Configuring Security
Use the Security menu to configure and manage various levels of security. You can:
-
Add, modify, or delete domains, see Domain Management.
-
Add, modify, clone or delete roles using the default privileges, see Role Management.
-
Add, modify, clone or delete user groups, assign roles to the user groups, see User Group Management.
-
Map the existing external user groups to the Prime Cable Provisioning user groups, see User Group Mapping.
-
Add, modify, or delete users, assign roles and domains to these users, see User Management.
Domain Management
Domains are a set of instances with various objects such as Device, COS, File, DPE, NR, Provisioning Group, and DHCP Criteria. Domain represents a collection of these objects grouped for instance level access control. Only authenticated users with the appropriate access privileges will be able to view the instances that exist in their domains.
Domains are represented hierarchically with all the custom domains added as sub domains of the default domain RootDomain. A user who has access to a parent domain can access all of the sub domains of that parent domain.
Adding a Domain
Note |
By default, Domain management related pages or widgets are not available in the Admin UI. Even the instance level authz field is not displayed. To enable them, the property /adminui/enableDomainAdministration must be set to true. This property can be set in the adminui.properties file located at BPR_HOME/rdu/conf. Restart the tomcat server after making the changes to the property file. |
To add a domain:
Procedure
Step 1 |
Choose Security > Domain Management. |
Step 2 |
Select a parent domain and click Add Domain to display the Add Domain page. |
Step 3 |
Enter the new domain’s name. Domains must have unique names across the system. |
Step 4 |
Enter a short description of the new domain. The description helps in identifying the domain or any detail that uniquely identifies the new domain. |
Step 5 |
Click Save. |
Role Management
A role is a job function that defines a set of capabilities a user or user group can perform. These capabilities are governed by the privileges assigned to the role. Privileges allow the user to perform operations like create, read, update, and delete objects and its properties in Prime Cable Provisioning. Privileges are in-built in Prime Cable Provisioning and cannot be modified, see Table 1 for the list of default privileges.
A set of default out-of-the-box roles are available for use. You also can create custom roles with any set of in-built privileges assigned to a custom role. These roles are loaded into the RDU database after installing Prime Cable Provisioning.
Adding a New Role
To add a role:
Procedure
Step 1 |
Choose Security > Role Management. |
Step 2 |
Click Add Role to display the Add Role page. |
Step 3 |
Enter the new role’s name. |
Step 4 |
Enter a short description of the new role. The description helps in identifying the role or any detail that uniquely identifies the new role. |
Step 5 |
To add privileges to the new role:
|
Step 6 |
To add the properties that can be modified for this role:
|
Step 7 |
To add custom property: |
Step 8 |
Click Save. |
Modifying a Role
The default roles listed in Table 1 cannot be modified. To modify a custom role, select the role and click Edit. Make the necessary edits and click Save.
Note |
If you are modifying a custom property through the Admin UI, it can be of type String only. However, if you are using the Configuration.changeRoleProperties API, it need not be restricted to the type String alone. |
User Group Management
A user group is a collection of users. Similar to a user, a user group can also be assigned roles. Users who belong a user group will inherit all the roles assigned to that the user group. Those roles are constrained to only be valid on the resources that are also members of the group. A user can be a member of more than one group. The set of privileges the user gains is the aggregate of all those from the role.
From the User Group Management option you can add, modify, delete and clone user groups.
Adding a New User Group
To add a user group:
Procedure
Step 1 |
Choose Security > User Group Management. |
Step 2 |
Click Add User Group to display the Add User Group page. |
Step 3 |
Enter the new user group’s name. |
Step 4 |
Enter a short description of the new user group. The description helps in identifying the user group’s role or any detail that uniquely identifies the new user group. |
Step 5 |
Click Add Roles. |
Step 6 |
Check the appropriate check box to determine the new user group's role. |
Step 7 |
Click Apply. |
Step 8 |
Click Save. |
User Group Mapping
Prime Cable Provisioning provides user-group mapping, which enables mapping of an external user-group name to a Prime Cable Provisioning user-group name. An external group can be mapped to any existing Prime Cable Provisioning user-group. In the example table below Operator is mapped to ProvGroupAdmin and Admin is mapped to administrators.
The following table lists examples for User Group mapping.
External user-group |
RDU user-group name |
---|---|
Operator |
ProvGroupAdmin |
Admin |
Administrators |
In the user-group mapping table, set of external group names must be unique and not duplicates. However, more then one external group can map to an internal user-group.
Note |
Before deleting an internal user-group, all the mappings to that user-group should be deleted. |
Adding a User Group Mapping
To create a new user group mapping:
Procedure
Step 1 |
Choose Security > User Group Mapping. |
||
Step 2 |
Click Add User Group Mapping. A new blank row appears. |
||
Step 3 |
Enter the existing external user group name in the Remote Group Name field.
|
||
Step 4 |
Select the user group to be mapped from the User Group Name drop-down list. |
||
Step 5 |
Click Save. |
User Management
Managing users involves adding, modifying, and deleting users who administer Prime Cable Provisioning. Depending on your privileges you can use this menu to add, modify, and delete users. This menu displays all users configured to use Prime Cable Provisioning and identifies their user groups.
Prime Cable Provisioning provides role based access to a user with specific privileges to ensure access control and the integrity of provisioning data. A user can be assigned roles that determine the scope of actions they can perform in Prime Cable Provisioning. A user can also be added to user groups with pre-assigned roles.
The assigned username appears near the top-right corner of every screen on the Admin UI.
Note |
During migration from an acceptable previous release to Prime Cable Provisioning, all migrated read-only users are assigned to the out of the box read only role and RootDomain. Similarly, all the read-write users are assigned to the out of the box read only role and RootDomain. You can administer users only if you have user related privileges. |
Adding a New User
Adding a new user is a simple process of entering the user’s name and creating a password. However, while creating a new user you must specify number of sessions, assign a role, or add the user to a user group or domain to be able to gain privileges to perform specific actions.
Note |
Prime Cable Provisioning comes with one Admin user already created; you cannot create this user again. |
To add a new user:
Procedure
Step 1 |
Choose Security > User Management. |
||
Step 2 |
Click Add to display the Add User page. |
||
Step 3 |
Enter the new user’s name. |
||
Step 4 |
You can restrict the number of concurrent sessions a user can have by modifying the value in the Number of sessions allowed field. If you do not specify any value in this filed, the number of sessions allowed for the user would be decided on the value of the field at the RDU Defaults page. |
||
Step 5 |
Enter a short description of the new user. The description helps in identifying the user’s job, position, or any detail that uniquely identifies the new user. |
||
Step 6 |
Enter a password and confirm it. Ensure that the password that you enter has at least 8 characters. |
||
Step 7 |
To add roles to the new user:
|
||
Step 8 |
To add the new user to a user group:
|
||
Step 9 |
To add the new user to a domain:
|
||
Step 10 |
Click Save.
|
Default Configurations
This section describes the default configurations of Prime Cable Provisioning.
Default Privileges
The following table lists the default privileges in Prime Cable Provisioning.
Privileges |
Description |
||
---|---|---|---|
All |
|||
* |
The user is granted access to all the objects. It is equivalent to granting all the privileges to the user. |
||
Class of Service |
|||
PRIV_COS_CREATE |
Enables adding a new COS object in the system. |
||
PRIV_COS_READ |
Enables viewing a COS object and all of its properties. Enables the selection of COS objects. |
||
PRIV_COS_UPDATE |
Enables modifying any property of a COS object. |
||
PRIV_COS_DELETE |
Enables deleting a COS object from the system. |
||
DHCP Criteria |
|||
PRIV_DHCP_CRITERIA_CREATE |
Enables adding a new DHCP Criteria object in the system. |
||
PRIV_DHCP_CRITERIA_READ |
Enables viewing a DHCP Criteria object and all of its properties. Enables the selection of DHCP Criteria objects. |
||
PRIV_DHCP_CRITERIA_UPDATE |
Enables modifying any property of a DHCP Criteria object. |
||
PRIV_DHCP_CRITERIA_DELETE |
Enables deleting a DHCP Criteria object from the system. |
||
Files |
|||
PRIV_FILE_GENERIC_CREATE |
Enables adding generic files into the system. |
||
PRIV_FILE_GENERIC_READ |
Enables viewing, searching, selecting, and exporting properties and data of generic files. |
||
PRIV_FILE_GENERIC_UPDATE |
Enables replacing a generic file. |
||
PRIV_FILE_GENERIC_DELETE |
Enables deleting a generic from the system. |
||
PRIV_FILE_CABLELABS_CONF_SCRIPT_CREATE |
Enables adding CableLabs script file into the system. |
||
PRIV_FILE_CABLELABS_CONF_SCRIPT_READ |
Enables viewing, searching, selecting, and exporting properties and data of CableLabs script file. |
||
PRIV_FILE_CABLELABS_CONF_SCRIPT_UPDATE |
Enables replacing a CableLabs script file. |
||
PRIV_FILE_CABLELABS_CONF_SCRIPT_DELETE |
Enables deleting a CableLabs script file from the system. |
||
PRIV_FILE_CABLELABS_CONF_TMPL_CREATE |
Enables adding CableLabs template file into the system. |
||
PRIV_FILE_CABLELABS_CONF_TMPL_READ |
Enables viewing, searching, selecting, and exporting properties and data of CableLabs template file. |
||
PRIV_FILE_CABLELABS_CONF_TMPL_UPDATE |
Enables replacing a CableLabs template file. |
||
PRIV_FILE_CABLELABS_CONF_TMPL_DELETE |
Enables deleting a CableLabs script template from the system |
||
PRIV_FILE_CABLELABS_STATIC_CONF_CREATE |
Enables adding CableLabs static config file into the system. |
||
PRIV_FILE_CABLELABS_STATIC_CONF_READ |
Enables viewing, searching, selecting, and exporting properties and data of CableLabs static config file. |
||
PRIV_FILE_CABLELABS_STATIC_CONF_UPDATE |
Enables replacing a CableLabs static script config file. |
||
PRIV_FILE_CABLELABS_STATIC_CONF_DELETE |
Enables deleting a CableLabs static script config file from the system. |
||
PRIV_FILE_DCFG_CREATE |
Enables adding a Dynamic Configuration Filename Generation (DCFG) script into the system. |
||
PRIV_FILE_DCFG_READ |
Enables viewing, searching, selecting, and exporting properties and data of DCFG script. |
||
PRIV_FILE_DCFG_UPDATE |
Enables replacing a DCFG script. |
||
PRIV_FILE_DCFG_DELETE |
Enables deleting a DCFG script from the system. |
||
PRIV_FILE_FIRMWARE_CREATE |
Enables adding a firmware image into the system. |
||
PRIV_FILE_FIRMWARE_READ |
Enables viewing, searching, selecting, and exporting properties and data of firmware image. |
||
PRIV_FILE_FIRMWARE_UPDATE |
Enables replacing firmware image. |
||
PRIV_FILE_FIRMWARE_DELETE |
Enables deleting a firmware image from the system. |
||
PRIV_FILE_JAR_CREATE |
Enables adding a JAR file into the system. |
||
PRIV_FILE_JAR_READ |
Enables viewing, searching, selecting, and exporting properties and data of a JAR file. |
||
PRIV_FILE_JAR_UPDATE |
Enables replacing a JAR file. |
||
PRIV_FILE_JAR_DELETE |
Enables deleting a JAR file. |
||
PRIV_FILE_MIB_CREATE |
Enables adding a MIB file into the system. |
||
PRIV_FILE_MIB_READ |
Enables viewing, searching, selecting, and exporting properties and data of a MIB file. |
||
PRIV_FILE_MIB_UPDATE |
Enables replacing a MIB file. |
||
PRIV_FILE_MIB_DELETE |
Enables deleting a MIB file from the system. |
||
Devices, DeviceType |
|||
PRIV_DEVICE_CREATE |
Enables adding a new device into the system. |
||
PRIV_DEVICE_READ |
Enables viewing device properties, searching for devices, and selecting devices. Also permits the use of show device-config in the DPE CLI |
||
PRIV_DEVICE_UPDATE |
Enables changing any property of a device object. |
||
PRIV_DEVICE_DELETE |
Enables deleting a device from the system. |
||
PRIV_DEVICE_REGEN |
Enables invoking regeneration of the device configuration. |
||
PRIV_DEVICE_OPERATION |
Enables operations on this device. |
||
RDU |
|||
PRIV_RDU_READ |
Enables viewing RDU status. |
||
PRIV_RDU_EVENT |
Required to register for RDU events. |
||
Node Type and Node |
|||
PRIV_GROUP_CREATE |
Enables creating a group. |
||
PRIV_GROUP_READ |
Enables viewing and selecting all groups. |
||
PRIV_GROUP_UPDATE |
Enables updating a group. |
||
PRIV_GROUP_DELETE |
Enables deleting a group. |
||
LicenseKey |
|||
PRIV_LICENSE |
Enables adding, updating, and deleting all the license keys. Viewing license is not protected. |
||
Publishing |
|||
PRIV_PUBLISHING |
Enables all, read, and update. |
||
CRS |
|||
PRIV_CRS_CREATE |
Enables creating CRS |
||
PRIV_CRS_READ |
Enables viewing and searching of the requests queued by CRS. |
||
PRIV_CRS_UPDATE |
Enables a user to pause or resume a CRS job |
||
PRIV_CRS_DELETE |
Enables a user to delete a CRS job. |
||
ProvGroup |
|||
PRIV_PROVGROUP_READ |
Enables viewing Provisioning Group properties |
||
PRIV_PROVGROUP_UPDATE |
Enables updating ProvGroup properties |
||
PRIV_PROVGROUP_DELETE |
Enables deleting a provisioning group from Prime Cable Provisioning. |
||
DPE |
|||
PRIV_DPE_READ |
Enables viewing DPE status. For DPE CLI, permits Disabled Mode. |
||
PRIV_DPE_UPDATE |
Permits DPE CLI Enabled Mode |
||
PRIV_DPE_DELETE |
Permits deleting a DPE. |
||
PRIV_DPE_SECURITY |
All security related admin operations including changing dpe admin password and configuring authentication. |
||
NR |
|||
PRIV_NR_READ |
Enables viewing CNR status. |
||
PRIV_NR_UPDATE |
Enables updating NR extension point |
||
PRIV_NR_DELETE |
Enables deleting a CNR from Prime Cable Provisioning. |
||
User |
|||
PRIV_USER_CREATE |
Enables adding users. |
||
PRIV_USER_READ |
Enables viewing or searching users. |
||
PRIV_USER_UPDATE |
Enables changing user properties. |
||
PRIV_USER_DELETE |
Enables deleting users. |
||
PRIV_USER_SECURITY |
Enables assigning roles, user group to users. Also allows the setting of a user's number of allowed sessions.
|
||
Role |
|||
PRIV_ROLE_CREATE |
Enables adding roles. |
||
PRIV_ROLE_READ |
Enables reading or search roles and privileges. |
||
PRIV_ROLE_UPDATE |
Enables changing role properties. |
||
PRIV_ROLE_DELETE |
Enables deleting roles. |
||
Domain |
|||
PRIV_DOMAIN_CREATE |
Enables adding domains. |
||
PRIV_DOMAIN_READ |
Enables viewing and selecting operations on domains. |
||
PRIV_DOMAIN_UPDATE |
Enables updating operations. |
||
PRIV_DOMAIN_DELETE |
Enables deleting operations. |
||
Custom Property |
|||
PRIV_PROPERTY_CREATE |
Enables adding a new customer property. |
||
PRIV_PROPERTY_READ |
Enables viewing of RDU Defaults and custom property. |
||
PRIV_PROPERTY_UPDATE |
Enables modifying a custom property. |
||
PRIV_PROPERTY_DELETE |
Enables deleting a custom property. |
||
System Defaults |
|||
PRIV_SYSDEF_READ |
Enables viewing system properties e.g. GetRDUDefaults. |
||
PRIV_SYSDEF_UPDATE |
Enables modifying system properties e.g. ChangeRDUDefaults |
||
Logging |
|||
PRIV_LOGGING |
Setting logging/debug levels. Viewing logs. |
||
PRIV_AUDIT_LOGGING |
Enables viewing Audit logs. |
||
User Group |
|||
PRIV_USERGROUP_CREATE |
Enables create operations |
||
PRIV_USERGROUP_READ |
Enables all read and selection operations |
||
PRIV_USERGROUP_UPDATE |
Enables update operations |
||
PRIV_USERGROUP_DELETE |
Enables delete operations |
Default Roles
The following table lists the default roles in Prime Cable Provisioning.
Role Name |
Description |
||
---|---|---|---|
Admin |
Admin is the super administrator and has all capabilities, including modifying device property value. |
||
COSAdmin |
COS admin can add, delete, update, search, and export all COS and their properties. |
||
DeviceAdmin |
Device admin can add, delete, search, relate, un-relate, regenerate, and device operation privileges on all available devices. DeviceAdmin also has permissions to read and modify all attributes and properties. |
||
DHCPAdmin |
DHCP admin can add, delete, update, and search all DHCP Criteria and their properties. |
||
FileAdmin |
File admin can add, delete, update, search, and export all files and their properties. |
||
ProvGroupAdmin |
Provisioning Group admin can view and update Provisioning Group properties. ProvGroupAdmin can also view, update, and delete servers of a Provisioning Group as well as their properties. This role permits all operations on the DPE CLI. |
||
RDUAdmin |
RDUAdmin can view, add, and delete all RDU default and system properties. This role can read, add, and delete permissions on license, read and modify permissions on all available publishing plug-in, manage CRS, and manage MIBs. |
||
ReadOnly |
ReadOnly has read permission on all available resources, except user, user group, domain, and roles. |
||
ReadWrite |
ReadWrite has create, read, modify, and delete permission on all available resources except user, user group, domain, and roles. |
||
ReadOnly and ReadWrite roles are provided for backward compatibility only. These roles do not have access to any security related features like user, user-group, domain, role, and user-group-mapping that are introduced in Prime Cable Provisioning.
|
|||
SecurityAdmin |
SecurityAdmin has add, delete, relate, un-relate permissions on all available groups and modify permission on all attributes. |
||
UserAdmin |
UserAdmin can add, delete, modify, read, relate, un-relate all available users and properties for user. |
||
CRSAdmin |
CRSAdmin can enable, disable, pause, resume, and view CRS. This role can also create, delete, and update any CRS request. |
Default User Groups
The following table lists the default user groups in Prime Cable Provisioning.
User Group |
Description |
Role |
---|---|---|
Administrators |
This user group consists super users. |
Admin |
Default Domains
The following table lists the default domains in Prime Cable Provisioning.
Domain |
Members |
---|---|
RootDomain |
All current objects |
Default Users
The following table lists the default user in Prime Cable Provisioning.
User |
Assigned Role |
Assigned User Group |
Assigned Domain |
---|---|---|---|
admin |
Admin |
Administrators |
RootDomain |