Permissions
Each role is composed of a set of permissions.
These permissions are used to identify which parts and objects inside the FOXMAN-UN are subject to be operated/accessed by a user.
A user has roles assigned. Each role has a set of permissions. The sum of all permissions of all roles assigned to a user determines what a user can do inside the FOXMAN-UN.
Permissions are a fixed set of properties. The properties can be flags (enable/disable access to one functionality) or an access property determining if you have read access, full access, or no access (“none”) to specific elements in the system.
Permissions are responsible to give a user access to elements in the system
The definition of the permissions present in the system shown below will help clarifying the concept:
Network Engineering | Linked Menu (NEM Client) | Authorization Filter, Restricted URLs (not for admin or app token) (POST; PATCH, PUT) | |
Section Management | Enables the possibility to edit sections. | *Operation failure when writing section | sections |
Network Design | Defines the capability to see or edit meaningful services on top of network infrastructure. Allows the management and configuration of MPLS-TP, Networking Package and advanced services. | Application → ENP Application → NP *operation failures on editing Application → CEM Application → ENP expert mode disabled for viewer | "/npnetworkmgr/", "/enp/" "\\/mib\\/mpls\\/", "\\/mib\\/cem\\/", "\\/mib\\/tdm\\/" |
Traffic Engineering | Allows the creation and use of service profiles for MPLS-TP networks (only makes sense in combination with previous one). | *Authorization error | |
Maps, Agents & Nodes | Exposes the permission to see the nodes in the system, or to be able to create and group nodes inside the FOXMAN-UN. | View/edit such items | symbols |
Provides the capability to access/edit the nodes, agents and maps defined in the FOXMAN-UN. | Execute commands in FO Agent Provides access to ALS Configurator (edit mode) | /agents /bpnodes | |
Ethernet Security Manager | Enables the possibility to access Ethernet Security Manager operations inside the client. | Application → ESM | |
Network Monitoring | |||
Service Supervision | Exposes the possibility to supervise services and create such supervision services | Application → Service Supervision (No permission) *Authorization error | "service-supervision", "servicesupervision", "/bpservicemgr/services" |
Performance Monitoring | Enables the access to performance monitoring | Network → PM System → Metrics Database | |
Alarm Configuration | Configuration of alarm related settings (Alarm customization, forwarding and related global settings) | Fault management → Alarm Configuration | "/bpalarms/customisations", "/bpalarms/settings" |
Alarm Management | Capability to see/manage system and node alarms and acknowledge them | Acknowledge/clear alarms in alarm list. | alarms |
System Management | |||
Role Base Access Control | Allows the creation and edition of users, including the capability to assign/unassign roles to specific users. | Role Base Access Control tab in NEM Configurator | "/rbac", "/bp/security" |
Credential Management | Exposes credential distribution functionality: the capability to distribute FOXMAN-UN keys or passwords to nodes. Management of SNMP security profiles. | SNMP Security Profiles Credentials distribution; Credentials distribution tasks | READ restricted also "/credentialdistribution" |
Remote Administration | Exposes the capability to execute server related management operations, like starting or stopping services, creating private/public key pairs or main standby configuration. | System → RAT (Initial Screen → RAT) | "/mainstandby", "/nemcore/service", "/nemcore/inventory" |
Remote Execution | Allows the access to a set of scripts executed on server side to perform various sets of functionalities. | System → Remote Executor | READ restricted also "/nemcore/scripts" |
Node Management | |||
Node Restore Configuration | Enables the capability to restore one of the five previous NE configurations stored automatically by the system. | *Authorization | |
Profile and CPS Management | Allows the access to legacy operations for administration of NE Passwords, Profile/CPS and ESW tasks. | Network → Profile & CPS Tasks | |
Software Management | Exposes the possibility to access new software management tool. | Network → ESW Management | ESW |
Node Access Information | Allows the possibility to access nodes as information user class. | ECST info Read-only other tools | |
Node Access Maintenance | Allows the possibility to access nodes as maintenance user class. | ECST maintenance | |
Node Access Manager | Allows the possibility to access nodes as manager user class, or to configure nodes in those which has no user class associated. | ECST Manager Other tools write access | |
Node Access Session Manager | Allows the possibility to access nodes as session manager user class. | ECST Session Manager | |