Managing User Security: Roles and Scopes




CHAPTER 10

These topics describe how Cisco ANA implements a two-dimensional security engine combining a role-based security mechanism with scopes (groups of NEs) that are granted to users. In addition, it describes managing users in the Cisco ANA platform, including defining users and passwords.

- Overview of User Authentication and Authorization
- Steps for Setting Up Users and Scopes
- Creating and Managing Scopes
- Managing User Accounts and Controlling User Access
- Deleting a Cisco ANA User Account
- Changing a User's Cisco ANA Password

Overview of User Authentication and Authorization

Cisco ANA uses a combination of methods to manage user authentication and authorization:

- User authentication can be managed locally by Cisco ANA or externally by an LDAP application. Either method can be used to validate user accounts and passwords, thus controlling who can log in to Cisco ANA. If you use Cisco ANA, user information and passwords are stored in the Cisco ANA database. If you use an external LDAP application, passwords are stored on the external LDAP server. See External Authentication, page 10-2.
- User authorization is managed through a combination of user access roles and scopes:
  - User access roles control the actions a user can perform in the Cisco ANA GUI clients. When a user's account is created, the user is assigned an access role that determines the user's default permissions. For more information, see User Access Roles and Default Permissions, page 10-2.
  - Scopes are groups of network elements that are created by administrators. Once a scope is created, you can assign it to users. A user's default permissions determine the actions the user can perform on the NEs in the scope. These actions are referred to as the user's security level on that scope. If desired, you can assign the user a more strict user access role for a scope. For more information, see Device Scopes, page 10-3.

Cisco ANA determines whether a user is authorized to perform a task as follows:

- For GUI-based tasks (tasks that do not affect devices), authorization is based on the default permission that is assigned to the user's account.
- For device-based tasks (tasks that do affect devices), authorization is based on the device scope assigned to the user's account; that is, whether the device is in the user's assigned scopes and whether the user meets the minimum security level for that scope.

User authorization information (roles and scopes) is always stored in the Cisco ANA database. The external LDAP server, if used, only stores passwords.

External Authentication

External authentication means that user authentication and passwords are validated by an external application, rather than by Cisco ANA. When Cisco ANA performs the authentication, Cisco ANA validates users by checking information that is saved in the Cisco ANA database. If you use an LDAP application, the information is validated by the external LDAP server.

If Cisco ANA is using external authentication and cannot communicate with the LDAP server, the only user permitted to log back into Cisco ANA is root. This is because root is the LDAP emergency user, and is validated only by Cisco ANA. The root user can then log in to Cisco ANA, change the authentication method to local, and edit user accounts so that those users can subsequently log in.

Cisco ANA uses LDAP version 3. If you want to use external authentication, you must do the following:

- Perform the necessary installation prerequisites. See the Cisco Active Network Abstraction 3.7.1 Installation Guide.
- Configure Cisco ANA so that it can communicate with the LDAP server. See Using an External LDAP Server for Password Authentication, page 6-10.

If you are switching from external authentication to Cisco ANA authentication, you can import the user information from the LDAP server into Cisco ANA. That procedure is described in the Cisco Active Network Abstraction 3.7.1 Installation Guide.

User Access Roles and Default Permissions

User access roles control the actions a user is authorized to perform in Cisco ANA. Cisco ANA provides five predefined security access roles that you can grant to users to enable system functions (see Table 10-1).

Table 10-1 User Access Roles

Viewer: Views the network, links, events, and inventory. Has read-only access to the network and to nonprivileged system functions.
Operator: Performs most day-to-day business operations such as managing alarms, manipulating maps, viewing network-related information, and managing business attachments.
OperatorPlus: Manages the alarm lifecycle.
Configurator: Performs tasks and tests related to configuration and activation of services, through Command Builder, Configuration Archive, NEIM, and activation commands.
Administrator: Manages the Cisco ANA system and its security using the Cisco ANA Manage GUI.

User access roles are used in two ways: for default permissions and for device scope security levels. When you create a user account, you assign one user access role to the account. This role determines the user's default permissions, which in turn determine the GUI-based functions the user can perform (those that do not affect devices). The device-based operations (that do affect devices) the user can perform are controlled by the user's assigned device scopes.

When a new user is defined as an Administrator, this user can perform all administrative actions, including opening all maps, working with all scopes, and managing the system using Cisco ANA Manage. These activities are performed with the highest privileges. Cisco ANA Manage supports multiple administrators.

Once a user account is created, you can assign a device scope to the account. The device scope controls which devices a user can access, and the actions they can perform on those devices. For more information, see Device Scopes, page 10-3.

Device Scopes

Device scopes are groups of managed NEs. Users can only access devices when a device scope has been assigned to their account. In this way, you can control the devices a user can access. Furthermore, you can designate a security level (user access role) within each scope that controls the actions users can perform on those NEs. (The GUI-based operations, which do not affect devices, are controlled by the user's default permissions.)

Cisco ANA provides a predefined scope called All Managed Elements, which cannot be edited. It has these characteristics:

- The scope includes all network elements (as the name implies).
- This scope is automatically assigned to user accounts with Administrator privileges when the accounts are newly created. This is done by default. If necessary, you can edit the scope to have fewer privileges, or even delete it completely, which would give the Administrator full access to all GUI functions that do not affect devices.
- The scope can be assigned to non-administrator user accounts, but with lower privileges. For example, for an account with OperatorPlus privileges, you could assign the All Managed Devices scope to the account, but the highest available security level would be Configurator.
- Whenever the All Managed Elements scope is assigned to an Administrator (either when the Administrator account is created or after increasing a user's privileges to Administrator role), the scope has a unique (and recognizable) security level called Special. The Special security level is equivalent to the Administrator security level and grants the Administrator user complete access to the network devices.
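The two authorization rules described above (default permission for GUI-based tasks, scope membership plus security level for device-based tasks) can be modeled as follows. This is an added example, not Cisco ANA code; it assumes the five roles form a strict hierarchy in the order of Table 10-1 and that the highest level applies when several assigned scopes contain a device. The device names and the PE-NY scope are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """The five predefined user access roles, lowest to highest.

    Assumption: the roles form a strict hierarchy in the order of Table 10-1.
    """
    VIEWER = 1
    OPERATOR = 2
    OPERATOR_PLUS = 3
    CONFIGURATOR = 4
    ADMINISTRATOR = 5


@dataclass
class User:
    name: str
    default_role: Role                                # default permissions (GUI-based tasks)
    scope_levels: dict = field(default_factory=dict)  # scope name -> security level (Role)


def authorize_gui(user, required):
    """GUI-based task (does not affect devices): only the default permission counts."""
    return user.default_role >= required


def authorize_device(user, scopes, device, required):
    """Device-based task: the device must be in a scope assigned to the user, and
    the user's security level on that scope must meet the minimum for the task.

    Assumption: if several assigned scopes contain the device, the highest
    security level among them applies. Returns (allowed, reason).
    """
    levels = [level for scope_name, level in user.scope_levels.items()
              if device in scopes.get(scope_name, frozenset())]
    if not levels:
        return False, "device is not in any scope assigned to the user"
    best = max(levels)
    if best < required:
        return False, f"security level {best.name} is below required {required.name}"
    return True, f"allowed at security level {best.name}"


def scope_overrides(user):
    """Scopes whose security level exceeds the user's default permission.

    These are the assignments to look at first in an access review.
    """
    return sorted(name for name, level in user.scope_levels.items()
                  if level > user.default_role)


# Constructed sample data: scope name -> set of NE names.
SCOPES = {
    "CE-SJ": frozenset({"ce-sj-1", "ce-sj-2"}),
    "PE-NY": frozenset({"pe-ny-1"}),
}
# Operator by default, Configurator on scope CE-SJ.
JOHN = User("john", Role.OPERATOR, {"CE-SJ": Role.CONFIGURATOR})
# A newly created account has no scopes assigned.
NEW_USER = User("newuser", Role.VIEWER)

if __name__ == "__main__":
    print(authorize_gui(JOHN, Role.CONFIGURATOR))
    print(authorize_device(JOHN, SCOPES, "ce-sj-1", Role.CONFIGURATOR))
    print(authorize_device(JOHN, SCOPES, "pe-ny-1", Role.VIEWER))
    print(authorize_device(NEW_USER, SCOPES, "ce-sj-1", Role.VIEWER))
    print(scope_overrides(JOHN))
```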

Note that a device scope can override a GUI user access role. Here is an example:

1. John has the Operator user access role (his default permission) for GUI operations.
2. John has the Configurator role for the device scope CE-SJ.

John can perform Configurator operations on any devices in the device scope CE-SJ, even though his default permission is the Operator user access role.

Table 10-2 describes the actions a user can perform in the GUI clients or in a scope, based on each user access role.

Table 10-2 Scope and GUI Functions Permitted According to User Access Roles

User Access Role: Administrator, Configurator

GUI-Based Actions Permitted to Users with This Role:
- Administrators are the only ones that can perform actions in Cisco ANA Manage, which means managing:
- Gateways, units, AVMs, VNEs.
- Event notifications.
- Global settings: Database segments, event management settings, polling groups, protection groups, service disclaimers, report settings, and security settings (including user authentication method and password rules).
- Device scopes.
- User accounts.
- Manage static topology links.
- Workflow templates and workflows.
- Administrators are the only ones that can perform event management actions in Cisco ANA EventVision.
- Map management: Manage the maps that users are allowed to access.
- Map management: Create maps.
- Advanced tools: Ping and Telnet an NE directly from the client.
- Enable and disable port alarms.
- Cisco ANA Command Builder.

Device Based (Scope) Actions Permitted to Users with This Role:
- All
- Activation services: Add and publish activation commands on managed NE (regardless of whether the NE is inside or outside the Configurator's scope)

User Access Role: OperatorPlus, Operator, Viewer

GUI-Based Actions Permitted to Users with This Role:
- Map management: Create new maps and add NEs. Edit, delete, and rename maps. Save maps.
- Map manipulation: Create and break aggregations. Change map layout. Set background image. Create business links.
- Map manipulation: Create and delete business tags.
- Application: Log into Cisco ANA NetworkVision. Change user password (if using local authentication). View the device list. View map. View link properties. Use table filter. Export from any table.

Device Based (Scope) Actions Permitted to Users with This Role:
- Map manipulation: Create business tags for NEs.
- Display network information: Include path tool traffic, rates, drops, or any dynamic data.
- Display network information: Refresh port information from NE.
- Display network and business tag information: View alarm list and alarm properties, and find alarms. Find and view attachments. View NE properties and inventory. Calculate and view affected parties. Open port utilization graph.

Steps for Setting Up Users and Scopes

Follow these steps to set up user accounts and device scopes:

1. Install licenses. This allows you to control and monitor the number of client and BQL connections over a limited or unlimited period of time based on the client licenses installed. For more information, see Cisco ANA Licensing, page 2-1.
2. Configure external authentication if you want to use an external LDAP server to store passwords and authenticate users. For more information, see Using an External LDAP Server for Password Authentication, page 6-10.
3. Define scopes. This enables you to group specific managed NEs so that users can view and manage those NEs based on their individual user role. For more information, see Creating and Managing Scopes, page 10-6.

4. Define Cisco ANA user accounts. This enables you to define and manage user accounts, including the maps the user can access. For more information, see Managing User Accounts and Controlling User Access, page 10-8.
5. Grant scopes and roles to users. This enables you to manage general user account information, the list of scopes assigned to each user, and security access roles per scope. For more information, see Changing User Information and Disabling Accounts (General Tab), page 10-10.

Creating and Managing Scopes

Cisco ANA Manage enables you to group specific managed NEs so that users can view and manage those NEs based on their user role or permission. After a scope is created, it can be assigned to a user. Multiple scopes can be assigned to a single user and a single scope can be assigned to multiple users. When the scope is assigned to a user, you must provide the user with security access roles that define the user's role within the assigned scope. See Changing User Information and Disabling Accounts (General Tab), page 10-10.

These topics explain how to manage scopes:

- Creating a Scope
- Editing and Viewing Scope Properties
- Deleting Scopes

Creating a Scope

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To create a scope:

Step 1 Select Scopes in the Cisco ANA Manage window.
Step 2 Open the New Scope dialog box in one of the following ways:
  - Right-click Scopes, then choose New Scope.
  - Choose File > New Scope.
  - Click New Scope in the toolbar.
Step 3 In the Scope field, enter a name for the scope.
Step 4 Specify the devices to include in the scope:
  - To add devices to the scope, select the required devices from the Available Devices list and then click Add All or Add Selected to move the devices to the Active Devices list.
  - To remove devices from the scope, select the devices in the Active Devices list and then click Remove Selected or Remove All to move the devices to the Available Devices list.
  Note: You can select multiple devices by using the Ctrl key.
Step 5 When the Active Devices list includes the required devices for the scope, click OK. The scope is saved and is displayed in the content area.

Editing and Viewing Scope Properties

Cisco ANA Manage enables you to edit or view the details of a scope.

To edit or view scope properties:

Step 1 Select Scopes in the navigation pane.
Step 2 Select the scope that you want to edit or view in the content area.
Step 3 Open the Properties dialog box for the scope in one of the following ways:
  - Right-click the scope, then choose Properties.
  - Choose File > Properties.
  - Click Properties in the toolbar.
  For more information about the Properties dialog box, see Creating and Managing Scopes, page 10-6.
Step 4 Edit and view the properties as required.
Step 5 Click OK.

Deleting Scopes

When a scope is deleted, it is deleted from all users who have the assigned scope.

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To delete a scope:

Step 1 Select Scopes in the navigation pane.
Step 2 Select the scope that you want to delete in the content area.
  Note: You can select multiple scopes by using the Ctrl key.
Step 3 Right-click the scope, then choose Delete. The scope is deleted and is removed from the content area.

Managing User Accounts and Controlling User Access

The Users windows enable you to define and manage user accounts. This includes managing general user information as well as security access rights and forced login changes, as required. You can also monitor a user's last login time.

Configuring a new user account in Cisco ANA involves these steps:

1. Create the user account and assign the default permissions that will control the user's access to GUI functions. See Creating User Accounts and Assigning Default Permissions, page 10-8.
2. (Optional) Specify the maximum number of client connections and when the user must change their password. See Changing User Information and Disabling Accounts (General Tab), page 10-10.
3. Apply scopes and scope permissions that will control the user's access to network elements. See Controlling User Permissions and Access to Scopes (Security Tab), page 10-11.
4. (Optional) Control which existing maps a user can access. This feature is disabled by default, and users can only access the maps they create after their user account is enabled. To enable this feature and configure user access to existing maps, see Controlling User Access to Maps (Maps Tab), page 10-12.

Creating User Accounts and Assigning Default Permissions

A new user is created with the following predefined system defaults:

- No scopes are assigned to the user.
- The number of connections is unlimited.
- The password must be changed every 30 days.
- The maximum number of login attempts is 5.

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To define a user account:

Step 1 Select Users in the Cisco ANA Manage window.
Step 2 Open the New User dialog box in one of the following ways:
  - Right-click Users, then choose New User.
  - Choose File > New User.
  - Click New User in the toolbar.
Step 3 Enter the information required to define a new user:

  User Name: Enter the new user's name to be used for logging in.
    Note: The username is unique and can contain a maximum of 20 characters. Special characters cannot be used.
  Full Name: (Optional) Enter the full name of the user.
    Note: Valid entries contain a maximum of 20 characters; special characters cannot be used.
  Description: (Optional) Enter a free text description of the user.
  External user only: If checked, Cisco ANA will only let the user log in if the user's password can be validated by an external LDAP server. The password fields are disabled. (If external authentication is being used, the box is checked by default. See Using an External LDAP Server for Password Authentication, page 6-10.)
  Password: Enter the new Cisco ANA password, which is then stored in the Cisco ANA database. (This field is disabled if the Non-ANA Authentication Only check box is checked.) Passwords must adhere to the global password rules set by the administrator (see Setting Global Password Rules, page 6-16).
  Confirm password: Reenter the new Cisco ANA password.
  Role: In the drop-down list, choose the security access role that will be the user's default permissions.
    Note: The permission applies only to activities or actions that are not related to an NE. For more information on the functionality that a user can perform, see User Access Roles and Default Permissions, page 10-2.
  Force password change at next login: This check box is checked by default and forces the user to change the user password when they next log in. (This field is disabled if the Non-ANA Authentication Only check box is checked.)

Step 4 Click Create. The new username and default security access role are displayed in the content area.

The basic user account is created. To verify your settings, see Changing User Information and Disabling Accounts (General Tab), page 10-10. The user will not be able to see any network elements until you assign a scope to the user. See Controlling User Permissions and Access to Scopes (Security Tab), page 10-11.

Changing User Information and Disabling Accounts (General Tab)

After you create a user account, when you view the user properties and select the General tab, you will see the information you entered when the account was created. You can further refine the account by controlling the number of GUI client connections for the user, or forcing them to change their password after a certain time. You can also disable or reenable a user account using the following procedure.

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To view or edit general user information:

Step 1 Select Users in the Cisco ANA window.
Step 2 Right-click the required user, then choose Properties. The Properties dialog box is displayed with the General tab selected by default.
Step 3 Edit the general properties as required:

  User Name: The current username. The username cannot be modified.
  Last Login: The date and time that the user last logged in.
  Full Name: The user's full name.
  Description: A description of the user.
  Enable account: Check this check box to enable the user account, or uncheck the check box to disable the user account. The user account is automatically locked when the number of logins defined is exceeded (the Limit Connections to option is enabled). It is also locked if the user account is not active for a certain number of days, as configured in the Global Settings branch (see Automatically Disabling Accounts for Inactive Users, page 6-17); by default, this period is 30 days. You can manually lock or unlock a user's account at any time. A user whose account is locked cannot log into the system.
  External user only: If checked, Cisco ANA will only let the user log in if their password can be validated by an external LDAP server. The passwords entered in the Password field in this dialog box will be disabled, and the user will not be able to log in even if Cisco ANA switches back to local authentication. (If external authentication is being used, the box is checked by default. See Using an External LDAP Server for Password Authentication, page 6-10.) If you uncheck this check box, Cisco ANA prompts you for a new password that will be used for local authentication. The password is stored in the Cisco ANA database, and the Force Password fields become active.
  Limit connections to: The number of Cisco ANA client sessions that the user can be running at any one time.
  Force password change after days: If checked, it forces the user to change their password after a specific number of days. Uncheck this check box to allow the user to retain their current password indefinitely. If you check the check box, enter the number of days after which the user is forced to change their password. (This field is disabled if the Non-ANA Authentication Only check box is checked.)
  Force password change at next login: Check this check box to force the user to change their user password when they next log in. You can set this option at any time. (This field is disabled if the Non-ANA Authentication Only check box is checked.)

Step 4 Click Apply to accept your entries.
Step 5 Click OK to close the Properties dialog box or click the Security tab to assign scopes to the user. (See Controlling User Permissions and Access to Scopes (Security Tab), page 10-11 for more information.)

Controlling User Permissions and Access to Scopes (Security Tab)

The Security tab enables you to manage the user's capability to view and manage applications and NEs by applying user scopes and security access roles. Users cannot view any network elements until a scope is assigned to them. The scopes, and the level of access to the network elements, are controlled by the settings you specify in the following procedure.

Note: A user can have different security access roles for different scopes.

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To assign a scope and security level to a user:

Step 1 Select the Users branch in Cisco ANA.
Step 2 Right-click the required user, then choose Properties.
Step 3 In the User Properties dialog box, click the Security tab.
Step 4 In the Default drop-down list, choose the default security level for the user. By default, a new user is assigned the viewer security access role. The level that you select here is the value displayed in the ANA Users table.
Step 5 Click Add to add a scope to the active rights of the user.

Step 6 In the Security Level dialog box, choose the required scope and the appropriate security level within this scope for the user:

  Available Scopes: Lists all predefined and unassigned scopes.
  Security Level: Displays the security access roles for the defined scopes. For more information, see Device Scopes, page 10-3.

Step 7 Click OK. The scope is added to the list of Active Rights in the Security tab.
Step 8 Click Apply, then OK.

Controlling User Access to Maps (Maps Tab)

You can use the Maps tab to control user access to existing maps.

Note: This feature is disabled by default. When logging in to Cisco ANA NetworkVision, new users do not have permission to view any existing maps; they can only access maps they create going forward. However, administrators can assign existing maps to new users by enabling this feature and manually assigning the maps.

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To enable this feature:

Step 1 Log into the gateway as anauser (where anauser is the UNIX account for the Cisco ANA application, created when Cisco ANA is installed; an example of anauser is ana37), and change to the $ANAHOME/Main directory:

    # cd $ANAHOME/Main

Step 2 Run the following command (which is one line):

    # runregtool.sh -gs 127.0.0.1 set 0.0.0.0 site/mmvm/services/securitymanager/map-security-enabled true

Step 3 When the gateway server returns a success message, restart the gateway.

To assign maps to a user (after enabling the feature):

Step 1 Select Users in the Cisco ANA window.
Step 2 Right-click the required user, then choose Properties. The User Properties dialog box is displayed.
Step 3 Click the Maps tab. The Maps tab is divided into two parts:
  - The left side displays a list of all available maps in the database that have not been assigned to the user.
  - The right side displays all maps that have been assigned to the user and that the user can open and manage in Cisco ANA NetworkVision.

  The following buttons are displayed between the available maps and assigned maps lists in the Maps tab:
  - Moves the selected map to the Assigned Maps list.
  - Moves the entire available map list to the Assigned Maps list.
  - Removes a selected map from the assigned map list to the Available Map list.
  - Removes the entire assigned map list to the Available Map list.
Step 4 Choose a map from the list of Available Maps, then click the required button to add the map to the list of Assigned Maps to the user.
  Note: You can select multiple rows by using the Ctrl key.
Step 5 Choose and move maps between the two lists, as required, using the appropriate buttons.
Step 6 Click OK to confirm the user's assigned maps.

Deleting a Cisco ANA User Account

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

To delete a user account:

Step 1 Select Users in the Cisco ANA window.
Step 2 In the content area, select the user account that you want to delete.
  Note: You can select multiple rows by using the Ctrl key.
Step 3 Right-click the user, then choose Delete. The selected user is deleted, and is not displayed in the content area.

Changing a User's Cisco ANA Password

You can use Cisco ANA Manage to change a user's Cisco ANA password at any time. Passwords must adhere to the global password rules set by the administrator (see Setting Global Password Rules, page 6-16).

The following procedures apply only if you are using Cisco ANA to validate users. If you are using an external LDAP application to manage passwords, you must change the passwords in the LDAP server.

There are different procedures for administrators and for users, as described in the following.

You must have Administrator privileges (user access role) to use this and all other functions in Cisco ANA Manage.

Changing Passwords Procedure for Administrator

To change a user's password as an administrator:

Step 1 Select Users in the Cisco ANA window.
Step 2 In the content area, select the user whose password you want to change.
Step 3 Right-click the required user, then choose Change Password.
Step 4 Enter the new password in the Password and Confirm Password fields.
Step 5 Click OK. A confirmation message is displayed.
Step 6 Click OK.

Changing Passwords Procedure for Users

Cisco ANA Manage also enables the current user to initiate a change of password.

To change your password as a user:

Step 1 Choose Tools > Change User Password.
Step 2 Enter the old password in the Old Password field.
Step 3 Enter the new password in the New Password and Confirm Password fields.
Step 4 Click OK. A confirmation message is displayed.
Step 5 Click OK.