eSight V300R009C00 Operation Guide 10

User Authorization

User authorization specifies who can perform what operations on which objects. The operations that users can perform on objects vary according to their rights.

Basic concepts

Figure 3-2 shows the rights elements: objects and operations.

Figure 3-2 Rights elements

Authorization is the function of assigning eSight operation rights to users. eSight assigns rights to users by adding the users to roles.

After some operations and objects are allocated to a role, the role has the rights of the operations on the objects. If a user is added to the role, the user has the rights of the role.

The operation rights required vary by task. The operation rights in the major eSight function scenarios are as follows.

Table 3-2 Operation rights in function scenarios

| Function Scenario | Operation Rights |
|---|---|
| Resource access | Access Resource, Configure Protocol Template, Edit Group, View Group |
| User management | User Management |
| Topology monitoring | Modify Topology |
| Alarm monitoring | Alarm Settings, Browse Current Alarms, Browse Historical Alarms, Browse Events, Browse Masked Alarms, Clear alarms, Acknowledge and unacknowledge alarms |
| Lower-layer NMS monitoring | Lower-Layer NMS, Modify Topology, Browse Current Alarms |
| Notification server and notified group setting | SMS Settings, User Group Settings, Email Server Settings |
| License management | License Management, Update License, Revoke License |
| Database overflow dump setting | Database Overflow Dump |
| Log management | Log Management |

A user with the User Management right can add, delete, and modify users, roles, regions, account policies, password policies, client IP address policies, and login time control policies. In addition, the user can disable and enable users and forcibly log out other logged-in users (including the admin user) on the View Online User page.

Application Scenario

The eSight can manage the devices in an office in a centralized manner. The devices in the office are allocated to two user-defined object groups by region, namely, city A and city B, and monitored and maintained by different engineers. To help the engineers to monitor and maintain the devices by using the eSight, you need to assign accounts and rights for them.

Figure 3-3 shows the network diagram in the current scenario.

Figure 3-3 Rights- and domain-based network diagram

Preparing for Authorization

Complete the following tasks before authorization:

  • Create subnets and device groups so that authorization can be assigned to users by subnet or device group. In this scenario, you can plan two groups (city A and city B) to centrally monitor and maintain the devices in the groups.
  • Connect devices so that management rights can be assigned by device.
  • Set an account security policy, including the account policy, password policy, and idle time setting.

Authorization Plan

Plan authorization to improve the efficiency in assigning and maintaining rights.

Based on role responsibilities, the following three roles are planned.

Table 3-3 Role planning

| Role | Responsibility | Managed Object | Operation Rights |
|---|---|---|---|
| Administrators | Performs operation and maintenance operations on the devices in city A and city B. | Devices in city A and city B | Has the default operation rights of the eSight administrator. |
| Alarm monitor of City A | Monitors alarms of the devices in city A. | Devices in city A | Browse Current Alarms, Browse Masked Alarms, Browse Historical Alarms, Browse Events |
| Alarm monitor of City B | Monitors alarms of the devices in city B. | Devices in city B | Browse Current Alarms, Browse Masked Alarms, Browse Historical Alarms, Browse Events |

Based on user responsibilities, the following three users are planned.

Table 3-4 User planning

| User Name | Role | Initial Password | Access Control Policy |
|---|---|---|---|
| Operator_AB | Administrators | ps_OperatorAB | The allowed login time is not limited. The allowed login IP addresses range from 10.10.10.1 to 10.10.10.9. |
| Alarm_Monitor_A | Alarm monitor of City A | ps_AlarmMonA | The allowed login time is not limited. The allowed login IP addresses range from 10.10.10.1 to 10.10.10.9. |
| Alarm_Monitor_B | Alarm monitor of City B | ps_AlarmMonB | The allowed login time is not limited. The allowed login IP addresses range from 10.10.10.1 to 10.10.10.9. |

Configuration Procedure

Configure user rights on the eSight according to the plan results.

  1. Create two groups, city A and city B. Choose Resource > Common from the main menu.
  2. Choose Resources Group > Group Management in the navigation area on the left.

    Assign devices by group to users to improve authorization efficiency.

  3. Create alarm monitoring roles for city A and city B respectively, and assign the management rights and operations for the roles. Choose System > System Management > User Management from the main menu. In the navigation tree on the left, choose Role.
    NOTE:
    • The administrator role is a default eSight role. Its default object group covers all devices, and it has all operation rights. Therefore, you do not need to create an object group for the operator role.
    • When you set the basic information for roles during initial authorization, no users other than the admin user have been created yet. Therefore, you do not need to select the users to assign to the roles.
    • When maintaining rights, update the users assigned to a role when employees transfer. Specifically, in the Selected Users list on the right of the role change page, search for and delete users.
    • The Open API user group role can call only open APIs. The Open API user group role is assigned to OpenAPI users and does not take effect if it is assigned to common users. Users in the Open API user group have the operation rights on all managed objects. The number of users in the Open API user group must be controlled to prevent permission abuse.

      OpenAPI users log in through open APIs to interwork the eSight with third-party systems.

  4. Create users Operator_AB, Alarm_Monitor_A, and Alarm_Monitor_B. Choose System > System Management > User Management from the main menu. In the navigation tree on the left, choose User.
    NOTE:
    • When creating a user, you can record personal data, such as phone number and email address. You are obligated to take considerable measures, in compliance with the laws of the countries concerned and the user privacy policies of your company, to ensure that the personal data of users is fully protected.
    • Personal data such as phone numbers and email addresses are anonymized in the eSight GUI and encrypted in the eSight during batch data transmission to ensure data security.

    Assign roles to the users so that they have the related management rights. Specify an access control policy to restrict the login time and IP addresses. This ensures account security.

When the preceding configuration is complete, you can provide the accounts to related personnel.
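
The plan in Tables 3-3 and 3-4 can be checked before the accounts are handed over. The following is an added example, not eSight code or an eSight API: it models the planned roles, users and login IP range as constructed Python data and evaluates the two decisions the plan implies (may this client IP log in, and does a role grant this operation on this device). The device names `sw-a-01` and `sw-b-01` and all function names are hypothetical.

```python
import ipaddress

# Constructed model of Tables 3-3 and 3-4; not an eSight export or API.
ALARM_VIEW = {"Browse Current Alarms", "Browse Masked Alarms",
              "Browse Historical Alarms", "Browse Events"}
ALL = "*"  # stands in for the administrator role's default rights and objects
ROLES = {
    "Administrators": {"groups": ALL, "operations": ALL},
    "Alarm monitor of City A": {"groups": {"city A"}, "operations": ALARM_VIEW},
    "Alarm monitor of City B": {"groups": {"city B"}, "operations": ALARM_VIEW},
}
LOGIN_RANGE = ("10.10.10.1", "10.10.10.9")
USERS = {
    "Operator_AB": {"roles": ["Administrators"], "ip_range": LOGIN_RANGE},
    "Alarm_Monitor_A": {"roles": ["Alarm monitor of City A"], "ip_range": LOGIN_RANGE},
    "Alarm_Monitor_B": {"roles": ["Alarm monitor of City B"], "ip_range": LOGIN_RANGE},
}
DEVICE_GROUP = {"sw-a-01": "city A", "sw-b-01": "city B"}  # hypothetical devices


def login_allowed(user, client_ip):
    """Client IP address policy: inclusive range; anything unparsable is denied."""
    account = USERS.get(user)
    if account is None:
        return False
    try:
        ip = ipaddress.ip_address(client_ip)
        low, high = (ipaddress.ip_address(a) for a in account["ip_range"])
        return low <= ip <= high
    except (ValueError, TypeError):  # malformed address or IPv4/IPv6 mismatch
        return False


def is_authorized(user, operation, device):
    """Grant only if one role of the user covers both the operation and the object."""
    group = DEVICE_GROUP.get(device)
    if group is None or user not in USERS:
        return False
    for role in (ROLES[name] for name in USERS[user]["roles"]):
        op_ok = role["operations"] == ALL or operation in role["operations"]
        obj_ok = role["groups"] == ALL or group in role["groups"]
        if op_ok and obj_ok:
            return True
    return False


def users_with_right(operation, device):
    """Review helper: every planned user who holds this right on this device."""
    return sorted(u for u in USERS if is_authorized(u, operation, device))
```

Running `users_with_right` for each sensitive operation (for example User Management) against each device gives a quick review list of who holds that right under the plan.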

Updated: 2019-09-07

Document ID: EDOC1100011877
