Security Management
Function
The security management provides the following functions:
l Ensuring the legal use of the system.
l Managing users, command sets, and roles.
l Preventing illegal users from accessing the system through login authentication.
l Providing security control for various security management operations through operation authorization.
The security management function is implemented by the Operation & Maintenance
Module (OMM) server and clients.
l The OMM clients process data in the login window and the command tree of security
management and display the processing result.
l The OMM server implements login authentication and operation authorization.
Basic Components
Users, roles, command sets, and operation commands are the basic components of security management. Figure 2-1 shows the inclusion relationships (referred to as affiliated relationships) between users, roles, command sets, and operation commands: a user is assigned roles, a role is assigned command sets, and a command set contains operation commands.
2-1
SJ-20120730093520-013|2012-10-31(R1.0)
Figure 2-1 Relationships Between Users, Roles, Command Sets and Operation Commands
Users
Users are operators who log in to the OMM client and perform related operations. The administrator restricts a user's permissions by defining the user's roles.
Roles
Roles are the permissions granted to the corresponding users. In essence, a role assigns operation permissions to a group of users by defining the operation command sets that the role contains.
Table 2-1 lists the default roles in the ZXUN iCX(MSCS).
Table 2-1 Default Roles
ID | Role | Highest Permission | Valid or Not
 | Administrator | All | Yes
 | Operator | Configuration | Yes
 | Maintenance personnel | System maintenance | Yes
4 | Supervisor | Data query | Yes
Command Sets
Command sets group operation commands. Each default role is granted the command sets of its highest permission, as listed in the following table.
Role | Highest Permission | Command Set | Command Set ID
Administrator | All | Command sets of configuration permission. |
Operator | Configuration | Command sets of configuration permission. |
Maintenance personnel | System maintenance | Command sets of maintenance permission. |
Supervisor | Data query |  | 4
You can run the SHOW CMDSET MEMBER command to check the specific command
corresponding to the command set.
For example, to check the commands related to the operation management
permission, run the following command:
SHOW CMDSET MEMBER:IID=1;
SHOW CMDSET MEMBER:NAME="Command sets of operation management permission";
Operation Commands
Operation commands are used to perform operations after users log in to the OMM client.
Table of Contents
Adding a Command Set ................................................................................................ 2-4
Adding a Role ................................................................................................................ 2-7
Adding a User .............................................................................................................. 2-10
Modifying Own Password ............................................................................................ 2-15
Adding a Login IP Range............................................................................................. 2-16
Disconnecting A Login User Forcibly .......................................................................... 2-18
Modifying the Password Policy of OAM User.............................................................. 2-19
Modifying the Account Policy of OAM User ................................................................ 2-22
Unlocking a User Manually .......................................................................................... 2-24
Inner Control Management .......................................................................................... 2-25
Adding a Command Set
Steps
1. To add a command set, perform the following operations:
a. In the command box of the Terminal window, enter the ADD CMDSET command.
The ADD CMDSET configuration area is displayed, see Figure 2-2.
b. Enter Command Set Name, which cannot be identical with the name used by an
existing command set. For example: test.
c. Click
Note:
Command Set ID is assigned by the system automatically.
2. To add operation commands to the command set, perform the following steps:
a. In the command box of the Terminal window, enter the ADD CMDSET MEMBER command. The ADD CMDSET MEMBER configuration area is displayed.
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to Table 2-6.
Table 2-6 ADD CMDSET MEMBER Parameter Description
Parameter | Description | Setting
Command Set ID | ID of the command set to which the commands are added (assigned by the system when the command set is added). |
Command ID | ID of the operation command to be added to the command set. |
c. Click
- End of Steps -
Related Operation
For related operation commands, refer to the following table.
Operation | Command | Command Function
Delete Cmdset | DEL CMDSET | Deletes a command set.
Copy Cmdset | COPY CMDSET | Copies a command set.
Delete Cmdset Member | DEL CMDSET MEMBER | Deletes an operation command from a command set.
Show Cmdset Member | SHOW CMDSET MEMBER | Shows the operation commands contained in a command set.
Show Role by Cmdset | SHOW CMDSET ROLE | Shows the roles that contain a command set.
Adding a Role
Steps
1. To add a role, perform the following steps:
a. In the command box of the Terminal window, enter the ADD ROLE command.
The ADD ROLE configuration area is displayed, see Figure 2-6.
Figure 2-6 ADD ROLE Configuration Area
b. Enter the parameters in accordance with your actual situations. For the parameter
description, refer to Table 2-7.
Table 2-7 ADD ROLE Parameter Description
Parameter | Description | Setting
Role Name | Name of the customized role. Enter a role name different from any existing name for easy recognition. | You can specify a maximum of 50 characters.
Role Description | Description of the role. |
Valid or Not | Whether the role is effective. Including: l Yes indicates that this role is effective. l No indicates that this role is not effective. | The default value is Yes.
c. Click
Example: Add and validate role TEST. Figure 2-7 shows the execution result.
Figure 2-7 Result of Adding a Role
Note:
The Role ID is assigned by the system automatically.
2. To add command sets to the role, perform the following steps:
a. In the command box of the Terminal window, enter the ADD ROLE CMDSET command. The ADD ROLE CMDSET configuration area is displayed.
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to Table 2-8.
Table 2-8 ADD ROLE CMDSET Parameter Description
Parameter | Description | Setting
Role ID | Internal ID of a role, automatically assigned by the system when the role is added. |
Role Name | Name of the role, specified in the ADD ROLE command when the role is added. |
Command Set ID List | ID(s) of the command sets to be added to the role. |
c. Click
Example: The role name is TEST, the command set ID is 5. Figure 2-9 shows
the execution result.
Figure 2-9 Result of Adding a Command Set for a Role
Related Operation
For related operation commands, refer to the following table.
Operation | Command | Command Function
Delete Role | DEL ROLE | Deletes a role.
Modify Role | SET ROLE | Modifies a role.
Copy Role | COPY ROLE | Copies a role.
Adding a User
Steps
1. To add a user, perform the following steps:
a. In the command box of the Terminal window, enter the ADD USER command,
and then select the More... check box. The ADD USER configuration area is
displayed, see Figure 2-10.
Figure 2-10 ADD USER Configuration Area
b. Enter the parameters in accordance with your actual situations. For the parameter
description, refer to Table 2-9.
Table 2-9 ADD USER Parameter Description
Parameter | Description | Setting
User Name | Name of the user. |
Description | Description of a user. |
Valid User (Yes or No) | Whether the user status is effective. | Default: Yes.
Mobile | Mobile phone number of the user. |
Maximum Login Count | Maximum number of concurrent logins to the system with the same user account. | Default: 10.
Restrict Password Validity | Whether the validity period of the password is restricted. If it is not restricted, the password is always effective. |
User Password | Password used by the user to log in to the system. |
User Confirm Password | Re-entry of the user password; it must be the same as User Password. |
Restrict Operable Date | Whether the dates and times at which the user can operate are restricted. |
Start Time, End Time | Time range in which the user can operate. | Required when Restrict Operable Date is set.
Day of Week | Days in a week on which the user can operate. |
Week |  |
c. Click
Example: Add user test with other parameters using their default values. Figure
2-11 shows the execution result.
Note:
The User ID is generated by the system automatically.
2. To assign roles to the user, perform the following steps:
a. In the command box of the Terminal window, enter the ADD USER ROLE command. The ADD USER ROLE configuration area is displayed.
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to Table 2-10.
Table 2-10 ADD USER ROLE Parameter Description
Parameter | Description | Setting
User ID | Internal ID of a user, automatically generated by the system when the user is added. |
User Name | Name of the user, specified when the user is added. |
Role ID List | ID(s) of the roles to be assigned to the user. |
c. Click
Example: The user name is test, the role ID is 5. Figure 2-13 shows the
execution result.
Figure 2-13 Result of Adding User Roles
- End of Steps -
Related Operation
For related operation commands, refer to the following table.
Operation | Command | Command Function
Delete User | DEL USER | Deletes a user.
Modify User | SET USER | Modifies a user.
Show User | SHOW USER | Shows user information.
Copy User | COPY USER | Copies a user.
Modifying Own Password
Steps
1. In the command box of the Terminal window, enter the SET PASSWORD command.
The SET PASSWORD configuration area is displayed, see Figure 2-14.
Figure 2-14 SET PASSWORD Configuration Area
2. Enter the parameters in accordance with your actual situations. For the parameter
description, refer to Table 2-11.
Table 2-11 SET PASSWORD Parameter Description
Parameter | Description | Setting
Old Password | Current password of the user, which is to be modified. |
New Password | New password of the user. |
Confirm Password | Re-entry of the new password; it must be the same as the new password. Leaving it blank means that the confirm password is empty. |
3. Click
- End of Steps -
Related Operation
For related operation commands, refer to the following table.
Operation | Command | Command Function
Set All User Password to be Effective or Not | SET ALLUSERPASSWD | Sets whether the passwords of all users are effective.
Adding a Login IP Range
Steps
1. In the command box of the Terminal window, enter the ADD USER IPSEC command.
The ADD USER IPSEC configuration area is displayed, see Figure 2-15.
Figure 2-15 ADD USER IPSEC Configuration Area
2. Enter the parameters in accordance with your actual situations. For the parameter
description, refer to Table 2-12.
Table 2-12 ADD USER IPSEC Parameter Description
Parameter | Description | Setting
User ID | ID of the user. |
User Name | Name of the user. |
Description |  |
IP Section | IP address segment from which the user is allowed to log in: i. Start IP address. ii. End IP address. | Required. A maximum of 50 IP address segments can be configured for a user.
3. Click
Example: The user name is test, the start IP address is 10.40.53.45, and the end IP
address is 10.40.53.47. Figure 2-16 shows the execution result.
Figure 2-16 Result of Adding a Login IP Range for a User
- End of Steps -
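What the OMM server has to decide at login time, once such a range exists, is whether the client address lies inside one of the user's segments. The following Python check is an added example, not the OMM's own code: it stores start/end segments per user, enforces the limit of 50 segments from Table 2-12, rejects inverted or malformed addresses, and evaluates the example above (user test, 10.40.53.45 to 10.40.53.47). Deny-by-default for a user with no configured segment is an assumption of this example; the manual does not state the product's behaviour in that case.

```python
"""Login-source check in the spirit of ADD USER IPSEC: each user may have up to
50 IP address segments (start IP, end IP), and a login is accepted only when
the client address lies inside one of them.

Added example, not the OMM's own code. The deny-by-default behaviour for a
user with no configured segment is an assumption of this example.
"""
import ipaddress

MAX_SEGMENTS = 50            # limit stated in Table 2-12


class LoginIpRanges:
    def __init__(self, allow_when_unconfigured=False):
        self._ranges = {}    # user name -> list of (start, end) IPv4Address pairs
        self.allow_when_unconfigured = allow_when_unconfigured

    def add_range(self, user, start_ip, end_ip):
        """Add one segment; rejects malformed addresses, inverted segments and the 51st segment."""
        start = ipaddress.IPv4Address(start_ip)       # raises AddressValueError on bad input
        end = ipaddress.IPv4Address(end_ip)
        if start > end:
            raise ValueError(f"start IP {start} is greater than end IP {end}")
        segments = self._ranges.setdefault(user, [])
        if len(segments) >= MAX_SEGMENTS:
            raise ValueError(f"{user}: at most {MAX_SEGMENTS} IP segments per user")
        segments.append((start, end))

    def is_allowed(self, user, client_ip):
        """True if client_ip falls inside one of the user's segments."""
        try:
            addr = ipaddress.IPv4Address(client_ip)
        except ipaddress.AddressValueError:
            return False                              # unparsable source address: deny
        segments = self._ranges.get(user)
        if not segments:
            return self.allow_when_unconfigured
        return any(start <= addr <= end for start, end in segments)


def demo():
    """The manual's example: user test, 10.40.53.45 to 10.40.53.47."""
    ranges = LoginIpRanges()
    ranges.add_range("test", "10.40.53.45", "10.40.53.47")
    return {ip: ranges.is_allowed("test", ip)
            for ip in ("10.40.53.44", "10.40.53.45", "10.40.53.47", "10.40.53.48")}
```

The comparison is done on parsed addresses rather than on strings, so "10.40.53.5" is not mistaken for lying between "10.40.53.45" and "10.40.53.47" by lexical ordering, which is the classic bug in hand-written range checks.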
Related Operation
For related operation commands, refer to the following table.
Operation | Command | Command Function
Disconnecting a Login User Forcibly
Prerequisite
You have logged in to the Local Maintenance Terminal page as the system administrator
admin.
Steps
1. To query information of a login user, including user name, IP address, login time and
login type, perform the following steps:
a. In the command box of the Terminal window, enter the SHOW LOGINUSER
command. The SHOW LOGINUSER configuration area is displayed, see Figure
2-17.
Figure 2-17 SHOW LOGINUSER Configuration Area
b. Enter the name of the user (if you leave it blank, the system queries all users logged in to the LMT).
c. Click
Example: Query all users logging in to the LMT. Figure 2-18 shows the execution
result.
Figure 2-18 Result of Querying All Login Users
2. To disconnect a login user forcibly, perform the following steps:
a. In the command box of the Terminal window, enter the RMV USERLINK command. The RMV USERLINK configuration area is displayed.
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to Table 2-13.
Table 2-13 RMV USERLINK Parameter Description
Parameter | Description | Setting
User Name | Name of the login user to be disconnected. | A maximum of 30 characters.
IP Address | IP address from which the user logged in. | IP address format.
Type | Login type of the user. |
Login Time | Time at which the user logged in to the system. | HH:MM:SS
c. Click
- End of Steps -
Modifying the Password Policy of OAM User
Prerequisite
You have logged in to the Local Maintenance Terminal page as the system administrator
admin.
Steps
1. To query current password policy, perform the following steps:
a. In the command box of the Terminal window, enter the SHOW PASSWORDTACTIC command. The SHOW PASSWORDTACTIC configuration area is displayed. Parameter setting is not required.
b. Click
2. To modify the password policy of OAM user, perform the following steps:
a. In the command box of the Terminal window, enter the SET PASSWORDTACTIC
command. The SET PASSWORDTACTIC configuration area is displayed, see
Figure 2-20.
Figure 2-20 SET PASSWORDTACTIC Configuration Area
b. Enter the parameters in accordance with your actual situations. For the parameter
description, refer to Table 2-14.
Table 2-14 SET PASSWORDTACTIC Parameter Description
Parameter | Description | Setting
Min Length of Password | Minimum length of a password. | The default is 0. It is recommended to change it to 6.
Enable Password Complexity Requirement | Whether the password complexity requirement is enabled. Including: l Yes means: the password must contain characters from the following four categories: English uppercase characters, English lowercase characters, base 10 digits and non-alphabetic characters. A password cannot be identical with the user name. A password cannot be the reverse of the user name string. l No means that no complexity requirement is applied. |
Reminding Days Before Password Expired | Number of days before password expiration at which the user is reminded. |
Must Modify Expired Password | Whether a user must modify an expired password. Including: Yes or No. |
Count of Latest Passwords Cannot Be Reused | Number of the most recent passwords that cannot be reused. |
Day of Latest Passwords Cannot Be Reused | Number of days within which a previously used password cannot be reused. |
Must Modify Password When Alarmed User Login | Whether a user for whom a password alarm has been raised must modify the password at login. |
c. Click
- End of Steps -
Modifying the Account Policy of OAM User
Prerequisite
You have logged in to the Local Maintenance Terminal as the system administrator
admin.
Steps
1. To query current account policy, perform the following steps:
a. In the command box of the Terminal window, enter the SHOW USERTACTIC
command. The SHOW USERTACTIC configuration area is displayed. Parameter
setting is not required.
b. Click
2. To modify the account policy of OAM user, perform the following steps:
a. In the command box of the Terminal window, enter the SET USERTACTIC command. The SET USERTACTIC configuration area is displayed.
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to Table 2-15.
Table 2-15 SET USERTACTIC Parameter Description
Parameter | Description | Setting
Lock Status | Including: l Never Lock: indicates that the system does not lock this user even if the user types a wrong password many times. l Policy Lock: indicates that the system locks this user if the number of times that the user successively enters a wrong password exceeds the preset number. The user is unlocked after the preset auto unblocking time. l Lock Forever: indicates that the system locks this user if the number of times that the user successively types a wrong password exceeds the preset number. The user can only be manually unlocked. |
Lock User by IP | Whether to lock an account in accordance with the login IP address. Valid when Lock Status is Policy Lock or Lock Forever. |
Max. Times of Incorrect Password Enter | Maximum number of successive wrong-password entries before the user is locked. Valid when Lock Status is Policy Lock or Lock Forever. |
Auto Unblocking Time (Hr) | Time, in hours, after which the system automatically unlocks a user locked by Policy Lock. |
Lock-Check Period (d) | Period, in days, of lock detection. |
Reminding Days before Account Expired | Number of days before account expiration at which the user is reminded. |
c. Click
- End of Steps -
Unlocking a User Manually
Prerequisite
You have logged in to the Local Maintenance Terminal page as the system administrator
admin.
Steps
1. To query locked user, perform the following steps:
a. In the command box of the Terminal window, enter the SHOW LOCKEDUSER command. The SHOW LOCKEDUSER configuration area is displayed, see Figure 2-22.
b. Enter the User Name. If no name is entered, the system queries all locked users.
c. Click
2. To unlock a user, perform the following steps:
a. In the command box of the Terminal window, enter the UNLOCK USER command. The UNLOCK USER configuration area is displayed.
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to Table 2-16.
Table 2-16 UNLOCK USER Command Parameter Description
Parameter | Description | Setting
User Name | Name of the user that you want to unlock. |
IP Address | IP address for which the user is locked (when the user is locked by IP). |
c. Click
- End of Steps -
Inner Control Management
Inner control management and inner control accounts are described as follows:
l An inner control account is created during installation. It is used for accessing data files or other resources in the system. For the application of an inner control account, see Figure 2-24.
l Inner control management adopts its own policy, which is different from the policy for managing permission users.
l A user having the inner control management permission can query and set the inner control management policy as required.
Inner control management covers modification of account information and account passwords, and the inner control password policy. The following sections describe the related operation commands.
Figure 2-24 Inner Control Account Application
Prerequisite
You have logged in to the Local Maintenance Terminal page as the system administrator
admin.
Steps
1. To query information of inner control accounts, perform the following steps:
a. In the command box of the Terminal window, enter the SHOW ACCOUNTINFO command. The SHOW ACCOUNTINFO configuration area is displayed, see Figure 2-25.
b. Click
to query the information of all inner control accounts. If you want to query
information of an inner control account, select the type of the account from the
Account Type list or enter the name of the account in the Account Name text
box. For the parameter description, refer to Table 2-17.
2. To modify description or password validity of an inner control account, perform the
following steps:
a. In the command box of the Terminal window, enter the SET ACCOUNTINFO
command. The SET ACCOUNTINFO configuration area is displayed, see Figure
2-26.
Figure 2-26 SET ACCOUNTINFO Configuration Area
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to the following table.
Parameter | Description | Setting
Account Type | Type of the inner control account. | Including: l Data File Account l File Transfer Account l OMP File Transfer Account l OMP TELNET Account
Account Name | Name of the inner control account. | Case-insensitive.
Account Description | Description of the inner control account. |
Password Validity (d) | Validity period, in days, of the inner control account password. |
c. Click
Example: Modify description of the file transfer account 1_FTP to FTP, and set the
password validity to 60. Figure 2-27 shows the execution result.
Figure 2-27 Result of Modifying Description of an Inner Control Account
3. To modify the password of an inner control account, perform the following steps:
a. In the command box of the Terminal window, enter SET ACCOUNTPASSWD
command. The SET ACCOUNTPASSWD configuration area is displayed, see
Figure 2-28.
Figure 2-28 SET ACCOUNTPASSWD Configuration Area
b. Enter the parameters in accordance with your actual situations. For the parameter description, refer to the following table.
Parameter | Description | Setting
Account Type | Type of the inner control account. | Options: l Data File Account l File Transfer Account l OMP File Transfer Account l OMP TELNET Account
Account Name | Name of the inner control account whose password is to be modified. | Case-insensitive.
Old Password | Original password of the account. |
New Password | New password of the account. |
Confirm Password | Confirm password of the account; it must be the same as the new password. |
c. Click
Prerequisite
You have logged in to the Local Maintenance Terminal page as the system administrator
admin.
Steps
1. Query the password policy of inner-control accounts.
2. To modify the password policy of inner control accounts, perform the following steps:
a. In the command box of the Terminal window, enter the SET PASSWDTACTIC command. The SET PASSWDTACTIC configuration area is displayed.
b. Enter the command parameters as needed. For the parameter description, refer to Table 2-19.
Table 2-19 SET PASSWDTACTIC Parameter Description
Parameter | Description | Setting
Min Length of Password | Minimum length of a password. |
Max Length of Password | Maximum length of a password. |
Weak Password Check | Whether the weak password check is enabled. Including: l Enabled: a password must contain English characters, base 10 digits and non-alphabetic characters. l Disabled: the check is disabled. |
Reminding Days Before Password Expired | Number of days before the password expires at which the user is reminded. | Range: 1-50.
Must Modify Password When Password Expired | Whether the password must be modified upon expiration. |
c. Click
- End of Steps -
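Both password policies in this chapter, the OAM user policy of Table 2-14 (SET PASSWORDTACTIC: minimum length, the four character categories, no match with or reversal of the user name, reuse history by count and by age) and the inner control account policy of Table 2-19 (SET PASSWDTACTIC: length window and weak-password check), reduce to a small set of predicates. The following Python checks are an added example of those predicates, not the OMM's own logic, and they let an operator test a candidate password against the intended policy before it is set. Three points are assumptions because the page does not state them: the complexity rule is applied as "at least three of the four categories", "non-alphabetic characters" is read as characters that are neither letters nor digits, and the reuse history is supplied by the caller as (password, day set) pairs, newest first. The policy defaults and the sample passwords in the checks are constructed.

```python
"""Password checks for the two policies in this chapter: the OAM user policy
(SET PASSWORDTACTIC, Table 2-14) and the inner control account policy
(SET PASSWDTACTIC, Table 2-19).

Added example, not the OMM's own logic. Assumptions: the complexity rule is
applied as "at least three of the four categories", "non-alphabetic characters"
is read as characters that are neither letters nor digits, and the reuse history
is supplied by the caller as (password, day_set) pairs, newest first.
"""
import string
from dataclasses import dataclass

SYMBOLS = set(string.punctuation)   # "non-alphabetic characters" as read here
MIN_CATEGORIES = 3                  # assumed threshold; the page lists only the four categories


@dataclass
class OamPasswordPolicy:
    min_length: int = 6             # default 0 in the product; 6 is the recommended value
    complexity: bool = True         # Enable Password Complexity Requirement
    reuse_count: int = 5            # Count of Latest Passwords Cannot Be Reused
    reuse_days: int = 90            # Day of Latest Passwords Cannot Be Reused


@dataclass
class InnerControlPasswordPolicy:
    min_length: int = 8             # Min Length of Password
    max_length: int = 32            # Max Length of Password
    weak_password_check: bool = True


def _category_count(password):
    groups = (set(string.ascii_uppercase), set(string.ascii_lowercase),
              set(string.digits), SYMBOLS)
    return sum(any(c in group for c in password) for group in groups)


def check_oam_password(policy, user_name, password, history, today):
    """Return the list of violated rules (empty means the password is accepted).

    history: [(old_password, day_set), ...] newest first; day_set and today are day numbers."""
    errors = []
    if len(password) < policy.min_length:
        errors.append("shorter than Min Length of Password")
    if policy.complexity:
        if _category_count(password) < MIN_CATEGORIES:
            errors.append("too few character categories")
        if password == user_name:
            errors.append("identical with the user name")
        if password == user_name[::-1]:
            errors.append("reverse of the user name")
    # A password is refused if it is one of the latest N passwords OR was set
    # within the last D days; either rule alone is enough to block reuse.
    for index, (old, day_set) in enumerate(history):
        too_recent_by_count = index < policy.reuse_count
        too_recent_by_age = today - day_set < policy.reuse_days
        if old == password and (too_recent_by_count or too_recent_by_age):
            errors.append("reuse of a recent password")
            break
    return errors


def check_inner_control_password(policy, password):
    """Length window plus the weak-password check of SET PASSWDTACTIC."""
    errors = []
    if not policy.min_length <= len(password) <= policy.max_length:
        errors.append("length outside Min/Max Length of Password")
    if policy.weak_password_check:
        has_alpha = any(c in string.ascii_letters for c in password)
        has_digit = any(c in string.digits for c in password)
        has_symbol = any(c in SYMBOLS for c in password)
        if not (has_alpha and has_digit and has_symbol):
            errors.append("weak password: letters, digits and symbols are all required")
    return errors
```

A real deployment stores the reuse history as password hashes, not cleartext, so the equality test in check_oam_password would compare a hash of the candidate against the stored hashes; the control flow is otherwise the same.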