX | Editor: Archive Rule Module | yes | yes | no | yes
FMX | Editor: Check out Rule Module | yes | yes | no | yes
FMX | Editor: Set custom preferences for block labels, font and workspace background | yes | yes | no | yes
FMX | Simulator: Create Event Sequence | yes | yes | no | yes
FMX | Simulator: Insert new Event in Event Sequence | yes | yes | no | yes
FMX | Simulator: Edit defined Event in Event Sequence | yes | yes | no | yes
FMX | Simulator: Move defined Event in Event Sequence | yes | yes | no | yes
FMX | Simulator: Delete defined Event in Event Sequence | yes | yes | no | yes
FMX | Simulator: Insert new Wait in Event Sequence | yes | yes | no | yes
FMX | Simulator: Edit defined Wait in Event Sequence | yes | yes | no | yes
FMX | Simulator: Move defined Wait in Event Sequence | yes | yes | no | yes
FMX | Simulator: Delete defined Wait in Event Sequence | yes | yes | no | yes

FMX | Simulator: Insert new Loop in Event Sequence | yes | yes | no | yes
FMX | Simulator: Edit defined Loop in Event Sequence | yes | yes | no | yes
FMX | Simulator: Move defined Loop in Event Sequence | yes | yes | no | yes
FMX | Simulator: Delete defined Loop in Event Sequence | yes | yes | no | yes
FMX | Simulator: Play Event Sequence | yes | yes | no | yes
FMX | Simulator: Pause running Event Sequence | yes | yes | no | yes
FMX | Simulator: Stop running Event Sequence | yes | yes | no | yes
FMX | Simulator: Continue playing paused Event Sequence | yes | yes | no | yes
FMX | Simulator: Play next step in event sequence | yes | yes | no | yes
FMX | Simulator: Add additional attributes to event definition | yes | yes | no | yes
FMX | Simulator: Save Event Sequence | yes | yes | no | yes
FMX | Simulator: Save As Event Sequence | yes | yes | no | yes
FMX | Simulator: Load Event Sequence | yes | yes | no | yes
FMX | Simulator: Edit Saved Event Sequence | yes | yes | no | yes
FMX | Simulator: Delete Event Sequence | yes | yes | no | yes
License control and monitoring | List License Info | yes | yes | no | yes
License control and monitoring | Install License File | yes | yes | no | yes
License control and monitoring | Remove License | yes | yes | no | yes
License control and monitoring | Export License Usage | yes | yes | no | yes
License control and monitoring | Activate Emergency Unlock | yes | yes | no | yes
License control and monitoring | Set Parameters | yes | yes | no | yes
License control and monitoring | Get Parameters | yes | yes | no | yes
AUTO ID MANAGEMENT | Create profile | yes | no | no | yes

AUTO ID MANAGEMENT | Modify profile | yes | no | no | yes
AUTO ID MANAGEMENT | Delete profile | yes | no | no | yes
AUTO ID MANAGEMENT | Read profiles | yes | yes | no | yes
AUTO ID MANAGEMENT | System Setting Update | yes | no | no | yes
AUTO ID MANAGEMENT | Manual PCI Check and Calculate | yes | yes | no | yes
AUTO ID MANAGEMENT | Apply PCI Changes | yes | no | no | yes
CM CONFIG | cmedit IMPORT | yes | no | no | yes
FM | Enabling Supervision on Network Elements | yes | no | no | yes
FM | Disabling Supervision on Network Elements | yes | no | no | yes
FM | Alarm Synchronization on Network Elements | yes | no | no | yes
FM | Searching Alarm History | yes | yes | no | yes
FM | Create Alarm Route Policies | yes | no | no | yes
FM | Delete Alarm Route Policies | yes | no | no | yes
FM | Update Alarm Route Policies | yes | no | no | yes
FM | List the Alarm Route Policies | yes | yes | no | yes
FM | Acknowledging the Alarms | yes | yes | no | yes
FM | Un-Acknowledging the Alarms | yes | yes | no | yes
FM | Commenting the Alarms | yes | yes | no | yes
FM | Clearing the Alarms | yes | yes | no | yes
FM | View Most Problematic Node By Alarm Count | yes | yes | no | yes
FM | View Most Problematic Alarm Type By Count | yes | yes | no | yes
FM | View Alarm Severity Summary | yes | yes | no | yes
FM | View Alarm Type Summary | yes | yes | no | yes
FM | Raise or create an error event | yes | no | no | yes
FM | Read an error event | yes | no | no | yes
FM | Set Alarm Severity | yes | no | no | yes
FM | Delete Alarm Severity | yes | no | no | yes

FM | List the Alarm Severity | yes | yes | no | yes
Auto Provisioning | Download node-related artifacts, schemas, and samples | yes | yes | no | yes
Auto Provisioning | Replace the hardware of a node | yes | yes | no | yes
Auto Provisioning | Resume node integration | yes | yes | no | yes
Auto Provisioning | Cancel node integration | yes | yes | no | yes
Auto Provisioning | Upload node artifact | yes | yes | no | yes
Auto Provisioning | View properties of project or node | yes | yes | no | yes
Auto Provisioning | View status of project or node | yes | yes | no | yes
Auto Provisioning | Order a project or a node | yes | yes | no | yes
Auto Provisioning | Delete a project or a node | yes | yes | no | yes
Auto Provisioning | Bind a node or batch of nodes | yes | yes | no | yes
CLI Scripting | CLI Commands | no | no | no | Scripting_Operator ONLY
BNSI NBI | Start a BNSI session | yes | yes | no | yes
BNSI NBI | Alarm and Event Synchronization on one Network Element | yes | yes | no | yes
BNSI NBI | Alarm and Event Synchronization on whole Network | yes | yes | no | yes
BNSI NBI | Enabling and disabling filtering | yes | yes | no | yes
BNSI NBI | Acknowledging an Alarm | yes | no | no | yes
BNSI NBI | Terminating (clearing) an Alarm | yes | no | no | yes
Template Manager | Create Template | yes | no | no | yes
Template Manager | Update Template | yes | no | no | yes
Template Manager | Activate / Deprecate Template | yes | no | no | yes
Template Manager | Delete Template | yes | no | no | yes
Template Manager | View / List Templates | yes | yes | no | yes
Connectivity Design Manager | Create Connectivity Design | yes | no | no | yes
Connectivity Design Manager | Update Connectivity Design | yes | no | no | yes
Connectivity Design Manager | Activate / Deprecate Connectivity Design | yes | no | no | yes

Connectivity Design Manager | Delete Connectivity Design | yes | no | no | yes
Connectivity Design Manager | View / List Connectivity Design | yes | yes | no | yes
Connectivity Builder | Create Connectivity Instance | yes | no | no | yes
Connectivity Builder | Update Connectivity Instance | yes | no | no | yes
Connectivity Builder | Deploy / Undeploy Connectivity Instance | yes | no | no | yes
Connectivity Builder | Delete Connectivity Instance | yes | no | no | yes
Connectivity Builder | View / List Connectivity Instance | yes | yes | no | yes
Network Discovery | Create Discovery Activity | yes | no | no | yes
Network Discovery | Edit Discovery Activity | yes | no | no | yes
Network Discovery | Delete Discovery Activity | yes | no | no | yes
Network Discovery | View Discovery Activity | yes | yes | no | yes
Network Discovery | Start Discovery Activity | yes | no | no | yes
Network Discovery | Cancel Discovery Activity | yes | no | no | yes
Network Discovery | Create Connection Profile | yes | no | no | yes
Network Discovery | Edit Connection Profile | yes | no | no | yes
Network Discovery | Delete Connection Profile | yes | no | no | yes
Network Discovery | View Connection Profile | yes | yes | no | yes
NODECLI | Launch node CLI | yes | yes | no | yes
ENM Node Version Support | View Release Independence Candidates | yes | yes | no | yes
ENM Node Version Support | Prepare Support for Node Versions | yes | no | no | yes
ENM Node Version Support | Add Support for Node Versions | yes | no | no | yes
ENM Node Version Support | Full Sync Nodes on the new Node Version | yes | no | no | yes
ENM Node Version Support | Clear Release Independence Results | yes | no | no | yes
ENM Node Version Support | View Release Independence Results | yes | yes | no | yes
ENM Node Version Support | View Validation Result | yes | yes | no | yes

ENM Node Version Support | Unprepare Support for Node Versions | yes | no | no | yes
Netlog | Retrieve list of supported logs for each node | yes | no | no | yes
Netlog | Collect any supported logs for nodes | yes | no | no | yes
Netlog | Retrieve the progress of the log collection ongoing on Network Logs | yes | no | no | yes
Netlog | Request the export of Node Logs collected by ENM into user-defined storage | yes | no | no | yes
VNF-LCM | View active instances | yes | yes | no | yes
VNF-LCM | View completed instances | yes | yes | no | yes
VNF-LCM | Start a workflow instance | yes | yes | no | yes
VNF-LCM | Complete a workflow instance | yes | yes | no | yes
NHC | Healthcheck execute | yes | yes | no | only Nhc_Operator
NHC | Create node health check (NHC) reports | yes | no | no | yes
NHC | View node health check (NHC) reports | yes | yes | no | yes
Cell Management GUI | Read cell information and cell-related data | no | yes | no | no
Cell Management GUI | Update and export cell and cell-related data | yes | no | no | yes
Cell Management NBI | Execute any cell management request in 'TEST' mode | no | yes | no | yes
Cell Management NBI | Execute any cell management request in 'EXECUTE' mode | yes | no | no | yes
Parameter Management | View and edit configuration parameter data | yes | yes | no | yes
Parameter Management | Update configuration parameter data to the network | yes | no | no | yes
SON Optimization Manager Portal | Show the link on the ENM Launcher page | no | yes | no | yes
Business Objects and Network Analytics | Show the link on the ENM Launcher page | no | yes | no | yes

Business Intelligence Launch Pad | Show the link on the ENM Launcher page | yes | yes | no | yes
Business Objects Central Management Console | Show the link on the ENM Launcher page | yes | yes | no | yes
Information Design Tool | Show the link on the ENM Launcher page | yes | yes | no | yes
Network Analytics Server Analyst | Show the link on the ENM Launcher page | yes | yes | no | yes
Network Analytics Server Web Player | Show the link on the ENM Launcher page | yes | yes | no | yes
Universe Design Tool | Show the link on the ENM Launcher page | yes | yes | no | yes
Web Intelligence Rich Client | Web Intelligence Rich Client | yes | yes | no | yes
FM SNMP NBI | Create, delete, suspend, resume SNMP subscriptions | yes | no | no | yes
FM SNMP NBI | Read SNMP subscriptions | yes | yes | no | yes
FM SNMP NBI | Authorize SNMP manager to access the SNMP agent | not applicable | not applicable | not applicable | no
    Note: Authorize the SNMP manager to access the SNMP agent through the SNMP protocol. Users belonging to this role are not meant for ENM access but only for SNMP authentication purposes.
Uplink Spectrum Analyzer | Allow processing of already collected Uplink Spectrum files | yes | no | no | yes
Uplink Spectrum Analyzer | Allow starting and stopping Uplink Spectrum file collection | yes | no | no | yes

ADD NODE | Create a Network Element via UI | yes | no | no | yes
Bulk Configuration | View and Create Bulk Import jobs via the Import NBI | yes | yes | no | yes
Ericsson Expert Analytics (EEA) | Show the link on the ENM Launcher page | no | no | no | Only EEA_Operator
Physical Link Management | Provide access to perform read, create, update, delete, and query operations on Physical Link | yes | yes | no | yes
Network Viewer | Provide access to network resources through a graphical representation of network elements | yes | yes | no | yes
Configuration Templates | Read configuration templates list | yes | yes | no | yes
Configuration Templates | Create a new configuration template | yes | no | no | yes
Configuration Templates | Delete a single configuration template or a set of configuration templates | yes | no | no | yes
OPS | Execute/Launch OPS GUI | no | yes | no | yes

1.1.2.1.2.2 Role Based Authorization for CREDM

This section describes the Role Based Access Control (RBAC) functionality of
Credential Manager (CREDM).
CREDM supports two application-specific roles:

— Credm_Administrator

  Authorized for all actions on the Credential Manager ENM CLI

— Credm_Operator

  Authorized for the list action on the Credential Manager ENM CLI

Credm Resources and Operations available for Custom Roles creation

— credm
  — read - List certificate data of services.
  — execute - Reissue the certificate of one or more services.


Table 4
The table describes the resources, actions, and associated commands allowed for each predefined role.

Application | Role | Resource | Operations | Action/Command
CREDM-CLI | Credm_Administrator | credm | read | credm list
CREDM-CLI | Credm_Administrator | credm | execute | credm reissue
CREDM-CLI | Credm_Administrator | topologyCollectionService | read | collection list
CREDM-CLI | Credm_Operator | credm | read | credm list
CREDM-CLI | Credm_Operator | topologyCollectionService | read | collection list

1.1.2.1.2.3 AMOS ENM Roles and Associated Moshell Commands

This section describes the roles for AMOS. Users must be authorized to run AMOS
by assigning them one of the AMOS roles in ENM.
AMOS supports two application-specific roles:

— Amos_Administrator

  Read, write and telnet access to AMOS

— Amos_Operator

  Read and write access to AMOS

AMOS Resources and Operations available for Custom Roles creation

— amos_em
  — read
  — create
  — patch
  — execute

Table 5
The table describes the resources, actions, and associated commands allowed for each predefined role.

Application | Role | Resource | Operations | Command Type
AMOS | Amos_Administrator | amos_em | read, create, patch, execute | read, write, telnet
AMOS | Amos_Administrator | gim_amos_user_mgmt | read, create, patch, execute, delete | read, write, telnet
AMOS | Amos_Operator | amos_em | read, create, patch | read, write
AMOS | Amos_Operator | gim_amos_user_mgmt | read, create, patch, delete | read, write

1.1.2.1.2.3.1 AMOS ENM Roles

Amos_Administrator and Amos_Operator can use the following read commands:

acl | al | b2h | bo[r]/ba[swdp/br[wd]/bp | cab[slxradgtme] | ced | clt | col | conf |
cvget | d2h | d2ip | dcg | diff | edit | eget | emom | fixbrac | for | ftget | ftput |
ftree | func | get | gs | h2b | h2d | hc | hget | hi | hpget | htget | if | inv[hr] | ip2d |
kget | l- | l? | l+ | lacl | lc | ldiff | leget | lg | lh | lhget | lhpget | lk | llk | llu | lma |
lmget | lmid[c] | lmom | lmr | lpdiff | lpget | lpr | lpwd | lsget | lshget | lspget | lst |
lt | lu | ma | mget | mom | mon | mp | mr | parsemom | pdiff | pget | pgu | pme |
pmom | pmr | pmx | pol | print | prod | progkill | proglist | prox | pst | pw | rec |
reic | run | s- | s? | s+ | sget | shget | spget | sql | st | te | time | trun | u- | u! |
u? | u+ | uer | ul | unalias | unset | upid | uservars | wait | ylt

Amos_Administrator and Amos_Operator can use the following write commands:

acc | acce | actc | bl | bls | cr | cre | cvmk | cvms | cvput | cvrm | cvset | deb | del |
eset | eset1 | facc | fdel | lacc | lacce | lbl | lbls | ldeb | ldel | leset | leset1 | lesetc |
lfacc | lfdel | lrdel | lrset | lset | lset1 | lsetc | lsetm | pbl | pdeb | rdel | remod |
remod2 | remodu | resub | rset | set | set1 | setc | setm

Only Amos_Administrator can use the following telnet commands:

fclean | fcleana | fcleane | fro | from | lfro | lfrom | sql+ | sql- | tg | tgc | tgd | tgr |
tgcr | tgdr

Known Limitations
No user is able to launch AMOS or Shell Terminal without POSIX attributes.

1.1.2.1.2.4 Element Manager Roles

This section describes the roles for the Element Manager.

Element Manager supports one role: Element_Manager_Operator.

Element_Manager_Operator is authorized for get actions on Element Manager.

Element Manager Resources and Operations available for Custom Roles creation

— element_manager

  • read - Allows read-only operations in Cabinet Viewer

  • execute - Allows execution of write operations in Cabinet Viewer

These operations control the access level in Cabinet Viewer only. Element
Manager itself is always launched in write mode, no matter which operation is
used when creating a custom role.

Table 6
The table describes the resources, actions, and associated commands allowed for each predefined role.

Application | Role | Resource | Operations | Action / Command
Element Manager | Element_Manager_Operator | element_manager | read, execute | Launch Element Manager and Cabinet Viewer in write mode.

A custom role for Cabinet Viewer can be created with only the read operation, to
prevent its users from performing write operations, which include restart, lock
and unlock.

Known Limitations
No user is able to launch Element Manager or Cabinet Viewer without POSIX
attributes.

1.1.2.1.2.5 Node Security Roles

This section describes the Role Based Access Control (RBAC) functionality
for Node Security.
Node Security supports two application-specific roles:

— NodeSecurity_Administrator

  Authorized for administrator actions in the Node Security Configuration
  Service (read, create, update, execute)

— NodeSecurity_Operator

  Authorized for operator actions in the Node Security Configuration Service
  (read)

1.1.2.1.2.5.1 Node Security Resources and Operations available for Custom Roles creation

Each operation allows the user to execute the use cases listed beside it.

— snmpv3
  create      Create SNMPv3 authnopriv or authpriv security parameters.
  update      Update SNMPv3 authnopriv or authpriv security parameters.
  read        Get SNMPv3 authnopriv or authpriv security parameters.

— ipsec
  read        Get Node IPSec status, get IPSec Certificate Enrollment State, get IPSec Trusted Certificates on Node.
  execute     Issue/Reissue IPSec Node Certificates, Distribute IPSec Trusted Certificates, IPSec enable/disable.
  delete      Remove IPSec Trusted Certificate.

— credentials
  create      Create Node Credentials.
  get         Get Node Credentials.
  update      Update Node Credentials.

— sshkey
  create      Create SSH keys for Node.
  update      Update SSH keys for Node.

— ldap
  create      Configure LDAP on Node.
  update      Reconfigure LDAP on Node.

— oam
  read        Get Node Security Level Status, get OAM Certificate Enrollment State, get OAM Trusted Certificates on Node.
  execute     Issue/Reissue OAM Node Certificates, Distribute OAM Trusted Certificates, OAM enable/disable.
  delete      Remove OAM Trusted Certificate.

— crlcheck
  update      Update crlCheck status on Node.
  read        Read crlCheck status on given Nodes.

— on_demand_crl_download
  execute     Start on-demand CRL download action on Node.

— ciphers
  update      Update ciphers on Node.
  read        Read ciphers on given Nodes.

— rtsel
  execute     Activate/Deactivate the real time security event logging (RTSEL) feature on Node.

— snmpv3_plain_text
  get         Get SNMPv3 Auth Password and Priv Password in plain text.

— capability
  read        Read Node Security Capabilities.

— ipsec cli
  activate    Activate IPSec configuration on Node.
  deactivate  Deactivate IPSec configuration on Node.
  read        Read current IPSec status on given Nodes.

— https
  read        Read HTTPS status on given Node.
  execute     Activate/deactivate HTTPS on Node.

— ftpes
  read        Read FTPES status on given Node.
  execute     Activate/deactivate FTPES on Node.

Note: credentials_plain_text and snmpv3_plain_text return node secrets in clear
text. Neither predefined Node Security role includes them (see Table 8); they
are available only through a custom role created for that purpose.

Prerequisites:

— The user must have the cm_edit_operator role to access the ENM CLI.

— The user must have the roles described in the section Application Mapping to
  Application and Predefined Roles on page 14 to run the corresponding NODE
  SECURITY commands.

— To operate on the credentials resource with the create or update operation,
  the following resource:operation pairs are also required:

Table 7
Resource | Operations
gim_ecim_user_mgmt | create
gim_ecim_user_mgmt | update
gim_ecim_user_mgmt | read
gim_ecim_user_mgmt | delete
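The resource and operation catalogue above, together with the Table 7 dependency, is enough to check a proposed custom role before it is created in ENM. The script below is an added example written for this guide, not ENM code and not taken from the guide: it encodes the Node Security resources and operations listed in this section, reports any operation the guide does not define for a resource, reports a credentials create/update grant that lacks the four gim_ecim_user_mgmt operations of Table 7, warns when credentials_plain_text or snmpv3_plain_text is granted (no predefined role includes them), and lists the resources on which the role goes beyond what NodeSecurity_Operator can do. The dictionary format for a role definition and the sample role names Cipher_Auditor and Credential_Manager are assumptions made for the illustration, not ENM's role format or roles.

```python
"""Least-privilege check for an ENM Node Security custom role definition.

Added example; not part of the ENM guide and not ENM code. The resources,
operations and the Table 7 dependency come from the guide text. The role
format (dict of resource -> set of operations) is an assumption for this
illustration, not the format ENM uses.
"""
from __future__ import annotations

# Resource -> operations the guide defines for it. "ipsec" merges the
# certificate-related entry (read/execute/delete) with the "ipsec cli" entry
# (activate/deactivate/read), as the predefined-role table lists them together.
NODE_SECURITY_CATALOGUE: dict[str, frozenset[str]] = {
    "snmpv3": frozenset({"create", "update", "read"}),
    "snmpv3_plain_text": frozenset({"get"}),
    "ipsec": frozenset({"read", "execute", "delete", "activate", "deactivate"}),
    "credentials": frozenset({"create", "get", "update"}),
    "credentials_plain_text": frozenset({"get"}),
    "sshkey": frozenset({"create", "update"}),
    "ldap": frozenset({"create", "update"}),
    "oam": frozenset({"read", "execute", "delete"}),
    "crlcheck": frozenset({"update", "read"}),
    "on_demand_crl_download": frozenset({"execute"}),
    "ciphers": frozenset({"update", "read"}),
    "rtsel": frozenset({"execute"}),
    "capability": frozenset({"read"}),
    "https": frozenset({"read", "execute"}),
    "ftpes": frozenset({"read", "execute"}),
    # Table 7: all four are required alongside credentials create/update.
    "gim_ecim_user_mgmt": frozenset({"create", "update", "read", "delete"}),
}

# Reading these returns node secrets in clear text; Table 8 shows that no
# predefined role grants them, so a custom role that does deserves review.
PLAIN_TEXT_RESOURCES = frozenset({"credentials_plain_text", "snmpv3_plain_text"})

# NodeSecurity_Operator is limited to read-type operations.
OPERATOR_OPERATIONS = frozenset({"read", "get"})

Role = dict[str, set[str]]  # resource -> granted operations (assumed format)


def audit_custom_role(role: Role) -> list[str]:
    """Return findings for a proposed custom role; an empty list means clean."""
    findings: list[str] = []
    for resource, ops in sorted(role.items()):
        allowed = NODE_SECURITY_CATALOGUE.get(resource)
        if allowed is None:
            findings.append(f"unknown resource '{resource}'")
            continue
        for op in sorted(ops - allowed):
            findings.append(f"{resource}: operation '{op}' is not defined for this resource")
        if resource in PLAIN_TEXT_RESOURCES and ops & allowed:
            findings.append(f"{resource}: grants plain-text secret retrieval, "
                            "which no predefined role includes")
    # Table 7 dependency: credentials create/update need full gim_ecim_user_mgmt.
    if role.get("credentials", set()) & {"create", "update"}:
        missing = (NODE_SECURITY_CATALOGUE["gim_ecim_user_mgmt"]
                   - role.get("gim_ecim_user_mgmt", set()))
        if missing:
            findings.append("credentials create/update also requires gim_ecim_user_mgmt "
                            + ", ".join(sorted(missing)))
    return findings


def exceeds_operator(role: Role) -> set[str]:
    """Resources on which the role grants more than NodeSecurity_Operator would."""
    return {res for res, ops in role.items() if ops - OPERATOR_OPERATIONS}


if __name__ == "__main__":
    # Constructed sample definitions with hypothetical role names.
    cipher_auditor: Role = {"ciphers": {"read"}, "capability": {"read"}}
    credential_manager: Role = {
        "credentials": {"create", "update", "get"},
        "credentials_plain_text": {"get"},
        "gim_ecim_user_mgmt": {"read"},  # incomplete: Table 7 needs all four
    }
    for name, role in (("Cipher_Auditor", cipher_auditor),
                       ("Credential_Manager", credential_manager)):
        print(f"{name}: beyond Operator on {sorted(exceeds_operator(role)) or 'nothing'}")
        for finding in audit_custom_role(role) or ["no findings"]:
            print(f"  - {finding}")
```

Run as a script it reports the Cipher_Auditor definition as clean and read-only, and flags Credential_Manager twice: once for the plain-text credential read, and once for the missing gim_ecim_user_mgmt create, update and delete operations that Table 7 requires. Extending the catalogue to another application's resources (for example the FM or AMOS resources later in this section) only requires adding entries to the dictionary.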

1.1.2.1.2.5.2 Actions that can be Performed by a User with ADMINISTRATOR Role Using the ENM CLI

Table 8
Role | Resource | Operations | Action / Command
NodeSecurity_Administrator | credentials | create | Create credentials: secadm credentials create
NodeSecurity_Administrator | credentials | update | Update credentials: secadm credentials update
NodeSecurity_Administrator, NodeSecurity_Operator | credentials | get | Get credentials: secadm credentials get
No predefined role (custom role only) | credentials_plain_text | get | Get credentials in plain text: secadm credentials get -pt show
NodeSecurity_Administrator | oam | execute | Security Level Setting (Enable); Issue OAM Certificate: secadm certificate issue -ct OAM; Reissue OAM Certificate: secadm certificate reissue -ct OAM; OAM Trust Distribution: secadm trust distribute -ct OAM
NodeSecurity_Administrator, NodeSecurity_Operator | oam | read | Security Level Get Status; Get OAM Cert Enrollment Status: secadm get certEnrollState -ct OAM; Get OAM Trusted Certificates: secadm get trustCertInstallState -ct OAM
NodeSecurity_Administrator | oam | delete | Delete OAM Trust Certificate: secadm trust remove -ca <ca-name> -sn <serialNumber> -ct OAM
NodeSecurity_Administrator | ipsec | execute | Security Level Setting (Enable); Issue IPSEC Certificate: secadm certificate issue -ct IPSEC; Reissue IPSEC Certificate: secadm certificate reissue -ct IPSEC; IPSEC Trust Distribution: secadm trust distribute -ct IPSEC
NodeSecurity_Administrator, NodeSecurity_Operator | ipsec | read | Security Level Get Status; Get IPSEC Trusted Certificates: secadm get trustCertInstallState -ct IPSEC; Get IPSEC Cert Enrollment Status: secadm get certEnrollState -ct IPSEC
NodeSecurity_Administrator | ipsec | delete | Delete IPSEC Trust Certificate: secadm trust remove -ca <ca-name> -sn <serialNumber> -ct IPSEC
NodeSecurity_Administrator | sshkey | create | SSH-Key Generate for Node: secadm keygen create --algorithm-type-size
NodeSecurity_Administrator | sshkey | update | SSH-Key Update for Node: secadm keygen update --algorithm-type-size
NodeSecurity_Administrator | ldap | create | LDAP Configure: secadm ldap configure
NodeSecurity_Administrator | ldap | update | LDAP Reconfigure: secadm ldap reconfigure
NodeSecurity_Administrator | snmpv3 | create | Configure authpriv SNMPv3 security level: secadm snmp authpriv --auth_algo <> --auth_password <> --priv_algo <> --priv_password <> -n <>
NodeSecurity_Administrator | snmpv3 | update | Configure authnopriv SNMPv3 security level: secadm snmp authnopriv --auth_algo <> --auth_password <> -n <>
NodeSecurity_Administrator | snmpv3 | read | Get SNMPv3 authnopriv or authpriv security parameters: secadm snmp get -pt hide -n <>
No predefined role (custom role only) | snmpv3_plain_text | read | Get SNMPv3 Auth Password and Priv Password in plain text: secadm snmp get -pt show -n <>
NodeSecurity_Administrator | crlcheck | update | Enable CRL check: secadm enable crlcheck -ct OAM -n <node-name>; secadm enable crlcheck -ct IPSEC -n <node-name>. Disable CRL check: secadm disable crlcheck -ct OAM -n <node-name>; secadm disable crlcheck -ct IPSEC -n <node-name>
NodeSecurity_Administrator, NodeSecurity_Operator | crlcheck | read | Get CRL check status: secadm read crlcheck -ct OAM -n <node-name>; secadm read crlcheck -ct IPSEC -n <node-name>
NodeSecurity_Administrator | on_demand_crl_download | execute | Execute CRL download: secadm crl download -n <node-name>
NodeSecurity_Administrator | ciphers | update | Set Ciphers: secadm set ciphers --protocol SSH/SFTP --encryptalgos <encryption-algos> --keyexchangealgos <keyexchange-algos> --macalgos <mac-algos> --nodelist <node-name>; secadm set ciphers --protocol SSL/HTTPS/TLS --cipherfilter <cipherfilter-string> --nodelist <node-name>
NodeSecurity_Administrator, NodeSecurity_Operator | ciphers | read | Get Ciphers: secadm get ciphers --protocol SSH/SFTP --nodelist <node-name>; secadm get ciphers --protocol SSL/HTTPS/TLS --nodelist <node-name>
NodeSecurity_Administrator | rtsel | execute | RTSEL Activate/Deactivate: secadm rtsel activate --xmlfile file:<input_xml_filename>; secadm rtsel deactivate --nodelist <node-name>
NodeSecurity_Administrator, NodeSecurity_Operator | capability | read | Get capabilities: secadm capability get
NodeSecurity_Administrator | ipsec | activate | Activate IPSec: secadm ipsec --xmlfile file:<file_name>
NodeSecurity_Administrator | ipsec | deactivate | Deactivate IPSec: secadm ipsec --xmlfile file:<file_name>
NodeSecurity_Administrator, NodeSecurity_Operator | ipsec | read | Read IPSec status: secadm ipsec --status --nodefile file:<file_name>
NodeSecurity_Administrator | https | execute | HTTPS activate/deactivate: secadm https activate -n <node_name>; secadm https deactivate -n <node_name>
NodeSecurity_Administrator, NodeSecurity_Operator | https | read | Get HTTPS status: secadm https getstatus -n <node_name>
NodeSecurity_Administrator | ftpes | execute | FTPES activate/deactivate: secadm ftpes activate -n <node_name>; secadm ftpes deactivate -n <node_name>
NodeSecurity_Administrator, NodeSecurity_Operator | ftpes | read | Get FTPES status: secadm ftpes getstatus -n <node_name>

1.1.2.1.2.6 Role Based Authorization for Fault Management

This section describes the Role Based Access Control (RBAC) functionality of
Fault Management (FM).
FM supports three application-specific roles:

— FM_Administrator

— FM_Operator

— FM_Event_Administrator

Fault Management Resources and Operations available for Custom Roles creation

— alarm_export
query Query for Open/History alarms data to export the
same.

— alarm_overview
query Query for Open alarms data to show the overview.

— alarm_policies
create Create Alarm Route Policies.

query List the Alarm Route Policies.

update Update Alarm Route Policies.

delete Delete Alarm Route Policies.

— alarms_search
query Query for Open or History alarms data.

36 2/1543-AOM 901 151-1 Uen C | 2018-07-25


Identity and Access Management System

— nodes
execute Enabling/Disabling Supervision on Network Elements
and To initiate Alarm Synchronization.

query Query the SupervisionState and CurrentServiceState.

update Update the values of HeartBeat Timeout, Automatic


Synchronization and other attributes under
FmAlarmSupervision and FmFunction childs.

— open_alarms
execute Perform ACK/UNACK and CLEAR operation on open
alarms.

update Updating the Comments on the alarms.

query Query for Open alarms data.

— error_event
create create or raise an error event.

read read an error event.

— translationmap_conversionrule
update Update TranslationMap for nodes based on
probability.

Modify or Delete the alarm severity in translation map


file.

read Query the TranslationMap for nodes.

Query the translation map for alarm severity.

Prerequisite
It is necessary to specify the Cmedit_operator role along with FM_Operator and
FM_Administrator when creating the user in ENM. This allows the user to execute
fmedit/alarm/cmedit commands in ENM CLI or to get the node information.

1.1.2.1.2.6.1 Fault Management Roles

Table 9
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
FM_Administrator | open_alarms | execute | Perform Acknowledge/Unacknowledge and Clear operations on open alarms: alarm ack; alarm unack; alarm clear
FM_Administrator | open_alarms | update | Update the comment on the alarms: alarm comment
FM_Administrator | open_alarms | query | Query for Open alarms: alarm get
FM_Administrator | nodes | execute | Enable/Disable Supervision on Network Elements and initiate Alarm Synchronization: alarm enable; alarm disable; alarm sync
FM_Administrator | nodes | query | Query the SupervisionState and CurrentServiceState: alarm status
FM_Administrator | nodes | update | Update the values of HeartBeat Timeout and Automatic Synchronization: alarm enable; alarm disable
FM_Administrator | alarms_search | query | Query for History alarms: alarm hyst
FM_Administrator | alarm_export | query | Query for Open/History alarms to export
FM_Administrator | alarm_policies | create | Create Alarm Route: fmedit create
FM_Administrator | alarm_policies | query | List the Alarm Routes: fmedit get
FM_Administrator | alarm_policies | update | Update Alarm Routes: fmedit set
FM_Administrator | alarm_policies | delete | Delete Alarm Routes: fmedit delete
FM_Administrator | alarm_overview | query | Query for Open alarms to show the overview
FM_Administrator | translationmap_conversionrule | read | Query the TranslationMap for nodes: fmedit get; list the alarm severity set for a node
FM_Administrator | translationmap_conversionrule | update | Update the TranslationMap for nodes based on probability: fmedit set; modify the alarm severity in the translation map file: fmedit set
FM_Administrator | translationmap_conversionrule | delete | Query the TranslationMap for nodes: fmedit get
FM_Operator | open_alarms | execute | Perform Acknowledge/Unacknowledge and Clear operations on open alarms: alarm ack; alarm unack; alarm clear
FM_Operator | open_alarms | update | Update the comment on the alarms: alarm comment
FM_Operator | open_alarms | query | Query for Open alarms: alarm get
FM_Operator | alarms_search | query | Query for History alarms: alarm hyst
FM_Operator | alarm_export | query | Query for Open/History alarms to export
FM_Operator | alarm_policies | query | List the Alarm Routes: fmedit get
FM_Operator | alarm_overview | query | Query for Open alarms to show the overview
FM_Operator | translationmap_conversionrule | read | Query the TranslationMap for nodes: fmedit get; list the alarm severity set for a node
FM_Event_Administrator | error_event | create | Create or raise an error event
FM_Event_Administrator | error_event | read | Read an error event
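
The FM matrix above and the Cmedit_Operator prerequisite stated before it can be turned into a checkable model. The following is an added example, not ENM code: the permission sets are transcribed from Table 9, and the functions answer whether a user profile may run a given FM CLI command, whether the profile is missing the companion role, and what FM_Administrator grants beyond FM_Operator.

```python
"""Model of the Fault Management RBAC matrix in Table 9, used to answer
"can a user holding these roles run this command?" and "what does
FM_Administrator grant beyond FM_Operator?". Added example; the permission
data is transcribed from Table 9, the functions are not part of ENM."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

Permission = Tuple[str, str]  # (resource, operation)

# Role -> granted (resource, operation) pairs, transcribed from Table 9.
FM_ROLES: Dict[str, FrozenSet[Permission]] = {
    "FM_Operator": frozenset({
        ("open_alarms", "execute"), ("open_alarms", "update"),
        ("open_alarms", "query"), ("alarms_search", "query"),
        ("alarm_export", "query"), ("alarm_policies", "query"),
        ("alarm_overview", "query"),
        ("translationmap_conversionrule", "read"),
    }),
    "FM_Event_Administrator": frozenset({
        ("error_event", "create"), ("error_event", "read"),
    }),
}
# FM_Administrator holds everything FM_Operator holds plus the write paths.
FM_ROLES["FM_Administrator"] = FM_ROLES["FM_Operator"] | {
    ("nodes", "execute"), ("nodes", "query"), ("nodes", "update"),
    ("alarm_policies", "create"), ("alarm_policies", "update"),
    ("alarm_policies", "delete"),
    ("translationmap_conversionrule", "update"),
}

# CLI command -> permission it needs, from the Action/Command column.
# "alarm enable"/"alarm disable" are listed under both nodes:execute and
# nodes:update in the table; the execute mapping is used here.
FM_COMMANDS: Dict[str, Permission] = {
    "alarm ack": ("open_alarms", "execute"),
    "alarm unack": ("open_alarms", "execute"),
    "alarm clear": ("open_alarms", "execute"),
    "alarm comment": ("open_alarms", "update"),
    "alarm get": ("open_alarms", "query"),
    "alarm enable": ("nodes", "execute"),
    "alarm disable": ("nodes", "execute"),
    "alarm sync": ("nodes", "execute"),
    "alarm status": ("nodes", "query"),
    "alarm hyst": ("alarms_search", "query"),
    "fmedit create": ("alarm_policies", "create"),
    "fmedit delete": ("alarm_policies", "delete"),
}

# Prerequisite stated in this section: the FM roles need Cmedit_Operator too.
FM_COMPANION_ROLE = "Cmedit_Operator"
FM_ROLES_NEEDING_COMPANION = ("FM_Operator", "FM_Administrator")


def effective_permissions(roles: Iterable[str]) -> FrozenSet[Permission]:
    """Union of the permissions of all held roles; unknown roles grant nothing."""
    granted: set = set()
    for role in roles:
        granted |= FM_ROLES.get(role, frozenset())
    return frozenset(granted)


def is_authorized(roles: Iterable[str], resource: str, operation: str) -> bool:
    """True if any held role grants (resource, operation)."""
    return (resource, operation) in effective_permissions(roles)


def can_run(roles: Iterable[str], command: str) -> bool:
    """Authorization check for an FM CLI command; unknown commands are denied."""
    needed = FM_COMMANDS.get(command)
    return needed is not None and needed in effective_permissions(roles)


def missing_prerequisites(roles: Iterable[str]) -> List[str]:
    """Companion roles the section requires but the user profile lacks."""
    held = set(roles)
    if held & set(FM_ROLES_NEEDING_COMPANION) and FM_COMPANION_ROLE not in held:
        return [FM_COMPANION_ROLE]
    return []


def added_by(role: str, over: str) -> List[Permission]:
    """Permissions `role` grants that `over` does not (a least-privilege review aid)."""
    return sorted(FM_ROLES[role] - FM_ROLES[over])


if __name__ == "__main__":
    profile = ["FM_Operator"]  # constructed user profile
    print("alarm ack:", can_run(profile, "alarm ack"))        # True
    print("alarm sync:", can_run(profile, "alarm sync"))      # False
    print("missing:", missing_prerequisites(profile))         # ['Cmedit_Operator']
    for res, op in added_by("FM_Administrator", "FM_Operator"):
        print(f"FM_Administrator adds {res}:{op}")
```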

1.1.2.1.2.7 Role Based Authorization for Security-PKI

This section describes the roles for the Public Key Infrastructure (PKI)
application.
The PKI system supports one predefined system role and four application specific
roles.

System Role: one of the ENM RBAC predefined system roles.

— SECURITY_ADMIN

Authorized to manage all security features.

Application Specific Roles

— PKI_ADMINISTRATOR

Authorized to perform operations on Profile Management, Configuration
Management, Entity Management, and Certificate Management.

— PKI_OPERATOR

Authorized to read profiles and to perform operations on Configuration
Management, Entity Management, and Certificate Management.

— PKI_EE_ADMINISTRATOR

Authorized to perform CRUD operations on End Entities and read operations on
profiles, algorithms, entity certificates and CRLs. Also permitted to issue
(generate), reissue, revoke, publish and unpublish End Entity certificates.

— PKI_EE_OPERATOR

Authorized to perform read operations on profiles, End Entities, End Entity
certificates and CRLs, and also to download CRLs.

— SecGW_Operator

Authorized to generate the certificate for the Security Gateway from the
provided CSR and to download a zip file containing the Security Gateway
certificate, its chain, and the Trusted CA certificates.

PKI Resources and Operations available for Custom Roles creation

— caEntity-cert-mgmt
create Allows generating CRLs and CAEntity certificates.
update Allows reissuing, revoking, publishing and unpublishing CAEntity certificates, and publishing and unpublishing CRLs.

— caEntity_mgmt
create Allows creating CA entities.
update Allows updating CA entities.
delete Allows deleting CA entities.

— entity-cert-mgmt
create Allows generating Entity certificates.
update Allows reissuing, revoking, publishing and unpublishing Entity certificates.

— entity_mgmt
create Allows creating entities.
update Allows updating entities.
delete Allows deleting entities.

— extCA_mgmt
create Allows creating an external CA.
update Allows updating an external CA.
delete Allows deleting an external CA.

— profile_mgmt
create Allows creating profiles.
update Allows updating profiles.
delete Allows deleting profiles.

— read_algorithms
read Allows retrieving algorithms.

— read_caCerts
read Allows reading CAEntity certificates.

— read_caEntities
read Allows reading CAEntities.

— read_crls
read Allows listing CRLs and downloading a CRL.

— read_entities
read Allows reading Entities.

— read_entityCerts
read Allows reading Entity certificates.

— read_extCA
read Allows reading External CAs.

— read_profiles
read Allows reading profiles.

— update_algorithms
update Allows updating algorithms.
1.1.2.1.2.7.1 Security PKI Roles

Table 10
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
PKI_EE_Operator | read_profiles | read | List profiles: pkiadm pfm -l
PKI_EE_Operator | read_profiles | query | Export profiles: pkiadm pfm -ex
PKI_EE_Operator | read_entities | read | List categories: pkiadm cfg category -l
PKI_EE_Operator | read_entityCerts | read | List entity certificates: pkiadm ctm EECert -l; export entity certificate: pkiadm ctm EECert -expcert; list entity trust: pkiadm tsm -l
PKI_EE_Operator | read_crls | read | List CRLs: pkiadm crm -l
PKI_EE_Administrator | read_algorithms | read | List algorithms: pkiadm cfg algo -l
PKI_EE_Administrator | read_profiles | read | List profiles: pkiadm pfm -l
PKI_EE_Administrator | read_profiles | query | Export profiles: pkiadm pfm -ex
PKI_EE_Administrator | entity_mgmt | create | Create category: pkiadm cfg category -c; create end entity: pkiadm etm -c; create bulk end entities: pkiadm etm -cb
PKI_EE_Administrator | entity_mgmt | update | Update category: pkiadm cfg category -u; update end entity: pkiadm etm -u
PKI_EE_Administrator | entity_mgmt | delete | Delete category: pkiadm cfg category -d; delete end entity: pkiadm etm -d
PKI_EE_Administrator | read_entities | read | List categories: pkiadm cfg category -l
PKI_EE_Administrator | read_entityCerts | read | List entity certificates: pkiadm ctm EECert -l; export entity certificate: pkiadm ctm EECert -expcert; list entity trust: pkiadm tsm -l
PKI_EE_Administrator | entity_cert_mgmt | create | Generate end entity certificate: pkiadm ctm EECert -gen
PKI_EE_Administrator | entity_cert_mgmt | update | Renew/rekey entity certificate: pkiadm ctm EECert -ri; publish entity trust: pkiadm tsm -pub; unpublish entity trust: pkiadm tsm -up; revoke entity certificates: pkiadm rem EE -rev
PKI_EE_Administrator | read_crls | read | List CRLs: pkiadm crm -l
PKI_Operator | update_algorithms | update | Enable/disable algorithms: pkiadm cfg algo -e
PKI_Operator | read_algorithms | read | List algorithms: pkiadm cfg algo -l
PKI_Operator | read_profiles | read | List profiles: pkiadm pfm -l
PKI_Operator | read_profiles | query | Export profiles: pkiadm pfm -ex
PKI_Operator | entity_mgmt | create | Create entity category: pkiadm cfg category -c; create end entity: pkiadm etm -c; create bulk end entities: pkiadm etm -cb
PKI_Operator | entity_mgmt | update | Update entity category: pkiadm cfg category -u; update end entity: pkiadm etm -u
PKI_Operator | entity_mgmt | delete | Delete entity category: pkiadm cfg category -d; delete end entity: pkiadm etm -d
PKI_Operator | read_entities | read | List categories: pkiadm cfg category -l
PKI_Operator | read_caEntities | read | List entities: pkiadm etm -l
PKI_Operator | caEntity_mgmt | create | Create entity: pkiadm etm -c; create bulk CA entities: pkiadm etm -cb
PKI_Operator | caEntity_mgmt | update | Update CA entity: pkiadm etm -u
PKI_Operator | caEntity_mgmt | delete | Delete CA entity: pkiadm etm -d
PKI_Operator | read_caCerts | read | List CA certificates: pkiadm ctm CACert -l; export CA certificate: pkiadm ctm CACert -expcert; list CA trust: pkiadm tsm -l
PKI_Operator | caEntity_cert_mgmt | create | Generate CA certificate: pkiadm ctm CACert -gen
PKI_Operator | caEntity_cert_mgmt | update | Renew CA certificate: pkiadm ctm CACert -ri; publish CA trust: pkiadm tsm -pub; unpublish CA trust: pkiadm tsm -up; generate CRL: pkiadm crm -g; publish CRL: pkiadm crm -pub; unpublish CRL: pkiadm crm -up; revoke CA certificate: pkiadm rem CA -rev
PKI_Operator | read_entityCerts | read | List entity certificates: pkiadm ctm EECert -l; export entity certificate: pkiadm ctm EECert -expcert; list entity trust: pkiadm tsm -l
PKI_Operator | entity_cert_mgmt | create | Generate end entity certificate: pkiadm ctm EECert -gen
PKI_Operator | entity_cert_mgmt | update | Renew entity certificate: pkiadm ctm EECert -ri; rekey entity certificate: pkiadm ctm EECert -ri; publish entity trust: pkiadm tsm -pub; unpublish entity trust: pkiadm tsm -up; revoke entity certificates: pkiadm rem EE -rev
PKI_Operator | read_crls | read | List CRLs: pkiadm crm -l
PKI_Operator | read_extCA | read | List external CA entities: pkiadm extcalist
PKI_Administrator | update_algorithms | update | Enable/disable algorithms: pkiadm cfg algo -e
PKI_Administrator | read_algorithms | read | List algorithms: pkiadm cfg algo -l
PKI_Administrator | read_profiles | read | List profiles: pkiadm pfm -l
PKI_Administrator | read_profiles | query | Export profiles: pkiadm pfm -ex
PKI_Administrator | profile_mgmt | create | Create/import profile: pkiadm pfm -c
PKI_Administrator | profile_mgmt | update | Update profile: pkiadm pfm -u
PKI_Administrator | profile_mgmt | delete | Delete profile: pkiadm pfm -d
PKI_Administrator | entity_mgmt | create | Create entity category: pkiadm cfg category -c; create end entity: pkiadm etm -c; create bulk end entities: pkiadm etm -cb
PKI_Administrator | entity_mgmt | update | Update entity category: pkiadm cfg category -u; update end entity: pkiadm etm -u
PKI_Administrator | entity_mgmt | delete | Delete entity category: pkiadm cfg category -d; delete end entity: pkiadm etm -d
PKI_Administrator | read_entities | read | List categories: pkiadm cfg category -l
PKI_Administrator | read_caEntities | read | List entities: pkiadm etm -l
PKI_Administrator | caEntity_mgmt | create | Create entity: pkiadm etm -c; create bulk CA entities: pkiadm etm -cb
PKI_Administrator | caEntity_mgmt | update | Update CA entity: pkiadm etm -u
PKI_Administrator | caEntity_mgmt | delete | Delete CA entity: pkiadm etm -d
PKI_Administrator | read_caCerts | read | List CA certificates: pkiadm ctm CACert -l; export CA certificate: pkiadm ctm CACert -expcert; list CA trust: pkiadm tsm -l
PKI_Administrator | caEntity_cert_mgmt | create | Generate CA certificate: pkiadm ctm CACert -gen
PKI_Administrator | caEntity_cert_mgmt | update | Renew CA certificate: pkiadm ctm CACert -ri; publish CA trust: pkiadm tsm -pub; unpublish CA trust: pkiadm tsm -up; generate CRL: pkiadm crm -g; publish CRL: pkiadm crm -pub; unpublish CRL: pkiadm crm -up; revoke CA certificate: pkiadm rem CA -rev
PKI_Administrator | read_entityCerts | read | List entity certificates: pkiadm ctm EECert -l; export entity certificate: pkiadm ctm EECert -expcert; list entity trust: pkiadm tsm -l
PKI_Administrator | entity_cert_mgmt | create | Generate certificate: pkiadm ctm EECert -gen
PKI_Administrator | entity_cert_mgmt | update | Renew/rekey entity certificate: pkiadm ctm EECert -ri; publish entity trust: pkiadm tsm -pub; unpublish entity trust: pkiadm tsm -up; revoke entity certificates: pkiadm rem EE -rev
PKI_Administrator | read_crls | read | List CRLs: pkiadm crm -l
PKI_Administrator | read_extCA | read | List external CA entities: pkiadm extcalist
PKI_Administrator | extCA_mgmt | create | Create external CA entity: pkiadm extcaimport
PKI_Administrator | extCA_mgmt | update | Update external CA entity: pkiadm extcaupdatecrl
PKI_Administrator | extCA_mgmt | delete | Remove external CA entity: pkiadm extcaremove
SecGW_Operator | secgw_cert_mgmt | create | Generate Security Gateway certificate: pkiadm ctm SecGW --generate

Table 11
Role | Resource | Operations | Action/Command
PKI_EE_Operator | topologyCollectionService | read | collection list
PKI_EE_Administrator | topologyCollectionService | read | collection list
PKI_Operator | topologyCollectionService | read | collection list
PKI_Administrator | topologyCollectionService | read | collection list
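
Because the PKI roles in Table 10 nest (each role holds everything the one before it holds), the table can be used to pick the least privileged predefined role for a given list of pkiadm commands. The following is an added example, not ENM code: the role permission sets and the command mapping are transcribed from Table 10 (a representative subset of the commands), and the functions report which roles can run a command and which single role covers a task list with the fewest permissions.

```python
"""Least-privilege role selection for the pkiadm commands in Table 10.
Added example; role permission sets and the command mapping are transcribed
from the table, the functions are not part of ENM."""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Permission = Tuple[str, str]  # (resource, operation)

# Role permission sets built up in the order the table nests them:
# PKI_EE_Operator < PKI_EE_Administrator < PKI_Operator < PKI_Administrator.
EE_OPERATOR: FrozenSet[Permission] = frozenset({
    ("read_profiles", "read"), ("read_profiles", "query"),
    ("read_entities", "read"), ("read_entityCerts", "read"),
    ("read_crls", "read"),
})
EE_ADMINISTRATOR = EE_OPERATOR | {
    ("read_algorithms", "read"),
    ("entity_mgmt", "create"), ("entity_mgmt", "update"), ("entity_mgmt", "delete"),
    ("entity_cert_mgmt", "create"), ("entity_cert_mgmt", "update"),
}
OPERATOR = EE_ADMINISTRATOR | {
    ("update_algorithms", "update"), ("read_caEntities", "read"),
    ("caEntity_mgmt", "create"), ("caEntity_mgmt", "update"), ("caEntity_mgmt", "delete"),
    ("read_caCerts", "read"),
    ("caEntity_cert_mgmt", "create"), ("caEntity_cert_mgmt", "update"),
    ("read_extCA", "read"),
}
ADMINISTRATOR = OPERATOR | {
    ("profile_mgmt", "create"), ("profile_mgmt", "update"), ("profile_mgmt", "delete"),
    ("extCA_mgmt", "create"), ("extCA_mgmt", "update"), ("extCA_mgmt", "delete"),
}
PKI_ROLES: Dict[str, FrozenSet[Permission]] = {
    "PKI_EE_Operator": EE_OPERATOR,
    "PKI_EE_Administrator": EE_ADMINISTRATOR,
    "PKI_Operator": OPERATOR,
    "PKI_Administrator": ADMINISTRATOR,
    "SecGW_Operator": frozenset({("secgw_cert_mgmt", "create")}),
}

# Command -> permissions, any one of which is sufficient. Some commands appear
# under two resources in the table (e.g. "pkiadm tsm -l" under both
# read_entityCerts and read_caCerts), hence the tuple.
PKI_COMMANDS: Dict[str, Tuple[Permission, ...]] = {
    "pkiadm pfm -l": (("read_profiles", "read"),),
    "pkiadm pfm -ex": (("read_profiles", "query"),),
    "pkiadm pfm -c": (("profile_mgmt", "create"),),
    "pkiadm cfg algo -e": (("update_algorithms", "update"),),
    "pkiadm crm -l": (("read_crls", "read"),),
    "pkiadm crm -g": (("caEntity_cert_mgmt", "update"),),
    "pkiadm etm -c": (("entity_mgmt", "create"), ("caEntity_mgmt", "create")),
    "pkiadm tsm -l": (("read_entityCerts", "read"), ("read_caCerts", "read")),
    "pkiadm ctm EECert -gen": (("entity_cert_mgmt", "create"),),
    "pkiadm ctm CACert -gen": (("caEntity_cert_mgmt", "create"),),
    "pkiadm rem EE -rev": (("entity_cert_mgmt", "update"),),
    "pkiadm extcaimport": (("extCA_mgmt", "create"),),
    "pkiadm ctm SecGW --generate": (("secgw_cert_mgmt", "create"),),
}


def role_allows(role: str, command: str) -> bool:
    """True if the role holds at least one permission that the command accepts."""
    if command not in PKI_COMMANDS:
        raise ValueError(f"unknown pkiadm command: {command!r}")
    return any(p in PKI_ROLES[role] for p in PKI_COMMANDS[command])


def roles_for_command(command: str) -> List[str]:
    """All predefined roles that can run the command, sorted by name."""
    return sorted(r for r in PKI_ROLES if role_allows(r, command))


def least_privileged_role(commands: Iterable[str]) -> Optional[str]:
    """The single predefined role with the fewest permissions that covers every
    command, or None if no single role does (a second role is then needed)."""
    needed = list(commands)
    if not needed:
        return None
    candidates = [r for r in PKI_ROLES if all(role_allows(r, c) for c in needed)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(PKI_ROLES[r]), r))


if __name__ == "__main__":
    # Constructed task lists for a certificate-audit user and a CA-operations user.
    audit = ["pkiadm crm -l", "pkiadm pfm -ex", "pkiadm tsm -l"]
    ca_ops = ["pkiadm ctm CACert -gen", "pkiadm crm -g"]
    print("audit ->", least_privileged_role(audit))      # PKI_EE_Operator
    print("CA ops ->", least_privileged_role(ca_ops))    # PKI_Operator
    print("who can revoke EE certs:", roles_for_command("pkiadm rem EE -rev"))
```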

1.1.2.1.2.8 Role Based Authorization for Release Independence Manager

This section describes the Role Based Application Control (RBAC) functionality of
the Release Independence (RI) Manager application.
The RI application supports two application specific roles:

— NodeVersionSupport_Operator

Authorized to perform read-only actions on RI, including the ability to read
RI-related logs.

— NodeVersionSupport_Administrator

Authorized for all actions on RI (read, execute, delete), including the ability
to read RI-related logs.

Note that if Release Independence Manager is not running in "Express Mode",
the System Administrator role is also needed to execute "Add Support for
Node Versions".

Release Independence Manager Resources and Operations available for Custom
Roles creation

— node_version_support
read Allows reading information from the Node Version Support service, such as viewing Available Node Versions ready for support to be added, and viewing Model Validation and Node Version results.
execute Allows executing actions on the Node Version Support service, such as preparing and unpreparing support for unsupported Node Versions and Full Synchronizing Nodes on the new Node Versions.
delete Allows clearing Node Version results whose status equals complete.

1.1.2.1.2.8.1 Release Independence Manager Roles

Table 12
The UI prevents actions that are not allowed by disabling UI components according to the role.

Role | Resource | Operations | Action / Command
System Administrator | node_version_support | execute | Add Support for Node Versions
NodeVersionSupport_Administrator | node_version_support | read, execute, delete | View Release Independence Candidates; Prepare Support for Node Versions; Full Sync Nodes on the new Node Version; View Model Validation Results; View Release Independence Results; View/Download New Software Version Node Model; Clear Release Independence Results
NodeVersionSupport_Operator | node_version_support | read | View Release Independence Candidates; View Model Validation Results; View Release Independence Results; View/Download New Software Version Node Model; View Supported Node Versions

1.1.2.1.2.9 Role Based Authorization for Node Health Check

This section describes the Role Based Application Control (RBAC) functionality of
the Node Health Check (NHC) application.
NHC supports two predefined application specific roles:

— Nhc_Operator: by default, has the privileges of the Cmedit_Operator role. No
additional roles need to be assigned when creating a user with Nhc_Operator
privileges to execute the NHC use cases using the cm edit command of ENM CLI.

healthcheck

Unrestricted access to perform execute, read, create, update, and delete
actions on the Node Health Check service from CLI.

node_healthcheck

Allows the read action on managed objects in the NHC services from the NHC UI.

— Nhc_Administrator: by default, has the privileges of the Cmedit_Administrator role.
No additional roles need to be assigned when creating a user with
Nhc_Administrator privileges to execute the NHC use cases using the cm edit
command of ENM CLI.

node_healthcheck

Allows the create, execute, update, and delete actions on managed objects in
the NHC services.

NHC Resources and Operations available for Custom Roles creation:

— node_healthcheck
create Allows creating NHC reports.
execute Allows executing and viewing NHC reports.
delete Allows deleting NHC reports.
update Allows continuing and cancelling an NHC report.
read View NHC reports.

Prerequisite:
To access and operate on the shm resource (for example,
cppinventorysynch_service), the following resources:actions are also required.

Table 13
Resource | Operation
searchExecutor | read
topologySearchService | read
topologyCollectionsService (deprecated; all operations are deprecated) | read, create, delete
Collections_Public | read, create, delete
Collections_Private | read, create, delete
SavedSearch_Public | read, create, delete
SavedSearch_Private | read, create, delete
CollectionsOthers_Public | read
SavedSearchOthers_Public | read
modelInformationService | read
persistentobjectservice | read

1.1.2.1.2.9.1 Node Health Check Roles

Table 14
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action / Command
Nhc_Operator | NA | NA | nhc rep run; nhc ac --list; nhc ac --download; nhc rep --status; nhc rep --jobid <jobId> --download; nhc ac --upload; nhc ac --upload -o; nhc ac --delete; nhc compare run; nhc compare --download; nhc compare --status
Nhc_Operator | NA | NA | cmedit read
Nhc_Operator | topologyCollectionService | read | collection list
Nhc_Operator | node_healthcheck | read | View NHC reports
Nhc_Administrator | node_healthcheck | execute | Execute and view NHC reports
Nhc_Administrator | node_healthcheck | create | Create NHC reports
Nhc_Administrator | node_healthcheck | update | Continue and cancel an NHC report
Nhc_Administrator | node_healthcheck | delete | Delete NHC reports
Nhc_Administrator | node_healthcheck | query | View NHC report related details

1.1.2.1.2.10 Role Based Application Control for Performance Management Initiation and
Collection

This section describes the Role Based Application Control (RBAC) functionality of
Performance Management Initiation and Collection (PMIC).
PMIC supports three predefined application specific roles:

— PM_Operator

Unrestricted access to the application, and the only user able to activate or
deactivate PREDEF scanners for a node.

— PM_Read_Operator

Restricted READ access to the application.

— PM_Topology_Operator

Restricted READ access to the application, with Network Explorer application
access.

PMIC Resources and Operations available for Custom Roles creation

— subscription
create Allows creating any user defined Subscription to enable Performance Monitoring on the Network.
update Allows updating any Subscription.
delete Allows deleting any user defined Subscription.
read Allows reading information about the Subscriptions.
execute Allows activating/deactivating any Subscription.

— uetrace
create Allows creating a UE Trace Subscription to enable Performance Monitoring on the Network.
update Allows updating a UE Trace Subscription.
delete Allows deleting a UE Trace Subscription.
execute Allows activating/deactivating a UE Trace Subscription.

— statistical
create Allows creating a Statistical Subscription, MO Instance and Cell Instance Subscription to enable Performance Monitoring on the Network.
update Allows updating a Statistical Subscription, MO Instance and Cell Instance Subscription.
delete Allows deleting a Statistical Subscription, MO Instance and Cell Instance Subscription.
execute Allows activating or deactivating a Statistical Subscription, MO Instance and Cell Instance Subscription.

— celltrace_ebs-l
create Allows creating a CellTrace/EBS-L Subscription to enable Performance Monitoring on the Network.
update Allows updating a CellTrace/EBS-L Subscription and Continuous Cell Trace Subscription.
delete Allows deleting a CellTrace/EBS-L Subscription.
execute Allows activating/deactivating a CellTrace/EBS-L Subscription and Continuous Cell Trace Subscription.

— ctr
create Allows creating a Cell Traffic Recording Subscription (CTR) to enable Performance Monitoring on the Network.
update Allows updating a Cell Traffic Recording Subscription (CTR).
delete Allows deleting a Cell Traffic Recording Subscription (CTR).
execute Allows activating/deactivating a Cell Traffic Recording Subscription (CTR).

— ebm_ebs-m
create Allows creating an EBM/EBS-M Subscription to enable Performance Monitoring on the Network.
update Allows updating an EBM/EBS-M Subscription.
delete Allows deleting an EBM/EBS-M Subscription.
execute Allows activating/deactivating an EBM/EBS-M Subscription.

— uetr
create Allows creating a UETR Subscription to enable Performance Monitoring on the Network.
update Allows updating a UETR Subscription.
delete Allows deleting a UETR Subscription.
execute Allows activating/deactivating a UETR Subscription.

— ctum
update Allows updating a CTUM Subscription.
execute Allows activating/deactivating a CTUM Subscription.

— gpeh
create Allows creating a GPEH Subscription to enable Performance Monitoring on the Network.
update Allows updating a GPEH Subscription.
delete Allows deleting a GPEH Subscription.
execute Allows activating/deactivating a GPEH Subscription.

Prerequisite
The PM_Topology_Operator role must be used together with any PMIC custom
role when creating an ENM user.

1.1.2.1.2.11 Role Based Authorization for SHM

This section describes the custom-defined roles for the Software Hardware
Manager (SHM) application.
SHM supports two predefined application specific roles:

— SHM_Administrator

Permits the create, execute, update and delete actions on managed objects in
the SHM services.

— SHM_Operator

Permits the read action on managed objects in the SHM services.

The SHM_Operator and SHM_Administrator roles offer users the same privileges
as the predefined OPERATOR and ADMINISTRATOR roles, except that the scope is
limited to the SHM application.

Details about the operations allowed for SHM_Administrator and SHM_Operator
can be found in section Application Specific Roles on page 14.

The SHM_Administrator role, by default, has the privileges of the Cmedit_Administrator role.
No additional roles need to be assigned when creating a user with
SHM_Administrator privileges to execute the SHM use cases using the cm edit
command of ENM CLI.

The SHM_Operator role, by default, has the privileges of the Cmedit_Operator role. No
additional roles need to be assigned when creating a user with SHM_Operator
privileges to execute the SHM use cases using the cm edit command of ENM CLI.

SHM Resources and Operations available for Custom Roles creation

— cppinventorysynch_service
create Allows creating jobs such as Upgrade, Backup, License, Restore and Delete Backup.
execute Allows viewing job related details (job progress/job logs) and inventory details (software/hardware/license/backup), importing and viewing software packages and license key files, and exporting job logs.
delete Allows deleting jobs, software packages and license key files.
update Allows continuing and cancelling a job.

Prerequisite:
To access and operate on the shm resource (for example,
cppinventorysynch_service), the following resources:actions are also required.

Table 15
Resource | Operation
searchExecutor | read
topologySearchService | read
topologyCollectionsService (deprecated; all operations are deprecated) | read, create, delete
Collections_Public | read, create, delete
Collections_Private | read, create, delete
SavedSearch_Public | read, create, delete
SavedSearch_Private | read, create, delete
CollectionsOthers_Public | read
SavedSearchOthers_Public | read
modelInformationService | read
persistentobjectservice | read

1.1.2.1.2.11.1 SHM Roles

Table 16
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
SHM_Administrator | cppinventorysynch_service | execute | View software inventory
SHM_Administrator | cppinventorysynch_service | execute | View hardware inventory
SHM_Administrator | cppinventorysynch_service | execute | View license inventory
SHM_Administrator | cppinventorysynch_service | execute | View backup inventory
SHM_Administrator | cppinventorysynch_service | execute | Import software packages
SHM_Administrator | cppinventorysynch_service | delete | Delete software packages
SHM_Administrator | cppinventorysynch_service | create | Create upgrade job
SHM_Administrator | cppinventorysynch_service | create | Create backup job
SHM_Administrator | cppinventorysynch_service | create | Create Restore Backup job
SHM_Administrator | cppinventorysynch_service | delete | Delete Backup job
SHM_Administrator | cppinventorysynch_service | create | Create install license job
SHM_Administrator | cppinventorysynch_service | execute | Import license key batch file
SHM_Administrator | cppinventorysynch_service | delete | Delete license key file
SHM_Administrator | cppinventorysynch_service | execute | View License Key Files
SHM_Administrator | cppinventorysynch_service | execute | View software packages
SHM_Administrator | cppinventorysynch_service | update | Pause, continue jobs
SHM_Administrator | cppinventorysynch_service | execute | View jobs
SHM_Administrator | cppinventorysynch_service | execute | View job logs
SHM_Administrator | cppinventorysynch_service | execute | Export job logs
SHM_Administrator | cppinventorysynch_service | update | Cancel jobs
SHM_Administrator | cppinventorysynch_service | create | Create onboard job
SHM_Operator | cppinventorysynch_service | execute | View software inventory
SHM_Operator | cppinventorysynch_service | execute | View hardware inventory
SHM_Operator | cppinventorysynch_service | execute | View license inventory
SHM_Operator | cppinventorysynch_service | execute | View backup inventory
SHM_Operator | cppinventorysynch_service | execute | Import software packages
SHM_Operator | cppinventorysynch_service | execute | View software packages
SHM_Operator | cppinventorysynch_service | execute | Import license key batch file
SHM_Operator | cppinventorysynch_service | execute | View License Key Files
SHM_Operator | cppinventorysynch_service | execute | View jobs
SHM_Operator | cppinventorysynch_service | execute | View job logs
SHM_Operator | cppinventorysynch_service | execute | Export job logs

1.1.2.1.2.12 Role Based Authorization for CM REST

This section describes the Role Based Application Control (RBAC) functionality of
CM REST.
CM REST supports two predefined application specific roles:

— CM_REST_Administrator

Authorizes the administrator for all actions on the CM REST interface.

— CM_REST_Operator

The CM_REST_Operator and CM_REST_Administrator roles give users the
same privileges as the predefined OPERATOR and ADMINISTRATOR roles,
though the scope is limited to the CM application reached by the REST interface.

The resources currently available for the CM application reached by the REST interface are
cm_bulk_rest_nbi, cm_config_rest_nbi, and cell-management-nbi.

Access through CLI is not part of the CM REST interface; CLI-specific resources and
roles are available separately and can be found in Role Based Authorization for
ENM CLI on page 71.

To also obtain the privileges for the cmedit service, cmconfig service, bulkImport service
and bulk export service, specify Cmedit_Operator (for read) or
Cmedit_Administrator (for create, read, update, delete) when creating the user in
ENM.

Details about the operations allowed for CM_Administrator and CM_Operator
can be found in Application Specific Roles on page 14.

CM Resources and Operations available for Custom Roles creation:

— cm_bulk_rest_nbi
read Get information about bulk import/export jobs through REST NBI services.
create Execute bulk import/export operations through REST NBI services.

— cm_config_rest_nbi
read Read network configuration data through REST NBI services.
create Create network configuration data through REST NBI services.
update Update network configuration data through REST NBI services.
execute Perform the activate operation on network configuration data through REST NBI services.
delete Delete network configuration data through REST NBI services.

— cell-management-nbi
read Allows viewing the AdministrativeState of cells.
update Allows changing the AdministrativeState of cells.

1.1.2.1.2.12.1 CM REST Roles

Table 17
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
CM_REST_Administrator | cm_config_rest_nbi | read, create, update, execute, delete | Read network configuration data. Create a configuration through REST NBI services. Copy the content of a configuration to another configuration through NBI services. Activate a configuration through REST NBI services. Delete a configuration through REST NBI services.
CM_REST_Administrator | cm_bulk_rest_nbi | read, create | Get details for a bulk import or export job through REST NBI services. Get a list of the available filters. Execute a bulk import or export operation through REST NBI services.
CM_REST_Operator | cm_config_rest_nbi | read | Read network configuration data.
CM_REST_Operator | cm_bulk_rest_nbi | read | Get details for a bulk import or export job through REST NBI services. Get a list of the available filters.

2/1543-AOM 901 151-1 Uen C | 2018-07-25 57


ENM Identity and Access Management System Administrator Guide

1.1.2.1.2.13 Role Based Application Control for Network Health Monitor

This section describes the Role Based Application Control (RBAC) functionality of
Network Health Monitor (NHM).
NHM consists of four applications:

— Network Health Monitor

— Network Health Analysis

— Node Monitor

— KPI Management

NHM supports two application specific roles:

— NHM_Administrator

Unrestricted access to Network Health Monitor, Network Health Analysis,


Node Monitor and KPI Management

— NHM_Operator

Unrestricted access to Network Health Monitor, Network Health Analysis and


Node Monitor.

Restricted read-only access to KPI Management.

NHM Resources and Operations available for Custom Roles creation:

— nhm
read Allows monitoring of selected nodes and viewing of
KPI information.

execute Allows activation and deactivation of selected KPIs.

update Update selected custom defined KPIs.

create Create custom defined KPIs.

query Query the application for node and KPI data.

delete Delete selected custom defined KPIs.

— kpi-service
read Allows querying of KPI service for calculated KPI
values.

58 2/1543-AOM 901 151-1 Uen C | 2018-07-25


Identity and Access Management System

Prerequisite:
Ensure that either AMOS_Administrator or AMOS_Operator is selected along with
NHM_Administrator or NHM_Operator when creating a user in the ENM system.
This allows the user to access AMOS directly from the Node Monitor application.

To allow the user to perform operations on the Administrative State of Cells (for
example, “Lock/Unlock/Soft lock”) from the Network Health Analysis application,
also select the Cell_Management_Administrator role. If this requirement is not met,
these operations are not available.

To access and operate on the nhm resource, the following resource:action pairs are
also required:

Table 18
Resource | Operation
open_alarms | execute, update, query
alarms_search | query
alarm_overview | query
alarm_export | query
modelInformationService | read
searchExecutor | read
nodes | query
topologySearchService | read
topologyCollectionsService (deprecated) | read, create, delete (all operations are deprecated)
Collections_Public | read, create, delete, update
Collections_Private | read, create, delete, update
SavedSearch_Public | read, create, delete, update
SavedSearch_Private | read, create, delete, update
CollectionsOthers_Public | read
SavedSearchOthers_Public | read
persistentobjectservice | read

1.1.2.1.2.13.1 Operations controlled by RBAC in NHM

Table 19
Operation | Application | Resource used to control access | Description
create | KPI Management | nhm | Allows creation of a KPI definition
update | KPI Management | nhm | Allows updating of a KPI definition
delete | KPI Management | nhm | Allows deletion of a user defined inactive KPI
read | KPI Management | nhm | Read a single KPI definition, get a single KPI definition's attributes
query | KPI Management | nhm | Get all KPI definitions
execute | KPI Management | nhm | Allows activating/deactivating a KPI
read | KPI Service (part of the NHM service) | kpi_service | Read the values calculated for a KPI, get KPI values for worst performing nodes, get KPI values for nodes in breach. Also used by NHM monitoring Apps to get basic info about KPIs.

1.1.2.1.2.13.2 Network Health Monitor Roles

Table 20 Resources, actions, and associated commands that are allowed for each role

Role | Resource | Operations | Action/Command
NHM_Operator | nhm | read | Reading of all applications
 | | query | Querying of all applications
 | kpi_service | read | Read the values calculated for a KPI, get KPI values for worst performing nodes, get KPI values for nodes in breach. Also used by NHM monitoring Apps to get basic info about KPIs.
NHM_Administrator | nhm | create | Create user defined KPIs
 | | update | Update KPIs
 | | read | Reading of all applications
 | | execute | Activate / Deactivate and Edit KPI's
 | | delete | Delete user defined inactive KPIs
 | | query | Querying of all applications
 | kpi_service | read | Read the values calculated for a KPI, get KPI values for worst performing nodes, get KPI values for nodes in breach. Also used by NHM monitoring Apps to get basic info about KPIs.

1.1.2.1.2.14 Role Based Authorization for Network Explorer

This section describes the Role Based Application Control (RBAC) functionality of
Network Explorer.
Network Explorer supports two predefined application specific roles:

— Network_Explorer_Administrator

— Network_Explorer_Operator

The Network_Explorer_Operator and Network_Explorer_Administrator roles give the
users the same privileges as the predefined OPERATOR and ADMINISTRATOR roles,
though the scope is limited to the Network Explorer application.

Details about the operations allowed for Network_Explorer_Administrator and
Network_Explorer_Operator can be found under Application Specific Roles on
page 14.

Network Explorer Resources and Operations available for Custom Roles creation

— topologySearchService
read: Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches.

— Collections_Public
read: View owned Public Collections.
create: Create Public Collections.
update: Update owned Public Collections.
delete: Delete owned Public Collections.

— Collections_Private
read: View owned Private Collections.
create: Create Private Collections.
update: Update owned Private Collections.
delete: Delete owned Private Collections.

— SavedSearch_Public
read: View owned Public Saved Searches.
create: Create Public Saved Searches.
update: Update owned Public Saved Searches.
delete: Delete owned Public Saved Searches.

— SavedSearch_Private
read: View owned Private Saved Searches.
create: Create Private Saved Searches.
update: Update owned Private Saved Searches.
delete: Delete owned Private Saved Searches.

— CollectionsOthers_Public
read: View not owned Public Collections.

— SavedSearchOthers_Public
read: View not owned Public Saved Searches.

— modelInformationService
read: Read Models and associated attributes in CriteriaBuilder.

— searchExecutor
read: Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results.

— nested_collection
read: Allows the user to read nested collections.
create: Allows the user to create nested collections.
update: Allows the user to update nested collections.
delete: Allows the user to delete nested collections.

— system_created_object
create: Allows the user to create objects in Network Explorer which are marked as System Created.
delete: Allows the user to delete system created objects in Network Explorer.

Table 21 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Network_Explorer_Administrator | modelInformationService | read | Read Models and associated attributes in CriteriaBuilder
 | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results
 | topologySearchService | read | Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches
 | persistentobjectservice | read | View managed object instances in Topology Browser
 | rootAssociations | read | Get NetworkElement associated to root managed object instances
 | Collections_Public | read | View owned Public Collections. Export owned Public Collections.
 | Collections_Private | read | View owned Private Collections. Export owned Private Collections.
 | Collections_Public | create | Create Public Collections
 | Collections_Private | create | Create Private Collections
 | Collections_Public | delete | Delete owned Public Collections
 | Collections_Private | delete | Delete owned Private Collections
 | Collections_Public | update | Update owned Public Collections
 | Collections_Private | update | Update owned Private Collections
 | SavedSearch_Public | read | View owned Public Saved Searches
 | SavedSearch_Private | read | View owned Private Saved Searches
 | SavedSearch_Public | create | Create Public Saved Searches
 | SavedSearch_Private | create | Create Private Saved Searches
 | SavedSearch_Public | delete | Delete owned Public Saved Searches
 | SavedSearch_Private | delete | Delete owned Private Saved Searches
 | SavedSearch_Public | update | Update owned Public Saved Searches
 | SavedSearch_Private | update | Update owned Private Saved Searches
 | SavedSearchOthers_Private | delete | Delete not owned Private Saved Searches
 | CollectionsOthers_Private | delete | Delete not owned Private Collections
 | SavedSearchOthers_Private | update | Update not owned Private Saved Searches
 | CollectionsOthers_Private | update | Update not owned Private Collections
 | SavedSearchOthers_Private | read | Read not owned Private Saved Searches
 | CollectionsOthers_Private | read | Read not owned Private Collections. Export not owned Private Collections
 | SavedSearchOthers_Public | delete | Delete not owned Public Saved Searches
 | CollectionsOthers_Public | delete | Delete not owned Public Collections
 | SavedSearchOthers_Public | update | Update not owned Public Saved Searches
 | CollectionsOthers_Public | update | Update not owned Public Collections
 | SavedSearchOthers_Public | read | Read not owned Public Saved Searches
 | CollectionsOthers_Public | read | Read not owned Public Collections. Export not owned Public Collections
Network_Explorer_Operator | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results
 | topologySearchService | read | Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches
 | modelInformationService | read | Read Models and associated attributes in CriteriaBuilder
 | persistentobjectservice | read | View managed object instances in Topology Browser
 | rootAssociations | read | Get Network Element associated to root managed object instances
 | Collections_Public | read | View owned Public Collections. Export owned Public Collections
 | Collections_Private | read | View owned Private Collections. Export owned Private Collections
 | Collections_Public | create | Create Public Collections
 | Collections_Private | create | Create Private Collections
 | Collections_Public | delete | Delete owned Public Collections
 | Collections_Private | delete | Delete owned Private Collections
 | Collections_Public | update | Update owned Public Collections
 | Collections_Private | update | Update owned Private Collections
 | SavedSearch_Public | read | View owned Public Saved Searches
 | SavedSearch_Private | read | View owned Private Saved Searches
 | SavedSearch_Public | create | Create Public Saved Searches
 | SavedSearch_Private | create | Create Private Saved Searches
 | SavedSearch_Public | delete | Delete owned Public Saved Searches
 | SavedSearch_Private | delete | Delete owned Private Saved Searches
 | SavedSearch_Public | update | Update owned Public Saved Searches
 | SavedSearch_Private | update | Update owned Private Saved Searches
 | SavedSearchOthers_Public | read | Read not owned Public Saved Searches
 | CollectionsOthers_Public | read | Read not owned Public Collections. Export not owned Public Collections

1.1.2.1.2.15 Role Based Authorization for Topology Browser

This section describes the RBAC functionality for Topology Browser.

Topology Browser supports two predefined application specific roles:

— Topology_Browser_Administrator

Authorized for read and update actions on PersistentObjectService.

— Topology_Browser_Operator

Authorized for read actions on PersistentObjectService.

Topology Browser Resources and Operations available for Custom Roles creation

Table 22
Resource | Operations
rootAssociations | read
persistentobjectservice | read
persistentobjectservice | update
modelInformationService | read

1.1.2.1.2.15.1 Topology Browser Roles

Table 23 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Topology_Browser_Administrator | nested_collection | read | Allows the user to read nested collections
 | | create | Allows the user to create nested collections
 | | delete | Allows the user to delete nested collections
 | | update | Allows the user to update nested collections
 | persistentobjectservice | read | View and navigate any Network Topology Tree
 | | update | Update the attributes of a network object
 | modelInformationService | read | Read a model and its attributes with values
 | rootAssociations | read | Allows the user to read associations between NetworkElements and ManagedObjects
Topology_Browser_Operator | nested_collection | read | Allows the user to read nested collections
 | persistentobjectservice | read | View and navigate any Network Topology Tree
 | rootAssociations | read | Allows the user to read associations between NetworkElements and ManagedObjects
 | modelInformationService | read | Read a model and its attributes with values

1.1.2.1.2.16 Role Based Authorization for License Manager

This section describes the RBAC functionality for License Manager.

License Manager supports one predefined application specific role:

— Lcm_Administrator - Authorized for all actions (create, read, update, delete, execute, query) on LCM.

The Lcm_Administrator role gives the users the same privileges as the predefined
ADMINISTRATOR role, except that the scope is limited to the License Manager application.

License Manager Resources and Operations available for Custom Roles creation

Not supported.

1.1.2.1.2.16.1 License Manager Roles

Table 24
Role | Resource | Operations | Actions/Command
Lcm_Administrator | NA | NA | list installed feature and capacity licenses; list current usage; install a license file; remove an installed license; export current usage; export historical usage; activate an Emergency Unlock license; set threshold for alarm notification of license expiry; set threshold for alarm notification of capacity usage; get threshold information for a specified license; get threshold information for all installed licenses; get information about licenses with Grace Periods; get information about Emergency Unlock licenses; get information about Capacity Enforcement
Lcm_Administrator | topologyCollectionService | read | collection list

1.1.2.1.2.17 Role Based Authorization for CM CONFIG

This section describes the Role Based Application Control (RBAC) functionality of
CM CONFIG.
CM CONFIG supports two predefined application specific roles:

— Cmedit_Administrator

Authorized for all actions on CM Config (read, create, execute, update, delete).

— Cmedit_Operator

Authorized for read action on CM Config.

The Cmedit_Operator and Cmedit_Administrator roles give the users the same
privileges as the predefined OPERATOR and ADMINISTRATOR roles, though the
scope is limited to the cmedit service, cmconfig service, bulk import service and
bulk export service.

Cmconfig Resources and Operations available for Custom Roles creation

— config
create: Create or copy a network configuration.
delete: Delete an existing configuration.
read: Read the attributes of a configuration.
update: Update the attributes in a configuration.

1.1.2.1.2.17.1 CM CONFIG Roles

Table 25 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Cmedit_Administrator | config | update | config activate
 | config | create | config copy
 | config | create | config create
 | config | delete | config delete
 | config | read | config diff, config history, config list
Cmedit_Operator | config | read | config diff, config history, config list

1.1.2.1.2.18 Role Based Authorization for BULK EXPORT

This section describes the Role Based Application Control (RBAC) functionality of
BULK EXPORT.
BULK EXPORT supports two predefined application specific roles:

— Cmedit_Administrator

Authorized for read actions on Bulk Export.

— Cmedit_Operator

Authorized for read actions on Bulk Export.

The Cmedit_Operator and Cmedit_Administrator roles give the users the same
privileges as the predefined OPERATOR and ADMINISTRATOR roles, though the
scope is limited to the cmedit service, cmconfig service, bulk import service and
bulk export service.

Bulk Export Resources and Operations available for Custom Roles creation

— cmedit
read: Retrieve information from the network database and export it to a file.

1.1.2.1.2.18.1 BULK EXPORT Roles


Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Cmedit_Administrator | cmedit | read | cmedit export
Cmedit_Operator | cmedit | read | cmedit export

1.1.2.1.2.19 Role Based Authorization for ENM System Monitor

This section describes the Role Based Application Control (RBAC) functionality of
ENM System Monitor (ESM).
ESM supports one predefined application specific role:

— System_Monitor

Authorized to launch ESM from the ENM Launcher page.

ESM also supports three predefined application specific roles:

— ESMAdmin

Authorized for all actions in ESM (create a new user, role, alerts).

— ESM_AlertManager

Authorized for all actions on Alerts (create, update, delete, and view).

— ESM_ReadOnly

Authorized for read-only access (the user is not permitted to make changes to
the system).

1.1.2.1.2.19.1 ENM System Monitor Roles

Table 26 Resources, actions, and associated commands allowed for each role

Role | Resource | Allowed Actions | Action/Command
System_Monitor | ENM_monitor | read | Allows launching ESM from the ENM Launcher page
ESMAdmin | NA | NA | View details of the resources, platforms, alerts, and everything which has been managed by ESM. Create new users, roles, alerts. Update a user and role. Delete a created user, alert, and role.
ESM_AlertManager | NA | NA | View details of the alerts that have been raised. Create a new alert on any resource. Update or edit the created alert. Delete the alert before it is triggered or after triggering.
ESM_ReadOnly | NA | NA | View Inventory, Resources, Platforms, Alerts.

1.1.2.1.2.20 Role Based Authorization for CM EVENTS NBI

This section describes the Role Based Application Control (RBAC) functionality of
CM EVENTS.
CM EVENTS supports two predefined application specific roles:

— CM_EVENTSNBI_Administrator

— CM_EVENTSNBI_Operator

The CM_EVENTSNBI_Operator and CM_EVENTSNBI_Administrator roles give the users
the same privileges as the predefined OPERATOR and ADMINISTRATOR roles,
though the scope is limited to the cm-events-nbi resource.

Details about the operations allowed for CM_EVENTSNBI_Administrator and
CM_EVENTSNBI_Operator can be found under Application Specific Roles on
page 14.

CM EVENTS NBI Resources and Operations available for Custom Roles creation

— cm-events-nbi
read Get events/filters for cm events nbi.

create Create filters for cm events nbi.

delete Delete filters for cm events nbi.

1.1.2.1.2.20.1 CM EVENTS NBI Roles


Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
CM_EVENTSNBI_Administrator | cm-events-nbi | read | Get CM events for network elements.
 | | read | Get CM events for network elements with query parameters.
 | | read | Get all CM event filters.
 | | create | Create a new filter for CM events.
 | | delete | Delete a CM event filter.
CM_EVENTSNBI_Operator | cm-events-nbi | read | Get CM events for network elements.
 | | read | Get CM events for network elements with query parameters.
 | | read | Get all CM event filters.

1.1.2.1.2.21 Role Based Authorization for BULK IMPORT

This section describes the Role Based Application Control (RBAC) functionality of
BULK IMPORT.
BULK IMPORT supports one predefined application specific role:

— Cmedit_Administrator

Authorized for the following actions on Bulk Import (create).

The Cmedit_Administrator role gives the users the same privileges as the
predefined ADMINISTRATOR role, though the scope is limited to the cmedit
service, cmconfig service, bulk import service and bulk export service.

Details about the operations allowed for Cmedit_Administrator can be found in
the section Application Specific Roles on page 14.

Bulk Import Resources and Operations available for Custom Roles creation

— cmedit
create: Modify network CM data based on an import file and retrieve information on the status and details of import jobs.

1.1.2.1.2.21.1 BULK IMPORT Roles

Table 27 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Cmedit_Administrator | cmedit | create | cmedit import
Cmedit_Administrator | cmedit | create | cmedit import --status
Cmedit_Administrator | cmedit | create | cmedit import --status --detail

1.1.2.1.2.22 Role Based Authorization for ENM CLI

This section describes the Role Based Application Control (RBAC) functionality of
ENM CLI.
ENM CLI supports two predefined application specific roles:

— Cmedit_Administrator

Authorized for all commands in CM Editor (create, read, update, delete).

— Cmedit_Operator

Authorized for read commands in CM Editor (read)

Cmedit Resources and Operations available for network configuration

— cmedit
get: Read Network Configuration Data
describe: Read Network Configuration Data
action: Perform modelled actions on Network Configuration Data
set: Update Network Configuration Data
delete: Delete Network Configuration Data
create: Create Network Configuration Data

1.1.2.1.2.22.1 ENM CLI Roles

Table 28 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Cmedit_Administrator | cmedit | create | cmedit create
 | cmedit | read | cmedit get
 | cmedit | read | cmedit describe
 | cmedit | update | cmedit set
 | cmedit | update | cmedit action
 | cmedit | delete | cmedit delete
 | topologyCollectionService | read | collection list
Cmedit_Operator | cmedit | read | cmedit get
 | cmedit | read | cmedit describe
 | topologyCollectionService | read | collection list

1.1.2.1.2.23 Role Based Authorization for Automatic Alarm Handling (FMX)

This section describes the Role Based Application Control (RBAC) functionality of
Automatic Alarm Handling (FMX).
FMX supports two application specific roles:

— FMX_Administrator

— FMX_Operator

Both roles allow basic module management operation.

FMX Resources and Operations available for Custom Roles creation

— fmxModuleManagement
execute: Perform Activate/Deactivate operations in Module Management, change running Module Parameters and all operations in Event Simulator
query: Query for Modules archived/exported/loaded and their status
create: Perform Import/Export/Load operations on Modules
read: View Monitor graphs and subscribe to Rule Trace
update: Create/Edit rules using Rule Editor
delete: Perform Unload operation on Modules

Prerequisites
It is necessary to specify the Element_Manager_Operator role along with
FMX_Administrator role when creating the user in ENM. This allows the user to
export FMX Rule Editor display into the visualization tool and use sticky sessions.

1.1.2.1.2.23.1 Automatic Alarm Handling (FMX) Roles

Table 29 Resources, actions, and associated commands allowed for each role

Application | Role | Resource | Operations | Action/Command
Module Management | FMX_Administrator | fmxModuleManagement | create | Module Management: Perform Import/Export/Load operations on Modules
 | | | delete | Module Management: Perform Unload operation on Modules; Remove Archived Module from Archive
 | | | read | Module Monitor: View Monitor graphs. Rule Module Statistics: View Rule Module Statistics. Rule Module Trace: Subscribe to Rule Trace. Time Periods: List Time Period files; List Event Time to Time Period files
 | | | query | Module Management: Query Loaded Modules status in Module Management; Query Archived Modules status in Module Management. Rule Module Parameters: Query current Rule Module Parameters
 | | | execute | Module Management: Perform Activate/Deactivate operations in Module Management. Rule Module Parameters: Modify running Module Parameters. Event Simulator: Create Sequence; Insert/Edit/Move/Delete Event, Wait or Loop in Event Sequence; Play, Pause, Stop, Continue, Play Next in Event Sequence; Add Additional Attributes to event definition in Event Sequence; Load/Save Event Sequence; Edit Saved Event Sequence. Time Periods: Add, edit, delete Event Time to Time Period files; Add, delete Time Period files; Export Time Period files; Import Time Period files
Rule Editor | FMX_Administrator | fmxModuleManagement | update | Rule Editor: Create Rule Module; Create Rule/Procedure/File in Rule Module; Delete Rule/Procedure/File in Rule Module; Edit Rule Parameters in Rule Module; Save Rule Module; Edit Saved Rule Module; Check in, Check out, Archive Rules Module
Module Management | FMX_Operator | fmxModuleManagement | create | N/A
 | | | read | Module Monitor: View Monitor graphs. Rule Module Statistics: View Rule Module Statistics. Rule Module Trace: Subscribe to Rule Trace. Time Periods: List Time Period files; List Event Time to Time Period files
 | | | query | Module Management: Query Loaded Modules status in Module Management; Query Archived Modules status in Module Management. Rule Module Parameters: Query current Rule Module Parameters. Rule Module Triggers: Query current Rule Module Triggers
 | | | execute | Module Management: Perform Activate/Deactivate operations in Module Management. Rule Module Parameters: Modify running Module Parameters. Event Simulator: Create Sequence; Insert/Edit/Move/Delete Event, Wait or Loop in Event Sequence; Play, Pause, Stop, Continue, Play Next in Event Sequence; Add Additional Attributes to event definition in Event Sequence; Load/Save Event Sequence; Edit Saved Event Sequence. Time Periods: Add, edit, delete Event Time to Time Period files; Add, delete Time Period files; Export Time Period files; Import Time Period files

1.1.2.1.2.24 Role Based Authorization for ENM Automatic ID Management

This section describes the Role Based Application Control (RBAC) functionality of
ENM Automatic ID Management.
ENM Automatic ID Management supports two predefined application specific
roles:

— AutoId_Administrator

Authorized for all actions on Automatic ID Management.

— AutoId_Operator

Authorized for read-only access on Automatic ID Management.

Automatic ID Management Resources and Operations available for Custom Roles creation

— autocellid_services
create: Create Automatic ID Management Profiles (except Closed Loop), Settings and Schedules.
read: Read Automatic ID Management Profiles, Settings, Conflict Results, Calculate Results and Schedules.
update: Update Automatic ID Management Profiles, Perform PCI Check, Calculate, Fix PCI Conflicts on the Network, Settings and Schedules.
delete: Delete Automatic ID Management Profiles, Settings and Schedules.

Prerequisites
To access and operate on the Automatic ID Management resource (for example,
autocellid_services), the following resource:action pairs are also required:

Table 30
Resources | Operation
searchExecutor | read
topologySearchService | read
topologyCollectionsService | read, create, delete
modelInformationService | read
persistentobjectservice | read

Note: Any custom role that grants the create, update or delete operation on the
"autocellid_services" resource must also grant the read operation on
"autocellid_services"; read is a prerequisite for those write operations.

1.1.2.1.2.24.1 ENM Automatic ID Management Roles

Table 31 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
AutoId_Administrator | autocellid_services | create | Create Profile
 | | update | Modify profile
 | | delete | Delete profile
 | | read | Read Profiles
 | | update | System Setting Update
 | | read | Manual PCI Check and Calculate
 | | update | Manual PCI Check and Calculate
 | | update | Apply PCI Changes
AutoId_Operator | autocellid_services | read | Read Profiles
 | | read | Manual PCI Check and Calculate

1.1.2.1.2.25 Role Based Authorization for Netlog

This section describes the Role Based Application Control (RBAC) functionality of
Netlog.
Netlog supports one application specific role:

— NetworkLog_Administrator

Netlog Resources and Operations available for Custom Roles creation

The table describes the actions required for the resource "netlogService" for the
role "NetworkLog_Administrator".

Table 32
S.No | Task | Action
1 | Describe the list of supported Logs for each node. | query
2 | Upload supported logs from nodes. | execute
3 | Retrieve the status of Network Log collections. | query
4 | Request the export of Node Logs collected by ENM into user defined storage. | export
5 | Delete Node Logs from ENM SFS. | delete

Prerequisites
It is necessary to specify the Cmedit_Operator role along with the
NetworkLog_Administrator role when creating the user in ENM. This allows the
user to execute netlog commands in ENM CLI to query or collect the logs
available for nodes.

1.1.2.1.2.25.1 Netlog Roles

Table 33 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
NetworkLog_Administrator | netlogService | query | Retrieve list of supported logs for each node, or retrieve the progress of the log collection ongoing on Network Logs.
 | netlogService | execute | Collect supported logs for nodes.
 | netlogService | export | Request the export of Node Logs collected by ENM into user defined storage.
 | netlogService | delete | Delete Node Logs from ENM SFS.

1.1.2.1.2.26 Role Based Authorization for VNF-LCM

This section describes the Custom-Defined Roles for the VNF Life Cycle
Manager (VNF-LCM) application.
VNF-LCM supports two predefined application specific roles:

— VNFLCM_Operator

Permits access to read and execute VNF-LCM.

— VNFLCM_Administrator

Permits access to read and execute VNF-LCM {more actions to be added in future}.

The VNFLCM_Operator and VNFLCM_Administrator roles offer the users the same
privileges as the predefined OPERATOR and ADMINISTRATOR roles, except that the
scope is limited to the VNF-LCM application.

To learn more about the operations allowed for VNFLCM_Administrator and
VNFLCM_Operator, refer to Application Specific Roles on page 14.

VNFLCM Resources and Operations available for Custom Roles creation

— vnflcm
read: Launch VNF-LCM GUI, view workflow and instance details.
execute: Launch VNF-LCM GUI, start and complete an instance of workflow.

Prerequisite:
To access and operate on the vnflcm resource, the following resource:action pairs
are also required.

Table 34
Resource | Operation
vnflcm | read
vnflcm | execute

1.1.2.1.2.26.1 VNF-LCM Roles

Table 35 Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
VNFLCM_Administrator | vnflcm | execute | Start workflow instance
VNFLCM_Administrator | vnflcm | execute | Complete workflow instance
VNFLCM_Administrator | vnflcm | read | View active instance
VNFLCM_Administrator | vnflcm | read | View completed instance
VNFLCM_Operator | vnflcm | execute | Start workflow instance
VNFLCM_Operator | vnflcm | execute | Complete workflow instance
VNFLCM_Operator | vnflcm | read | View active instance
VNFLCM_Operator | vnflcm | read | View completed instance

1.1.2.1.2.27 Role Based Authorization for PM REST

This section describes the Role Based Application Control (RBAC) functionality of
PM FLS.
FLS supports the predefined application specific role:

— PM_NBI_Operator

Authorizes the operator for read access on the PM FLS REST interface.

The PM_NBI_Operator role gives the users the privilege to query FLS for
file related metadata; the scope is limited to the PM FLS application reached
through the REST interface.

To obtain the privileges for querying FLS for the file metadata service, specify the
PM_NBI_Operator role (for read) when creating the user in ENM.

Access through CLI is not part of the PM FLS REST interface. CLI-specific resources
and roles are available separately and can be found in Role Based Authorization
for ENM CLI on page 71.

1.1.2.1.2.27.1 PM REST Roles

Table 36 Resources, actions, and associated commands allowed for the role

Role | Resource | Operations | Action/Command
PM_NBI_Operator | pm_rest_nbi | read | Query FLS to obtain file metadata based on the parameters provided in the query.


1.1.2.1.2.28 Role Based Authorization for Cell Management GUI

This section describes the Custom-Defined Roles for the Cell Management GUI
application.
Cell Management GUI currently supports two predefined application specific roles
and one deprecated role:

— Cell_Management_Operator

Lists the cell information and cell related data.

— Cell_Management_Administrator

Lists the cell information and cell related data. Allows the AdministrativeState
of cells to be updated.

— Cell_Management_View - deprecated

Lists the cell information and cell related data.

The Cell_Management_Operator and Cell_Management_View roles offer the user the
same privileges as the predefined OPERATOR role, except that the scope is limited
to the Cell Management GUI application.

The Cell_Management_Administrator role includes all the rights that the
Cell_Management_Operator role offers and additionally allows the
AdministrativeState of cells to be updated.

Details about the operations allowed for Cell_Management_Operator can be
found in section Application Specific Roles on page 14.

Cell Management GUI Resource and Operation available for Custom Roles creation

— cell-management-gui
read Allows read access to cell information and cell related data.
update Allows to update the AdministrativeState of cells.

Prerequisite:
To access and operate on the cell management gui resource (for example,
cell-management-gui), the following resources:actions are also required.

Table 37
Resource | Operation
searchExecutor | read
topologySearchService | read
topologyCollectionsService | read, create, delete
modelInformationService | read
persistentobjectservice | read
rootAssociations | read
1.1.2.1.2.28.1 Cell Management GUI Roles

Table 38
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Cell_Management_Operator | cell-management-gui | read | Reads cell information and cell related data.
Cell_Management_View - deprecated | cell-management-gui | read | Reads cell information and cell related data.
Cell_Management_Administrator | cell-management-gui | read, update | Reads cell information and cell related data. Allows to update the AdministrativeState of cells.

1.1.2.1.2.29 Role Based Authorization for Parameter Management

This section describes the Role Based Application Control (RBAC) functionality of
Parameter Management.
Parameter Management supports two predefined application specific roles:

— Parameter_Management_Administrator

Permits execute and update actions on Parameter Management.

— Parameter_Management_Operator

Permits execute actions on Parameter Management.

The Parameter_Management_Operator and Parameter_Management_Administrator
roles offer users the same privileges as the predefined OPERATOR and
ADMINISTRATOR roles, except that the scope is limited to the Parameter
Management application.

Details about the operations allowed for Parameter_Management_Administrator
and Parameter_Management_Operator can be found in section Application
Specific Roles.

Parameter Management Resources and Operations available for Custom Roles
creation


— parametermanagement
execute To view and edit configuration parameter data.
update To update configuration parameter data to the network.

Prerequisites
To access and operate on parameter management resource (for example,
parametermanagement), the following resources:actions are also required.

Table 39
Resource | Operation
searchExecutor | read
topologySearchService | read
topologyCollectionsService (deprecated) | read, create, delete, update (all operations are deprecated)
Collections_Public | read, create, delete, update
Collections_Private | read, create, delete, update
SavedSearch_Public | read, create, delete, update
SavedSearch_Private | read, create, update, delete
CollectionsOthers_Public | read
SavedSearchOthers_Public | read
modelInformationService | read
persistentobjectservice | read, update

1.1.2.1.2.29.1 Parameter Management Roles

Table 40
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
Parameter_Management_Administrator | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results.
Parameter_Management_Administrator | topologyCollectionsService | read, create, update, delete | View, create, update and delete Collections and Saved Searches.
Parameter_Management_Administrator | Collections_Public | read, create, update, delete | View, create, update and delete public Collections.
Parameter_Management_Administrator | Collections_Private | read, create, update, delete | View, create, update and delete private Collections.
Parameter_Management_Administrator | CollectionsOthers_Public | read | Read others' public Collections.
Parameter_Management_Administrator | SavedSearch_Public | read, create, update, delete | View, create, update and delete public SavedSearches.
Parameter_Management_Administrator | SavedSearch_Private | read, create, update, delete | View, create, update and delete private SavedSearches.
Parameter_Management_Administrator | SavedSearchOthers_Public | read | Read others' public SavedSearches.
Parameter_Management_Administrator | topologySearchService | read | Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches.
Parameter_Management_Administrator | modelInformationService | read | Read Models and associated attributes in NetworkExplorer, TopologyBrowser and Parameter Management.
Parameter_Management_Administrator | persistentobjectservice | read, update | Read and navigate persistent objects in Parameter Management. Update models and associated attributes in Parameter Management.
Parameter_Management_Administrator | parametermanagement | execute, update | View and edit configuration parameter data. Update configuration parameter data to the network.
Parameter_Management_Operator | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results.
Parameter_Management_Operator | topologyCollectionsService | read, create, update, delete | View, create, update and delete Collections and Saved Searches.
Parameter_Management_Operator | Collections_Public | read, create, update, delete | View, create, update and delete public Collections.
Parameter_Management_Operator | Collections_Private | read, create, update, delete | View, create, update and delete private Collections.
Parameter_Management_Operator | CollectionsOthers_Public | read | Read others' public Collections.
Parameter_Management_Operator | SavedSearch_Public | read, create, update, delete | View, create, update and delete public SavedSearches.
Parameter_Management_Operator | SavedSearch_Private | read, create, update, delete | View, create, update and delete private SavedSearches.
Parameter_Management_Operator | SavedSearchOthers_Public | read | Read others' public SavedSearches.
Parameter_Management_Operator | topologySearchService | read | Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches.
Parameter_Management_Operator | modelInformationService | read | Read Models and associated attributes in NetworkExplorer, TopologyBrowser and Parameter Management.
Parameter_Management_Operator | persistentobjectservice | read | Read and navigate persistent objects in Parameter Management.
Parameter_Management_Operator | parametermanagement | execute | View and edit configuration parameter data.

1.1.2.1.2.30 Role Based Authorization for Analytic Session Record (ASR)

This section describes the Role Based Application Control (RBAC) functionality of
Analytic Session Record.
ASR supports three predefined application specific roles:

— ASR_Administrator

Authorized for all actions on Analytic Session Record (ASR)

— ASR-L_Administrator

Authorized for all actions on Analytic Session Record for LTE (ASR-L)

— ASR-L_Schema_Operator

Authorized to read the AVRO Schema of Analytic Session Record for LTE (ASR-L)

1.1.2.1.2.30.1 Analytic Session Record (ASR) Roles

Table 41
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
ASR_Administrator | asr | read, update, execute | View details of any ASR configuration. Update any ASR configuration. Activate or deactivate any ASR configuration.
ASR_Administrator | topologyCollectionsService | read, create, delete | Read, create or delete network element collections.
ASR_Administrator | topologySearchService, rootAssociations, searchExecutor, modelInformationService | read | Associate network elements with ASR configuration.
ASR-L_Administrator | asr_l | read, update, execute | View details of ASR-L configuration. Update ASR-L configuration. Activate or deactivate ASR-L configuration.
ASR-L_Administrator | topologyCollectionsService | read, create, delete | Read, create or delete network element collections.
ASR-L_Administrator | topologySearchService, rootAssociations, searchExecutor, modelInformationService | read | Associate network elements with ASR configuration.
ASR-L_Schema_Operator | asr_l_schema | read | Read AVRO schema of ASR-L configuration.

1.1.2.1.2.31 Role Based Authorization for SON Optimization Manager Portal

This section describes the Role Based Application Control (RBAC) functionality of
SON Optimization Manager Portal.
SON Optimization Manager Portal application supports the following application
specific roles:

— SON_OM_Administrator

Allows Administrator access to SON Optimization Manager.

— SON_General_Operator

Allows General access to SON Optimization Manager.

— SON_SDG_Operator

Allows access to SON Data Gateway Service in SON Optimization Manager.

— SON_SIS_Operator

Allows access to SON Implementation Server Service in SON Optimization Manager.

— SON_SAS_Operator

Allows access to SON Application Server Service in SON Optimization Manager.

— SON_ACOM_Operator

Allows access to Automated Cell Outage Management Service in SON Optimization
Manager.

SON Optimization Manager Portal Resources and Operations available for Custom
Roles creation:

— manage_regions
read Allows access to Manage Regions in SON Optimization Manager.

— sdg_manage_instances
read Allows access to Manage SON DATA Gateway Connections in SON Optimization Manager.

— sdg_configure_flavor
read Allows access to Configure SON DATA Gateway Collection Task in SON Optimization Manager.

— sdg_toggle_flavor
read Allows access to Toggle SON DATA Gateway Collection Task in SON Optimization Manager.

— sdg_start_task
read Allows access to Start SON DATA Gateway Collection Task in SON Optimization Manager.

— sdg_stop_task
read Allows access to Stop SON DATA Gateway Collection Task in SON Optimization Manager.

— sdg_set_mysql
read Allows access to Set SON DATA Gateway MySQL Host in SON Optimization Manager.

— sdg_reset_database
read Allows access to Reset SON DATA Gateway Database(s) in SON Optimization Manager.

— sdg_repair_database
read Allows access to Repair SON DATA Gateway Database(s) in SON Optimization Manager.

— sis_manage_instances
read Allows access to Manage SON Implementation Service Connections in SON Optimization Manager.

— sis_manage_profiles
read Allows access to Manage SON Implementation Service Profiles in SON Optimization Manager.

— sis_schedule_task
read Allows access to Schedule SON Implementation Service Implementation Task in SON Optimization Manager.

— sis_remove_task
read Allows access to Remove SON Implementation Service Implementation Task in SON Optimization Manager.

— sis_set_mysql
read Allows access to Set SON Implementation Service MySQL Host in SON Optimization Manager.

— sis_set_shared_data_path
read Allows access to Set SON Implementation Service Shared Data Path in SON Optimization Manager.

— sas_user
read Allows access to SON Application Service User in SON Optimization Manager.

— sas_manage_instances
read Allows access to Manage SON Application Service Connections in SON Optimization Manager.

— sas_toggle_use_case
read Allows access to Toggle SON Application Service Use Case in SON Optimization Manager.

— sas_configure_use_case
read Allows access to Configure SON Application Service Use Case in SON Optimization Manager.

— sas_start_use_case
read Allows access to Start SON Application Service Use Case in SON Optimization Manager.

— sas_manage_exceptions
read Allows access to Manage SON Application Service Exceptions in SON Optimization Manager.

— sas_set_mysql
read Allows access to Set SON Application Service MySQL Host in SON Optimization Manager.

— acom_user
read Allows access to ACOM User in SON Optimization Manager.

— acom_manage_instances
read Allows access to Manage ACOM Connections in SON Optimization Manager.

— acom_toggle_use_case
read Allows access to Toggle ACOM Use Cases in SON Optimization Manager.

— acom_configure_use_case
read Allows access to Configure ACOM Use Case in SON Optimization Manager.

— acom_start_use_case
read Allows access to Start ACOM Use Case in SON Optimization Manager.
1.1.2.1.2.31.1 SON Optimization Manager Portal Role

Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
SON_OM_Administrator | manage_regions | read | Show link to access Manage Regions in SON Optimization Manager Portal
SON_OM_Administrator | sdg_manage_instances | read | Show link to access Manage SON Data Gateway Connections in SON Optimization Manager Portal
SON_OM_Administrator | sdg_configure_flavor | read | Show link to access Configure SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_OM_Administrator | sdg_toggle_flavor | read | Show link to access Toggle SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_OM_Administrator | sdg_start_task | read | Show link to access Start Collection Task in SON Optimization Manager Portal
SON_OM_Administrator | sdg_stop_task | read | Show link to access Stop SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_OM_Administrator | sdg_set_mysql | read | Show link to access Set SON Data Gateway MySQL Host in SON Optimization Manager Portal
SON_OM_Administrator | sdg_reset_database | read | Show link to access Reset SON Data Gateway Database(s) in SON Optimization Manager Portal
SON_OM_Administrator | sdg_repair_database | read | Show link to access Repair SON Data Gateway Database(s) in SON Optimization Manager Portal
SON_OM_Administrator | sis_manage_instances | read | Show link to access Manage SIS Connections in SON Optimization Manager Portal
SON_OM_Administrator | sis_manage_profiles | read | Show link to access Manage SON Implementation Service Profiles in SON Optimization Manager Portal
SON_OM_Administrator | sis_schedule_task | read | Show link to access Schedule SON Implementation Service Implementation Task in SON Optimization Manager Portal
SON_OM_Administrator | sis_remove_task | read | Show link to access Remove SON Implementation Service Implementation Task in SON Optimization Manager Portal
SON_OM_Administrator | sis_set_mysql | read | Show link to access Set SON Implementation Service MySQL Host in SON Optimization Manager Portal
SON_OM_Administrator | sis_set_shared_data_path | read | Show link to access Set SON Implementation Service Shared Data Path in SON Optimization Manager Portal
SON_OM_Administrator | sas_user | read | Show link to access SON Application Service User in SON Optimization Manager Portal
SON_OM_Administrator | sas_manage_instances | read | Show link to access Manage SON Application Service Connections in SON Optimization Manager Portal
SON_OM_Administrator | sas_toggle_use_case | read | Show link to access Toggle SON Application Service Use Case in SON Optimization Manager Portal
SON_OM_Administrator | sas_configure_use_case | read | Show link to access Configure SON Application Service Use Case in SON Optimization Manager Portal
SON_OM_Administrator | sas_start_use_case | read | Show link to access Start SON Application Service Use Case in SON Optimization Manager Portal
SON_OM_Administrator | sas_manage_exceptions | read | Show link to access Manage SON Application Service Exceptions in SON Optimization Manager Portal
SON_OM_Administrator | sas_set_mysql | read | Show link to access Set SON Application Service MySQL Host in SON Optimization Manager Portal
SON_OM_Administrator | acom_user | read | Show link to access ACOM User in SON Optimization Manager Portal
SON_OM_Administrator | acom_manage_instances | read | Show link to access Manage ACOM Connections in SON Optimization Manager Portal
SON_OM_Administrator | acom_toggle_use_case | read | Show link to access Toggle ACOM Use Cases in SON Optimization Manager Portal
SON_OM_Administrator | acom_configure_use_case | read | Show link to access Configure ACOM Use Case in SON Optimization Manager Portal
SON_OM_Administrator | acom_start_use_case | read | Show link to access Start ACOM Use Case in SON Optimization Manager Portal
SON_General_Operator | manage_regions | read | Show link to access Manage Regions in SON Optimization Manager Portal
SON_SDG_Operator | sdg_manage_instances | read | Show link to access Manage SON Data Gateway Connections in SON Optimization Manager Portal
SON_SDG_Operator | sdg_configure_flavor | read | Show link to access Configure SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_SDG_Operator | sdg_toggle_flavor | read | Show link to access Toggle SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_SDG_Operator | sdg_start_task | read | Show link to access Start SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_SDG_Operator | sdg_stop_task | read | Show link to access Stop SON Data Gateway Collection Task in SON Optimization Manager Portal
SON_SDG_Operator | sdg_set_mysql | read | Show link to access Set SON Data Gateway MySQL Host in SON Optimization Manager Portal
SON_SDG_Operator | sdg_reset_database | read | Show link to access Reset SON Data Gateway Database(s) in SON Optimization Manager Portal
SON_SDG_Operator | sdg_repair_database | read | Show link to access Repair SON Data Gateway Database(s) in SON Optimization Manager Portal
SON_SIS_Operator | sis_manage_instances | read | Show link to access Manage SON Implementation Service Connections in SON Optimization Manager Portal
SON_SIS_Operator | sis_manage_profiles | read | Show link to access Manage SON Implementation Service Profiles in SON Optimization Manager Portal
SON_SIS_Operator | sis_schedule_task | read | Show link to access Schedule SON Implementation Service Implementation Task in SON Optimization Manager Portal
SON_SIS_Operator | sis_remove_task | read | Show link to access Remove SON Implementation Service Implementation Task in SON Optimization Manager Portal
SON_SIS_Operator | sis_set_mysql | read | Show link to access Set SON Implementation Service MySQL Host in SON Optimization Manager Portal
SON_SIS_Operator | sis_set_shared_data_path | read | Show link to access Set SON Implementation Service Shared Data Path in SON Optimization Manager Portal
SON_SAS_Operator | sas_user | read | Show link to access SON Application Service User in SON Optimization Manager Portal
SON_SAS_Operator | sas_manage_instances | read | Show link to access Manage SON Application Service Connections in SON Optimization Manager Portal
SON_SAS_Operator | sas_toggle_use_case | read | Show link to access Toggle SON Application Service Use Case in SON Optimization Manager Portal
SON_SAS_Operator | sas_configure_use_case | read | Show link to access Configure SON Application Service Use Case in SON Optimization Manager Portal
SON_SAS_Operator | sas_start_use_case | read | Show link to access Start SON Application Service Use Case in SON Optimization Manager Portal
SON_SAS_Operator | sas_manage_exceptions | read | Show link to access Manage SON Application Service Exceptions in SON Optimization Manager Portal
SON_SAS_Operator | sas_set_mysql | read | Show link to access Set SON Application Service MySQL Host in SON Optimization Manager Portal
SON_ACOM_Operator | acom_user | read | Show link to access ACOM User in SON Optimization Manager Portal
SON_ACOM_Operator | acom_manage_instances | read | Show link to access Manage ACOM Connections in SON Optimization Manager Portal
SON_ACOM_Operator | acom_toggle_use_case | read | Show link to access Toggle ACOM Use Cases in SON Optimization Manager Portal
SON_ACOM_Operator | acom_configure_use_case | read | Show link to access Configure ACOM Use Case in SON Optimization Manager Portal
SON_ACOM_Operator | acom_start_use_case | read | Show link to access Start ACOM Use Case in SON Optimization Manager Portal

1.1.2.1.2.32 Role Based Authorization for BO NETAN standalone UI

This section describes the Role Based Application Control (RBAC) functionality of
BO NETAN standalone UI.
bonetanstandaloneui supports one application specific role:

— BO_NETAN_Operator

Authorized for read action in bonetanstandaloneui

bonetanstandaloneui Resources and Operations available for Custom Roles
creation


— bo-netan-access
read shows link for bonetanstandaloneui on ENM Launcher.

1.1.2.1.2.32.1 BO NETAN standalone UI Role

Table 42
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
BO_NETAN_Operator | bo-netan-access | read | Show link for BO NETAN standalone UI on ENM Launcher

1.1.2.1.2.33 Role Based Authorization for Business Intelligence Launch Pad

This section describes the Role Based Application Control (RBAC) functionality of
Business Intelligence Launch Pad.
Business Intelligence Launch Pad supports two predefined application specific
roles:

— BO_Administrator
Allows administrator access to Business Objects client tools and web
applications.

— BO_Report_Operator

Allows access to BI Launch Pad and Web Intelligence Rich Client Tool.

Business Intelligence Launch Pad Resources and Operations available for
Custom Roles creation

— bo-admin-access
read shows link for Business Intelligence Launch Pad on
ENM Launcher.

— bo-report-operator-access
read shows link for Business Intelligence Launch Pad on
ENM Launcher.

1.1.2.1.2.33.1 Business Intelligence Launch Pad Role

Table 43
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
BO_Administrator | bo-admin-access | read | Show link for Business Intelligence Launch Pad
BO_Report_Operator | bo-report-operator-access | read | Show link for Business Intelligence Launch Pad

1.1.2.1.2.34 Role Based Authorization for Business Objects Central Management Console

This section describes the Role Based Application Control (RBAC) functionality of
Business Objects Central Management Console.
Business Objects Central Management Console supports one predefined
application specific role:

— BO_Administrator
Allows administrator access to Business Objects client tools and web
applications.

Business Objects Central Management Console Resources and Operations
available for Custom Roles creation

— bo-admin-access
read shows link for Business Objects Central Management
Console on ENM Launcher.

1.1.2.1.2.34.1 Business Objects Central Management Console Role

Table 44
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
BO_Administrator | bo-admin-access | read | Show link for Business Objects Central Management Console

1.1.2.1.2.35 Role Based Authorization for Information Design Tool

This section describes the Role Based Application Control (RBAC) functionality of
Information Design Tool.
Information Design Tool supports two predefined application specific roles:

— BO_Administrator
Allows administrator access to Business Objects client tools and web
applications.

— BO_Report_Operator

Allows access to Universe Design Tool and Information Design Tool.

Information Design Tool Resources and Operations available for Custom Roles
creation


— bo-admin-access
read shows link for Information Design Tool on ENM
Launcher.

— bo-universe-access
read shows link for Information Design Tool on ENM
Launcher.

1.1.2.1.2.35.1 Information Design Tool Role

Table 45
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
BO_Administrator | bo-admin-access | read | Show link for Information Design Tool
BO_Universe_Operator | bo-universe-access | read | Show link for Information Design Tool

1.1.2.1.2.36 Role Based Authorization for Network Analytics Server Analyst

This section describes the Role Based Application Control (RBAC) functionality of
Network Analytics Server Analyst.
Network Analytics Server Analyst supports two predefined application specific
roles:

— NetworkAnalytics_Administrator
Allows administrator access to Network Analytics Server Analyst and
Network Analytics Server Web Player service.

— NetworkAnalytics_BusinessAnalyst_Operator

Is for users that are required to create and edit Analyses and Information
Packages using the Network Analytics Server Analyst tool, and to also create
and view Analysis through the Network Analytics Server Web Player.

Network Analytics Server Analyst Resources and Operations available for
Custom Roles creation

— netan-server-admin-access
read shows link for Network Analytics Server Analyst on
ENM Launcher.

— netan-business-analyst-access
read shows link for Network Analytics Server Analyst on
ENM Launcher.


1.1.2.1.2.36.1 Network Analytics Server Analyst Role

Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
NetworkAnalytics_Administrator | netan-server-admin-access | read | Show link for Network Analytics Server Analyst
NetworkAnalytics_BusinessAnalyst_Operator | netan-business-analyst-access | read | Show link for Network Analytics Server Analyst

1.1.2.1.2.37 Role Based Authorization for Network Analytics Server Web Player

This section describes the Role Based Application Control (RBAC) functionality of
Network Analytics Server Web Player.
Network Analytics Server Web Player supports four predefined application
specific roles:

— NetworkAnalytics_Administrator
Allows administrator access to Network Analytics Server Analyst and
Network Analytics Server Web Player service.

— NetworkAnalytics_BusinessAnalyst_Operator

Is for users that are required to create and edit Analyses and Information
Packages using the Network Analytics Server Analyst tool, and to also create
and view Analysis via the Network Analytics Server Web Player.

— NetworkAnalytics_BusinessAuthor_Operator

Is for users that are required to create and edit the Analyses on the Network
Analytics Server Web Player.

— NetworkAnalytics_Consumer_Operator

Is for users that are required to consume/view Analyses on the Network
Analytics Server Web Player. This role is read-only; users cannot create
Analyses.

Network Analytics Server Web Player Resources and Operations available for
Custom Roles creation

— netan-server-admin-access
read shows link for Network Analytics Server Web Player
on ENM Launcher.

— netan-business-analyst-access
read shows link for Network Analytics Server Web Player
on ENM Launcher.

— netan-business-author-access
read shows link for Network Analytics Server Web Player on ENM Launcher.

— netan-consumer-access
read shows link for Network Analytics Server Web Player
on ENM Launcher.

1.1.2.1.2.37.1 Network Analytics Server Web Player Role

Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
NetworkAnalytics_Administrator | netan-server-admin-access | read | Show link for Network Analytics Server Web Player
NetworkAnalytics_BusinessAnalyst_Operator | netan-business-analyst-access | read | Show link for Network Analytics Server Web Player
NetworkAnalytics_BusinessAuthor_Operator | netan-business-author-access | read | Show link for Network Analytics Server Web Player
NetworkAnalytics_Consumer_Operator | netan-consumer-access | read | Show link for Network Analytics Server Web Player

1.1.2.1.2.38 Role Based Authorization for Universe Design Tool

This section describes the Role Based Application Control (RBAC) functionality of
Universe Design Tool.
Universe Design Tool supports two predefined application specific roles:

— BO_Administrator
Allows administrator access to Business Objects client tools and web
applications.

— BO_Report_Operator

Allows access to Universe Design Tool and Information Design Tool.

Universe Design Tool Resources and Operations available for Custom Roles
creation

— bo-admin-access
read shows link for Universe Design Tool on ENM Launcher.

— bo-universe-access
read shows link for Universe Design Tool on ENM Launcher.

1.1.2.1.2.38.1 Universe Design Tool Role

Table 46
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
BO_Administrator | bo-admin-access | read | Show link for Universe Design Tool
BO_Universe_Operator | bo-universe-access | read | Show link for Universe Design Tool

1.1.2.1.2.39 Role Based Authorization for Web Intelligence Rich Client

This section describes the Role Based Application Control (RBAC) functionality of
Web Intelligence Rich Client.
Web Intelligence Rich Client supports two predefined application specific roles:

— BO_Administrator
Allows administrator access to Business Objects client tools and web
applications.

— BO_Report_Operator

Allows access to BI Launch Pad and Web Intelligence Rich Client Tool.

Web Intelligence Rich Client Resources and Operations available for Custom
Roles creation

— bo-admin-access
read shows link for Web Intelligence Rich Client on ENM
Launcher.

— bo-report-operator-access
read shows link for Web Intelligence Rich Client on ENM
Launcher.

1.1.2.1.2.39.1 Web Intelligence Rich Client Role

Table 47
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
BO_Administrator | bo-admin-access | read | Show link for Web Intelligence Rich Client
BO_Report_Operator | bo-report-operator-access | read | Show link for Web Intelligence Rich Client


1.1.2.1.2.40 Role Based Authorization for FM SNMP NBI

This section describes the Role Based Application Control (RBAC) functionality of
FM SNMP NBI.
FM SNMP NBI application supports three predefined application specific roles:

— NbiFmSnmpConfig_Operator

— NbiFmSnmpConfig_Administrator

— NbiFmSnmpManager

FM SNMP NBI Resources and Operations available for Custom Roles creation

The table describes the actions required for the resource
"nbi_fm_snmp_subscribe" for the role "NbiFmSnmpConfig_Administrator".

S.No | Task | Action
1 | Create, delete SNMP subscriptions | execute
2 | Read SNMP subscriptions | read

The table describes the actions required for the resource
"nbi_fm_snmp_subscribe" for the role "NbiFmSnmpConfig_Operator".

S.No | Task | Action
1 | Read SNMP subscriptions | read

The table describes the actions required for the resource
"nbi_fm_snmp_manager" for the role "NbiFmSnmpManager".

S.No | Task | Action
1 | Authorize SNMP manager to access the SNMP agent | execute

1.1.2.1.2.40.1 FM SNMP NBI Role

Table 48
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
NbiFmSnmpConfig_Administrator | nbi_fm_snmp_subscribe | execute | Create, delete SNMP subscriptions
NbiFmSnmpConfig_Administrator | nbi_fm_snmp_subscribe | read | Read SNMP subscriptions
NbiFmSnmpConfig_Operator | nbi_fm_snmp_subscribe | read | Read SNMP subscriptions
NbiFmSnmpManager | nbi_fm_snmp_manager | execute | Authorize SNMP manager to access the SNMP agent via the SNMP protocol. Users belonging to this role are not meant for ENM access but only for SNMP authentication purposes.

1.1.2.1.2.41 Role Based Authorization for Uplink Spectrum Analyzer

This section describes the Role Based Application Control (RBAC) functionality of
Uplink Spectrum Analyzer (ULSA).
ULSA application supports two predefined application specific roles:

— ULSA_Operator
Authorized to perform read-only tasks in ULSA.

— ULSA_Administrator

Authorized to perform all tasks in ULSA.

Note: ULSA_Administrator role, by default, has privileges of
Cmedit_administrator role. No additional roles are to be assigned while
creating users with ULSA_Administrator privileges to execute ULSA
start/stop collection use cases using ENM CLI. Log Viewer read access is
also permitted.

ULSA Resources and Operations available for Custom Roles creation

— ulsa
read allows processing of already collected ULSA files.

execute allows processing of collected files and start and stop
of file collection.

Prerequisites
To start and stop file collection using ENM CLI the following actions are also
required:

Table 49
Resources | Action
cm_editor | create, read, update, execute, delete
logViewer_access | read


1.1.2.1.2.41.1 Uplink Spectrum Analyzer Role

Table 50
Resources, actions, and associated commands allowed for each predefined role

Application | Role | Resource | Operations | Action/Command
Uplink Spectrum Analyzer | ULSA_Operator | ulsa | read | Allow to process already collected Uplink Spectrum files.
Log Viewer | ULSA_Operator | logViewer-access | read | Allow read access to Log Viewer.
Uplink Spectrum Analyzer | ULSA_Administrator | ulsa | read | Allow to process already collected Uplink Spectrum files.
Uplink Spectrum Analyzer | ULSA_Administrator | ulsa | execute | Allow to start and stop Uplink Spectrum file collection.
CM-CLI | ULSA_Administrator | cm_editor | read | Read Network Configuration Data.
CM-CLI | ULSA_Administrator | cm_editor | create | Create Network Configuration Data.
CM-CLI | ULSA_Administrator | cm_editor | execute | Perform modelled actions on Network Configuration Data.
CM-CLI | ULSA_Administrator | cm_editor | update | Modify Network Configuration Data.
CM-CLI | ULSA_Administrator | cm_editor | delete | Delete Network Configuration Data.
Log Viewer | ULSA_Administrator | logViewer_access | read | Allow read access to Log Viewer.

1.1.2.1.2.42 Role Based Authorization for Add Node

This section describes the Role Based Application Control (RBAC) functionality of
Add Node.
Add Node supports one predefined application specific role:

— AddNode_Administrator

Authorized to create a new Network Element via UI.

1.1.2.1.2.42.1 Add Node Role


Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
AddNode_Administrator | add_node | write | Create a Network Element via UI


1.1.2.1.2.43 Role Based Authorization for Ericsson Expert Analytics (EEA)

This section describes the Role Based Application Control (RBAC) functionality of
EEA.
EEA supports one predefined application specific role:

— EEA_Operator

Authorized to show the link for EEA launch on ENM Launcher.

EEA Resources and Operations available for Custom Roles creation

— eea
read shows link for EEA launch on ENM Launcher.

1.1.2.1.2.43.1 Ericsson Expert Analytics Role

Table 51
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
EEA_Operator | eea | read | Show link for EEA launch

1.1.2.1.2.44 Role Based Authorization for Autonomic Incident Management

This section describes the Role Based Application Control (RBAC) functionality of
Autonomic Incident Management (AIM).
AIM supports two predefined application specific roles:

— AIM_Operator

Authorized for actions as an operator in Autonomic Incident Management
(Read).

— AIM_Administrator

Authorized for actions as an administrator in Autonomic Incident
Management (Read, Update).

Prerequisite:
To set up AIM, the user must have the AIM_Administrator role or a custom role with
the following capabilities:


Table 52
Application | Resource | Operation
Autonomic Incident Management | AIM | update
Kpi Service | kpi_service | read
TopologyBrowser | persistentobjectservice | read
TopologyBrowser | rootAssociations | read
NetworkExplorer | topologySearchService | read
NetworkExplorer | searchExecutor | read
Cell Management | cell-management-gui | read

1.1.2.1.2.44.1 Autonomic Incident Management Role

Table 53
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
AIM_Administrator | AIM | read | Allow monitoring of AIM
AIM_Administrator | AIM | update | Allow user to update Network and KPI scoping for AIM
AIM_Operator | AIM | read | Allow monitoring of AIM

1.1.2.1.2.45 Role Based Authorization for Node CLI Launch

This section describes the Role Based Application Control (RBAC) functionality of
Node CLI Launch.
Node CLI Launch supports two predefined application specific roles:

— NodeCLI_Administrator

Authorized for all actions in Node CLI, such as launch, close, and export the
content in CLI to text file.

— NodeCLI_Operator

Authorized for all actions in Node CLI, such as launch, close and export the
content in CLI to text file.

1.1.2.1.2.45.1 Node CLI Role

Table 54
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
NodeCLI_Administrator | nodecli_usertype_admin | launch | Launch Node CLI
NodeCLI_Administrator | nodecli_usertype_admin | close | Close Node CLI
NodeCLI_Administrator | nodecli_usertype_admin | export | Export CLI content to text file
NodeCLI_Operator | nodecli_usertype_control | launch | Launch Node CLI
NodeCLI_Operator | nodecli_usertype_control | close | Close Node CLI
NodeCLI_Operator | nodecli_usertype_control | export | Export CLI content to text file

1.1.2.1.2.46 Role Based Authorization for Target Group Management (TGM)

This section describes the Role Based Application Control (RBAC) functionality of
Target Group Management (TGM).
TGM supports one predefined application specific role:

— Target_Group_Administrator

Allows administrator access to Target Group Management.

1.1.2.1.2.46.1 Target Group Management Role

Table 55
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
Target_Group_Administrator | target_group_mgmt | create | Create a target group
Target_Group_Administrator | target_group_mgmt | patch | Change description for target group and targets assignment in target group
Target_Group_Administrator | target_group_mgmt | delete | Delete a target group
Target_Group_Administrator | target_group_mgmt | read | List target group details and targets for target group
Target_Group_Administrator | target_group_mgmt | query | List all target groups
Target_Group_Administrator | target_handlers_manager | query | Request nodes data from DPS

1.1.2.1.2.47 Role Based Authorization for CM Bulk Import

This section describes the Role Based Application Control (RBAC) functionality of
CM Bulk Import.
CM Bulk Import application supports two predefined application specific roles:

— CM_Bulk_UI_Import_Operator

Authorized for actions as an operator in CM Bulk Import (Read).

— CM_Bulk_UI_Import_Administrator

Authorized for actions as an administrator in CM Bulk Import (Read, Create,
Delete).


1.1.2.1.2.47.1 CM Bulk Import Role

Table 56
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
CM_Bulk_UI_Import_Administrator | cm_bulk_import_ui | read | Allows user to view import jobs using the Import NBI
CM_Bulk_UI_Import_Administrator | cm_bulk_import_ui | create | Allows user to create import jobs using the Import NBI
CM_Bulk_UI_Import_Administrator | cm_bulk_import_ui | delete | Allows user to delete import jobs using the Import NBI
CM_Bulk_UI_Import_Administrator | cm_config_rest_nbi | read | Allows user to view import jobs using the Import NBI
CM_Bulk_UI_Import_Administrator | cm_config_rest_nbi | create | Allows user to create import jobs using the Import NBI
CM_Bulk_UI_Import_Administrator | cm_config_rest_nbi | delete | Allows user to delete import jobs using the Import NBI
CM_Bulk_UI_Import_Administrator | Collections_Public | read | Allows user to read public collections
CM_Bulk_UI_Import_Administrator | Collections_Public | create | Allows user to create public collections
CM_Bulk_UI_Import_Administrator | Collections_Public | update | Allows user to update public collections
CM_Bulk_UI_Import_Administrator | Collections_Public | delete | Allows user to delete public collections
CM_Bulk_UI_Import_Administrator | Collections_Private | read | Allows user to read private collections
CM_Bulk_UI_Import_Administrator | Collections_Private | create | Allows user to create private collections
CM_Bulk_UI_Import_Administrator | Collections_Private | update | Allows user to update private collections
CM_Bulk_UI_Import_Administrator | Collections_Private | delete | Allows user to delete private collections
CM_Bulk_UI_Import_Administrator | CollectionsOthers_Public | read | Allows user to read other public collections
CM_Bulk_UI_Import_Operator | cm_bulk_import_ui | read | Allows user to view import jobs using the Import NBI
CM_Bulk_UI_Import_Operator | cm_config_rest_nbi | read | Allows user to view import jobs using the Import NBI

1.1.2.1.2.48 Role Based Authorization for Adaptations

This section describes the Role Based Application Control (RBAC) functionality
for customer adaptations. On installation a customer adaptation can be assigned
an appropriate adaptation role.
Several predefined roles are supported for customer adaptations, for different
types of users:
— Adaptation Installer Roles

— Adaptation User Roles


1.1.2.1.2.48.1 Adaptation Installer Role

The Adaptation Installer role is used to support RBAC for installing a customer
adaptation in ENM.
The Adaptation Installer role is intended to be used by the Ericsson services
engineer who is installing the adaptation; its purpose is to remove the need
to grant root access to the installation engineer. All the other roles/capabilities
are used by the operators to enable normal management activities.

Note: Adaptation installation can require root privileges. As adaptation
support matures, the actions requiring root privileges are reduced and
the Adaptation Installer role is used instead.

Table 57
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
Adaptation_installer_Administrator | adaptation_installer | execute | Allowed all actions (including install and remove) for custom adaptation actions and scripts

1.1.2.1.2.48.2 Adaptation User Roles

The Customer Adaptation role is used to support RBAC for customer adaptations and
ensures RBAC separation for individual customer adaptation functions.
It includes:
— function specific customer adaptation roles: to support specific adaptation
functionality, in some cases also support for an integrated 3PP NE. This
mirrors standard ENM functionality (and related roles/capabilities), for
example, adaptation_element_manager.

— generic customer adaptation roles: to support RBAC where a specific
functional adaptation role is not available, for example,
adaptation_solution_1 … adaptation_solution_5.

Note: A functional adaptation role/capability does not indicate that related
customer adaptations are available. Roles and capabilities are
predefined and are ready when needed.

Table 58
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
Adaptation_cm_nb_integration_Administrator | adaptation_cm_nb_integration | execute | Allows access to adaptation for CM NB integration
Adaptation_element_manager_Operator | adaptation_element_manager | execute | Authorized for actions on Element Manager which is available as an adaptation
Adaptation_fm_nb_integration_Administrator | adaptation_fm_nb_integration | execute | Allows access to adaptation for FM NB integration
Adaptation_heathcheck_Administrator | adaptation_healthcheck | execute | Allows the access to Node Healthcheck as an adaptation
Adaptation_inventorysynch_Administrator | adaptation_inventorysynch | execute | Allows access to adaptation inventory synch
Adaptation_launch_help_Operator | adaptation_launch_help | execute | Allows access to adaptation launch help
Adaptation_nodecli_Operator | adaptation_nodecli | execute | Execute access to adaptation_nodecli
Adaptation_pm_nb_integration_Administrator | adaptation_pm_nb_integration | execute | Allows the access to adaptation pm nb integration.
Adaptation_Solution_1_Operator | adaptation_solution_1 | execute | Execute access for adaptation_solution_1
Adaptation_Solution_2_Operator | adaptation_solution_2 | execute | Execute access for adaptation_solution_2
Adaptation_Solution_3_Operator | adaptation_solution_3 | execute | Execute access for adaptation_solution_3
Adaptation_Solution_4_Operator | adaptation_solution_4 | execute | Execute access for adaptation_solution_4
Adaptation_Solution_5_Operator | adaptation_solution_5 | execute | Execute access for adaptation_solution_5
Adaptation_subscription_Operator | adaptation_subscription | execute | Allows access to adaptation PM subscription actions for Performance Monitoring on the Network
Adaptation_trouble_ticketing_Operator | adaptation_trouble_ticketing | execute | Allows access to sync with an external trouble ticketing system

1.1.2.1.2.49 Role Based Authorization for Physical Link Management

This section describes the Role Based Application Control (RBAC) functionality of
Physical Link Management.
Physical Link Management supports two predefined application specific roles:

— LinkManagement_Administrator

Authorized for all actions on Physical Link Management (read, create,
update, delete, query)

— LinkManagement_Operator

Authorized to perform read and query actions on Physical Link
Management


Prerequisite:
To access and operate on Link Management, the following resource:action pairs
are also required.

Table 59
Application | Resource | Operation
TopologyBrowser | persistentobjectservice | read
NetworkExplorer | searchExecutor | read
NetworkExplorer | topologySearchService | read
NetworkExplorer | topologyCollectionsService | read, create, update, delete
Command Line Interface (CLI) | cm_editor | read

1.1.2.1.2.49.1 Physical Link Management Role

Table 60
Resources, actions, and associated commands allowed for each predefined role

Role | Resource | Operations | Action/Command
LinkManagement_Administrator | link_management | read | View the link details.
LinkManagement_Administrator | link_management | create | Create/import links.
LinkManagement_Administrator | link_management | update | Update the link name and description.
LinkManagement_Administrator | link_management | delete | Delete the links.
LinkManagement_Administrator | link_management | query | Query the link details to view and export.
LinkManagement_Operator | link_management | read | View the link details.
LinkManagement_Operator | link_management | query | Query the link details to view and export.

1.1.2.1.2.50 Role Based Authorization for Network Viewer

This section describes the Role Based Application Control (RBAC) functionality of
Network Viewer application.
Network Viewer supports two predefined application specific roles:

— NetworkViewer_Administrator

Authorized to select nodes on tree view to visualize them on map view.

Authorized to locate a Network Element on topology in a tree view or in a
map view.

Authorized to see alarms summary of a Network Element in a map view.

Authorized to create and delete a Network Element in a tree view or in a map
view.

Authorized to modify the geographical coordinates of a Network Element in
a tree view or in a map view.

Authorized to run Element Manager of a Network Element in a tree view or in
a map view.

Authorized to run Node CLI of a Network Element in a tree view or in a map
view.

— NetworkViewer_Operator

Authorized to select nodes on tree view to visualize them on map view.

Authorized to locate a Network Element on topology in a tree view or in a
map view.

Authorized to see alarms summary of a Network Element in a map view.

Authorized to run Node CLI of a Network Element in a tree view or in a map
view.

Prerequisite:
No prerequisites.

1.1.2.1.2.50.1 Network Viewer Roles

Table 61
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
NetworkViewer_Administrator | networkviewer | update | Provide access to visualize and to modify network resources.
NetworkViewer_Operator | networkviewer | read | Provide access to visualize network resources.

1.1.2.1.2.51 Role Based Authorization for Configuration Templates

This section describes the Role Based Application Control (RBAC) functionality of
Configuration Templates application.
Configuration Templates application supports two predefined application specific
roles:

— ConfigurationTemplates_Administrator

Authorized for actions as an administrator in Configuration Templates (Read,
Create, Delete).

— ConfigurationTemplates_Operator

Authorized for actions as an operator in Configuration Templates (Read).

Prerequisite:
No prerequisites.

1.1.2.1.2.51.1 Configuration Templates Roles

Table 62
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
ADMINISTRATOR | configurationtemplates | read | View templates list
ADMINISTRATOR | configurationtemplates | create | Create new template
ADMINISTRATOR | configurationtemplates | delete | Delete templates
ConfigurationTemplates_Administrator | configurationtemplates | read | View templates list
ConfigurationTemplates_Administrator | configurationtemplates | create | Create new template
ConfigurationTemplates_Administrator | configurationtemplates | delete | Delete templates
ConfigurationTemplates_Operator | configurationtemplates | read | View templates list

1.1.2.1.2.52 Role Based Authorization for Operations Procedure Support

This section describes the Role Based Application Control (RBAC) functionality
for Operations Procedure Support (OPS).
OPS application supports one predefined application specific role:

— OPS_Operator

Allows access to OPS application.

Prerequisite:
No prerequisites.

1.1.2.1.2.52.1 Operations Procedure Support Roles

Table 63
Resources, actions, and associated commands allowed for each role

Role | Resource | Operations | Action/Command
OPS_Operator | ops_enm | execute | Execute/Launch OPS GUI

1.1.2.1.3 POSIX-Based Roles

All ENM roles provide access to ENM applications. Some roles however provide
access not only via UI (User Interface) or NBI (North Bound Interface), but also
via SSH (Secure Shell) connection. These roles are called POSIX-based roles.
POSIX (Portable Operating System Interface for uniX) is a set of standard
operating system interfaces based on the UNIX operating system.

Predefined POSIX-based roles are:

— Administrator

— Operator

— Predefined COM Roles

— Amos_Administrator

— Amos_Operator

— Element_Manager_Operator

— Scripting_Operator

— WinFIOL_Operator

— FIELD_TECHNICIAN

It is also possible to create custom roles supporting POSIX for the AMOS application.
See the sections Custom Roles on page 113 and AMOS ENM Roles and Associated Moshell
Commands on page 28 for details.

1.1.2.2 Node Roles

1.1.2.2.1 Predefined COM Roles

Table 64
Role name | Description
SystemAdministrator | Provides full control over Managed Element model fragments related to System Functions, Equipment, and Transport, excluding the fragment related to Security Management.
SystemSecurityAdministrator | Provides full control over the fragment of a Managed Element model related to Security Management.
SystemReadOnly | Provides read-only access to Managed Element model fragments related to System Functions, Equipment, and Transport, excluding the fragments related to Security Management.
ENodeB_Application_Administrator | Provides full control over eNodeB in DU Radio Node specific fragments of Managed Element model, including TN, FM, LM, PM, Log, and parts of equipment.
ENodeB_Application_SecurityAdministrator | Provides full control over eNodeB in DU Radio Node specific security features.
ENodeB_Application_User | Provides read-only access to eNodeB in DU Radio Node specific fragments of Managed Element model, including TN, FM, LM, PM, Log, and parts of equipment.
Support_Application_Administrator | Provides full control over Climate and Power Supply specific fragments of Managed Element model, including FM, PM, Log, and parts of equipment.
Support_Application_User | Provides read-only access to Climate and Power Supply specific fragments of Managed Element model, including FM, Log, PM, and parts of equipment.
RBS_Application_Operator | Provides read access to the entire MOM containment tree, except security management MOs. An application operator can also trigger MO actions.
EricssonSupport | Provides no access to any functional MO, only able to run specific PLM commands and Ericsson tools.
NodeB_Application_User | Provides read-only access to NodeB specific fragments of Managed Element model, including TN, FM, LM, PM, Log, and parts of equipment.
NodeB_Application_Administrator | Provides full control over NodeB specific fragments of Managed Element model, including TN, FM, LM, PM, Log, and parts of equipment.
Bts_Application_Administrator | Provides full control over GSM-based fragments.
BscApplicationAdministrator | Provides full control over all MO BscFunction=1 data. Corresponding MML printout commands are allowed to be executed.
Transport_Application_Administrator | General role able to configure Transport branch.
Transport_Application_SecurityAdministrator | Security role for operating on PacketCapture MO.
GNodeB_Application_Administrator | Provides full control over GNodeB specific fragments of Managed Element model, including TN, FM, LM, PM, Log and parts of equipment.
GNodeB_Application_SecurityAdministrator | Provides full control over GNodeB specific security features.
GNodeB_Application_User | Provides read-only access to GNodeB specific fragments of Managed Element model, including TN, FM, LM, PM, Log and parts of equipment.
NetconfPlatformAdministrator | Role for Netconf Platform Security Administrator.

All these roles are defined for COM/ECIM and VTFRadioNode nodes and the
privileges for these roles are defined on the node itself.

For advanced troubleshooting of node issues, Ericsson-supported user roles
need to be created as per the Node CPI guidelines.

1.1.2.3 User Defined Roles

Role Management allows the user to create roles of the following types:

COM roles represent privileges on Nodes supporting ECIM.

COM role aliases are a set of COM roles; grouping of roles facilitates easier
management.

Custom roles are roles consisting of a combination of ENM application
privileges and/or COM roles. Custom roles enable fine-grained security
restrictions based on particular use cases.

ENM system roles are predefined; the user cannot define system-wide roles. For
details on these roles, see the sections System-Wide Roles on page 12,
Predefined COM Roles on page 111, and Application Specific Roles on page 14.

For more information about Custom Roles see the section Custom Roles on page
113.

1.1.2.3.1 Custom Roles

In ENM there are System-wide roles, which are available regardless of which
ENM applications are deployed. There are also Application Specific Roles, which
are delivered with each ENM application, and Network Element Roles, which are
defined for different Network Elements. A user can be assigned to any
combination of these roles. When these roles are not sufficient, it is also
possible to define Custom Roles.
ENM applications can expose their resources and the actions that can be executed on
them. The Custom Roles framework allows a customer to define their own roles
based on these resources and actions. Custom Roles are finer grained than
the default application specific roles or default roles. These new custom roles can
be created, saved and associated with a user. Custom roles are capable of
containing entries with any combination of COM and ENM application use cases.

Example 1
The SHM_Operator role has the ability to perform the tasks:

— View software inventory

— View hardware inventory

— View license inventory

It can be desirable to further subdivide these tasks and to create a role that
allows a user to view the software inventory without privilege to view the license
or hardware inventories. Further functionality from other applications can be also
included in the same Custom Role.

It can be a valid scenario where two custom roles contain the same application
specific roles. For example, a customer can be taking a new feature at a later
point which would require the modification of only one of the custom roles.
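An added illustration of the resource:action model described above (example code written for this page, not ENM's own implementation): it takes the ULSA capabilities from Tables 49 and 50, builds a narrowed custom role in the spirit of Example 1, and checks a custom role both for prerequisites it omits and for privileges it grants beyond the predefined role it is meant to subdivide. The Role class, parse_capabilities, the PREREQUISITES table and the check functions are this example's own assumptions.

```python
"""Custom roles as sets of resource:action capability pairs.

Added example, not ENM code. Resource and action names come from Tables 49
and 50 of this guide (ulsa, cm_editor, logViewer_access); the Role class,
PREREQUISITES table and check functions are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Capability = Tuple[str, str]          # (resource, action)
# Actions used by Tables 49/50; other ENM resources use more (patch, launch).
VALID_ACTIONS = {"create", "read", "update", "delete", "execute", "query"}


@dataclass(frozen=True)
class Role:
    name: str
    capabilities: FrozenSet[Capability]


def parse_capabilities(spec: str) -> FrozenSet[Capability]:
    """Parse 'resource:action' entries separated by commas or whitespace.

    Malformed entries and unknown actions raise instead of being dropped,
    so a typo can neither widen a grant nor silently lose one.
    """
    caps: Set[Capability] = set()
    for entry in spec.replace(",", " ").split():
        resource, sep, action = entry.partition(":")
        if not sep or not resource or action not in VALID_ACTIONS:
            raise ValueError(f"bad capability entry: {entry!r}")
        caps.add((resource, action))
    return frozenset(caps)


# Predefined roles as Table 50 lists them.
ULSA_OPERATOR = Role("ULSA_Operator", parse_capabilities(
    "ulsa:read logViewer_access:read"))
ULSA_ADMINISTRATOR = Role("ULSA_Administrator", parse_capabilities(
    "ulsa:read ulsa:execute "
    "cm_editor:create cm_editor:read cm_editor:update "
    "cm_editor:execute cm_editor:delete logViewer_access:read"))

# Table 49: starting/stopping collection from the ENM CLI (ulsa:execute)
# only works when these capabilities are granted as well.
PREREQUISITES: Dict[Capability, FrozenSet[Capability]] = {
    ("ulsa", "execute"): parse_capabilities(
        "cm_editor:create cm_editor:read cm_editor:update "
        "cm_editor:execute cm_editor:delete logViewer_access:read"),
}


def effective_capabilities(roles: Iterable[Role]) -> FrozenSet[Capability]:
    """Union of everything the assigned roles grant."""
    caps: Set[Capability] = set()
    for role in roles:
        caps |= role.capabilities
    return frozenset(caps)


def is_authorized(roles: Iterable[Role], resource: str, action: str) -> bool:
    return (resource, action) in effective_capabilities(roles)


def missing_prerequisites(role: Role) -> FrozenSet[Capability]:
    """Capabilities Table 49 requires for a grant the role makes but omits."""
    missing: Set[Capability] = set()
    for cap in role.capabilities:
        missing |= PREREQUISITES.get(cap, frozenset()) - role.capabilities
    return frozenset(missing)


def excess_over(role: Role, baseline: Role) -> FrozenSet[Capability]:
    """What a custom role grants beyond the predefined role it is meant to
    narrow; a non-empty result means it is not a subdivision at all."""
    return role.capabilities - baseline.capabilities


# Example 1 from the text, transposed to ULSA: a custom role that may only
# process already collected files (a strict subset of ULSA_Operator).
ULSA_FILE_PROCESSOR = Role("ULSA_FileProcessor", parse_capabilities("ulsa:read"))

# A custom role that grants start/stop but omits the CLI prerequisites; its
# users pass the ulsa check and then fail at the cm_editor step.
ULSA_COLLECTOR_INCOMPLETE = Role("ULSA_Collector",
                                 parse_capabilities("ulsa:read, ulsa:execute"))

if __name__ == "__main__":
    for role in (ULSA_FILE_PROCESSOR, ULSA_COLLECTOR_INCOMPLETE, ULSA_ADMINISTRATOR):
        print(role.name, "missing prerequisites:", sorted(missing_prerequisites(role)))
    print("ULSA_FileProcessor exceeds ULSA_Operator by:",
          sorted(excess_over(ULSA_FILE_PROCESSOR, ULSA_OPERATOR)))
```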


1.1.2.3.1.1 Adaptation Roles

An adaptation role is a type of custom role with adaptation capabilities.
As for custom roles, adaptation roles allow creation of a fine-grained set of
application access rights in the form of resource-action pairs to support access
control for customer adaptations.

A customer adaptation is additional customer specific functionality developed for
a customer by Ericsson Services.

1.1.2.3.1.2 Capabilities

CU or other Services can create a customer specific solution and add specific access
control. The capabilities below can be used to apply access control to the customer
specific solutions. The capabilities provide RBAC support for customer
adaptations. The adaptation provider or installer (Ericsson Services) determines
the appropriate capability to use.

Table 65 Capabilities available for editing Custom Role

Application | Resource | Operation | Description
CREDM-CLI | credm | read | List certificate data of services.
CREDM-CLI | credm | execute | Re-issue certificate of one or more services.
Desktop Session Management | session_mgmt | create | Allows access to desktop session management application.
ESN Schema Registry | esn_schema_registry | read | Get Schemas from ESN Schema Registry.
Auto Provisioning | ap | read | Allows execution of the status and view autoprovisioning commands.
Auto Provisioning | ap | execute | Allows execution of the bind, cancel, delete, download, order, replace, resume, and upload autoprovisioning commands.
Analytic Session Record | asr | read | Allows to read information about any ASR configuration.
Analytic Session Record | asr | update | Allows to update any ASR configuration.
Analytic Session Record | asr | execute | Allows to activate/deactivate any ASR configuration.
Analytic Session Record | asr_l | read | Allows to read information about the ASR-L configuration.
Analytic Session Record | asr_l | update | Allows to update the ASR-L configuration.
Analytic Session Record | asr_l | execute | Allows to activate/deactivate the ASR-L configuration.
Analytic Session Record | asr_l_schema | read | Allows to read AVRO schema of ASR-L configuration.
CM Events NBI | cm-events-nbi | read | Get events/filters for cm events nbi.
CM Events NBI | cm-events-nbi | create | Create filters for cm events nbi.
CM Events NBI | cm-events-nbi | delete | Delete filters for cm events nbi.



BNSI | fm_services | read | Start BNSI NBI communication session.
BNSI | fm_services | query | Synchronize alarms action commands.
BNSI | fm_services | update | Enabling/Disabling filter control.
BNSI | fm_services | execute | Acknowledge/Terminate alarm action commands.
Node Security | credentials | create | Allows to execute the following use cases: create Node Credentials.
Node Security | credentials | update | Allows to execute the following use cases: update Node Credentials.
Node Security | credentials | read | Allows to execute the following use cases: read Node Credentials.
Node Security | ipsec | read | Allows to execute the following use cases: get Node IPSec status, get IPSec Certificate Enrollment State, get IPSec Trusted Certificates on Node.
Node Security | ipsec | execute | Allows to execute the following use cases: Issue/Reissue IPSec Node Certificates, Distribute IPSec Trusted Certificates, IPSec En/Dis.
Node Security | ipsec | delete | Allows to execute the following use cases: Remove IPSec Trusted Certificate.
Node Security | ldap | create | Allows to execute the following use cases: configure LDAP on Node.
Node Security | ldap | update | Allows to execute the following use cases: reconfigure LDAP on Node.
Node Security | oam | read | Allows to execute the following use cases: get Node Security Level Status, get OAM Certificate Enrollment State, get OAM Trusted Certificates on Node.
Node Security | oam | execute | Allows to execute the following use cases: Issue/Reissue OAM Node Certificates, Distribute OAM Trusted Certificates, OAM En/Dis.
Node Security | oam | delete | Allows to execute the following use cases: Remove OAM Trusted Certificate.
Node Security | snmpv3 | create | Allows to execute the following use cases: Create SNMPv3 authnopriv or authpriv security parameters.
Node Security | snmpv3 | update | Allows to execute the following use cases: Update SNMPv3 authnopriv or authpriv security parameters.
Node Security | snmpv3 | read | Allows to execute the following use cases: Get SNMPv3 authnopriv or authpriv security parameters.



Node Security | sshkey | create | Allows to execute the following use cases: create ssh-keys for Node.
Node Security | sshkey | update | Allows to execute the following use cases: update ssh-keys for Node.
Node Security | credentials_plain_text | read | Allows to execute the following use cases: read Node Credentials in plain text.
Node Security | crlcheck | update | Allows to execute the following use cases: update crlCheck status on Node.
Node Security | crlcheck | read | Allows to execute the following use cases: read crlCheck status on given Nodes.
Node Security | on_demand_crl_download | execute | Allows to execute the following use cases: start on demand crl download action on Node.
Node Security | ciphers | update | Allows to update the following use cases: start set ciphers action on Node.
Node Security | ciphers | read | Allows to execute the following use cases: read ciphers on given Nodes.
Node Security | rtsel | execute | Allows to execute the following use cases: Activate/Deactivate real time security event logging (RTSEL) feature on Node.
Node Security | snmpv3_plain_text | read | Allows to execute the following use cases: Read SNMPv3 authnopriv or authpriv security parameters.
Node Security | https | read | Allows to execute the following use cases: Activate/Deactivate HTTPS on Node.
Node Security | https | execute | Allows to execute the following use cases: read HTTPS status on given Node. Note: Activate and Deactivate HTTPS can be done only by CLI command. Using the Topology Browser HTTPS toggle button does not change HTTPS/HTTP properly.
Node Security | security_enrollment_download | execute | Allows to execute the following use cases: start security enrollment file download action for Node.
Node Security | capability | read | Allows to execute the following use cases: read Node Security Capabilities.
Node Security | ftpes | read | Allows to execute the following use cases: read FTPES status on given node.
Node Security | ftpes | execute | Allows to execute the following use cases: Activate/Deactivate FTPES on node.
Node CLI | nodecli_usertype_admin | execute | Launch Node CLI with admin_user.



Node CLI | nodecli_usertype_control | execute | Launch Node CLI with control_user.
Node CLI | nodecli_usertype_view | execute | Launch NodeVNFL CLI with view_user.
Scripting CLI scripting | scripting_cli_scripting | execute | Allows execution of Python scripts on scripting cluster.
PM Initiation and Collection | subscription | create | Allows to create any user defined Subscription to enable Performance Monitoring on the Network.
PM Initiation and Collection | subscription | update | Allows to update any Subscription.
PM Initiation and Collection | subscription | delete | Allows to delete any user defined Subscription.
PM Initiation and Collection | subscription | read | Allows to read information about the Subscriptions.
PM Initiation and Collection | subscription | execute | Allows to activate/deactivate any Subscription.
PM Initiation and Collection | statistical | create | Allows to create a Statistical Subscription, MO Instance and Cell Instance Subscription to enable Performance Monitoring on the Network.
PM Initiation and Collection | statistical | update | Allows to update a Statistical Subscription, MO Instance and Cell Instance Subscription.
PM Initiation and Collection | statistical | delete | Allows to delete a Statistical Subscription, MO Instance and Cell Instance Subscription.
PM Initiation and Collection | statistical | execute | Allows to activate/deactivate a Statistical Subscription, MO Instance and Cell Instance Subscription.
PM Initiation and Collection | res | create | Allows to create a RES Subscription to enable Performance Monitoring on the Network.
PM Initiation and Collection | res | update | Allows to update a RES Subscription.
PM Initiation and Collection | res | delete | Allows to delete a RES Subscription.
PM Initiation and Collection | res | execute | Allows to activate/deactivate a RES Subscription.
PM Initiation and Collection | celltrace_ebs-l | create | Allows to create a CellTrace/EBS-L Subscription to enable Performance Monitoring on the Network.
PM Initiation and Collection | celltrace_ebs-l | update | Allows to update a CellTrace/EBS-L Subscription and Continuous Cell Trace Subscription.
PM Initiation and Collection | celltrace_ebs-l | delete | Allows to delete a CellTrace/EBS-L Subscription.
PM Initiation and Collection | celltrace_ebs-l | execute | Allows to activate/deactivate a CellTrace/EBS-L Subscription and Continuous Cell Trace Subscription.
PM Initiation and Collection ctr create Allows to create a Cell Traffic
Recording Subscription (CTR)

2/1543-AOM 901 151-1 Uen C | 2018-07-25 117


ENM Identity and Access Management System Administrator Guide

Application Resource Operation Description


to enable Performance
Monitoring on the Network.
PM Initiation and Collection ctr update Allows to update a Cell Traffic
Recording Subscription (CTR).
PM Initiation and Collection ctr delete Allows to delete a Cell Traffic
Recording Subscription (CTR).
PM Initiation and Collection ctr execute Allows to activate/deactivate a
Cell Traffic Recording
Subscription (CTR).
PM Initiation and Collection ebm_ebs-m create Allows to create a EBM/EBS-M
Subscription to enable
Performance Monitoring on the
Network.
PM Initiation and Collection ebm_ebs-m update Allows to update a EBM/EBS-
M Subscription.
PM Initiation and Collection ebm_ebs-m delete Allows to delete a EBM/EBS-M
Subscription.
PM Initiation and Collection ebm_ebs-m execute Allows to activate/deactivate a
EBM/EBS-M Subscription.
PM Initiation and Collection uetrace create Allows to create a UETrace
Subscription to enable
Performance Monitoring on the
Network.
PM Initiation and Collection uetrace update Allows to update a UETrace
Subscription.
PM Initiation and Collection uetrace delete Allows to delete a UETrace
Subscription.
PM Initiation and Collection uetrace execute Allows to activate/deactivate a
UETrace Subscription.
PM Initiation and Collection uetr create Allows to create a UETR
Subscription to enable
Performance Monitoring on the
Network.
PM Initiation and Collection uetr update Allows to update a UETR
Subscription.
PM Initiation and Collection uetr delete Allows to delete a UETR
Subscription.
PM Initiation and Collection uetr execute Allows to activate/deactivate a
UETR Subscription.
PM Initiation and Collection ctum update Allows to update a CTUM
Subscription.
PM Initiation and Collection ctum execute Allows to activate/deactivate a
CTUM Subscription.
PM Initiation and Collection gpeh create Allows to create a GPEH
Subscription to enable
Performance Monitoring on the
Network.
PM Initiation and Collection gpeh update Allows to update a GPEH
Subscription.
PM Initiation and Collection gpeh delete Allows to delete a GPEH
Subscription.
PM Initiation and Collection gpeh execute Allows to activate/deactivate a
GPEH Subscription.
AMOS amos_em read Allows execution of the MO
READ (get) commands.
AMOS amos_em create Allows execution of the MO
WRITE (set) commands.
AMOS amos_em patch Allows execution of the MO
WRITE (fset) commands.


AMOS | amos_em | execute | Allows execution of the TELNET (fro) commands.
GIM-ECIM | gim_ecim_user_mgmt | read | Allows execution of the get GIM ECIM user operation.
GIM-ECIM | gim_ecim_user_mgmt | create | Allows execution of the create GIM ECIM user operation.
GIM-ECIM | gim_ecim_user_mgmt | update | Allows execution of the update GIM ECIM user operation.
GIM-ECIM | gim_ecim_user_mgmt | delete | Allows execution of the delete GIM ECIM user operation.
Element Manager | element_manager | read | Allows read-only operations in Cabinet Viewer and all operations in Element Manager.
Element Manager | element_manager | execute | Allows write operations in Cabinet Viewer and all operations in Element Manager.
Kpi Service | kpi_service | read | Allows querying the KPI service for calculated KPI values.
VNFLCM | vnflcm | read | Launch VNFLCM GUI, view workflow and instance details.
VNFLCM | vnflcm | execute | Launch VNFLCM GUI, start and complete an instance of a workflow.
FLS NBI | file-lookup-service | read | Get metadata for PM files.
NetworkExplorer | modelInformationService | read | Read Models and associated attributes in NetworkExplorer and TopologyBrowser.
NetworkExplorer | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results.
NetworkExplorer | topologySearchService | read | Perform searches in Network Explorer. Requires resource 'searchExecutor' to perform searches.
NetworkExplorer | Collections_Public | read | Read public collection. This resource can also be exported to file.
NetworkExplorer | Collections_Public | create | Create public collection.
NetworkExplorer | Collections_Public | update | Update public collection.
NetworkExplorer | Collections_Public | delete | Delete public collection.
NetworkExplorer | Collections_Private | read | Read private collection. This resource can also be exported to file.
NetworkExplorer | Collections_Private | create | Create private collection.
NetworkExplorer | Collections_Private | update | Update private collection.
NetworkExplorer | Collections_Private | delete | Delete private collection.
NetworkExplorer | SavedSearch_Public | read | Read public saved search.
NetworkExplorer | SavedSearch_Public | create | Create public saved search.
NetworkExplorer | SavedSearch_Public | update | Update public saved search.
NetworkExplorer | SavedSearch_Public | delete | Delete public saved search.
NetworkExplorer | SavedSearch_Private | read | Read private saved search.
NetworkExplorer | SavedSearch_Private | create | Create private saved search.


NetworkExplorer | SavedSearch_Private | update | Update private saved search.
NetworkExplorer | SavedSearch_Private | delete | Delete private saved search.
NetworkExplorer | CollectionOthers_Public | read | Read other users' public collections. This resource can also be exported to file.
NetworkExplorer | CollectionOthers_Public | update | Update other users' public collections.
NetworkExplorer | CollectionOthers_Public | delete | Delete other users' public collections.
NetworkExplorer | SavedSearchOthers_Public | read | Read other users' public saved searches.
NetworkExplorer | SavedSearchOthers_Public | update | Update other users' public saved searches.
NetworkExplorer | SavedSearchOthers_Public | delete | Delete other users' public saved searches.
NetworkExplorer | SavedSearchOthers_Private | read | Read other users' private saved searches.
NetworkExplorer | SavedSearchOthers_Private | update | Update other users' private saved searches.
NetworkExplorer | SavedSearchOthers_Private | delete | Delete other users' private saved searches.
NetworkExplorer | CollectionOthers_Private | read | Read other users' private collections. This resource can also be exported to file.
NetworkExplorer | CollectionOthers_Private | update | Update other users' private collections.
NetworkExplorer | CollectionOthers_Private | delete | Delete other users' private collections.
NetworkExplorer | nested_collection | read | Allows the user to read nested collections.
NetworkExplorer | nested_collection | create | Allows the user to create nested collections.
NetworkExplorer | nested_collection | delete | Allows the user to delete nested collections.
NetworkExplorer | nested_collection | update | Allows the user to update nested collections.
NetworkExplorer | system_created_object | create | Allows the user to create objects in Network Explorer which will be marked as System Created.
NetworkExplorer | system_created_object | delete | Allows the user to delete system created objects in Network Explorer.
NetworkExplorer | topologyCollectionsService | create | Deprecated by the new Collections/SavedSearch capabilities. Create Collections and Saved Searches.
NetworkExplorer | topologyCollectionsService | delete | Deprecated by the new Collections/SavedSearch capabilities. Delete Collections and Saved Searches.
NetworkExplorer | topologyCollectionsService | update | Deprecated by the new Collections/SavedSearch capabilities. Update Collections and Saved Searches.
NetworkExplorer | topologyCollectionsService | read | Deprecated by the new Collections/SavedSearch capabilities. View Collections and Saved Searches.
TopologyBrowser | persistentobjectservice | read | Allows reading and navigating persistent objects in TopologyBrowser and NetworkExplorer.
TopologyBrowser | persistentobjectservice | update | Update models and associated attributes in TopologyBrowser and NetworkExplorer.
TopologyBrowser | rootAssociations | read | Allows the user to read associations between NetworkElements and ManagedObjects.
Node Version Support | node_version_support | execute | Allows execution of actions on the Node Version Support service, such as activating support for new network nodes.
Node Version Support | node_version_support | delete | Allows deletion of Node Version Support service results.
Node Version Support | node_version_support | read | Allows reading information from the Node Version Support service.
Scripting Cron Service | scripting_cron_service | execute | Allows users to use CRON scheduling on Scripting nodes.
NeConnectionService | neconnection_credentials_normaluser | read | Get credentials for UserType normalUser.
NeConnectionService | neconnection_credentials_secureuser | read | Get credentials for UserType secureUser.
NeConnectionService | neconnection_credentials_rootuser | read | Get credentials for UserType rootUser.
Scripting Access CLI | scripting_cli_access | execute | Allows access to the scripting cluster via ssh.
Cell Management NBI | cell-management-nbi | read | Execute any cell management request in 'TEST' mode.
Cell Management NBI | cell-management-nbi | create | Execute any cell management request in 'EXECUTE' mode.
SHM | cppinventorysynch_service | create | Allows creation of jobs such as Upgrade, Backup, License, Restore and DeleteBackup.
SHM | cppinventorysynch_service | execute | Allows viewing job related details (job progress/job logs) and inventory details (software/hardware/license/backup), importing and viewing Software Packages and License Key Files, and exporting Job Logs.
SHM | cppinventorysynch_service | delete | Allows deletion of Jobs, Software Packages and License Key Files.
SHM | cppinventorysynch_service | update | Allows continuing and cancelling a Job.
NSLCM | nslcm | execute | Launch NSLCM GUI and execute actions on a deployment.
Single Logon Service | sls-credentialmanagement | delete | Allows revoking the credentials of any user.
Network Health Monitor | nhm | read | Allows monitoring of selected nodes and viewing of KPI information.
Network Health Monitor | nhm | execute | Allows activation and deactivation of selected KPIs.
Network Health Monitor | nhm | update | Update selected custom defined KPIs.


Network Health Monitor | nhm | create | Create custom defined KPIs.
Network Health Monitor | nhm | query | Query the application for node and KPI data.
Network Health Monitor | nhm | delete | Delete selected custom defined KPIs.
Node Healthcheck | healthcheck | execute | Execute jobs and view reports.
Node Healthcheck | node_healthcheck | create | Allows creation of NHC reports.
Node Healthcheck | node_healthcheck | read | Allows viewing NHC reports.
Node Healthcheck | node_healthcheck | update | Allows continuing and cancelling an NHC report.
Node Healthcheck | node_healthcheck | execute | Allows executing and viewing NHC reports.
Node Healthcheck | node_healthcheck | delete | Allows deletion of NHC reports.
Node Healthcheck | node_healthcheck | query | Allows viewing NHC report related details.
FMX | fmxModuleManagement | execute | Perform Activate/Deactivate operations on Modules and change running Module parameters.
FMX | fmxModuleManagement | create | Perform Import/Load operations on Modules.
FMX | fmxModuleManagement | delete | Perform the Unload operation on Modules.
FMX | fmxModuleManagement | update | Create/Edit rules using the Rule Editor.
FMX | fmxModuleManagement | read | View Monitor graphs and subscribe to Rule Trace.
FMX | fmxModuleManagement | query | Query for archived/exported/loaded Modules and their status.
Automatic ID Management | autocellid_services | create | Create Automatic ID Management Profiles (except Closed Loop), Settings and Schedules.
Automatic ID Management | autocellid_services | read | Read Automatic ID Management Profiles, Settings, Conflict Results, Calculate Results and Schedules.
Automatic ID Management | autocellid_services | update | Update Automatic ID Management Profiles, Settings and Schedules; perform PCI Check, PCI Calculate and Fix PCI Conflicts on the Network.
Automatic ID Management | autocellid_services | delete | Delete Automatic ID Management Profiles, Settings and Schedules.
CM-CLI | cm_editor | read | Read Network Configuration Data.
CM-CLI | cm_editor | create | Create Network Configuration Data.
CM-CLI | cm_editor | execute | Perform modelled actions on Network Configuration Data.
CM-CLI | cm_editor | update | Update Network Configuration Data.
CM-CLI | cm_editor | delete | Delete Network Configuration Data.


CM-CLI | cm_config | read | Capability to use the Config Diff, List, History and Undo commands.
CM-CLI | cm_config | create | Capability to use the Config Create command.
CM-CLI | cm_config | execute | Capability to use the Config Activate command.
CM-CLI | cm_config | update | Capability to use the Config Copy command.
CM-CLI | cm_config | delete | Capability to use the Config Delete command.
CM-CLI | bulk_import | execute | Capability to use the Bulk Import command.
CM-CLI | lcm | read | Capability to get license information and list installed licenses.
CM-CLI | lcm | create | Capability to install licenses.
CM-CLI | lcm | execute | Capability to activate Emergency Unlock.
CM-CLI | lcm | update | Capability to set license thresholds.
CM-CLI | lcm | delete | Capability to remove a license.
CM-CLI | lcm | query | Capability to export license usage.
Scripting NBI Decoding | scripting_nbi_decoder | execute | Allows running the NBI decoder on the scripting cluster.
Scripting LTE Celltrace Decoding | scripting_decoder_lte_celltrace | execute | Allows running the LTE Celltrace decoder on the scripting cluster.
Scripting LTE UE Trace Decoding | scripting_decoder_lte_uetrace | execute | Allows running the LTE UE Trace decoder on the scripting cluster.
Scripting MME CTUM Decoding | scripting_decoder_mme_ctum | execute | Allows running the MME CTUM decoder on the scripting cluster.
Scripting MME EBM Decoding | scripting_decoder_mme_ebm | execute | Allows running the MME EBM decoder on the scripting cluster.
Scripting MME UE Trace Decoding | scripting_decoder_mme_uetrace | execute | Allows running the MME UE Trace decoder on the scripting cluster.
Scripting RNC CTR Decoding | scripting_decoder_rnc_ctr | execute | Allows running the RNC CTR decoder on the scripting cluster.
Scripting RNC GPEH Decoding | scripting_decoder_rnc_gpeh | execute | Allows running the RNC GPEH decoder on the scripting cluster.
Scripting RNC UETR Decoding | scripting_decoder_rnc_uetr | execute | Allows running the RNC UETR decoder on the scripting cluster.
TND-Discovery | NodeDiscovery | create | Allows the following use cases: create discovery connection profile, create discovery activity.
TND-Discovery | NodeDiscovery | update | Allows the following use cases: update discovery connection profile, update discovery activity.
TND-Discovery | NodeDiscovery | delete | Allows the following use cases: delete discovery connection profile, delete discovery activity.
TND-Discovery | NodeDiscovery | read | Allows the following use cases: view discovery connection profiles, view discovery activities and details.


TND-Discovery | NodeDiscovery | execute | Allows the following use cases: start/stop the discovery activity.
WinFIOL | winfiol_enm | execute | Launch WinFIOL CLI or WinFIOL GUI.
Security-PKI | caEntity_cert_mgmt | create | Allows generating a CRL and a CAEntity certificate.
Security-PKI | caEntity_cert_mgmt | update | Allows reissuing, revoking, publishing and unpublishing CAEntity certificates, and publishing and unpublishing CRLs.
Security-PKI | entity_mgmt | create | Allows creating entities.
Security-PKI | entity_mgmt | update | Allows updating entities.
Security-PKI | entity_mgmt | delete | Allows deleting entities.
Security-PKI | entity_cert_mgmt | create | Allows generating entity certificates.
Security-PKI | entity_cert_mgmt | update | Allows renewing, rekeying and revoking entity certificates.
Security-PKI | caEntity_mgmt | create | Allows creating CA entities.
Security-PKI | caEntity_mgmt | update | Allows updating CA entities.
Security-PKI | caEntity_mgmt | delete | Allows deleting CA entities.
Security-PKI | read_algorithms | read | Allows retrieving algorithms.
Security-PKI | read_caEntities | read | Allows reading CAEntities.
Security-PKI | read_caCerts | read | Allows listing CRLs and downloading a CRL.
Security-PKI | read_entities | read | Allows reading Entities.
Security-PKI | read_entityCerts | read | Allows reading Entity certificates.
Security-PKI | read_crls | read | Allows reading CRLs.
Security-PKI | read_extCA | read | Allows reading External CAs.
Security-PKI | read_profiles | read | Allows reading profiles.
Security-PKI | update_algorithms | update | Allows updating algorithms.
Security-PKI | profile_mgmt | create | Allows creating profiles.
Security-PKI | profile_mgmt | update | Allows updating profiles.
Security-PKI | profile_mgmt | delete | Allows deleting profiles.
Security-PKI | extCA_mgmt | create | Allows creating an external CA.
Security-PKI | extCA_mgmt | update | Allows updating an external CA.
Security-PKI | extCA_mgmt | delete | Allows deleting an external CA.
Security-PKI | secgw_cert_mgmt | create | Allows generating a certificate for the security gateway.
NetworkLog | netlogService | query | Retrieve the list of supported logs for each node, or retrieve the progress of an ongoing log collection in Network Logs.
NetworkLog | netlogService | execute | Collect supported logs for nodes.
NetworkLog | netlogService | read | Request the export of Node Logs collected by ENM into user defined storage.
NetworkLog | netlogService | delete | Delete Node Logs from the ENM SFS.


CM NBI | cm_config_rest_nbi | read | Read network configuration data through REST NBI services.
CM NBI | cm_config_rest_nbi | create | Create network configuration data through REST NBI services.
CM NBI | cm_config_rest_nbi | update | Update network configuration data through REST NBI services.
CM NBI | cm_config_rest_nbi | execute | Perform the activate operation on network configuration data through REST NBI services.
CM NBI | cm_config_rest_nbi | delete | Delete network configuration data through REST NBI services.
CM NBI | cm_bulk_rest_nbi | read | Get information about bulk import/export jobs through REST NBI services.
CM NBI | cm_bulk_rest_nbi | create | Execute bulk import/export operations through REST NBI services.
CM NBI | cm_bulk_rest_nbi | delete | Delete bulk import/export data through REST NBI services.
Log Viewer | logViewer_access | read | Allows read access to Log Viewer.
FM | alarm_export | query | Query Open/History alarm data in order to export it.
FM | alarm_overview | query | Query Open alarm data to show the overview.
FM | alarms_search | query | Query Open or History alarm data.
FM | alarm_policies | create | Create Alarm Route Policies.
FM | alarm_policies | query | List the Alarm Route Policies.
FM | alarm_policies | update | Update Alarm Route Policies.
FM | alarm_policies | delete | Delete Alarm Route Policies.
FM | open_alarms | execute | Perform ACK/UNACK and CLEAR operations on open alarms.
FM | open_alarms | update | Update the comments on alarms.
FM | open_alarms | query | Query Open alarm data.
FM | nodes | execute | Enable/disable Supervision on Network Elements and initiate Alarm Synchronization.
FM | nodes | query | Query the SupervisionState and CurrentServiceState.
FM | nodes | update | Update the values of HeartBeat Timeout, Automatic Synchronization and other attributes under the FmAlarmSupervision and FmFunction children.
FM | error_event | create | Enable/disable Supervision on Network Elements and initiate Alarm Synchronization.
FM | error_event | read | Query the SupervisionState and CurrentServiceState.


FM | translationmap_conversionrule | update | Update the TranslationMap for nodes based on probability.
FM | translationmap_conversionrule | read | Query the TranslationMap for nodes.
Cell Management GUI | cell-management-gui | read | Get the list of cell information and cell related parameters.
Cell Management GUI | cell-management-gui | update | Update the AdministrativeState of a cell.
Parameter Management | parametermanagement | execute | View and edit configuration parameter data.
Parameter Management | parametermanagement | update | Update configuration parameter data to the network.
SON Optimization Manager Portal | manage_regions | read | Allows access to Manage Regions in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_manage_instances | read | Allows access to Manage SON Data Gateway Connections in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_configure_flavor | read | Allows access to Configure SON Data Gateway Collection Task in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_toggle_flavor | read | Allows access to Toggle SON Data Gateway Collection Task in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_start_task | read | Allows access to Start SON Data Gateway Collection Task in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_stop_task | read | Allows access to Stop SON Data Gateway Collection Task in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_set_mysql | read | Allows access to Set SON Data Gateway MySQL Host in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_reset_database | read | Allows access to Reset SON Data Gateway Database(s) in SON Optimization Manager Portal.
SON Optimization Manager Portal | sdg_repair_database | read | Allows access to Repair SON Data Gateway Database(s) in SON Optimization Manager Portal.
SON Optimization Manager Portal | sis_manage_instances | read | Allows access to Manage SON Implementation Service Connections in SON Optimization Manager Portal.
SON Optimization Manager Portal | sis_manage_profiles | read | Allows access to Manage SON Implementation Service Profiles in SON Optimization Manager Portal.
SON Optimization Manager Portal | sis_schedule_task | read | Allows access to Schedule SON Implementation Service Implementation Task in SON Optimization Manager Portal.
SON Optimization Manager Portal | sis_remove_task | read | Allows access to Remove SON Implementation Service Implementation Task in SON Optimization Manager Portal.
SON Optimization Manager Portal | sis_set_mysql | read | Allows access to Set SON Implementation Service MySQL Host in SON Optimization Manager Portal.
SON Optimization Manager Portal | sis_set_shared_data_path | read | Allows access to Set SON Implementation Service Shared Data Path in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_user | read | Allows access to SON Application Service User in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_manage_instances | read | Allows access to Manage SON Application Service SON Connections in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_toggle_use_case | read | Allows access to Toggle SON Application Service Use Case in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_configure_use_case | read | Allows access to Configure SON Application Service Use Case in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_start_use_case | read | Allows access to Start SON Application Service Use Case in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_manage_exceptions | read | Allows access to Manage SON Application Service Exceptions in SON Optimization Manager Portal.
SON Optimization Manager Portal | sas_set_mysql | read | Allows access to Set SON Application Service MySQL Host in SON Optimization Manager Portal.
SON Optimization Manager Portal | acom_user | read | Allows access to ACOM User in SON Optimization Manager Portal.
SON Optimization Manager Portal | acom_manage_instances | read | Allows access to Manage ACOM Connections in SON Optimization Manager Portal.
SON Optimization Manager Portal | acom_toggle_use_case | read | Allows access to Toggle ACOM Use Cases in SON Optimization Manager Portal.
SON Optimization Manager Portal | acom_configure_use_case | read | Allows access to Configure ACOM Use Case in SON Optimization Manager Portal.
SON Optimization Manager Portal | acom_start_use_case | read | Allows access to Start ACOM Use Case in SON Optimization Manager Portal.
Note: every SON Optimization Manager Portal resource is granted through the read operation, including state-changing tasks such as Start, Stop, Set MySQL Host, Reset and Repair; treat these read grants as write-level privileges when building custom roles.
FM SNMP NBI | nbi_fm_snmp_subscribe | read | List FM SNMP NBI subscriptions.
FM SNMP NBI | nbi_fm_snmp_subscribe | execute | Create and delete FM SNMP NBI subscriptions.
FM SNMP NBI | nbi_fm_snmp_manager | execute | Operate as an FM NBI SNMP manager.
ADD-NODE | add_node | write | Create a Network Element.
Uplink Spectrum Analyzer | ulsa | read | Allows processing of already collected Uplink Spectrum files.


Uplink Spectrum Analyzer | ulsa | execute | Allows starting/stopping Uplink Spectrum file collection.
Business Objects and Network Analytics | netan-server-admin-access | read | Allows access to the Network Analytics Server Analyst and Network Analytics Server Web Player service.
Business Objects and Network Analytics | netan-business-analyst-access | read | Allows access to the Network Analytics Server Analyst and Network Analytics Server Web Player service.
Business Objects and Network Analytics | netan-business-author-access | read | Allows access to the Network Analytics Server Web Player.
Business Objects and Network Analytics | netan-consumer-access | read | Allows access to the Network Analytics Server Web Player.
Business Objects and Network Analytics | bo-admin-access | read | Allows administrator access to Business Objects client tools and web applications.
Business Objects and Network Analytics | bo-report-operator-access | read | Allows access to BI Launch Pad and the Web Intelligence Rich Client Tool.
Business Objects and Network Analytics | bo-universe-access | read | Allows access to the Universe Design Tool and Information Design Tool.
Bulk Configuration | cm_bulk_import_ui | read | Allows viewing of import job(s) in the Bulk Configuration UI.
Bulk Configuration | cm_bulk_import_ui | create | Allows creating import job(s) from the Bulk Configuration UI.
Bulk Configuration | cm_bulk_import_ui | delete | Allows deleting import job(s) in the Bulk Configuration UI.
EEA | eea | read | Launch the Ericsson Expert Analytics (EEA) UI.
Autonomic Incident Management | AIM | read | Allows monitoring of Autonomic Incident Management.
Autonomic Incident Management | AIM | update | Allows the user to update Network and KPI scoping for Autonomic Incident Management.
Target Group Management | target_group_mgmt | read | List target group details and the targets of a target group.
Target Group Management | target_group_mgmt | create | Create a target group.
Target Group Management | target_group_mgmt | patch | Change the description of a target group and the assignment of targets in a target group.
Target Group Management | target_group_mgmt | delete | Delete a target group.
Target Group Management | target_group_mgmt | query | List all target groups.
Target Group Management | target_handlers_manager | query | Request node data from DPS.
Adaptation subscription | adaptation_subscription | execute | Allows access to adaptation PM subscription actions for Performance Monitoring on the Network.
Adaptation FM NB integration | adaptation_fm_nb_integration | execute | Execute access for adaptation_fm_nb_integration.
Adaptation element manager | adaptation_element_manager | execute | Allows all operations for an Element Manager which is available as a customer adaptation.
Adaptation Node CLI | adaptation_nodecli | execute | Launch Adaptation Node CLI.


Adaptation Installer | adaptation_installer | execute | Allows all actions (including install and remove) for custom adaptation actions and scripts.
Adaptation trouble ticketing | adaptation_trouble_ticketing | execute | Execute access for the adaptation to sync with an external trouble ticketing system.
Adaptation PM NB integration | adaptation_pm_nb_integration | execute | Execute access for adaptation_pm_nb_integration.
Adaptation inventory synch | adaptation_inventorysynch | execute | Allows executing supported adaptation Node actions such as Upgrade, Backup, Restore and Delete Backup.
Adaptation launch help | adaptation_launch_help | execute | Allows access to non-standard help to support an adaptation.
Adaptation CM NB integration | adapation_cm_nb_integration | execute | Execute access for adaptation_cm_nb_integration.
Adaptation healthcheck | adaptation_healthcheck | execute | Execute adaptation Node HealthCheck.
Adaptation Solution 1 | adaptation_solution_1 | execute | Execute access for adaptation_solution_1.
Adaptation Solution 2 | adaptation_solution_2 | execute | Execute access for adaptation_solution_2.
Adaptation Solution 3 | adaptation_solution_3 | execute | Execute access for adaptation_solution_3.
Adaptation Solution 4 | adaptation_solution_4 | execute | Allows all access for adaptation_solution_4.
Adaptation Solution 5 | adaptation_solution_5 | execute | Allows all access for adaptation_solution_5.
Physical Link Management | link_management | read | Allows viewing the link details.
Physical Link Management | link_management | create | Allows creating links.
Physical Link Management | link_management | update | Allows updating links.
Physical Link Management | link_management | delete | Allows deleting links.
Physical Link Management | link_management | query | Allows querying the link details.
Configuration Templates | configurationtemplates | read | Allows viewing the list of templates in the Configuration Templates application.
Configuration Templates | configurationtemplates | create | Allows creation of template(s) in the Configuration Templates application.
Configuration Templates | configurationtemplates | delete | Allows deletion of template(s) in the Configuration Templates application.
Network Viewer | networkviewer | update | Manage network.
Network Viewer | networkviewer | read | Explore network.
Ops | ops_enm | execute | Launch the Operations Procedure Support GUI.

1.1.3 Target Groups Management

Target Group Management gives network administrators the capability to restrict users' access to network resources. Network objects can be collected into groups; the grouped entities are known as targets. Users can then be assigned access to target groups.

The concept of Target Group Management is to allow a managed network to be subdivided into a number of target groups. A target group is a grouping of targets. These groups are then used for granting access to end users. An important distinction is between targets and target groups.

A target group is a logical grouping of targets, whilst a target is associated with an entity managed by ENM; these entities are Network Elements, VNFMs, NFVOs, and other Management Systems.

A user can be assigned to a target group, and targets can then be added to or removed from the target group as needed without constantly having to modify the user.

A target group is a concept that is internal to ENM. An entity managed by ENM is unaware of the target group to which it has been assigned.

ENM supports two different scenarios:

— Node Level Scenario: the target group is used, indirectly, by a network element when centralized Authentication and Authorization (AA) is in use. With centralized AA, when a user attempts to log in to the network element, the network element queries the AA system to see whether the user can connect to that target. The Target Group concept is utilized only for nodes supporting ECIM. A target defined on the node is represented in ENM by a target group. See the section Access Control for Nodes Supporting ECIM on page 131.

— Application Level Scenario: the target group is used by an ENM application to determine if a user can perform an operation on a specific target.

Target Group Management allows to:

— Define the Target Group

— Delete the Target Group

— Update the existing Target Group

For every user it is possible to assign Target Groups for:


— Each COM role or COM alias to use in Node Level scenario.

— All ENM system roles and custom roles to use in Application Level scenario.

In both cases there are three options to choose:

Assign Manually User must manually assign at least one Target Group.

Assign ALL Predefined Target Group assigns all targets.

130 2/1543-AOM 901 151-1 Uen C | 2018-07-25


Identity and Access Management System

Assign NONE Predefined Target Group assigns no targets.

Note: COM roles and COM alias have assigned Target Group NONE by default.
ENM System role and custom role have assigned Target Group ALL by
default.

Target Group name must comply with following policy:


— Only alpha(upper/lower case), numeric, underscore, dash, dot characters are
allowed.

— Name must start with a letter.

1.2 Access Control for Nodes Supporting ECIM


ENM supports the Access Control function for nodes supporting ECIM, using LDAP
(Lightweight Directory Access Protocol), either in clear or protected with TLS
(Transport Layer Security), or LDAPS (LDAP over SSL) to authenticate and
authorize users who are provisioned in ENM. Unprotected LDAP exposes the
user's credentials on the network between the node and ENM, so one of the
TLS-protected variants should be used wherever the node supports it.

ECIM Node Roles and Role Aliases

— ENM supports authorization based on the COM role and role alias concept.

— The term "COM role" represents privileges on the node.

— The term "COM role alias" represents a group of COM roles.

— A Security Administrator can manage these roles using the Role Management
application in ENM.

For more information about roles and the COM roles, see Role Management
on page 9.

Note: COM roles and COM role aliases are case-sensitive.

1.2.1 Targets and Target Groups

— A target group is a grouping of targets. These groups are used for granting
access to end users.

— Target Groups can be created and deleted in ENM using the Target Group
Management user interface.

— The membership of targets in target groups is not currently managed in ENM;
it must be provisioned on every node that is to be included in a target group,
using the targetType attribute.

— The target string information for the node is set with the ENM CLI
application on the targetType attribute of the UserManagement MO (MO path
ManagedElement, SystemFunctions, SecM, UserManagement). This attribute defines
the list of target strings the node belongs to.

— targetType on the node can contain several values. Besides the name of the
ManagedElement, the names of the target groups the node is part of must be
set. A target string value can represent a target group name.

— targetType always contains the name of the Managed Element, which is the
value of the attribute networkManagedElementId in the MO ManagedElement.

— By default, ENM assigns roles to a user with the predefined target group
NONE, which means that the user has no privileges on any node, regardless of
the target groups defined on the nodes.

— To grant a user access to a node when creating the user and assigning target
groups, the target group that grants access to those particular nodes must be
explicitly assigned to the user.

— For security reasons, it is not recommended to assign target group ALL to a
user, as it grants the user privileges on all nodes.

— The node must be synced before the targetType attribute under
ManagedElement, SystemFunctions, SecM, UserManagement can be modified.

— The target group in ENM must be created before the targetType attribute is
set on the node. Otherwise, authentication of users to this node does not
work correctly.

— ENM has a special user, COMuser, not visible in the UI, created during
installation with target group ALL assigned. This user is used internally by
ENM applications and must never be deleted, even by users with Security
Administrator privileges. If this user is accidentally removed, it must be
created again; otherwise ENM applications do not work properly.

Note: Router 6672 does not support all security related ECIM fragments from
18A onwards.

For more information about targets and target groups, see Target Groups
Management on page 129.

1.2.2 Example of Setting Target Group Information for the Node

While adding a node to ENM, the targetType attribute under ManagedElement,
SystemFunctions, SecM, UserManagement must be configured with the ENM CLI
application, for example with the value "ManagedElement1;SOUTH".

This means that the node has the target string "ManagedElement1" and belongs
to the target group "SOUTH".

The administrator creates the target group "SOUTH" in ENM.

By assigning a user the COM role "SystemAdministrator" with target group
"SOUTH", the administrator gives that user "SystemAdministrator" privileges on
all nodes whose targetType contains the value "SOUTH".
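The matching described in the two sections above, as an added example that is not part of this guide or of ENM's own code: a small Python model of Target Group assignment (ALL, NONE, or a manual list), of the name policy from Target Groups Management, and of the lookup that grants a COM role on a node from the node's targetType value. The registry set, the User class and all function names are assumptions made for the example, not ENM APIs; the per-node case (a Target Group named after one Managed Element) is an inference from the guide's rule that targetType always contains the Managed Element name.

```python
import re
from dataclasses import dataclass, field

# Target Group name policy from the guide: letters, digits, underscore, dash and
# dot only, and the first character must be a letter.
_TARGET_GROUP_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_.\-]*")

ALL = "ALL"    # predefined Target Group: every target
NONE = "NONE"  # predefined Target Group: no target (default for COM roles and aliases)


def valid_target_group_name(name: str) -> bool:
    return _TARGET_GROUP_NAME.fullmatch(name) is not None


def create_target_group(registry: set, name: str) -> None:
    """Model of creating a Target Group in ENM; the registry set stands in for
    the groups that exist in ENM (assumed structure, not an ENM API)."""
    if not valid_target_group_name(name):
        raise ValueError(f"invalid Target Group name: {name!r}")
    registry.add(name)


def parse_target_type(value: str) -> list:
    """Split a node's targetType value, e.g. "ManagedElement1;SOUTH", into its
    target strings: the Managed Element name plus the Target Group names."""
    return [part for part in value.split(";") if part]


@dataclass
class User:
    name: str
    # COM role or role alias -> ALL, NONE, or a frozenset of Target Group names
    com_roles: dict = field(default_factory=dict)


def assign_com_role(user: User, role: str, target_groups, registry: set) -> None:
    """Assign a COM role using one of the three options the guide describes:
    ALL, NONE, or a manual list of at least one Target Group. Manual names must
    already exist in ENM (the guide requires the group to be created first)."""
    if target_groups in (ALL, NONE):
        user.com_roles[role] = target_groups
        return
    groups = frozenset(target_groups)
    if not groups:
        raise ValueError("manual assignment needs at least one Target Group")
    unknown = sorted(groups - registry)
    if unknown:
        raise ValueError(f"Target Group(s) not created in ENM: {unknown}")
    user.com_roles[role] = groups


def effective_com_roles(user: User, target_type_value: str) -> set:
    """COM roles the centralized AA lookup grants `user` on a node whose
    targetType attribute holds `target_type_value`. Because targetType always
    includes the Managed Element name, a Target Group named after one node
    matches only that node (inferred from the guide). Matching is exact and
    case-sensitive, as COM roles and target strings are."""
    targets = set(parse_target_type(target_type_value))
    granted = set()
    for role, scope in user.com_roles.items():
        if scope == ALL:
            granted.add(role)
        elif scope == NONE:
            continue          # the default: no privileges on any node
        elif scope & targets:
            granted.add(role)
    return granted


if __name__ == "__main__":
    enm_groups = set()
    create_target_group(enm_groups, "SOUTH")
    alice = User("alice")
    assign_com_role(alice, "SystemAdministrator", ["SOUTH"], enm_groups)
    print(effective_com_roles(alice, "ManagedElement1;SOUTH"))   # {'SystemAdministrator'}
    print(effective_com_roles(alice, "ManagedElement2;NORTH"))   # set()
```

The model makes the guide's recommendation concrete: a user left at the NONE default gets nothing anywhere, a user given ALL gets the role on every node regardless of what the nodes carry in targetType, and only an explicit, existing group name narrows the role to the nodes that list it.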

1.3 User Data Provisioning Principles


This section outlines the implementation principles of the ENM Security
Identity and Access Management solution.

All user data is stored in PostgreSQL, which is the primary User Management
database.

PostgreSQL is deployed as active/passive, so in case of an upgrade or a DB node
failure the database is unavailable for 30 seconds. User Management is
unavailable for that duration.

Data stored in the PostgreSQL database must be synchronized to LDAP so that it
is accessible to other components (for instance Single Sign-On and Access
Control).

If data is not synchronized to LDAP, the following can occur:

— A user cannot log on with a newly created user account or a changed
password.

— A user's authorization scope is not updated.

The OpenIDM component is responsible for database synchronization. It is
deployed as active/passive. In the event of node (blade) failure or upgrade,
synchronization can be interrupted for five minutes due to OpenIDM failover.

Data is synchronized in batches. The time needed to synchronize a user depends
on the number of users in the system. The same delay applies to any change that
must reach LDAP before it takes effect, so allow for it when revoking access.

Table 66

Number of users in the system | Maximum time for updating one user [s]
0 | 3
500 | 5
1000 | 10
2000 | 15
5000 | 35

When users are created in batches, the synchronization time increases.

Table 67

Number of users to be created/updated | Maximum time for synchronizing all users [s]
500 | 60
1000 | 300
2000 | 600
5000 | 3000

When a custom role is created or modified, it takes up to 70 seconds to
distribute this change within the entire system.

This behavior is expected during upgrade, failover, and normal ENM operation.

1.4 Managing System Configuration and Utilities

1.4.1 Password Handling

The following password policies are enforced:


— Password Complexity

— Force Password Change

— Password Lockout

— Password Ageing

— Password History

The password policies can be modified by any user with the Security
Administrator role, from the System Security Configuration section of the ENM
Launcher or through the REST interface described in the Validation Management
Interface and Validation Rules section of the Identity and Access Management
Programmers Guide, 19817-cna 403 3016 Uen.

1.4.1.1 Password Complexity

When creating or updating a user password, the new password has to conform to
all of the following password complexity policies (default values):

— Minimum password length is eight characters.

— Maximum password length is 32 characters.

— Password must contain at least one lowercase letter.

— Password must contain at least one uppercase letter.

— Password must contain at least one digit.

Note: For more information on Password Policies, refer to the Online Help for
the System Security Configuration application.

1.4.1.2 Force Password Change

The user has to change the password:

— On first logon of a new account.

— After the password has been reset for that account.

— If the administrator explicitly forces the password to be changed on next
logon.

Force password change before password expiration: the password change page is
displayed to the user before the password expires.

That time period is configurable in System Security Configuration. The user
has a configurable number of days, counted from the first notification to
change the password, to perform this action.

If the password is not changed within this period, the user is no longer able
to log in and the System Administrator is required to reset the password.

Whenever the user changes the password from a state where they are not already
logged in, they need to log on with the new password to access the system.

1.4.1.3 Password Lockout

The user is locked out for three minutes after three consecutive failed logon
attempts within a five minute period. The account is unlocked after three
minutes or, alternatively, the administrator can unlock it manually by
resetting the user's password. This limits online guessing attacks in which an
attacker tries invalid passwords for an account until the correct one is
found; it does not by itself detect slow guessing spread across many accounts,
so failed logon attempts and lockouts should still be monitored.

Note: The administrator account has a special policy: its password does not
expire and the user is not forced to change it upon first logon. It is
recommended to disable the default "administrator" account as soon as the
System Administrator role has been assigned to an alternate user.
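A model of the lockout rule stated above, written as an added example and not taken from ENM (the class and function names are assumptions): a sliding five-minute window of failed logons per account, a three-minute lock after the third failure, automatic unlock once the lock expires, and the administrator's manual reset. Times are plain epoch seconds passed in by the caller so the behaviour can be replayed deterministically.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Sliding-window lockout as the guide describes it: `failures` consecutive
    failed logons within `window` seconds lock the account for `lock` seconds."""

    def __init__(self, failures: int = 3, window: int = 5 * 60, lock: int = 3 * 60):
        self.failures, self.window, self.lock = failures, window, lock
        self._recent = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}             # user -> epoch second the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # lock expired: the account unlocks by itself and the counter restarts
        del self._locked_until[user]
        self._recent[user].clear()
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed logon; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        window = self._recent[user]
        window.append(now)
        while window and now - window[0] >= self.window:
            window.popleft()              # drop failures older than the window
        if len(window) >= self.failures:
            self._locked_until[user] = now + self.lock
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is refused while locked; otherwise it resets the
        consecutive-failure count. Returns True if the logon is accepted."""
        if self.is_locked(user, now):
            return False
        self._recent[user].clear()
        return True

    def admin_unlock(self, user: str) -> None:
        """The administrator's alternative: resetting the password clears the lock."""
        self._locked_until.pop(user, None)
        self._recent[user].clear()


def replay(policy: LockoutPolicy, attempts) -> list:
    """Run constructed (time, user, password_correct) attempts through the policy
    and return the outcome of each: 'accepted', 'rejected' or 'locked'."""
    outcomes = []
    for t, user, correct in attempts:
        if policy.is_locked(user, t):
            outcomes.append("locked")
        elif correct:
            policy.record_success(user, t)
            outcomes.append("accepted")
        else:
            outcomes.append("locked" if policy.record_failure(user, t) else "rejected")
    return outcomes


if __name__ == "__main__":
    # constructed attempts: three quick failures, then the right password too early,
    # then the right password after the three-minute lock has expired
    print(replay(LockoutPolicy(), [(0, "u", False), (60, "u", False), (120, "u", False),
                                   (200, "u", True), (300, "u", True)]))
```

The replay makes the window semantics visible: three failures spread over more than five minutes never lock the account, while the fourth attempt in the example is refused even with the correct password, which is exactly what an attacker who has just found the password by guessing would hit.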

1.4.1.4 Password Ageing

This feature causes password expiration after a configurable time, applied as
the default value to all configured users. Users can also be alerted a number
of days before the next password expiration.

The two available parameters are:

1. Number of days of password validity

2. Number of days before expiration to start receiving warnings

Password ageing parameters can optionally be managed per single user. For
additional information, see User Management on page 4.

1.4.1.5 Password History

The Password History feature allows the Security Administrator to prevent
reuse of previous passwords. Any new user password is verified against a
configurable number of previous passwords.

By default the Password History policy is disabled. Once enabled, it can be
configured in the range from one to 12 previous passwords.

Note: For more information on Password History, refer to the Password
Settings Interface section in the ENM System Security Configuration
Programmers Guide, 1/19817-cna 403 3065 Uen.
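An added example, not ENM code, that applies the default complexity rules from Password Complexity together with the Password History check described here. The PasswordPolicy and PasswordStore names, and the use of salted PBKDF2 for the stored history entries, are assumptions made for the example; the default values, the 1 to 12 range and the disabled-by-default history are the guide's.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Default complexity values from the guide; history_size 0 means the
    Password History policy is disabled (its default), 1..12 when enabled."""
    min_length: int = 8
    max_length: int = 32
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    history_size: int = 0

    def __post_init__(self):
        if not 0 <= self.history_size <= 12:
            raise ValueError("history_size must be 0 (disabled) or 1..12")


def complexity_violations(policy: PasswordPolicy, password: str) -> list:
    """Every complexity rule the candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 (an assumption for the example) so the history never stores
    # reusable password material.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class PasswordStore:
    """Per-user current password plus the most recent previous ones."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self._history = defaultdict(deque)   # user -> deque of (salt, digest)

    def _reused(self, user: str, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._history[user])

    def set_password(self, user: str, password: str) -> list:
        """Apply the complexity and history checks; store the password only when
        both pass. Returns the list of violations (empty on success)."""
        problems = complexity_violations(self.policy, password)
        if self.policy.history_size and self._reused(user, password):
            problems.append(f"matches one of the last {self.policy.history_size} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        entries = self._history[user]
        entries.append((salt, _digest(password, salt)))
        # keep the current password plus history_size - 1 older ones
        while len(entries) > max(1, self.policy.history_size):
            entries.popleft()
        return []


if __name__ == "__main__":
    store = PasswordStore(PasswordPolicy(history_size=3))
    for candidate in ["Winter2018a", "winter2018a", "Winter2018a"]:
        print(candidate, store.set_password("alice", candidate) or "accepted")
```

With history_size 3 the fourth distinct password pushes the first one out of the window, so it becomes acceptable again; that is the limit of what the policy promises, and a reason to combine it with password ageing rather than rely on it alone.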

1.4.2 Install ENM Trusted Certificate into Client Browser

This task outlines the steps for exporting the ENM Root CA certificate from ENM
and importing it into every user's client browser as a trusted certificate.
When successfully completed, the client browser reports a trusted connection.

If the ENM PKI Root CA has been signed by a universally trusted external CA
(using the External CA Support described in the document ENM Public Key
Infrastructure System Administration Guide, 2/1543-aom 901 151-3 Uen), this
task can be skipped because the trusted certificate is already present in the
browser by default.

1.4.2.1 Export ENM PKI Root CA Certificate

This task describes the steps to export the ENM PKI Root CA certificate.
The procedure must be performed after creation of a new user account. Every
user receives both the user account details and a certificate to enable them
to use the ENM Launcher.

Prerequisites
A Security Administrator user is required.

Steps

1. Open the ENM Launcher.

2. In the launcher screen click Command Line Interface (CLI) (the ENM CLI
appears).

3. In the command line type:

pkiadm ctm CACert -expcert -en ENM_PKI_Root_CA -f PEM

4. Save the output file locally.

Results
The ENM PKI Root CA Certificate is downloaded locally. Record its fingerprint
and pass it to users through a channel other than the certificate file itself,
so that they can check the file they receive before trusting it.

1.4.2.2 Import ENM PKI Root CA Certificate into Firefox Browser

This task describes how to import the ENM PKI Root CA Certificate into the
Firefox browser as a trusted certificate. This procedure must be performed
before logging into the system for the first time, to remove the warnings that
are generated when connecting through an untrusted connection.

Prerequisites

— A Security Administrator user is required.

— A valid ENM certificate has been received from the Security Administrator.

Steps

1. Start the Firefox web browser.

2. Select Options > Advanced > Certificates and click View Certificates.

Result: A new Certificate Manager window is displayed.

3. Select Authorities > Import in the Certificate Manager window.

4. Select the certificate received from the Security Administrator in the new
window.

Result: A new Downloading Certificate window is displayed.

5. Select Trust this CA to identify websites in the Downloading Certificate
window and click OK.

Results
A valid certificate is installed in the Firefox browser. No security warnings
are displayed when accessing the ENM Launcher page.


1.4.2.3 Import ENM PKI Root CA Certificate into Chrome Browser

This task describes how to import the ENM PKI Root CA Certificate into the
Chrome browser as a trusted certificate. This procedure must be performed
before logging into the system for the first time, to remove the warnings that
are generated when connecting through an untrusted connection.

Prerequisites

— A Security Administrator user is required.

— A valid ENM certificate has been received from the Security Administrator.

Steps

1. Start the Chrome web browser.

2. Close the remaining windows and navigate to the ENM launcher page.

3. Select Settings > Show advanced settings > Manage certificates and click
the Trusted Root Certification Authorities tab.

Result: The Trusted Root Certification Authorities list is displayed.

4. Select Import.

Result: The Certificate Import Wizard window appears.

5. Click Next > Browse in the Certificate Import Wizard window; in the
directory explorer change the expected file format to All Files (*.*), then
select the certificate received from the Security Administrator and click
Open.

6. Click Next in the Certificate Import Wizard and ensure that the Place all
certificates in the following store radio button is selected and points to
Trusted Root Certification Authorities.

7. Click Next > Finish and in the Security Warning window select Yes.

Result: The import was successful message appears.

8. Restart the Chrome browser and navigate to the ENM launcher page. The
launcher opens without any warnings.

Results
A valid certificate is installed in the Chrome browser. No security warnings
are displayed when accessing the ENM Launcher page.


1.4.2.4 Manage the FireFox Browser Security Warning on First Logon

This task outlines how a Security Administrator can add a security exception for
ENM to FireFox browser. The procedure is performed once, on first logon, when
the ENM PKI Root CA certificate is not yet imported into the browser as trusted
certificate.

Prerequisites
The system is up and running with all components installed. When accessing the
ENM Launcher the warning about untrusted connection appears.

Steps

1. Open the ENM Launcher in a FireFox browser

Result: The This Connection is Untrusted warning appears.

2. Expand I Understand the Risks item and click Add Exception

Result: New Add Security Exception window appears.

3. Click Confirm Security Exception in the Add Security Exception window

Result: The ENM Logon page is displayed.

Results
The security exception for ENM is added to the FireFox browser. Security
Administrator can reach the ENM Logon page.

1.4.2.5 Manage the Chrome Browser Security Warning on First Logon

This task outlines how a Security Administrator can add a security exception
for ENM to the Chrome browser. The procedure is performed once, on first
login, when the ENM PKI Root CA certificate is not yet imported into the
browser as a trusted certificate.

Prerequisites
The system is up and running with all components installed. When accessing the
ENM Launcher the warning about untrusted connection appears.

Steps

1. Open the ENM Launcher in a Chrome browser

Result: The "Your connection is not private" warning appears.


2. Expand Advanced item and click Proceed to <ENM FQDN> (unsafe)

Result: The ENM Logon page is displayed.

Results
The security exception for ENM is added to the Chrome browser. Security
Administrator can reach the ENM Logon page.

1.4.3 Enabling and Disabling Logon Successful Screen in ENM

ENM provides the possibility to show or hide the "Logon Successful" screen
after a user successfully logs in, through:

— The User Interface (UI), using the System Security Configuration
application. See Help Online > User Interface > General Settings for details.

— The Northbound Interface (NBI). For further information, refer to the
General Settings section of the ENM System Security Configuration Programmers
Guide, 1/19817-cna 403 3065 Uen.

1.4.4 Multiple Tabs Support

Multiple Tabs Support allows the user to use multiple ENM instances from the
same browser.

The first step in providing access to multiple ENM instances from the same
browser is to set SSO_COOKIE_DOMAIN to the ENM FQDN in the SED. This change is
applied to the system during upgrade.

Limitation
When the SSO cookie domain change is applied to the system, session cookies
with the domain set to the ENM sub-domain are no longer accepted by OpenAM (the
component responsible for authentication in ENM). This results in the
following issues:

— Users cannot authenticate in ENM, because a logon redirection loop occurs.

— Users authenticated before the upgrade cannot access ENM using previously
retrieved cookies with the domain set to the ENM sub-domain.

All previously used session cookies with the ENM sub-domain need to be removed
from the browser. Thereafter the user is able to log on to ENM.

It is not possible to use an ENM system whose SSO cookie domain is set to its
FQDN together with an ENM system whose SSO cookie domain is set to its
sub-domain from a single browser, if the sub-domain to which the second
system's cookie is scoped is part of the first system's FQDN.
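To make the cookie-scope limitation concrete, the following added example (not ENM or OpenAM code) implements the RFC 6265 section 5.1.3 domain-match rule a browser applies when deciding which cookies to send, and uses it to show why a cookie scoped to a sub-domain is also presented to every ENM FQDN under it. The cookie name enm_sso, the host names and the openam_accepts comparison are assumptions made for the example; the guide states only that sub-domain cookies are rejected once the FQDN is configured.

```python
import ipaddress


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the host is the cookie domain
    itself, or a subdomain of it (host names only, never IP literals)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def cookies_sent(jar, request_host: str) -> dict:
    """Which cookies a browser attaches to a request to `request_host`;
    `jar` is a list of (name, value, domain) triples."""
    return {name: value for name, value, domain in jar
            if domain_matches(request_host, domain)}


def openam_accepts(cookie_domain: str, sso_cookie_domain: str) -> bool:
    """Model of the limitation: a session cookie is accepted only when its
    domain equals the configured SSO cookie domain (assumed comparison)."""
    return cookie_domain.lower().strip(".") == sso_cookie_domain.lower().strip(".")


def cross_system_conflict(first_sso_domain: str, second_fqdn: str) -> bool:
    """True when a session cookie scoped to the first ENM system's SSO cookie
    domain would also be sent to the second system's FQDN."""
    return domain_matches(second_fqdn, first_sso_domain)


if __name__ == "__main__":
    # constructed browser jar: a cookie left by the pre-upgrade sub-domain setting
    # and one issued after SSO_COOKIE_DOMAIN was set to the FQDN
    jar = [("enm_sso", "old-session", "example.com"),
           ("enm_sso", "new-session", "enm1.example.com")]
    print(cookies_sent(jar, "enm1.example.com"))   # both are sent; OpenAM rejects the old one
    print(cross_system_conflict("example.com", "enm2.example.com"))   # True
```

The stale sub-domain cookie keeps being sent alongside the new one on every request, which is the redirection loop the guide describes, and clearing it from the browser is the only way out. Two systems that are both scoped to their own FQDN never match each other's requests, which is what makes multiple tabs work.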


1.5 Target Based Access Control


This section outlines Target Based Access Control (TBAC) for Topology Browser
and the following FM applications: Alarm Monitor, Alarm Search, Alarm
Overview, Alarm Supervision Status, and ENM CLI.

TBAC is supported for users that are assigned only a specific custom role
containing specific capabilities. These capabilities are detailed in this
section.

1.5.1 Targets and Target Groups for FM and Topology Browser

When TBAC is enabled for a user, that user is only able to browse nodes
belonging to the Target Groups assigned to them when using the Topology
Browser functionality to set the network scope for FM applications supporting
TBAC. Users with such a custom role assigned have access only to the selected
FM applications and Topology Browser from the ENM launcher.

A target group is a grouping of targets. These groups are used for granting
access to end users. Target Groups can be created and deleted in ENM using the
Target Group Management user interface.

Configure a user for TBAC on FM and Topology Browser


To configure a user for TBAC on FM and Topology Browser, the following steps
are needed:

— Create a Custom Role with only the FM, Topology Browser and
'TopologySearchService' capabilities listed in the table (see Role Management
on page 9).

— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).

— Assign Target Groups to the user (this is what enables the TBAC checks in
ENM). If any of the needed Target Groups is not yet created, create it first
(see Target Groups Management on page 129).

Application | Resources | Operation | Description
FM | alarm_export | Query | Query for Open/History alarms data in order to export it.
FM | alarm_overview | Query | Query for Open alarms data to show the overview.
FM | alarm_search | Query | Query for Open or History alarms data.
FM | open_alarms | Execute | Perform ACK/UNACK and CLEAR operations on open alarms.
FM | open_alarms | Update | Update the comments on the alarms.
FM | open_alarms | Query | Query for Open alarms data.
FM | nodes | Execute | Enable/disable Supervision on Network Elements and initiate Alarm Synchronization.
FM | nodes | Query | Query the SupervisionState and CurrentServiceState.
FM | nodes | Update | Update the values of HeartBeat Timeout, Automatic Synchronization and other attributes under the FmAlarmSupervision and FmFunction children.
FM | error_event | Create | Enabling/Disabling Supervision on Network Elements and to initiate Alarm
FM | error_event | Read | Query the SupervisionState and CurrentServiceState.
TopologyBrowser | persistentobjectservice | Read | Allows reading and navigating persistent objects in TopologyBrowser and NetworkExplorer.
TopologyBrowser | persistentobjectservice | Update | Update models and associated attributes in TopologyBrowser and NetworkExplorer.
TopologyBrowser | rootAssociations | Read | Allows the user to read associations.
Network Explorer | modelinformationservice | Read | Read Models and associated attributes in NetworkExplorer and TopologyBrowser.
Network Explorer | topologySearchService | Read | Perform searches in Network Explorer. Requires resource 'searchExecutor'.

The Topology Scoping Panel supports displaying:

— Synced MeContext nodes

— Synced ManagedElement nodes

— Synced MeContext with child ManagedElement nodes

— Unsynced MeContext/ManagedElement nodes

The Topology Scoping Panel does not support displaying:

— Synced NetworkElement nodes (it is however possible to view the associated
MeContext/ManagedElement in the scoping panel)

— Unsynced NetworkElement nodes

— ENM

— ENIQ

— VNFM

— NFVO


1.5.2 Targets and Target Groups for AMOS, Element Manager, and Cabinet
Viewer

A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.

Configure a user for TBAC on AMOS, Element Manager, and Cabinet Viewer
To configure a user for TBAC on AMOS, Element Manager, and Cabinet Viewer, the
following steps are needed:

— Create a Custom Role with only the AMOS, Element Manager, and Cabinet Viewer
capabilities listed in the table (see Role Management on page 9).

— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).

— Assign Target Groups to the user (this is what enables the TBAC checks in
ENM). If any of the needed Target Groups is not already created, create it
first (see Target Groups Management on page 129).

Application | Resources | Operation | Description
ElementManager, CabinetViewer | element_manager | read | Allows read-only operations in Cabinet Viewer and all operations in Element Manager.
ElementManager, CabinetViewer | element_manager | execute | Allows execution of write operations in Cabinet Viewer and all operations in Element Manager.
AMOS | amos_em | read | Allows execution of the MO READ (get) commands.
AMOS | amos_em | create | Allows execution of the MO WRITE (set) commands.
AMOS | amos_em | patch | Allows execution of the MO WRITE (fset) commands.
AMOS | amos_em | execute | Allows execution of the TELNET (fro) commands.

1.5.3 Targets and Target Groups for CM-CLI

A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.

Configure a user for TBAC on CM-CLI

To configure a user for TBAC on CM-CLI, the following steps are needed:

— Create a Custom Role with only the CM-CLI capabilities listed in the table
(see Role Management on page 9).

— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).

— Assign Target Groups to the user (this is what enables the TBAC checks in
ENM). If any of the needed Target Groups is not already created, create it
first (see Target Groups Management on page 129).

Application | Resources | Operation | Description
CM-CLI | cm_editor | read | Read Network Configuration Data.
CM-CLI | cm_editor | create | Create Network Configuration Data.
CM-CLI | cm_editor | execute | Perform modelled actions on Network Configuration Data.
CM-CLI | cm_editor | update | Update Network Configuration Data.
CM-CLI | cm_editor | delete | Delete Network Configuration Data.
CM-CLI | cm_config | read | Capability to use the Config Diff, List, History and Undo commands.
CM-CLI | cm_config | create | Capability to use the Config Create command.
CM-CLI | cm_config | execute | Capability to use the Config Activate command.
CM-CLI | cm_config | update | Capability to use the Config Copy command.
CM-CLI | cm_config | delete | Capability to use the Config Delete command.
CM-CLI | bulk_import | execute | Capability to use the Bulk Import command.
NetworkExplorer | Collections_Private | create | Create private collection.
NetworkExplorer | Collections_Private | read | Read private collection.
NetworkExplorer | Collections_Private | update | Update private collection.
NetworkExplorer | Collections_Private | delete | Delete private collection.
NetworkExplorer | Collections_Public | create | Create public collection.
NetworkExplorer | Collections_Public | read | Read public collection.
NetworkExplorer | Collections_Public | update | Update public collection.
NetworkExplorer | Collections_Public | delete | Delete public collection.
NetworkExplorer | CollectionsOthers_Private | read | Read other users' private collections.
NetworkExplorer | SavedSearch_Public | create | Create public saved search.
NetworkExplorer | SavedSearch_Public | read | Read public saved search.
NetworkExplorer | SavedSearch_Public | update | Update public saved search.
NetworkExplorer | SavedSearch_Public | delete | Delete public saved search.
NetworkExplorer | SavedSearch_Private | create | Create private saved search.
NetworkExplorer | SavedSearch_Private | read | Read private saved search.
NetworkExplorer | SavedSearch_Private | update | Update private saved search.
NetworkExplorer | SavedSearch_Private | delete | Delete private saved search.
NetworkExplorer | SavedSearchOthers_Public | read | Read other users' public saved searches.
NetworkExplorer | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results.
NetworkExplorer | modelInformationService | read | Read Models and associated attributes in NetworkExplorer and TopologyBrowser.
TopologyBrowser | persistentobjectservice | read | Allows reading and navigating persistent objects in TopologyBrowser and NetworkExplorer.
TopologyBrowser | rootAssociations | read | Allows the user to read associations between NetworkElements and ManagedObjects.

1.5.4 Targets and Target Groups for SHM

A target group is a grouping of targets. These groups are used for granting access
to end users. Target Groups can be created and deleted in ENM using the Target
Group Management user interface.

Configure a user for TBAC on SHM

To configure a user for TBAC on SHM, the following steps are needed:

— Create a Custom Role with only the SHM capabilities listed in the table (see
Role Management on page 9).

— Create a user and assign to the user only the Custom Role defined in the
previous step (see User Management on page 4).

— Assign Target Groups to the user (this is what enables the TBAC checks in
ENM). If any of the needed Target Groups is not already created, create it
first (see Target Groups Management on page 129).

Application | Resources | Operation | Description
SHM | cppinventorysynch_service | create | Allows creation of jobs such as Upgrade, Backup, License, Restore, DeleteBackup, BackupHouseKeeping and Delete Upgrade.
SHM | cppinventorysynch_service | execute | Allows viewing job related details (job progress, job logs).
SHM | cppinventorysynch_service | update | Allows continuing and cancelling a job.
CM-CLI | cm_editor | read | Read Network Configuration Data.
CM-CLI | cm_editor | create | Create Network Configuration Data.
CM-CLI | cm_editor | execute | Perform modelled actions on Network Configuration Data.
CM-CLI | cm_editor | update | Update Network Configuration Data.
CM-CLI | cm_editor | delete | Delete Network Configuration Data.
NetworkExplorer | Collections_Private | create | Create private collection.
NetworkExplorer | Collections_Private | read | Read private collection.
NetworkExplorer | Collections_Private | update | Update private collection.
NetworkExplorer | Collections_Private | delete | Delete private collection.
NetworkExplorer | Collections_Public | create | Create public collection.
NetworkExplorer | Collections_Public | read | Read public collection.
NetworkExplorer | Collections_Public | update | Update public collection.
NetworkExplorer | Collections_Public | delete | Delete public collection.
NetworkExplorer | CollectionsOthers_Private | read | Read other users' private collections.
NetworkExplorer | SavedSearch_Public | create | Create public saved search.
NetworkExplorer | SavedSearch_Public | read | Read public saved search.
NetworkExplorer | SavedSearch_Public | update | Update public saved search.
NetworkExplorer | SavedSearch_Public | delete | Delete public saved search.
NetworkExplorer | SavedSearch_Private | create | Create private saved search.
NetworkExplorer | SavedSearch_Private | read | Read private saved search.
NetworkExplorer | SavedSearch_Private | update | Update private saved search.
NetworkExplorer | SavedSearch_Private | delete | Delete private saved search.
NetworkExplorer | SavedSearchOthers_Public | read | Read other users' public saved searches.
NetworkExplorer | searchExecutor | read | Perform searches in Network Explorer. Requires resource 'topologySearchService' to display search results.
NetworkExplorer | modelInformationService | read | Read Models and associated attributes in NetworkExplorer and TopologyBrowser.
TopologyBrowser | persistentobjectservice | read | Allows reading and navigating persistent objects in TopologyBrowser and NetworkExplorer.
TopologyBrowser | rootAssociations | read | Allows the user to read associations between NetworkElements and ManagedObjects.

1.6 Authentication with External Identity Provider

This feature allows ENM users to be authenticated by an external LDAP Identity Provider (IdP).

The external Identity Provider must be LDAPv3 compliant, including support for request controls on a single LDAP message. ENM sends a specific control type (OID 1.3.6.1.4.1.36733.2.1.5.1) with the criticality flag left at FALSE. According to RFC 4511, a server that does not recognise a non-critical control must ignore it and process the operation anyway.

Some Identity Provider servers are not fully compliant with this requirement (for example, Oracle Unified Directory 11.1.2.2.0), which prevents ENM remote user authentication. In this case, depending on the capabilities of the Identity Provider server, it may be possible to add this OID to the server's access control configuration so that the LDAP message is handled correctly and remote authentication completes successfully.

A new attribute, AuthMode=Local/Remote, has been added for each ENM user in the User Management application.

A Local user is authenticated and authorized by the local ENM DB.

A Remote user is authenticated by the external LDAP Identity Provider and authorized by the local ENM DB.

In the local DB, a Remote user must be configured with the same username that is stored in the external DB.

Depending on the customer Directory Information Tree (DIT), ENM supports the following two scenarios:

NOSEARCH

The following figure is an example of a customer DIT; the users that can be authenticated remotely according to the NOSEARCH profile are shown in green.

STANDARD

The following figure is an example of a customer DIT; the users that can be authenticated remotely according to the STANDARD profile are shown in green.

Use Cases
Enable system-wide remote authentication with an external identity provider: see the procedure Enable System Wide Remote Authentication with External Identity on page 149.

Disable system-wide remote authentication with an external identity provider: see the procedure Disable System Wide Remote Authentication with External Identity on page 164.

Enable or disable remote authentication for an individual ENM user: see the procedure Enable and Disable Remote Authentication for Individual ENM User on page 164.

1.6.1 Enable System Wide Remote Authentication with External Identity

This task allows the operator to configure the system so that ENM users are authenticated by an external Identity Provider.

Prerequisites
— Root access privileges to log on to one SECSERV virtual machine.

— An ENM user with the following mandatory roles:

  — SECURITY_ADMIN

  — PKI_Administrator

The following information is needed to run the procedure:

— LDAP connection mode allowed by the external LDAP server: secure (LDAPS) or unsecure (LDAP).

— In case of secure connection mode (LDAPS), the CA certificate that signs the external IdP certificate.

— IP address and port of the primary external LDAP server.

— IP address and port of the secondary external LDAP server (optional).

— LDAP operation allowed by the external IdP server: search/bind ("STANDARD" profile) or only bind ("NOSEARCH" profile).

— In case of "NOSEARCH" (only bind):

  — User Bind DN Format, that is, the distinguished name format of the user to bind. The whole DN of the user to bind must be known in advance, except for the value of the attribute in its relative distinguished name, for example:

    uid=$user,ou=pdu,dc=acme,dc=com

    In this case the only parameter left open is the value of the attribute uid.

— In case of "STANDARD" (search/bind):

  — Whether the external IdP server requires client authentication for the search operation.

  — Bind user distinguished name (if client authentication is required).

  — Bind user password (if client authentication is required).

  — Distinguished name of the root of the sub-tree to span in the search operation.

  — Filter to be used in the search operation.

  — Relative distinguished name of the user to search, for example:

    uid=$user
Steps

1. Import the external IdP CA certificate into PKI

The external IdP provides its CA certificate. This must be imported into ENM as an external CA.

The ENM user can drag the PEM file into the ENM CLI and run the command:

pkiadm extcaimport -fn file:<FileName> --chainrequired false --name <ext CA Name>

Example:

pkiadm extcaimport -fn file:ldap-otp.pem --chainrequired false --name ExtIdPCA

With this command the external CA certificate in the PEM file is imported into PKI with the name "ExtIdPCA".

To verify the result of the import operation:

pkiadm extcalist

Figure 4 Example 1

2. Update the trust profile IdP_NBI_TP with the external CA already imported into PKI

See the section Update Trust Profile IdP_NBI_TP with an External CA already Imported in PKI on page 154 for the steps to update the trust profile IdP_NBI_TP.

3. Update the external IdP configuration in ENM

Depending on the use case, to enable ENM remote authentication it is necessary to configure some of the parameters described in the table:

Attribute Name          Value                          Description
authType                LOCAL/REMOTEAUTHN              Authentication and authorization type supported by the current ENM installation.
                                                       LOCAL means that both authentication and authorization are made locally.
                                                       REMOTEAUTHN means that authorization is made locally while authentication can be done by the external IdP server, depending on the authMode attribute set per user in the User Management application.
primaryServerAddress    <IPv4 server_address>:<port>   IPv4 address and port of the primary external IdP server. For example, 141.137.87.62:5389
secondaryServerAddress  <IPv4 server_address>:<port>   IPv4 address and port of the secondary external IdP server. For example, 141.137.87.63:5389
ldapConnectionMode      LDAP/LDAPS                     LDAP connection mode: secure (LDAPS) or unsecure (LDAP).
bindDN                  <bindDN>                       Proxy account distinguished name. For example, uid=Proxyadmin,ou=pdu,dc=acme,dc=com
                                                       An empty value causes an LDAP anonymous bind.
bindPassword            <bindPassword>                 Proxy account password. An empty value causes an LDAP anonymous bind.
remoteAuthProfile       NOSEARCH/STANDARD              STANDARD in case of an external IdP with search/bind operation.
                                                       NOSEARCH in case of an external IdP with only bind operation.
baseDN                  <baseDN>                       Distinguished name of the LDAP node at the root of the sub-tree spanned by search operations. For example, dc=acme,dc=com
userBindDNFormat        <userBindDNFormat>             In case of an external IdP with search/bind operation (remoteAuthProfile=STANDARD), it is the relative distinguished name format of the users to be authenticated. For example, uid=$user
                                                       In case of an external IdP with only bind operation (remoteAuthProfile=NOSEARCH), it is the full distinguished name of the users to be authenticated. For example, uid=$user,ou=pdu,dc=acme,dc=com

Log on to any SECSERV VM as root user. Running the following script command displays the current configuration:

/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh read

Example of command result:

bindDN = uid=extldapadmin,ou=pdu_nam,dc=acme,dc=com
baseDN = dc=acme,dc=com
bindPassword = nUNY5bz22kVEcSgbv884d4xi1LawLranV5pcCPxgkMA=
primaryServerAddress = 141.137.87.62:1636
ldapConnectionMode = LDAPS
authType = REMOTEAUTHN
secondaryServerAddress = 141.137.87.62:6389
userBindDNFormat = uid=$user,ou=pdu_nam,dc=acme,dc=com
remoteAuthProfile = STANDARD

There are two different profile configurations according to the customer needs and the customer DIT:

— NOSEARCH use case:

Log on to any SECSERV VM as root user and configure the attributes and related values as in the table:

remoteAuthProfile=NOSEARCH
userBindDNFormat=<according to the setting on the external IdP>
authType=REMOTEAUTHN
baseDN=<according to the setting on the external IdP>

using the script command:

/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh <COMMAND> [<OPTIONS>]

Script online help is available.

This is an example of a command sequence to configure the external IdP for the NOSEARCH profile. Note that $user is written as \$user inside the double quotes so that the shell does not expand it:

[root@svc-2-security cloud-user]# /opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update --name=remoteAuthProfile --value=NOSEARCH --name=primaryServerAddress --value="141.137.87.62:6636" --name=baseDN --value="dc=acme,dc=com" --name=secondaryServerAddress --value="141.137.87.63:6636" --name=ldapConnectionMode --value=LDAPS --name=userBindDNFormat --value="uid=\$user,ou=pdu,dc=acme,dc=com" --name=authType --value=REMOTEAUTHN

— STANDARD use case:

Log on to any SECSERV VM as root user and configure the attributes and related values reported in the table below:

remoteAuthProfile=STANDARD
userBindDNFormat=<according to the setting on the external IdP>
authType=REMOTEAUTHN
baseDN=<according to the setting on the external IdP>
bindDN=<proxy account distinguished name; an empty value causes an LDAP anonymous bind>

using the script command:

/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh <COMMAND> [<OPTIONS>]

Script online help is available.

This is an example of a command sequence to configure the external IdP for the STANDARD profile. Note that $user is written as \$user inside the double quotes so that the shell does not expand it:

[root@svc-2-security cloud-user]# /opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update --name=remoteAuthProfile --value=STANDARD --name=primaryServerAddress --value="141.137.87.62:6636" --name=baseDN --value="dc=acme,dc=com" --name=secondaryServerAddress --value="141.137.87.63:6636" --name=ldapConnectionMode --value=LDAPS --name=userBindDNFormat --value="uid=\$user" --name=authType --value=REMOTEAUTHN --name=bindDN --value="uid=Proxyadmin,ou=pdu,dc=acme,dc=com"

To configure the bindPassword of the bindDN user it is necessary to use the same script in interactive mode (the password is prompted for, not passed on the command line):

/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update -b

Interactive output:

Enter Security Admin credentials
Username: Administrator
Password: <password for the Administrator user>
Enter bind user credentials
bindPassword: <password for the external DB user configured as bindDN>
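The following Python is an added example (not part of ENM or of ext-idp-setting.sh) of what the two remoteAuthProfile values in the table of step 3 mean for a login: NOSEARCH substitutes the username into the full DN given in userBindDNFormat and binds as it, while STANDARD searches under baseDN for the RDN given in userBindDNFormat and binds as the entry found. It also runs a pre-flight check over an attribute set before it is written with the script. The escaping functions, the ExtIdpSettings class and the findings text are this example's own; the DN values are the acme.com examples from the table.

```python
"""Added example (not ENM code): the NOSEARCH and STANDARD remoteAuthProfile
semantics, plus a pre-flight check of the ext-idp-setting.sh attribute set."""

from dataclasses import dataclass
from typing import List, Tuple


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN (NOSEARCH profile)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter (STANDARD profile)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


@dataclass
class ExtIdpSettings:
    remoteAuthProfile: str          # NOSEARCH or STANDARD
    userBindDNFormat: str           # must contain the $user placeholder
    baseDN: str = ""
    bindDN: str = ""                # empty -> the search runs as an anonymous bind
    ldapConnectionMode: str = "LDAPS"


def resolve_bind_dn(s: ExtIdpSettings, username: str) -> str:
    """NOSEARCH: the user DN is known up front; only the RDN value is substituted."""
    return s.userBindDNFormat.replace("$user", escape_dn_value(username))


def resolve_search(s: ExtIdpSettings, username: str) -> Tuple[str, str]:
    """STANDARD: search under baseDN for the RDN, then bind as the DN that is found."""
    rdn = s.userBindDNFormat.replace("$user", escape_filter_value(username))
    return s.baseDN, "(" + rdn + ")"


def check_settings(s: ExtIdpSettings) -> List[str]:
    """Findings to review before running ext-idp-setting.sh update."""
    findings = []
    if s.remoteAuthProfile not in ("NOSEARCH", "STANDARD"):
        findings.append("remoteAuthProfile must be NOSEARCH or STANDARD")
    if "$user" not in s.userBindDNFormat:
        findings.append("userBindDNFormat has no $user placeholder")
    full_dn = "," in s.userBindDNFormat
    if s.remoteAuthProfile == "NOSEARCH" and not full_dn:
        findings.append("NOSEARCH needs the full user DN in userBindDNFormat")
    if s.remoteAuthProfile == "STANDARD":
        if full_dn:
            findings.append("STANDARD expects only the user RDN (e.g. uid=$user) in userBindDNFormat")
        if not s.baseDN:
            findings.append("STANDARD needs baseDN for the search")
        if not s.bindDN:
            findings.append("empty bindDN: the search runs as an anonymous bind")
    if s.ldapConnectionMode != "LDAPS":
        findings.append("LDAP (not LDAPS): simple-bind passwords cross the network in clear text")
    return findings


if __name__ == "__main__":
    nosearch = ExtIdpSettings("NOSEARCH", "uid=$user,ou=pdu,dc=acme,dc=com")
    print(resolve_bind_dn(nosearch, "alice"))
    standard = ExtIdpSettings("STANDARD", "uid=$user", baseDN="dc=acme,dc=com",
                              bindDN="uid=Proxyadmin,ou=pdu,dc=acme,dc=com")
    print(resolve_search(standard, "alice)(uid=*"))    # filter metacharacters are escaped
    print(check_settings(ExtIdpSettings("STANDARD", "uid=$user", ldapConnectionMode="LDAP")))
```

The two escaping functions are the reason the profile distinction matters for security as well as for configuration: in NOSEARCH the username lands inside a DN, in STANDARD it lands inside a search filter, and each position has its own metacharacters that must not be interpreted.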

1.6.1.1 Update Trust Profile IdP_NBI_TP with an External CA already Imported in PKI

In the default software configuration the trust profile IdP_NBI_TP is associated with the SSO VMs and the SECSERV VMs. It must be updated so that the SSO and SECSERV VMs can use a secure connection to the external IdP server, using the external IdP CA certificate imported into PKI.

1. Disable ENM Credential Manager Checks and Cron Jobs

Before modifying the trust profile, disable the Credential Manager checks on trusts and disable the cron jobs on the service groups.

These steps are required to prevent CredM from running its automatic certificate validity checks, which restart VMs, during the procedure.

a. Configure the disabling of ENM Credential Manager checks

Log on to the MS with root privilege and edit the file:

/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties

adding the following lines:

checkCertsStatusOnTimeout=false
cronAllowed=false
forceCertificateRenewal=true

The file is read as shell assignments, so write each line exactly as KEY=value, with no spaces around the equals sign.

If the file and the folder are not present they must be created first.

Verify that the folder can be accessed (in read mode only) by everyone.


b. Verify that the disabling of ENM Credential Manager checks works correctly

To avoid the risk that the file has been modified in a wrong way, which would cause Credential Manager to keep restarting SSO and SECSERV when it checks the new trust profile, force a Credential Manager check.

Run the command as root from a single SECSERV VM:

/opt/ericsson/ERICcredentialmanagercli/bin/credentialmanagercliCrontab.sh

Look in the log file (on the same SECSERV VM):

/var/log/enmcertificates/enmCertificatesCrontab.log

and search for the last information logged in the file. If all has gone as expected, the last two lines are as follows:

[10/26/17-07:36:08] Starting by cron credentialmanager.sh
[10/26/17-07:36:08] result : Not allowed to run status=100

If these two lines are present in the file, go to the next step.

Otherwise, if the last lines of the log file are like the following:

[10/26/17-07:34:52] Starting by cron credentialmanager.sh
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties: line 1: checkCertsStatusOnTimeout: command not found
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties: line 2: cronAllowed: command not found
/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties: line 3: forceCertificateRenewal: command not found
Instantiated CommandCheck
Execute CommandCheck
Connected to 10.247.246.153:8080
checkCertificateValidity /ericsson/credm/cli/data/certs/credmApiKS.JKS
Connected to 10.247.246.153:8080
read TRUST : credmApiCA from C=SE, OU=BUCI_DUAC_NAM, O=ERICSSON, CN=ENM_Management_CA
REST: internal trust ENM_Management_CA
ReWrite Trust for credMServiceProfile
deleteEntry credmApiCA in /ericsson/credm/cli/data/certs/credmApiTS.JKS
addTrustedEntry credmApiCA_ENM_Management_CA in /ericsson/credm/cli/data/certs/credmApiTS.JKS
SYSTEM RECORDER COMMAND = { (s):credential-manager-service-api-(m):Trust write SUCCESS (Check) - (e):credMServiceProfile-(i):svc-1-sso| }
...CHECK ... parsing Sso_CertRequest.xml
------------TRUST ONLY in checkActionToPerform ---------
------------IdP_NBI_TP
Call Service API checkTrustAction for trustProfile IdP_NBI_TP
read TRUST : ssoTS from C=SE, OU=BUCI_DUAC_NAM, O=ERICSSON, CN=ENM_NBI_CA
read TRUST : ssoTS from CN=IT00114405.ericsson.se, O=OpenDJ RSA Self-Signed Certificate
Trust is valid: nothing to be done for IdP_NBI_TP
IdP_NBI_TP check result is false
Call Service API checkCRL for trustprofile IdP_NBI_TP
Crl is valid: nothing to be done for IdP_NBI_TP
check result is false
performCheck executed
CredMa END
[10/26/17-07:35:06] result : SUCCESS

this means that something has not worked as expected, because the Credential Manager check has been executed. The "command not found" lines are the shell rejecting each key: the properties file is read as shell assignments, and a line is not accepted when it is not a plain KEY=value (for example because of spaces around the "=").

In this last case check the modifications on the file:

/ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties

Correct them as in step a. and repeat this check before going on with the procedure.
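An added check (not an Ericsson tool) for the properties file before forcing the Credential Manager run: it accepts only plain KEY=value lines, flags Windows line endings and lines with spaces around "=", and confirms the three settings from step 1.a are present with the expected values. The REQUIRED map, the regular expression, the folder-permission helper and the sample file contents are this example's own.

```python
"""Added example (not an Ericsson tool): validate
credentialManagerConfigurator.properties before forcing a Credential Manager run.

The crontab script reads the file as shell assignments (that is what the
"command not found" lines in the log show), so each line must be KEY=value with
no spaces around "=" and no shell metacharacters. Sample contents are constructed.
"""

import os
import re
import stat
from typing import List

# The three settings the procedure adds in step 1.a.
REQUIRED = {
    "checkCertsStatusOnTimeout": "false",
    "cronAllowed": "false",
    "forceCertificateRenewal": "true",
}
_ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=([^\s'\"$`;&|<>()]*)$")


def lint_credm_properties(text: str) -> List[str]:
    """Return the problems found in the file contents; an empty list means it is usable."""
    problems = []
    seen = {}
    # split on "\n" only, so a stray "\r" (CRLF file) stays visible on the line
    for n, raw in enumerate(text.split("\n"), 1):
        if raw.endswith("\r"):
            problems.append("line %d: Windows line ending" % n)
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGNMENT.match(line)
        if not m:
            problems.append("line %d: not a plain KEY=value assignment: %r" % (n, line))
            continue
        seen[m.group(1)] = m.group(2)
    for key, value in REQUIRED.items():
        if key not in seen:
            problems.append("missing %s=%s" % (key, value))
        elif seen[key] != value:
            problems.append("%s is %r, expected %r" % (key, seen[key], value))
    return problems


def folder_world_readable(path: str) -> bool:
    """The guide asks that the conf folder be readable (read mode only) by everyone:
    others need read and traverse on the directory, and must not have write."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH) and bool(mode & stat.S_IXOTH) and not (mode & stat.S_IWOTH)


if __name__ == "__main__":
    GOOD = "checkCertsStatusOnTimeout=false\ncronAllowed=false\nforceCertificateRenewal=true\n"
    BAD = "checkCertsStatusOnTimeout = false\ncronAllowed=false\r\nforceCertificateRenewal=yes\n"
    print(lint_credm_properties(GOOD))   # []
    for problem in lint_credm_properties(BAD):
        print(problem)
```

Run it against the file on the MS before step 1.b; an empty result is the state in which the forced run should log "Not allowed to run status=100".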

2. Export IdP_NBI_TP

Run the command from the ENM CLI to export the trust profile IdP_NBI_TP. The trust profile IdP_NBI_TP already exists in PKI since it is one of the predefined trust profiles.

pkiadm profilemgmt --export --profiletype trust --name IdP_NBI_TP

The name of the XML file containing the exported IdP_NBI_TP is assigned automatically, for example exported_1507543748966.xml.

An example of the output of the command is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
  <TrustProfile Id="13" Name="IdP_NBI_TP">
    <Active>true</Active>
    <Modifiable>true</Modifiable>
    <ExternalCA>
      <CertificateAuthority>
        <Id>25</Id>
        <Name>ExtIdPCA</Name>
        <IsRootCA>true</IsRootCA>
        <Subject>
          <SubjectField>
            <Type>COMMON_NAME</Type>
            <Value>IT00114405.ericsson.se</Value>
          </SubjectField>
          <SubjectField>
            <Type>ORGANIZATION</Type>
            <Value>OpenDJ RSA Self-Signed Certificate</Value>
          </SubjectField>
        </Subject>
        <Issuer>
          <Id>0</Id>
          <IsRootCA>false</IsRootCA>
          <CAStatus>NEW</CAStatus>
          <PublishToCDPS>false</PublishToCDPS>
          <IsIssuerExternalCA>false</IsIssuerExternalCA>
        </Issuer>
        <CAStatus>ACTIVE</CAStatus>
        <PublishToCDPS>false</PublishToCDPS>
        <IsIssuerExternalCA>false</IsIssuerExternalCA>
      </CertificateAuthority>
    </ExternalCA>
  </TrustProfile>
</Profiles>

3. Edit the IdP_NBI_TP TrustProfile

Edit the trust profile IdP_NBI_TP XML file:

— Remove unnecessary tags, keeping only the tags present in the XML example below.

— Add the IdP external CA imported into PKI at step 1 in the ExternalCA section, for example ExtIdPCA.

In the example the same name chosen in the example at step 1 ("ExtIdPCA") has been used instead of the placeholder <ext CA Name> to avoid misunderstanding.

IdP_NBI_TP is the name of the existing predefined TP in PKI.

ENM_NBI_CA is the name of one of the predefined ENM CAs.

Example of the modified XML file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profiles>
  <TrustProfile Id="13" Name="IdP_NBI_TP">
    <Modifiable>true</Modifiable>
    <TrustCAChain>
      <IsChainRequired>false</IsChainRequired>
      <InternalCA>
        <CertificateAuthority>
          <Name>ENM_NBI_CA</Name>
        </CertificateAuthority>
      </InternalCA>
      ...
    </TrustCAChain>
    <ExternalCA>
      <CertificateAuthority>
        <Name>ExtIdPCA</Name>
      </CertificateAuthority>
    </ExternalCA>
  </TrustProfile>
</Profiles>

4. Update IdP_NBI_TP

Drag and drop the IdP_NBI_TP.xml file on the ENM CLI, and run the command to add the IdP external CA to the IdP_NBI_TP trust profile:

pkiadm profilemgmt --update --xmlfile file:IdP_NBI_TP.xml

To verify the correct update of the trust profile IdP_NBI_TP:

pkiadm extcalist

For example:

Figure 5

5. SSO VM instances restart in Physical Environment

This step must be done only in case of a physical environment.

a. Log on to the MS as root user and run the command to find the SSO VM instances applicable to your deployment.

[root@ms-1 ~]# cat /etc/hosts | grep sso

Example of command result:

10.247.246.129 svc-2-sso sso-2-internal # Created by LITP. Please do not edit
10.247.246.128 svc-1-sso sso-1-internal # Created by LITP. Please do not edit

b. From the MS, log on to one of the SVC nodes hosting the SSO VM as the litp-admin user and then switch to the root user.

[root@ms-1 ~]# ssh litp-admin@svc-1
litp-admin@svc-1's password:
[litp-admin@svc-1 ~]$ su -
Password:
[root@svc-1 ~]# hagrp -state | grep sso

Example of command result:

Grp_CS_svc_cluster_sso State ieatrcxb4263 |ONLINE|
Grp_CS_svc_cluster_sso State ieatrcxb4264 |ONLINE|

Repeat all the following steps for each SSO instance.

i. Power off the SSO service group.

[root@svc-1 ~]# hagrp -offline Grp_CS_svc_cluster_sso -sys <sso_instance_name>

Example of command and command result:

[root@svc-1 ~]# hagrp -offline Grp_CS_svc_cluster_sso -sys ieatrcxb4263
VCS NOTICE V-16-1-50733 Attempting to offline group on system svc-1

ii. Verify that the SSO service group is OFFLINE by checking the output of the command:

[root@svc-1 ~]# hagrp -state | grep sso

If the command result is as follows:

Grp_CS_svc_cluster_sso State svc-1|ONLINE|STOPPING|
Grp_CS_svc_cluster_sso State svc-2|ONLINE|

it is required to wait more time and repeat the check:

[root@svc-1 ~]# hagrp -state | grep sso

When the command result is as follows, go to the next step:

Grp_CS_svc_cluster_sso State svc-1|OFFLINE|
Grp_CS_svc_cluster_sso State svc-2|ONLINE|

iii. On the SVC node where the SSO instance is OFFLINE, run the commands:

• Log on to the SVC node as the litp-admin user and then switch to the root user.

• Undefine the SSO VM:

[root@svc-1 ~]# virsh undefine sso

• Check that the SSO VM has been removed:

[root@svc-1 ~]# virsh list --all | grep sso

• If the VM has been correctly undefined, the command displays no output.

iv. Power on the SSO service group previously taken offline.

[root@svc-1 ~]# hagrp -online Grp_CS_svc_cluster_sso -sys <sso_instance_name>

Example of command:

[root@svc-1 ~]# hagrp -online Grp_CS_svc_cluster_sso -sys ieatrcxb4263

v. Verify that the service group has fully come ONLINE:

[root@svc-1 ~]# hagrp -state | grep sso

If the command result is as follows:

Grp_CS_svc_cluster_sso State svc-2|ONLINE|
Grp_CS_svc_cluster_sso State svc-1|OFFLINE|STARTING|

more time is needed; repeat the check:

[root@svc-1 ~]# hagrp -state | grep sso

until the command result is as follows:

Grp_CS_svc_cluster_sso State svc-1|ONLINE|
Grp_CS_svc_cluster_sso State svc-2|ONLINE|

vi. Verify that the SSO service group has completed installation/configuration.
Wait for the complete installation/configuration of the SSO instance just restarted.

To check this condition, log on to the ms-1 VM as root user and run the command:

[root@ieatlms4405 ~]# grep sso /etc/hosts

The following is an example of command result:

10.247.246.86 httpd-instance-2 iorfile2.ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
10.247.246.154 sso-instance-1 sso-instance-1.ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
10.247.246.155 svc-2-sso sso-2-internal # Created by LITP. Please do not edit
10.247.246.154 svc-1-sso sso-1-internal # Created by LITP. Please do not edit
10.247.246.85 httpd-instance-1 iorfile1.ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
10.247.246.84 sso sso-internal # Created by LITP. Please do not edit
141.137.206.30 haproxy ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit
10.247.246.155 sso-instance-2 sso-instance-2.ieatENM5266-6.athtem.eei.ericsson.se # Created by LITP. Please do not edit

In the command result take note of the SSO instances, for example:

sso-instance-1.ieatENM5266-6.athtem.eei.ericsson.se
sso-instance-2.ieatENM5266-6.athtem.eei.ericsson.se

Log on to any SECSERV VM as root user and run the command:

[root@svc-3-secserv cloud-user]# curl http://<sso_instance-name>.<haproxy_fqdn>:8080/heimdallr/sso_configured.jsp

An example of the command is:

[root@svc-3-secserv cloud-user]# curl http://sso-instance-1.ieatENM5266-6.athtem.eei.ericsson.se:8080/heimdallr/sso_configured.jsp

Example of command result:

<html>
<head><title>SSO installation/configuration status</title></head>
<body>
<h1>SSO installation/configuration complete</h1>
<p>RPM name: ERICsinglesignon_CXP9031664</p>
<p>RPM version: 1.45.1</p>
<p>RPM release: SNAPSHOT20171024093359</p>
<p>SSO installation/configuration complete and server url contains only lowercases</p>
<p>Openam version 13.0.0</p>
<p>SSO monitoring enabled</p>
</body>
</html>

The installation and configuration is completed when the command result contains:

SSO installation/configuration complete
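An added helper (not an Ericsson tool) for the waits in step 5: it parses the output of hagrp -state into state tokens per system, reports a transition as complete only when no STOPPING or STARTING token remains, and checks the sso_configured.jsp page for the completion text. The sample outputs are constructed from the lines quoted above; the regular expression and function names are this example's own.

```python
"""Added example (not an Ericsson tool): decide when the hagrp and sso_configured.jsp
checks in step 5 are really done, so a restart is not continued mid-transition."""

import re
from typing import Dict, List, Tuple

# "Grp_CS_svc_cluster_sso State svc-1|ONLINE|STOPPING|" or "... State ieatrcxb4263 |ONLINE|"
_STATE_LINE = re.compile(r"^(\S+)\s+State\s+(\S+?)\s*\|(.*)\|$")


def parse_hagrp_state(output: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (group, system) -> state tokens, e.g. ['ONLINE', 'STOPPING']."""
    states = {}
    for line in output.splitlines():
        m = _STATE_LINE.match(line.strip())
        if m:
            states[(m.group(1), m.group(2))] = [t for t in m.group(3).split("|") if t]
    return states


def settled(states: Dict[Tuple[str, str], List[str]], group: str, system: str,
            target: str) -> bool:
    """True only when the system shows exactly the target state: a lingering
    STOPPING/STARTING token (or an unknown system) means keep waiting."""
    return states.get((group, system)) == [target]


def sso_configured(html: str) -> bool:
    """The curl check in step 5.vi is complete when the page carries this text."""
    return "SSO installation/configuration complete" in html


if __name__ == "__main__":
    # Constructed sample: the transitional output the guide says to wait through.
    sample = ("Grp_CS_svc_cluster_sso State svc-1|ONLINE|STOPPING|\n"
              "Grp_CS_svc_cluster_sso State svc-2|ONLINE|\n")
    st = parse_hagrp_state(sample)
    print(st)
    print(settled(st, "Grp_CS_svc_cluster_sso", "svc-1", "OFFLINE"))   # False: still stopping
```

Poll hagrp -state until settled() is true for the target state (OFFLINE before virsh undefine, ONLINE afterwards), and only then move on to the sso_configured.jsp check.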

6. SSO VM instances restart in vENM Environment

This step must be done only in case of a cloud environment.

a. Connect to the first SSO VM.

b. Switch to the root user:

[cloud-user@gat-sso-0 ~]$ sudo su

c. Restart the VM:

[root@gat-sso-0 cloud-user]# pkill consul
[root@gat-sso-0 cloud-user]# exit
[cloud-user@gat-sso-0 ~]$ exit

From the LAF, the consul members monitoring displays the sequence failed → left → alive.

[root@gat-emp-0 conf]# consul members | grep sso
gat-sso-0 10.5.1.166:8301 failed client 0.9.2 2 dc1
gat-sso-1 10.5.1.167:8301 alive client 0.9.2 2 dc1

d. Repeat the same for the second SSO VM.

7. SECSERV VM instances restart in Physical Environment

This step must be done only in case of a physical environment.

For the SECSERV VM instances the same procedure described in step 5 for the SSO VM instances must be done, except for the step described in 5.vi.

For the SECSERV VM instances it is enough to wait for the ONLINE status after the restart to go on with the procedure.

You can repeat the procedure substituting sso with secserv.

The sequence of operations to be done for the secserv VM instances is the same as described above:

— secserv offline

— virsh undefine

— secserv online

8. SECSERV VM instances restart in vENM Environment

This step must be done only in case of a cloud environment.

a. Connect to the first SECSERV VM.

b. Switch to the root user:

[cloud-user@gat-secserv-0 ~]$ sudo su

c. Restart the VM:

[root@gat-secserv-0 cloud-user]# pkill consul
[root@gat-secserv-0 cloud-user]# exit
[cloud-user@gat-secserv-0 ~]$ exit

From the LAF, the consul members monitoring displays the sequence failed → left → alive.

[root@gat-emp-0 conf]# consul members | grep secserv
gat-secserv-0 10.5.1.151:8301 failed client 0.9.2 2 dc1
gat-secserv-1 10.5.1.152:8301 alive client 0.9.2 2 dc1

d. Repeat the same for the second SECSERV VM.

9. Enable ENM Credential Manager Checks and Cron Jobs

This step is required to align the SPS certificates to the DB and re-enable the automatic SPS check for certificate validity.

Log on to the MS with root privilege and remove from the file /ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties the following lines:

checkCertsStatusOnTimeout=false
cronAllowed=false
forceCertificateRenewal=true

If the file contains only the above lines it can be removed with:

rm -f /ericsson/tor/data/credm/conf/credentialManagerConfigurator.properties

1.6.2 Disable System Wide Remote Authentication with External Identity

This task allows the operator to turn off remote authentication system-wide.
This can be required to allow ENM user access in case both the primary and the secondary external IdP servers are unavailable at the same time. While authType is LOCAL, users configured with AuthMode=Remote are authenticated with the password stored in the local ENM DB (see Enable and Disable Remote Authentication for Individual ENM User on page 164).

Prerequisites
— Root access privileges to log on to one SECSERV virtual machine.

— Authentication with the external IdP is already enabled. See Enable System Wide Remote Authentication with External Identity on page 149.

Steps

1. Disable the external IdP configuration in ENM

Log on to any SECSERV VM as root user. Running the following script command sets the current configuration to local authentication only:

/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update --name=authType --value=LOCAL

Note: To enable external authentication again, run the command:

/opt/ericsson/com.ericsson.oss.itpf.security.sso/ext-idp-setting.sh update --name=authType --value=REMOTEAUTHN

1.6.3 Enable and Disable Remote Authentication for Individual ENM User

This task allows the operator to configure each ENM user for local or remote authentication.
From the User Management application, you can enable or disable remote authentication on a per-user basis by updating the AuthMode attribute. See the User Management application.

An ENM user with the SECURITY_ADMIN role is required.

Note: AuthMode cannot be set to Remote for the Administrator user.

In case of remote authentication, the password defined in ENM cannot be used for authentication or changed by the user until that user is switched to Local or the external IdP is disabled system-wide.

Disabling the User Status in the User Management page for a remote user has no effect in terms of preventing that user from accessing the system: this status configuration applies only to 'local' users and has no meaning for 'remote' users.

To prevent a 'remote' user from accessing the system, update its AuthMode to Local and then configure its Status to Disabled.


2 IDAM Limitations

This section provides the limitations of the IDAM security solution in the current ENM system.
Where possible, preventative steps are included to minimize the outcome of a limitation.

Limitations

1. User Management Availability

For a regular user (a user without the SECURITY_ADMIN role), the availability of the system during upgrade is as follows:

The user is able to log in at any time (except at the first login, see "change password").

The user is not able to change the password.

Details: the new password is stored in the User Management database. However, it is not visible to the end user until it is synchronized to LDAP; OpenIDM, responsible for database synchronization, is active/passive, so during upgrade the data is synchronized within 5 minutes.

End user experience when OpenIDM is down:

— The user attempts to log in.

— The user is prompted to change the password (either due to first login, or because the Security Administrator requested the user to change the password).

— The password is changed and stored in the User Management database; the user is logged out.

— The user attempts to log in.

— Since OpenIDM is down, the new password is not synchronized to LDAP; as a result the user cannot log in using the new password.

For the Security Admin, the availability of the system during upgrade, in addition to the above, is as follows:

The backend of the User Management application (OpenIDM) is deployed as active/passive, so User Management is not available during upgrade.

The following use cases are not available:

— Force password change

— Change password

End user experience when OpenIDM is down (from the User Management application point of view):

— A user with Security Admin privilege creates a new user account.

— The user account is created, but one cannot access ENM using this account until OpenIDM synchronizes the account to LDAP.

The above covers the lack of availability caused by the OpenIDM deployment on SVC. There is additional downtime in User Management due to DB node outage:

— PostgreSQL requires 30 seconds to fail over, so there are 60 seconds of downtime during upgrade.
2. Role Management function
— Creating 'Custom Role' with all exposed capabilities doesn't mean giving
all rights in the system. It's not possible to create superuser in this way.

— Only applications listed in capabilities during creation of 'Custom Role'


expose their resources and actions. If an application is not listed there, it
does not expose it's resources and actions.
3. Target Groups Management function
— Assignment of target group with role to a user is only supported for COM
roles and COM role aliases.

— In case of SIU02/TCU02 the Target Group must have some specific


value. For example, SIU-Target-Group or any valid string value.
4. Account Naming

When creating users, do not use the combination of a username starting with
“temporary_amos_”, a first name starting with “Temporary”, and a last name
starting with “Amos”. This combination is reserved for use by AMOS. If this
combination is used, the user does not appear in User Management (neither
on the NBI nor in the UI) and the user is later deleted automatically by the
system. This means that if a user meeting these criteria is added, it is not
possible to manage that user after creation.

An ENM username must have a maximum of 20 characters when associated with
the roles:
— BO_NETAN_Operator

— BO_Administrator

— BO_Report_Operator

— BO_Universe_Operator

— NetworkAnalytics_Administrator

— NetworkAnalytics_BusinessAnalyst_Operator


— NetworkAnalytics_BusinessAuthor_Operator

— NetworkAnalytics_Consumer_Operator

The limitation is due to Active Directory in OCS for SSO configuration. Refer
to "SSO Configuration for OCS AD DS Server" of System Administrator Guide,
1543-CNA 403 2826 Uen.
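The two account-naming limitations above are easy to trip over when accounts are created in bulk over the NBI, so a pre-provisioning check is useful. The following is an added example and not code from the ENM guide or product; the function names and the shape of the input are assumptions, while the reserved prefixes and the role names are exactly those quoted above. The guide does not say whether the reserved prefixes are matched case-sensitively, so this check assumes a case-sensitive match on the strings as written.

```python
# Added example, not part of the ENM guide: pre-provisioning checks for the
# two account-naming limitations above. Function names and the input shape
# are assumptions; the prefixes and role names are those quoted in the guide.

# Username / first name / last name prefixes reserved for AMOS. Only the
# combination of all three is reserved; any one of them on its own is fine.
# Assumption: the match is case-sensitive, as the guide quotes the strings.
RESERVED_USERNAME_PREFIX = "temporary_amos_"
RESERVED_FIRST_NAME_PREFIX = "Temporary"
RESERVED_LAST_NAME_PREFIX = "Amos"

# Roles whose SSO configuration (Active Directory in OCS) limits the ENM
# username to 20 characters.
AD_LIMITED_ROLES = frozenset({
    "BO_NETAN_Operator",
    "BO_Administrator",
    "BO_Report_Operator",
    "BO_Universe_Operator",
    "NetworkAnalytics_Administrator",
    "NetworkAnalytics_BusinessAnalyst_Operator",
    "NetworkAnalytics_BusinessAuthor_Operator",
    "NetworkAnalytics_Consumer_Operator",
})
AD_USERNAME_MAX_LEN = 20


def is_reserved_amos_account(username, first_name, last_name):
    """True only when all three fields match the combination reserved for AMOS."""
    return (username.startswith(RESERVED_USERNAME_PREFIX)
            and first_name.startswith(RESERVED_FIRST_NAME_PREFIX)
            and last_name.startswith(RESERVED_LAST_NAME_PREFIX))


def validate_account(username, first_name, last_name, roles):
    """Return the list of limitation violations for a planned account.

    An empty list means the account can be created without hitting either
    of the naming limitations described in the guide.
    """
    problems = []

    if is_reserved_amos_account(username, first_name, last_name):
        problems.append(
            "reserved AMOS naming combination: the account would not appear "
            "in User Management and would later be deleted by the system")

    # Only the roles backed by the OCS Active Directory carry the 20-char limit.
    limited = sorted(set(roles) & AD_LIMITED_ROLES)
    if limited and len(username) > AD_USERNAME_MAX_LEN:
        problems.append(
            f"username is {len(username)} characters; at most "
            f"{AD_USERNAME_MAX_LEN} allowed with roles {', '.join(limited)}")

    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not taken from a real system.
    # "Other_Role" is a placeholder role name, not an ENM role.
    planned = [
        ("temporary_amos_007", "Temporary", "Amos", ["Other_Role"]),
        ("netan_reporting_user_01", "Jane", "Doe", ["BO_Report_Operator"]),
        ("netan_user_01", "Jane", "Doe", ["BO_Report_Operator"]),
    ]
    for username, first, last, roles in planned:
        for problem in validate_account(username, first, last, roles):
            print(f"{username}: {problem}")
```

Run the checks before calling the NBI rather than after: an account that hits the AMOS combination is created and then silently removed, so the failure is only visible as a missing user.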
5. User Management database

All user data is stored in PostgreSQL, which is the primary User Management
database.

— PostgreSQL is deployed as active/passive, so in case of upgrade or DB
node failure, the database is not available for 30 seconds.

— The OpenIDM component is responsible for database synchronization. In the
event of node (blade) failure or upgrade it takes 7-10 minutes to
synchronize data.

— Data is synchronized in batches. Synchronizing one user takes up to 15
seconds. Where users are created in batches, the synchronization time
increases.
6. Role Based Access

Only the relevant admin roles are allowed to launch certain security
applications, even though operator roles are allowed to do so.

The following limitations apply:

— The Node Security Configuration application is available only to the
Administrator in ENM Launcher.

— The PKI Profile/Entity Management applications are only available to the
Administrator or Security Administrator in ENM Launcher.
7. User Session

Sessions are maintained by a session replication mechanism that replicates
sessions between all active SSO instances. If the session replication fails,
the sessions are terminated. This can happen in case of rollback, or of an
upgrade where a new version of the SSO component is deployed and the change
breaks all existing sessions. If the user session was terminated, it needs to
be established again. To do that, the user needs to log on to ENM again, using
the given credentials.
