Set User Roles for User Account


1   Description

This instruction describes how to configure roles for a local Operation and Maintenance (O&M) user account. Roles are used to control which parts of the node resources the local user is allowed to access.

The roles supported by the system are defined as Managed Objects (MOs) under the LocalAuthorizationMethod MO. The roles configured in the user account are used to fetch the user's access rights from the appropriate Role MOs or CustomRole MOs.

User authorization is activated by unlocking the LocalAuthorizationMethod MO.

Note:  
After authorization is activated, all users, not only users defined in the Local Authentication MO, are subject to authorization. If proper user configuration is not made, access to the Ericsson Command-Line Interface (ECLI) is not possible.

2   Procedure

2.1   Set User Roles for User Account

Prerequisites

Steps

  1. Navigate to the LocalAuthorizationMethod MO, for example:

    >dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LocalAuthorizationMethod=1

  2. List the roles defined in the system:

    (LocalAuthorizationMethod=1)>show

    The following is an example output:

    LocalAuthorizationMethod=1
       administrativeState=UNLOCKED
       CustomRole=Custom_UserAdministrator
       Role=EricssonSupport
       Role=SystemAdministrator
       Role=SystemSecurityAdministrator
       Role=LocalAuthenticationAdministrator

  3. Navigate to the UserAccount MO, for example:

    >dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LocalAuthenticationMethod=1,UserAccountM=1,UserAccount=joedoe

  4. Enter Config mode:

    (UserAccount=joedoe)>configure

  5. Set the appropriate role names for the user, for example:

    (config-UserAccount=joedoe)> roles=["SystemAdministrator","EricssonSupport"]

  6. Commit the settings:

    (config-UserAccount=joedoe)>commit

  7. Verify the settings, for example:

    (UserAccount=joedoe)>show -v

    The following is an example output:

    UserAccount=joedoe
       accountPolicy="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,⇒
    UserManagement=1,LocalAuthenticationMethod=1,AccountPolicy=1"
       accountState=LOCKED <read-only>
       accountUsageState=UNUSED <read-only>
       administrativeState=LOCKED <default>
       lastLoginTime="" <read-only>
       lockedTime="2015-11-13T11:20:24Z" <read-only>
       passwordChangedTime="" <read-only>
       passwordFailureTimes=[] <empty> <read-only>
       passwordPolicy="ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,⇒
    UserManagement=1,LocalAuthenticationMethod=1,PasswordPolicy=1"
       passwordState=[] <empty> <read-only>
       roles
          "SystemAdministrator"
          "EricssonSupport"
       userAccountId="joedoe"
       userLabel=[] <empty>
       userName="John M. Doe"
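
The following check is an added example, not part of the original instruction or of Ericsson tooling. It parses a saved capture of the `show` output from step 2 and the `show -v` output from step 7, and reports role names set on the account that no Role or CustomRole MO defines, which is the misconfiguration the Note in the Description warns about. It assumes the captures follow the example output formats above and that the strings in roles match Role or CustomRole names; the sample captures, including the misspelled "EricsonSupport", are constructed.

```python
import re

# Constructed sample captures modelled on the example outputs in this procedure.
AUTHZ_SHOW = """\
LocalAuthorizationMethod=1
   administrativeState=UNLOCKED
   CustomRole=Custom_UserAdministrator
   Role=EricssonSupport
   Role=SystemAdministrator
   Role=SystemSecurityAdministrator
   Role=LocalAuthenticationAdministrator
"""
# "EricsonSupport" is a deliberate, constructed typo for the check to catch.
ACCOUNT_SHOW = """\
UserAccount=joedoe
   roles
      "SystemAdministrator"
      "EricsonSupport"
   userAccountId="joedoe"
"""

def parse_authorization(text):
    """Return (administrativeState, set of Role/CustomRole names) from `show` output."""
    state = re.search(r"^\s*administrativeState=(\w+)", text, re.M)
    roles = set(re.findall(r"^\s*(?:Custom)?Role=(\S+)", text, re.M))
    return (state.group(1) if state else None), roles

def parse_account_roles(text):
    """Return the quoted role names listed under `roles` in `show -v` output."""
    roles, in_roles = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "roles":
            in_roles = True
        elif in_roles and re.fullmatch(r'"[^"]*"', stripped):
            roles.append(stripped.strip('"'))
        else:
            in_roles = False  # any other attribute line ends the roles list
    return roles

def audit(authz_text, account_text):
    """List findings for roles on the account that no Role/CustomRole MO defines."""
    state, defined = parse_authorization(authz_text)
    assigned = parse_account_roles(account_text)
    findings = [f"undefined role: {r}" for r in assigned if r not in defined]
    if state == "UNLOCKED" and not any(r in defined for r in assigned):
        findings.append("authorization is UNLOCKED and the account has no defined role")
    return findings

print(audit(AUTHZ_SHOW, ACCOUNT_SHOW))
```

Run the check on captures taken before and after the commit in step 6; an empty list means every role on the account is defined under the LocalAuthorizationMethod MO.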