Contents
1 Introduction
This document describes how to configure the Target-Based Access Control (TBAC). TBAC is a selective authentication method that determines if a user is allowed to access a specific Managed Element (ME) based on the target type value.
A target type value can have been set at initial configuration. The Security Administrator must change the target type value when the existing settings no longer match the operator organization needs, for example, in the following situations:
- The ME must become part of a different geographical domain.
- The ME needs to become part of a different functional domain.
- The ME needs to become part of a different skills domain.
1.1 Prerequisites
This section describes the prerequisites, which must be fulfilled before using the procedure.
1.1.1 Conditions
The following conditions must apply:
- The user has the System Security Administrator role.
- The ME is configured to connect with remote LDAP server, refer to Configure LDAP Basic Connection and Configure TLS for LDAP.
- The user profiles are updated with target qualifiers in the LDAP server.
- The new target type value is known.
- An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
- Profile filter is set to ERICSSON_FILTER in Ldap Managed Object (MO).
2 Procedure
To configure TBAC:
- Navigate to the UserManagement MO,
for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1
- Enter Config mode:
(UserManagement=1)>configure
- Set the target type, for example:
(config-UserManagement=1)>targetType="ims.kista.se"
The value is used when a role defined in the LDAP database is prefixed with the target type. Role definitions where the target type prefix does not match are skipped. For more information about configuring targetType, refer to Configure Target Type Identifiers.
- Commit the setting:
(config-UserManagement=1)>commit
- Verify the result:
(UserManagement=1)>show
The following is an example output:
UserManagement=1 targetType "ims.kista.se" userLabel="Selective authentication for Kista site" userManagementId=1 - Navigate to the EricssonFilterMO,
for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1,EricssonFilter=1
- Enter Config mode:
(EricssonFilter=1)>configure
- Enable TBAC:
(config-EricssonFilter=1)>targetBasedAccessControl=UNLOCKED
- Commit the setting:
(config-EricssonFilter=1)>commit
- Verify the result:
(EricssonFilter=1)>show -r ..
The following is an example output:
Ldap=1 baseDn="dc=my-domain,dc=com" fallbackLdapIpAddress="192.168.0.11" ldapIpAddress="192.168.0.10" profileFilter=ERICSSON_FILTER useTls=false EricssonFilter=1 targetBasedAccessControl=UNLOCKED