System Administrator O&M

Context

For commercial deployment with a contract, license files are generated based on the order. Onsite engineers obtain the licenses that are bound to ESNs, download the licenses, and load them on the system.

For a remote disaster recovery system. You only need to apply a license for the active iMaster NCE-WAN cluster. After the DR configuration is complete, the system automatically synchronizes the license to the standby iMaster NCE-WAN cluster.

Prerequisites

• You have obtained the authorization ID (LAC code), activation code, or project contract number.
• You have obtained the ESDP permission.

  ESDP defines five roles: guest, carrier GTS, enterprise GTS, TAC, and channel. The following table describes the permissions and license application methods of the five roles:

  Role	Permission	License Application Method
  Guest	Can only download and activate commercial licenses by using authorization passwords.	An end user can obtain the guest permission on the license website after applying for a Uniportal account on Huawei website. A Huawei employee can obtain the guest permission when accessing the license website through a W3 account.
  Carrier GTS	Can perform the following operations on all commercial licenses and temporary licenses: activation and downloading, ESN change, and maintenance.	A Huawei employee can submit a carrier GTS application form on the license website.
  Enterprise GTS		A Huawei employee can submit an enterprise GTS application form on the license website.
  TAC		A Huawei employee can submit a TAC application form on the license website.
  Channel	Can download, activate, and maintain all commercial licenses in the contracts and apply for temporary licenses.	The administrator of a certified channel needs to log in to the user management system of Huawei enterprise BG to apply for enhanced permission of license website for the employees of the channel.

Procedure

1. Choose System > Administrator > License Management on the home page.
2. Click Obtain ESN to obtain the ESN.

3. Log in to the Huawei ESDP (https://app.huawei.com/sdp/portal.html) and choose License Activation > Entitlement Activation to access the License Activation page.
4. On the page, search activation IDs based on the entitlement ID and select the desired ID.

5. Click Next and enter the ESN of the desired server.

6. Click Next and then Activate License.

7. Click Download to download the license file.

Context

A permanent license defines the number of devices that can be added in a resource item. For example, if the resource item of AR100 series devices is 100, iMaster NCE-Campus allows to add a maximum of 100 AR100 series devices. If there are more than 100 devices, the excess AR100 series devices cannot be added to iMaster NCE-Campus.

In enterprise-built private cloud scenarios, the system administrator directly imports global permanent license files when constructing the cloud management platform. Tenants do not need to purchase the license activation code from the MSP.

The system administrator can manage global permanent licenses only when the system administrator logs in to iMaster NCE-Campus for the first time and sets the license mode to Global Permanent Mode.

Prerequisites

The iMaster NCE-CampusInsight license file has been imported to iMaster NCE-Campus. Before interconnecting iMaster NCE-Campus to iMaster NCE-CampusInsight, you need to synchronize the iMaster NCE-CampusInsight license to iMaster NCE-Campus. For details, see Configuring Interconnection with iMaster NCE-CampusInsight.

Procedure

1. Choose System > Administrator > License Management on the home page.
2. To load a license file, click Upload License.

   In the Select License File dialog box, select the obtained license file. License files of iMaster NCE-Campus and iMaster NCE-CampusInsight can be uploaded. If iMaster NCE-Campus is interconnected with iMaster NCE-CampusInsight, you can upload the iMaster NCE-CampusInsight license through iMaster NCE-Campus.

   If the license fails to be loaded, the possible reasons are as follows:

   • The license file signature is incorrect.
   • The license file is tampered with.
   • The license file type is incorrect.
   • The license file size exceeds 50 KB.
   • The license is invalid or has expired.

   If the preceding errors occur, contact technical support engineers.

3. Click OK. The license file is loaded successfully. Click to view the detailed information about the loaded license file.
   • After a license is loaded successfully, you can view the software ID for SnS charging and authentication.
   • License expiration time recorded in the license file: indicates the expiration time of the license on iMaster NCE-Campus. After the license expires, it will become unavailable, for example, devices can no longer be managed by iMaster NCE-Campus.
   • License SnS expiration time recorded in the license file: indicates the expiration time of SnS (maintenance service and remote technical support). After SnS expires, Huawei stops providing maintenance services and remote technical support.

4. Click the License Information tab to view the license information.
   • Select NCE-Campus from the Product name drop-down list to view the detailed information about controller licenses.

   • Select CampusInsight from the Product name drop-down list to view the detailed information about iMaster NCE-CampusInsight licenses.

Follow-up Procedure

• Revoking a license

  When replacing the iMaster NCE-Campus server, you can revoke the license to ensure that the license can still be used on the new server.

  Click Revoke License to revoke the commercial license on the old iMaster NCE-Campus server. A revocation code is generated. You can use the revocation code and the ESN of the new iMaster NCE-Campus server to apply for a new commercial license on ESDP. Then, all resources in the revoked license are available for use.

  After you click in the Operation column for the desired license file, the commercial license enters the grace period which lasts two months. If you do not load a new license before the grace period ends, the license is automatically disabled and all devices are forced offline.

• Removing a license

  After you click in the Operation column for the desired license file, iMaster NCE-Campus enters a license-unloaded state.

  Only when no tenant under the system administrator has devices, you can remove the license.

Context

For licenses that cannot be redistributed: The system administrator directly imports license files, and tenants do not need to purchase the license activation code from the MSP.

The system administrator can manage and redistribute global subscription licenses only after logging in to iMaster NCE-Campus for the first time and setting the license mode to Global Subscription Mode. If Global Subscription Mode is selected, set License Redistribution to No.

Procedure

1. Choose System > Administrator > License Management on the home page.
2. Click Upload License and load the license. If iMaster NCE-Campus interconnects with iMaster NCE-CampusInsight, you need to import the license files of both iMaster NCE-Campus and iMaster NCE-CampusInsight.

   In the Select License File dialog box, select the obtained license and click OK.

   If the license fails to be loaded, the possible causes are as follows:

   • The license file signature is incorrect.
   • The license file is tampered with.
   • The license file type is incorrect.
   • The license file size exceeds 50 KB.
   • The license is invalid or has expired.

   If the preceding errors occur, contact technical support personnel.

3. Query license information.
   • Check the license resources.

     Statistics on the total license consumption can be collected by resource item.

   • Check the daily consumption of license resources.

     The daily consumption of license resources can be queried by date.

   • View the license import record. Click to view the detailed information about a license file.

     After a license is loaded successfully, you can view the software ID for SnS charging and authentication.

Follow-up Procedure

• Recalculate the expiration time.

  Click Recalculate Expiration Time to set resource items with different expiration time to the same expiration time for easy management. This operation is irreversible.

  The function of recalculating the expiration time can be used to integrate resources. For example, there are three types of license resource items, including AR100 series: 10 device-days with 5 yuan per device-day; AR1200 series: 20 device-days with 10 yuan per device-day; and indoor AP series: 20 device-days with 20 yuan per device-day. Assume that iMaster NCE-Campus manages 5 AR100 series devices and 10 AR1200 series devices. You can click Recalculate Expiration Time to integrate license resources. The formulas are as follows: 10 x 5 + 20 x 10 + 20 x 20 = 650, 5 x 5 + 10 x 10 = 125 (consumption of all devices in a day), 650/125 = 5 R 25 (remainder 25). Then the license resources of the AR100 and AR1200 series devices will expire in five days. The remaining 25 yuan will be added to the new license resource pool to be integrated in the next calculation.

  This function enables resource allocation to be more flexible. Expired resources can be integrated so that they can be used normally.

• Click Expiration Notification, enable Receive expiration notification, and configure the email addresses of recipients. Notification emails will be sent to the specified email addresses when a license is about to expire.
  • The system administrator must configure an email server before enabling Receive expiration notification. Otherwise, Receive expiration notification cannot be enabled. For details, see Configuring an Email Server.
  • A maximum of five email addresses can be configured. Email addresses need to be separated with line breaks.
  • If a license resource item is about to expire in less than 30 days, the system will send notification emails at 02:25 every day.
  • If license expiration notification is configured, the license expiration email is sent only to the email addresses specified in Notified object. In this case, you are advised to specify the email address of the tenant administrator in Notified object.

• Export or send a license usage report.
  • Export the license usage report. Click Export, and select CSV or HTML. The license usage report is exported into a CSV or HTML file.

  • Configure the system to send the license usage report immediately. Click Send Email, and select Immediately. On the Send Immediately page that is displayed, click Add, configure the email address to which the report needs to be sent, select the report format (CSV or HTML), and click . Set the fiscal year and date, and click OK. The license usage report is converted into an HTML or a CSV file and sent to the specified email address.

    The sent report records the license usage data of last calendar month. For example, if you configure the system to send the license usage report in July, the report recording the license usage data of June is sent.

    Before enabling Receive expiration notification, configure an email server. For details, see Configuring an Email Server.

  • Configure the system to send the license usage report periodically. Click Send Email and select Periodically. On the Send Periodically page that is displayed, set Export enabling to , specify the report name as well as the fiscal year and date, and click Add. Configure the email address to which the report needs to be sent, select the report format (CSV or HTML), and click . Select the report sending time, and click OK. The license usage report is converted into an HTML or a CSV file and sent to the specified email address.

Context

For licenses that can be redistributed: The system administrator can redistribute a license to an MSP administrator in package mode, and then the MSP administrator allocates license resources to tenants for refined license management.

The system administrator can manage and redistribute global subscription licenses only after logging in to iMaster NCE-Campus for the first time and setting the license mode to Global Subscription Mode. If Global Subscription Mode is selected, set License Redistribution to Yes.

By default, the system grants a one-year license resource for iMaster NCE-Campus and a 30,000 device-day subscription license resource. You need to purchase new license resources before the license expires to prevent service interruption.

Procedure

1. Import the license file.
   1. Choose System > Administrator > License Management on the home page.
   2. Click Upload License and load the license. If iMaster NCE-Campus interconnects with iMaster NCE-CampusInsight, you need to import the license files of both iMaster NCE-Campus and iMaster NCE-CampusInsight.

      In the Select License File dialog box, select the obtained license and click OK.

      If the license fails to be loaded, the possible causes are as follows:

      • The license file signature is incorrect.
      • The license file is tampered with.
      • The license file type is incorrect.
      • The license file size exceeds 50 KB.
      • The license is invalid or has expired.

      If the preceding errors occur, contact technical support personnel.

   3. Query license information.
      • Check the license resource control.

        Statistics on the total license consumption can be collected by resource item.

      • Check the daily consumption of license resources.

        The daily consumption of license resources can be queried by date.

      • View the license import record. Click to view the detailed information about a license file.

        After a license is loaded successfully, you can view the software ID for SnS charging and authentication.

2. Configure a license package.

   Click the License Package tab, click Create, select the device series contained in the license package, and click Apply.

   If iMaster NCE-Campus interconnects with iMaster NCE-CampusInsight, you need to configure license packages of both iMaster NCE-Campus and iMaster NCE-CampusInsight.

3. Allocate the package to the MSP.
   1. Click the MSP License tab. Click on the left of the MSP administrator to view the license status and resource consumption of the MSP.

   2. Click Create, click in the Package Name column to select a license package, and click OK.

   3. Configure the number of license resources (unit: device x day) and then click . The license package is allocated to the MSP.

   4. (Optional) Click to freeze the license package. The frozen license package cannot be redistributed or used. Click to change the number of resources in the license package. Click to delete an allocated package.

      Freezing or deleting a license package will cause the related devices to go offline. Therefore, exercise caution when performing these operations.

   5. (Optional) Click Disable Strategy and set Unified deactivation time and Longest Arrears (days) of the license package.

      The license will be deactivated either at the deactivation time set in Disable Strategy or the actual expiration time of the license, whichever is earlier.

4. Log in to iMaster NCE-Campus as an MSP and allocate license resources to tenants. For details, see Activating and Allocating Licenses (Global Subscription Mode + Enable License Redistribution).

Follow-up Procedure

Click Recalculate Expiration Time to set resource items with different expiration time to the same expiration time for easy management. This operation is irreversible.

The function of recalculating the expiration time can be used to integrate resources. For example, there are three types of license resource items, including AR100 series: 10 device-days with 5 yuan per device-day; AR1200 series: 20 device-days with 10 yuan per device-day; and indoor AP series: 20 device-days with 20 yuan per device-day. Assume that iMaster NCE-Campus manages 5 AR100 series devices and 10 AR1200 series devices. You can click Recalculate Expiration Time to integrate license resources. The formulas are as follows: 10 x 5 + 20 x 10 + 20 x 20 = 650, 5 x 5 + 10 x 10 = 125 (consumption of all devices in a day), 650/125 = 5 R 25 (remainder 25). Then the license resources of the AR100 and AR1200 series devices will expire in five days. The remaining 25 yuan will be added to the new license resource pool to be integrated in the next calculation.

This function enables resource allocation to be more flexible. Expired resources can be integrated so that they can be used normally.

Context

By default, the admin user has all rights.

To ensure system security, the admin user can create multiple sub-accounts and assign different rights to each sub-account based on the account role.

Prerequisites

• Configure global account policies.

  You can configure account policies to define the user name length and login rules to improve account security of iMaster NCE-Campus. Account policies have been configured on iMaster NCE-Campus by default and can be modified as required.

  Choose System > Administrator > Administrator from the main menu. Click Account Policy to configure global account policies.

• Configure global password policies.

  A simple administrator password can be easily cracked. To prevent this problem, configure password policies that define the complexity requirements of iMaster NCE-Campus administrator passwords, the password change interval, and the character limitation. Password policies have been configured on iMaster NCE-Campus by default and can be modified as required.

  Choose System > Administrator > Administrator from the main menu. Click Password Policy to set the global password policy.

  For security purposes, configure all password policies provided by iMaster NCE-Campus.

  If PCI authentication is required, modify account and password policies as follows:

  • Enable Disable unused accounts, and set Maximum number of consecutive idles days of account to 90. An account is disabled if the account has not logged in to the system at all for more than 90 days.
  • Set Invalid password monitoring period (min) to 30 in the Account Lockout Trigger Conditions area. In this case, if an account fails to log in to the system for five consecutive times within 30 minutes, the account is locked for 30 minutes.
  • Set Number of historical passwords that cannot be reused to 4.

• Roles have been created.

  If functional rights of existing roles in the system do not meet requirements, you can create new roles before creating accounts or workgroup.

  Choose System > Administrator > Administrator from the main menu, and click the Role tab. Click Create, and select functional rights to create a role.

  By default, a system administrator has following roles. These roles cannot be deleted or modified.

  • System administrator: The system administrator has the right to manage the iMaster NCE-Campus servers. This includes monitoring clusters and configuring the mail server, SMS server, and GIS map.
  • Operator: The operator manages system service running.
  • Open API operator: The open API operator owns the privilege of open API services and configurations.

Procedure

1. Choose System > Administrator > Administrator from the main menu.

   By default, the admin account is preset on iMaster NCE-Campus.

   admin: System administrator. When the admin user adjusts the account policy, password policy, and idle timeout policy, the account policy of the admin user is changed accordingly. The admin account cannot be modified or deleted. After logging in to iMaster NCE-Campus as the system administrator for the first time, change the initial password as prompted.

   The default username and password are available in iMaster NCE-Campus Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

2. Click Create, and set parameters on the Create User page.

   For security purposes, keep the password secure and change it periodically.

   • Manually configure a password when creating a user account.

     Set Password create mode to Manual and then set a password for the account. If Modify password first login is set to Yes, the user will be prompted to change the password when using this account to log in to iMaster NCE-Campus for the first time, and can successfully log in after changing the password.

   • Configure a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the user account.

     • If you choose to configure a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If the password for a user account is configured via email, the user does not need to change the password upon the first login to iMaster NCE-Campus.

     Parameter	Description
     Account	Login account of a newly created administrator.
     User type	LOCAL: Local users can log in to iMaster NCE-Campus only from the web UI. THIRD-PARTY SYSTEM ACCESS: A third-party system access user calls the northbound API /controller/v2/tokens to log in to iMaster NCE-Campus. NOTE: If the user type is Third-party system access, the user can log in to iMaster NCE-Campus only by API call. If the user type is Local, the user can log in to iMaster NCE-Campus only from the web portal. In an upgrade scenario, the user type is changed from Local or Third-party system access to Both. When the user type is Both, the user can log in to iMaster NCE-Campus either by API call or from the web portal.
     Password create mode	Mode in which a password is created. The options are Manual and Email.
     Password	Initial login password of the newly created administrator. NOTE: This parameter is displayed only when User Type is Local. If the password creation mode is set to Email, you must enter a valid email address. After the account is created, the system sends a link to the mailbox. You need to click the link to configure the account and password. In this mode, you do not need to change the password when you log in to iMaster NCE-Campus for the first time.
     Confirm password
     Modify password first login	Whether to change the password upon first time login.
     Mobile number	Phone number of an administrator, which is provided for easy and prompt contact by MSPs under the administrator. The email address can be used for password retrieval, receiving messages sent from the controller, and other purposes. Ensure that the mobile number is correct.
     Email address	Email address of an administrator, which is provided for easy and prompt contact by MSPs under the administrator. The email address can be used for password retrieval, receiving messages sent from the controller, and other purposes. Ensure that the email address is correct.
     Role	Selected the role from the drop-down list.

3. Click Next.
4. On the Managed Object page that is displayed, select the accounts to be managed by the system administrator, and click Next. By default, Select All Resources is disabled.

   The Select all resources parameter is configurable only the admin user creates a sub-administrator account.

   The created sub-account can create workgroups only when Select all resources is enabled.

5. On the Access Control page that is displayed, click Create, set the allowed IP address range, and click OK.

   After the IP address range is added, the account can use only an IP address within this range to log in to iMaster NCE-Campus. If no IP address range is added, the account can use any IP address to log in to iMaster NCE-Campus.

   After logging in to iMaster NCE-Campus using this account, choose System > System Management > Account Information from the menu. Configure the IP address range on the Access Control page.

6. Click OK.

Follow-up Procedure

• Modify the account information, reset the password, and disable/enable/ an account.
  1. Choose System > Administrator > Administrator from the main menu.
  2. In the Operation column, click to modify account information, click to reset the password, and click to disable the account. If the account has been disabled, click to enable the account.

• Delete an account.
  1. Choose System > Administrator > Administrator from the main menu.
  2. Select an account, and click Delete.

• Transfer workgroup administrator rights.

  If the administrator of a workgroup is changed, an upper-level administrator can transfer the corresponding rights to another administrator.

  Workgroup administrators can transfer their rights to the administrators created by themselves. Before transferring rights of a work administrator, ensure that the workgroup administrator has created an administrator account.

  • This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
  • If workgroup administrators remain online after their rights are transferred, they will be forced offline and has no rights.
  1. Choose System > Administrator > Administrator from the main menu. Click the User tab.
  2. Click Select, select the desired workgroup, and click OK.

     Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.

     The new account must be an administrator account created by the old workgroup administrator account.

     If the icon is moved to the right of the new administrator account, the rights are transferred successfully.

• Create a user group.

  To create a user group, choose System > Administrator > Administrator from the main menu. Click the User Group tab, and click Create to create a user group.

  User groups are used to interconnect iMaster NCE-Campus with third-party services, such as the Active Directory Federation Services (ADFS), NetIQ, LDAP server, AD server, and RADIUS server.

  Click Next to select objects to be managed by user groups.

  Only a user with administrator rights can configure user groups.

• Configure personal settings.

  Personal settings improve iMaster NCE-Campus access security. This function applies only to the current user.

  • Set the maximum number of concurrent online users.
    1. Choose System > System Management > Account Information from the menu.
    2. On the Basic Information page, click and set Max. concurrent users. Click Apply. The value 0 indicates there is no limit on the maximum number of concurrent online users.

  • Change the password.
    1. Choose System > System Management > Account Information from the menu.
    2. On the Basic Information page, click next to the password. In the dialog box that is displayed, set a new password.

  • Modify the login IP address range of the current account.

    Click Access Control tab. On the Access Control page, set the IP address range and click Create. If no IP address range is set, there is no limit on the login IP address range of the current account.

• Configure the idle timeout period.

  To prevent unauthorized users from using the administrator account while the administrator is away, set the idle timeout time. If an administrator does not perform any operation within the specified period, the account will be automatically logged out. To perform further operations after the account is logged out, the administrator must log in to iMaster NCE-Campus again.

  Choose System > Administrator > Administrator from the main menu, click Idle timeout setting, set the idle time, and click OK.

• Check online user management information.

  Choose System > Administrator > Administrator from the main menu, click Online user tab.

• Check whether you have signed a privacy statement.
  1. Choose System > System Management > Account Information from the menu.
  2. On the Basic Information page, check whether you have signed the privacy statement.
     • If Sign privacy statement is Not signed, you have not signed the privacy statement.
     • If Sign privacy statement is Signed, you have signed the privacy statement.
• Withdraw a privacy statement.
  To withdraw your consent to this privacy statement, click Cancel next to Sign privacy statement and click OK in the Warning dialog box that is displayed.

  You will be logged out if you withdraw the consent to the privacy statement. In addition, your mobile number and email address will be deleted from the controller. This may affect your login or password retrieval. Exercise caution when performing this operation.

Context

The sub-accounts and user roles created by the administrator are not isolated. Horizontal unauthorized operations may be performed, which brings security risks.

For example, the default root administrator account, who has the highest rights, creates account A and account B, and assigns the accounts to subordinate departments or partners, respectively. If both account A and account B have the account management and role management rights, account A and account B can modify and delete accounts and roles of each other.

To prevent horizontal unauthorized operations, you can configure a workgroup to isolate accounts and user roles created by administrators. Workgroups are configured a hierarchical tree structure, that is, upper-level workgroups grant rights to lower-level workgroups. Users in a workgroup can maintain accounts and roles in their own workgroup along with lower-level workgroups. Among workgroups at the same level, account permissions are isolated and data is invisible to each other.

To prevent horizontal unauthorized operations, the default root administrator can assign workgroup administrator accounts, instead of sub-accounts, to subordinate departments or branches.

• A maximum of five levels of workgroups can be created.
• Only the administrator of father workgroup can create sub-workgroups.
• The current user can configure an account policy and a password policy and set idle timeout settings only for the workgroup to which the user belongs but not for the sub-workgroups of the workgroup.

Procedure

1. Log in to iMaster NCE-Campus as the system administrator, choose System > Administrator > Work Group, click Create, set workgroup parameters, and click Next.
   Table 4-23 Basic information about a workgroup

   Parameter	Description
   Workgroup name	Name of a workgroup, which identifies the purpose of the workgroup.
   Number of users	Number of administrator accounts in a workgroup, including administrator accounts in the sub-workgroups of the workgroup.
   Number of workgroups	Number of sub-workgroups that can be created in a workgroup.
   Description	Workgroup description.
   Role	User roles of a workgroup administrator. By default, workgroup supports the following roles: System administrator, Operator, and Open API operator. The operation rights of these roles are: System administrator: The system administrator has the right to manage the iMaster NCE-Campus servers. This includes monitoring clusters and configuring the mail server, SMS Server, and GIS map. Operator: The operator manages system service running. Open API operator: The open API operator owns the privilege of open API services and configurations. When creating a workgroup, you need to use the administrator account to create role. Otherwise, Role cannot be selected when a sub workgroup is created for the workgroup.

2. Configure the workgroup administrator and click Next.

   For security purposes, keep the password secure and change it periodically.

   • Manually set a password when creating a user account.

     Set Password create mode to Manual. Then you can directly set a password when creating the account.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the account.

     • If you choose to create a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If a password is created via email, you do not need to change the password upon the first login to iMaster NCE-Campus.

3. Select managed objects, that is, the MSP administrators that can be managed by the workgroup, and then click OK.

4. Log in to iMaster NCE-Campus as the workgroup administrator.

Follow-up Procedure

• Modify a workgroup.
  1. Log in to iMaster NCE-Campus using the system administrator and choose System > Administrator > Work Group from the main menu.
  2. Click in the Operation column in the row of the target workgroup to modify the workgroup.

     You can modify only the level-1 sub-workgroups of the current user and cannot modify the workgroup to which the current user belongs or the workgroups of level 2 or higher.

• Delete a workgroup.
  1. Log in to iMaster NCE-Campus as the system administrator and choose System > Administrator > Work Group from the main menu.
  2. Select the target workgroup and click Delete.
     • Only sub-workgroups can be deleted, and the workgroup to which the current user belongs cannot be deleted.
     • Deleting a workgroup will delete information about sub-workgroups at all levels, as well as users, roles, and user groups of the workgroup.
     • Deleting a workgroup is a risky operation. Exercise caution when performing this operation.
• Transfer workgroup administrator rights.

  If the administrator of a workgroup is changed, an upper-level administrator can transfer the corresponding rights to another administrator.

  Workgroup administrators can transfer their rights to the administrators created by themselves. Before transferring rights of a work administrator, ensure that the workgroup administrator has created an administrator account.

  • This operation can only be performed on level-1 sub-workgroups of the workgroup to which the current user belongs and cannot be performed on the workgroups of level 2 or higher.
  • If workgroup administrators remain online after their rights are transferred, they will be forced offline and has no rights.
  1. Choose System > Administrator > Administrator from the main menu. Click the User tab.
  2. Click Select, select the desired workgroup, and click OK.

     Select a desired account and click Hand Over to enable this account to become the new workgroup administrator.

     The new account must be an administrator account created by the old workgroup administrator account.

     If the icon is moved to the right of the new administrator account, the rights are transferred successfully.

Context

When the system administrator creates an MSP administrator, the system collects information such as the email address and mobile number of the user, notifies the user that the information has been obtained, and asks for the user's authorization.

You can manage privacy statements online. For example, you can create, delete, modify, and query a privacy statement, query the privacy statement list, or publish a privacy statement as required.

By default, the privacy statement function is enabled on iMaster NCE-Campus. If this function is not required, you can disable it on the management plane. Privacy statements will become unavailable after this function is disabled. To disable the privacy statement function, perform the following steps:

1. Log in to the management plane.
2. Choose Product > Software Management > Deploy Product Software from the main menu, choose More > Modify Configurations, set

   supportSignPrivacystatement(supportSignPrivacystatement, use 'ON', or 'OFF to OFF), and click OK

   .

3. Click to check whether the configuration is successful.

Prerequisites

The administrator has the permission to create, release, modify, and delete a privacy statement.

Procedure

1. Choose System > Administrator > Privacy Management from the main menu.
2. Click Create. On the Create Privacy Statement page, set the name, version, and content of the privacy statement.

   A privacy statement can be in the draft or released state. A privacy statement in the released state cannot be released again.

3. Click OK. The privacy statement is created.
4. Click in the Operation column of the desired privacy statement. In the Warning dialog box that is displayed, click OK to release the latest privacy statement.

   If a privacy statement with the same name has been published, set the version number to a value greater than that of the published one.

Related Operations

Follow-up Procedure

When creating an MSP administrator, the system administrator configures that the MSP administrator has to sign the privacy statement.

• MSPs for which a privacy statement has been configured must sign the privacy statement as prompted when they log in to iMaster NCE-Campus. Otherwise, the login will fail.
• After a privacy statement is in released state, the privacy statement version of the MSP who is using the privacy statement with the same name will change to the latest version. When the MSP logs in to the system, the MSP needs to sign the latest privacy statement.

Context

A system administrator does not directly provide services to tenants. Instead, an MSP provides services to tenants. Therefore, you need to create an MSP and the MSP administrator first. The MSP is responsible for providing cloud managed devices and cloud network services to tenants. After a tenant applies for managed services from an MSP, the MSP can use iMaster NCE-Campus to query the device status and maintain devices on the tenant network.

Prerequisite

• You can set the authentication mode to Username/Password or Username/Password + SMS verification code when you log in to iMaster NCE-Campus as an MSP administrator. If SMS two-factor authentication is required, configure an SMS server in advance according to Configuring an SMS Server.
• A privacy statement has been created. For details, see Managing Privacy Statements. MSP administrators for which a privacy statement has been configured must sign the privacy statement as prompted when they log in to iMaster NCE-CampusiMaster NCE-WAN. Otherwise, the login will fail.

Procedure

1. Log in to iMaster NCE-Campus as the system administrator.
2. Access the MSP Management menu.

   Choose MSP Management > MSP Management > MSP Management.

3. Click Create.
4. On the MSP Information tab page, configure MSP information. If the authentication mode is set to Username/Password + SMS verification code, set the mobile number for receiving SMS messages. You need to create a privacy statement in advance. For details, see Managing Privacy Statements. MSP administrators for which a privacy statement has been configured must sign the privacy statement as prompted when they log in to iMaster NCE-Campus. Otherwise, the login will fail.

   If Username/Password + SMS verification code is configured, the SMS verification code must meet the following requirements:

   • The validity period of a verification code is 5 minutes. If the validity period exceeds 5 minutes, you need to obtain a new verification code.
   • You cannot obtain a verification code multiple times within 1 minute. After 1 minute, you can click the verification code button again to resend a verification code SMS message. The previous verification code automatically becomes invalid.
   • The function of obtaining verification codes is locked for 10 minutes after five consecutive attempts.
   • If you enter an incorrect verification code for three consecutive times, the verification code becomes invalid and you need to obtain a new one.

   When the system administrator logs in to iMaster NCE-Campus for the first time, the Split licenses function takes effect only after the license mode is set to Tenant Subscription Mode.

   To allow the MSP administrator to uniformly manage and allocate tenant license resources, enable Split licenses. The MSP administrator then can activate a license and allocates license resources to tenants after logging in to iMaster NCE-Campus. The tenants do not need to activate licenses by themselves.

   To allow tenants to activate licenses by themselves, disable Split licenses. After logging in to iMaster NCE-Campus, tenants can activate their own licenses.

5. Click Next.
6. On the Administrator Information page, configure administrator information.

   For security purposes, keep the password secure and change it periodically.

   • Manually set a password when creating a user account.

     Set Password create mode to Manual. Then you can directly set a password when creating the account. You will be prompted to change the password when logging in to iMaster NCE-Campus for the first time. You can log in only after the password is changed successfully.

   • Create a password via email.

     Set Password create mode to Email. After the account is created, the system sends a URL to your email box. You can click the URL to configure a password for the account.

     • If you choose to create a password via email, configure an email server before creating an account. Otherwise, the system fails to send a URL to the specified email address. For details, see Configuring an Email Server
     • If a password is created via email, you do not need to change the password upon the first login to iMaster NCE-Campus.

7. Click OK.

Follow-up Procedure

Parameter Description

Context

Based on service requirements, the tenants and tenant services under an MSP administrator can be transferred to other MSP administrators for management.

Tenant migration involves tenant network security and must be confirmed and approved by tenants.

Tenants created by an MSP administrator enabled with the license split function cannot be transferred to another MSP administrator.

Procedure

1. Choose MSP Management > MSP Management > Tenant Migration from the main menu.
2. Select the current MSP, the tenant administrator account to be transferred, and the new MSP administrator, and click Apply.

3. In the High Risk dialog box that is displayed, select Confirmed, and click OK.

4. Check whether the account is successfully migrated.

   Log in to iMaster NCE-Campus as the new MSP administrator. The new account information is displayed on the Tenant Management > Tenant Management > Tenant Management page.

Context

Using the device whitelist function, you can control devices that can register with iMaster NCE-Campus based on the device ESNs.

After this function is enabled, devices whose ESNs are not in the whitelist are regarded as unauthorized devices.

• A tenant administrator can only add devices whose ESNs are in the whitelist to iMaster NCE-Campus.
• Unauthorized devices that have been added to iMaster NCE-Campus before the device whitelist function is enabled cannot go online after they go offline.

Procedure

1. Choose System > System Management > Device Whitelist from the main menu.
2. Switch on Enable device whitelist.

3. Add device ESNs to the device whitelist.
   • Batch import device ESNs

     Click Import. In the dialog box that is displayed, download the Excel template, enter device ESNs in the template, and import the template as prompted.

   • Add device ESNs one by one

     Click Create. In the dialog box that is displayed, click Add and add device ESNs one by one.

You can click Export to export information about all unauthorized devices currently deployed on the network to a CSV file.

Context

A system administrator can check and maintain information about devices of all tenants.

Procedure

1. Access the tenant device management page. Choose MSP Management > MSP Management > Device List from the main menu.
2. Set filter criteria, and view basic device information in a list. You can also delete and export tenant device information on demand.
3. Click in the Operation column to set the content to be displayed on the page.

4. Export device information and download it to the local host.
   • Select specified devices and click Export to export information about the selected devices.

   • If you do not select any device and click Export, information about all devices will be exported.

Context

If a tenant administrator finds that the device to be added has been used and the device cannot be either deleted or added, contact the system administrator to clear the ESN of the device. After the ESN of the device is cleared, the device can be added.

Prerequisites

When the system administrator clears the ESN of a device or deletes a device, the system will notify the tenant administrator who is using the device through an email.

To ensure that the email can be sent successfully, perform the following configurations.

• The MSP administrator has correctly configured the email server. For details, see Configuring an Email Server.
• When creating a tenant administrator, you must specify an email address. By default, the notification email is sent to the tenant administrator.

Procedure

1. Access the tenant device management page. Choose MSP Management > MSP Management > Device List from the main menu.
2. Select a device, and click Clear ESN.

   In the dialog box that is displayed, click Confirmed, and then click OK.

   After the ESN of the device is cleared, the cloud AP and non-stacked switch are restored to factory settings and are disconnected from the iMaster NCE-Campus. For other devices, disconnect the device from the iMaster NCE-Campus. The system then notifies the tenant administrator who is using the device through an email.

3. Select a device, and click Delete Device.

   If the device has been added to the fabric, the device then cannot be deleted.

   In the dialog box that is displayed, click Confirmed, and then click OK.

   After the device is deleted, the device cannot be viewed on the system UI. The system then notifies the tenant administrator who is using the device through an email.

Context

To ensure device security, you can disable tenants from changing device BootROM passwords.

Procedure

1. Choose MSP Management > MSP Management > Device Password Policy from the main menu.
2. Disable The device BootROM password can be configured, view the warning information that is displayed, click OK, and click Apply.

   After this function is disabled, tenants cannot set or change device BootROM passwords, and the BootROM passwords of all devices under tenants will be restored to their factory settings. Exercise caution when disabling this function.

Context

System information can be viewed or configured through the web UI.

On the iMaster NCE-Campus web UI, you can quickly understand the iMaster NCE-Campus basic configuration, entity information, system information, and operating system information about the server where iMaster NCE-Campus is located.

Procedure

• View or modify iMaster NCE-Campus basic configuration.
  1. Choose System > System Management > System Information from the main menu.
  2. View iMaster NCE-Campus basic configuration in the Basic Configuration area.

  3. Click in the upper right corner to modify iMaster NCE-Campus basic configuration.
  4. Click Apply.

• View iMaster NCE-Campus entity information.
  1. Choose System > System Management > System Information from the main menu.
  2. View iMaster NCE-Campus entity information in the Entity Information area.

• View iMaster NCE-Campus system information.
  1. Choose System > System Management > System Information from the main menu.
  2. View iMaster NCE-Campus system information in the System Information area.

• View the operating system information about the server where iMaster NCE-Campus is located.
  1. Choose System > System Management > System Information from the main menu.
  2. View the operating system information of the server where iMaster NCE-Campus is located in the OS Information area.

Parameter Description

Prerequisites

• iMaster NCE-Campus is working properly.
• The email server is working properly, if email notifications need to be sent.

Context

Users can configure upgrade and maintenance bulletins, which are available on the pages displayed before or after user login or are sent to all administrators including the system administrator, MSP administrator, and tenant administrator through emails.

• System administrators can release bulletins repeatedly. If an existing bulletin is modified, the old bulletin will be replaced by the new one.
• After email notification is enabled, the system will send only one email for each bulletin release.

Procedure

1. Choose Maintenance > Maintenance > System Bulletin from the main menu.
2. Set the bulletin lifetime, bulletin content, and email notification parameters.

3. Click Apply.

   After the bulletins are configured and take effect, refresh the page or log in to iMaster NCE-Campus again. Click on the right of the page to view the bulletins.

   Alternatively, you can log out of the system and view the bulletins on the login page.

Context

Information about iMaster NCE-Campus update logs in each version is pushed to users, which allows users to understand the new features in time and determine whether to deploy them.

Procedure

1. Choose Maintenance > Maintenance > Function Update Notification from the main menu.
2. Click Create, set the version number and feature description, and click OK.

   View the new features of each version, and modify or delete the new features.

3. Log in to iMaster NCE-Campus as an MSP administrator or tenant administrator, click on the right of the page, and choose Cloud Platform Update Log to view logs recording function updates on iMaster NCE-Campus.

Context

Information about new features in each version is pushed to users, which allows users to understand the new features and determine whether to deploy them.

Procedure

1. Choose Maintenance > Maintenance > Function Update Notification from the main menu.
2. Click the New Function Push tab, click Create, and set Title, Push image, Function Introduce, Start Time, and End time.

   You can view the pushed information on the login page at the specified pushing time.

Context

Single sign-on (SSO) is a property of access control over multiple systems. With this property, a user logs in once and gains access to all systems without being prompted to log in again to each of them.

iMaster NCE-Campus integrates the authentication function of the SSO system and can function as the SSO server of the SSO system. In this case, users can log in to iMaster NCE-Campus through the Active Directory Federation Services (AD FS) or NetIQ.

In addition, users can log in to a third-party system through iMaster NCE-Campus. To enable this function, the trusted address of the access party (which is the desired third-party system) needs to be configured on iMaster NCE-Campus. After the trusted address passes the verification, users can log in to the third-party system through iMaster NCE-Campus.

Procedure

1. Choose System > System Management > SSO Configuration from the main menu.
   • On the SSO Configuration page, click Create and configure the Security Assertion Markup Language (SAML) protocol and metadata.

     Interconnect iMaster NCE-Campus with the AD FS or NetIQ to implement the SSO function using the AD FS or NetIQ as the SSO authentication server. After the configuration, users can log in to iMaster NCE-Campus using through the AD FS or NetIQ. For details, see Configuring Interconnection with AD FS and Configuring Interconnection with NetIQ.

   • Click the SSO Server Configuration tab, click Create, and configure the trusted address of an access party.

     This allows users to log in to the third-party system through iMaster NCE-Campus after its address is verified. A maximum of 256 trusted addresses can be configured. Currently, you can log in to iMaster NCE-CampusInsight through iMaster NCE-Campus. For details, see Configuring Interconnection with iMaster NCE-CampusInsight.

Prerequisites

You have the following operation rights: Alarm Operation, Clear Alarm, Change Severity, and Synchronize NE Alarms.

Context

Figure 4-4 Alarm status relationship

Based on the alarm acknowledgment and clearance status, alarms are classified into:

• Current alarms: include uncleared and unacknowledged alarms, acknowledged but uncleared alarms, and unacknowledged but cleared alarms. O&M personnel can monitor and handle alarms that they are concerned about on the Current Alarms page.
• Historical alarms: include alarms that have been cleared and acknowledged. Historical alarms are a data source for network performance optimization. O&M personnel can query and collect statistics on alarms.

Procedure

1. Choose Alarm > Alarm > Current Alarms from the main menu.
2. On the Current Alarms page, you can perform the following operations:

   Operation	Scenario	Operation
   Viewing alarm details	Obtain key alarm information, including alarm names and location information, to facilitate fault diagnosis and troubleshooting.	In the alarm list, click the arrow on the left of the row that contains a desired alarm to view the alarm details.
   Manually acknowledging an alarm	An acknowledged alarm indicates that the alarm is being handled by the user whose name is displayed in the Acknowledged By column. When the alarm is acknowledged, the alarm status changes from unacknowledged to acknowledged.	You can select one or more alarms and click Acknowledge above the alarm list. You can also click in the Operation column of the row that contains a desired alarm. After you have acknowledged an alarm, the Acknowledged By column shows the user name.
   Manually clearing alarms	Some alarms cannot be automatically cleared. Therefore, you need to clear the alarms manually after rectifying the faults.	You can select one or more alarms and click Clear above the alarm list. You can also click in the Operation column of the row that contains a desired alarm. If the alarm has been acknowledged after being cleared, the alarm will be moved to the Historical Alarms page. If the alarm has not been acknowledged after being cleared, it is retained on the Current Alarms page, with a green background. NOTE: The cleared alarm cannot be restored. Exercise caution when performing the operation.
   Quick entries for setting alarm rules	O&M personnel can quickly set rules related to an alarm from the quick entries. Only authorized users can perform related operations. For details about the rules, see Table 4-41.	In the Operation column that contains a desired alarm, click to select a rule to be set.

   Table 4-41 Introduction to quick entries for rules

   Rule	Description
   Set Masking Rule	You can set an alarm masking rule to mask alarms that you are not concerned about. The masked alarms will not be displayed on the Current Alarms page.
   Acknowledging	Identify the user who handles an alarm to avoid one alarm being handled by multiple users.
   Clear	When a fault occurs on the interconnected NE or in the system, an alarm is generated. When the fault is rectified, a clear alarm is generated and the alarm is cleared. If the system fails to receive the clear alarm or the alarm cannot be automatically cleared due to a network fault, you need to manually clear the alarm. When you manually clear the alarm, an alarm clearance command is sent from Alarm Management, and then the corresponding NE or system clears the corresponding alarm.
   Set Intermittent/Toggling Rule	After a rule is set, intermittent or toggling alarms can be discarded or displayed on the Masked Alarms page to reduce interference caused by repetitive alarms.

Parameter Description

Usage Scenario

Controller alarms and forwarder alarms are saved in the database. To prevent excess historical data from affecting database performance, the earliest 20% alarms are saved to a local file and the data in the database is deleted, after the size of historical alarms in the database reaches 30 GB. A dump file is automatically deleted when its size reaches 1 GB or its storage period reaches 180 days. If the file size or the retention duration exceeds the threshold, the dump file will be automatically deleted.

You can configure an alarm dump policy to dump historical alarms to the remote SFTP server. In this case, you can view historical alarms to locate faults. iMaster NCE-Campus performs dumping detection every 4 hours. When dumping conditions are met, iMaster NCE-Campus automatically dumps alarms to the remote SFTP server. You can view the dumped alarms on the SFTP server.

Example dump file formats are as follows:

• Historical alarm dump file: history_alarm_dump_2018-12-20_02.20.06.37.zip
• Event dump file: event_dump_2018-12-20_02.20.00.141.zip

If some alarms fail to be dumped, iMaster NCE-Campus reports an alarm. Troubleshoot the fault based on the alarm information.

Configuring Alarm Dumping

1. Choose Alarm > Alarm > Alarm Dump from the main menu.
2. To make it easy for users to view all alarm files, you are advised to enable the data overflow dump function. Set SFTP server parameters for alarm dumping.

3. Set the alarm dump parameters. iMaster NCE-Campus performs alarm dump detection every 4 hours. When alarm dump conditions are met, iMaster NCE-Campus automatically dumps alarms to the remote SFTP server. You can view the dumped alarms on the SFTP server.

   If the alarm data of a tenant needs to be dumped through SFTP, enable Dump data of tenants.

   If the alarm data of the tenant does not need to be dumped through SFTP, disable Dump data of tenants.

4. Click Apply.
5. (Optional) Delete or refresh the SSH public key. If an SSH public key has been updated, delete the expired key and update the SSH public keys displayed on the page. An SSH public key ensures the security of data transmission between iMaster NCE-Campus and the file server.

Parameter Description

Prerequisites

The administrator has correctly configured the email server. For details, see Configuring an Email Server.

Procedure

1. Choose Alarm > Alarm > Alarm Notification from the main menu.
2. Set Mail notification to , set email notification parameters based on the site requirements, and click Apply. The following figure shows an example. Set the parameters.

3. After the email notification function is configured successfully, all email addresses set in Recipient E-mail will receive the same alarm email.

   Alarm notification emails (excluding the detailed alarm description) sent to users are displayed in the same language as that of the iMaster NCE-Campus web UI. If a language switchover is performed on iMaster NCE-Campus, you need to reconfigure the alarm notification function for the language switchover in the emails to take effect.

   However, the language in which the detailed alarm description is displayed in alarm notification emails must be consistent with the language of the management plane web UI. For example, if the language of the management plane web UI is English, the detailed alarm description is displayed in English.

Parameter Description

Log Types and Operation Entrances

Table 4-46 lists the log types and operation entrances on iMaster NCE-Campus.

Usage Scenario

All logs are saved in the database. To prevent excessive historical data from affecting database performance, iMaster NCE-Campus checks the number of historical logs every 4 hours. When the dumping conditions are met, iMaster NCE-Campus automatically dumps logs to the remote SFTP server and delete the dumped logs from the iMaster NCE-Campus database. You can view the log files on the SFTP server.

Example dump file formats are as follows:

• Security log: 192.168.3.5_SecurityLog_Store_2016_06_06_09_00_14.zip
• Operation log: 192.168.3.5_OperationLog_Store_2016_06_06_09_00_00.zip
• Run log: 192.168.3.5_SystemLog_Store_2016_06_06_14_00_57.zip
  • In the file name, 10.170.209.91 indicates the IP address of the cluster node where the log is dumped, and 2019_06_08_01_07 indicates the time when the log file is dumped.
  • If an exception occurs during the dump, iMaster NCE-Campus generates an alarm. Rectify the fault based on handling suggestions in the alarm information.

Procedure

1. Choose System > Logs > Logs from the main menu and click the Log Overflow Dump tab.
2. To make it easy for users to view all log files, you are advised to enable the data overflow dumping function. Set SFTP server parameters for log dumping.

   Then, click Test Connectivity to check whether the parameter settings are correct.

   For log dumping, iMaster NCE-Campus functions as a client and supports only the HMAC-SHA2-256 and HMAC-SHA2-512 encryption algorithms. Therefore, the peer SFTP server must support at least one of the encryption algorithms. Otherwise, iMaster NCE-Campus will fail to communicate with the SFTP server.

3. Configure the log dumping criteria and local dumping policy.

   The data dumping conditions take effect separately for security logs, operation logs, and run logs. Logs of the same type can be dumped only after such logs exceed the configured dumping condition values. Otherwise, the logs of a specific type will not be dumped to the SFTP server.

4. Click Apply.
5. (Optional) Delete or refresh SSH public keys. If an SSH public key has been updated, delete the expired key on the page and update SSH public keys displayed on the page. An SSH public key ensures the security of data transmission between iMaster NCE-Campus and the file server.