1 Description
This instruction describes how to configure the Target-Based Access Control (TBAC). TBAC is a selective authentication method that determines if a user is allowed to access a specific Managed Element (ME) based on the target type value.
A target type value may already have been set at initial configuration. The Security Administrator must change the target type value when the existing settings no longer match the needs of the operator organization, for example, in the following situations:
- The ME must become part of a different geographical domain.
- The ME needs to become part of a different functional domain.
- The ME needs to become part of a different skills domain.
2 Procedure
2.1 Configure Target-Based Access Control
Prerequisites
- This instruction references the following documents:
- No tools are required.
- The following conditions must apply:
  - The user has the System Security Administrator role.
  - The ME is configured to connect with a remote LDAP server; refer to Configure LDAP Basic Connection and Configure TLS for LDAP.
  - The user profiles are updated with target qualifiers in the LDAP server.
  - The new target type value is known.
  - An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
  - The profile filter is set to ERICSSON_FILTER in the Ldap Managed Object (MO).
Steps
- Navigate to the UserManagement MO, for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1
- Enter Config mode:
(UserManagement=1)>configure
- Set the target type, for example:
(config-UserManagement=1)>targetType="ims.kista.se"
The value is used when a role defined in the LDAP database is prefixed with the target type. Role definitions where the target type prefix does not match are skipped. For more information about configuring targetType, refer to Configure Target Type Identifiers.
- Commit the setting:
(config-UserManagement=1)>commit
- Verify the result:
(UserManagement=1)>show
The following is an example output:
UserManagement=1
   targetType "ims.kista.se"
   userLabel="Selective authentication for Kista site"
   userManagementId=1
- Navigate to the EricssonFilter MO, for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1,EricssonFilter=1
- Enter Config mode:
(EricssonFilter=1)>configure
- Enable TBAC:
(config-EricssonFilter=1)>targetBasedAccessControl=UNLOCKED
- Commit the setting:
(config-EricssonFilter=1)>commit
- Verify the result:
(EricssonFilter=1)>show -r ..
The following is an example output:
Ldap=1
   baseDn="dc=my-domain,dc=com"
   fallbackLdapIpAddress="192.168.0.11"
   ldapIpAddress="192.168.0.10"
   profileFilter=ERICSSON_FILTER
   useTls=false
   EricssonFilter=1
      targetBasedAccessControl=UNLOCKED
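The two verification steps can be checked mechanically. The following Python script is an added example, not part of the original instruction or any Ericsson tool: it parses saved `show` output and reports settings that do not match this procedure. The helper names `parse_show` and `audit_tbac` are hypothetical, the sample text is constructed from the example outputs on this page, and the script assumes one attribute per line and treats `useTls=false` as a finding.

```python
import re

# Constructed sample: the two example outputs from this page, one attribute per line.
SAMPLE_SHOW = '''\
UserManagement=1
   targetType "ims.kista.se"
   userLabel="Selective authentication for Kista site"
   userManagementId=1
Ldap=1
   baseDn="dc=my-domain,dc=com"
   fallbackLdapIpAddress="192.168.0.11"
   ldapIpAddress="192.168.0.10"
   profileFilter=ERICSSON_FILTER
   useTls=false
   EricssonFilter=1
      targetBasedAccessControl=UNLOCKED
'''

# Attribute name, then "=" or whitespace, then a quoted or a bare value.
_ATTR = re.compile(r'^\s*(\w+)\s*(?:=|\s)\s*(?:"([^"]*)"|(\S+))\s*$')

def parse_show(text):
    """Return {attribute: value} from saved `show` output (hypothetical helper)."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs

def audit_tbac(text, expected_target_type):
    """Return a list of findings; an empty list means the settings match."""
    a = parse_show(text)
    findings = []
    if a.get("targetType") != expected_target_type:
        findings.append(f"targetType is {a.get('targetType')!r}, expected {expected_target_type!r}")
    if a.get("profileFilter") != "ERICSSON_FILTER":
        findings.append("profileFilter is not ERICSSON_FILTER")
    if a.get("targetBasedAccessControl") != "UNLOCKED":
        findings.append("targetBasedAccessControl is not UNLOCKED, TBAC is not enforced")
    if a.get("useTls", "").lower() != "true":
        findings.append("useTls is not true, LDAP traffic to the server is not TLS-protected")
    return findings

if __name__ == "__main__":
    for finding in audit_tbac(SAMPLE_SHOW, "ims.kista.se"):
        print("FINDING:", finding)
```

Run against the sample, the script reports only the `useTls` finding; the target type, profile filter and TBAC state match the procedure.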
