CANOGA PERKINS 9145E Standard NID Software Version 1.0 User Manual – 1.3 Three Levels of Security; 1.4 Feature Access Level Configuration


9145E NID Software User’s Manual


1.3 Three Levels of Security

Most Service Provider management networks provision certain access levels to technicians, network
administrators, and managers. Offering different access levels to critical applications allows network
administrators to keep closer watch on the entire network.

The 9145E allows view-based access to be set up for user interface features and SNMP access. A
capabilities file allows views to be defined in an ASCII file and downloaded to the NID. A three-level
security system on the 9145E controls all user interface and SNMPv3 access.

All 9145E features require that the user have a certain access level. The logged-in user's or SNMPv3
manager's access level is used to validate and control access to the 9145E features. When accessing a
menu item or an SNMP object, the user's access level is checked against the access level required for the
feature. If the user's access level is sufficient, access is granted. If the user's access level is not
sufficient, an error message is displayed in the status area, or an SNMP error is returned.

The three access levels are supervisor, operator, and observer.

In the default configuration, the supervisor access level is allowed complete access to all of the 9145E’s
features including configuring the 9145E’s security system.

The operator access level is allowed access to all 9145E features except those relating to the 9145E's
security system. This level is configurable by the administrator.

The observer access level is allowed access to the 9145E features that do not modify the 9145E's
configuration. This level is configurable by the administrator.

1.4 Feature Access Level Configuration

The assignment of access levels has a default configuration built into the 9145E. This assignment can be
changed, however, by creating a text file called 9145e.cap and downloading it to the 9145E. This file
contains mappings between module features and the access level required to access the feature. As an
example, the entry that controls access to the Maximum Frame Size setting looks like:

maxFrameSize=operator

This entry indicates that to change the Maximum Frame Size, a user’s account must have “operator”
access level or greater.

The 9145e.cap file is downloaded to the 9145E via FTP, SFTP, or TFTP in the same manner as
downloading a firmware file to the 9145E. The same file may be downloaded to multiple 9145Es to ensure
that each follows the same security rules.

If the file 9145e.cap is not downloaded to the 9145E, then the built-in feature-to-access-level mappings in
the 9145E are used. If a feature is not present in the "9145e.cap" file that is downloaded to the 9145E, then
the built-in feature-to-access-level mapping in the 9145E is used for that feature. If errors are found in this
file, they are displayed in the 9145E's System log.

The default “9145e.cap” file containing the 9145E built-in security rules is provided with the 9145E release.
To modify the security rules, simply modify the provided “9145e.cap” file and download this modified file to
the 9145E.
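The following is an added example, not code from Canoga Perkins or the 9145E firmware, modelling the rules described in sections 1.3 and 1.4: how a downloaded 9145e.cap file overrides the built-in mappings, how a feature missing from the file falls back to the built-in level, how malformed lines are logged rather than applied, and how a user's level is compared against the level a feature requires. Only the entry maxFrameSize=operator comes from the manual; the other feature names, the built-in default table, the comment/whitespace handling, and the fail-closed choice for unknown features are assumptions.

```python
# Added example (not Canoga Perkins code): a model of how a 9145e.cap
# capabilities file resolves the access level a feature requires and how a
# user's level is checked against it. Only maxFrameSize=operator comes from
# the manual; the other feature names, the built-in defaults, the
# comment/whitespace handling and the fail-closed default are assumptions.
import logging

# supervisor > operator > observer, as described in section 1.3
LEVEL_RANK = {"observer": 0, "operator": 1, "supervisor": 2}

# Constructed stand-in for the NID's built-in mappings (not the real table).
BUILTIN_DEFAULTS = {"maxFrameSize": "operator", "securityConfig": "supervisor",
                    "showStatus": "observer"}

def parse_cap(text, log=logging.getLogger("syslog")):
    """Parse feature=level lines. Bad lines are logged and skipped, mirroring
    the manual's note that errors in 9145e.cap appear in the System log."""
    mappings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank/comment: assumed syntax
            continue
        if "=" not in line:
            log.error("9145e.cap line %d: missing '=': %r", lineno, raw)
            continue
        feature, level = (part.strip() for part in line.split("=", 1))
        if level not in LEVEL_RANK:
            log.error("9145e.cap line %d: unknown level %r", lineno, level)
            continue
        mappings[feature] = level
    return mappings

def required_level(feature, cap_mappings):
    """Downloaded file wins; a feature absent from it falls back to the
    built-in mapping; a feature known to neither fails closed (assumption)."""
    return cap_mappings.get(feature, BUILTIN_DEFAULTS.get(feature, "supervisor"))

def access_allowed(user_level, feature, cap_mappings):
    """True when the user's level is at or above the level the feature needs."""
    return LEVEL_RANK[user_level] >= LEVEL_RANK[required_level(feature, cap_mappings)]

# Constructed 9145e.cap fragment: one valid override, one bad line, one bad level.
SAMPLE_CAP = """# constructed 9145e.cap fragment
maxFrameSize=operator
showStatus=observer
bogusLine
securityConfig=root
"""

if __name__ == "__main__":
    caps = parse_cap(SAMPLE_CAP)
    print(access_allowed("observer", "maxFrameSize", caps))   # False
    print(access_allowed("operator", "maxFrameSize", caps))   # True
```

Note that the invalid `securityConfig=root` line is rejected, so securityConfig keeps its built-in supervisor requirement instead of silently dropping to something weaker.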
