7 Configuring Access Objects

The user access control defines the users that are allowed access to the ME device and the specific privileges that they are granted. There are two access points within the system for granting privileges. You can assign access system-wide, providing access to the entire box. This is done from the top level of the configuration hierarchy. Or, you can configure access to a specific VSP. This is done through the VSP configuration object.

System-wide users log in with their user name:

username: jdoe

VSP users log in with the VSP name followed by their user name:

username: cxc1\jdoe

Whether from the top level or within a VSP, the configuration is basically the same. The one major difference is in the RADIUS configuration. Because a VSP can already have a RADIUS server configured, you can simply reference that server from the VSP-level. When setting up RADIUS-based access from the top-level, you must also configure the server properties.

Directories

Each access point includes a set of user directories and a set of permission definitions. The user directory contains an authentication database of locally configured users. In addition, you can configure other authentication directory types, such as RADIUS.

Note:

The order in which you configure the directories establishes the order in which the ME checks directories for authentication. For example, if you want to override a user's privileges as they are set in the RADIUS directory, configure the static users directory first.

If authentication succeeds, the permissions associated with that user are applied to all the subsequent operations.

access

Opens the access configuration object for editing. You can set access privileges from two points in the hierarchy, either:

  • system-wide, from the top level of the CLI hierarchy

  • per-vsp, from within each VSP object

Syntax

config access
config vsp access

Parameters

None

permissions

Opens or creates a set of permissions. From this object you can set access to a variety of box-level services. When a user successfully logs in, the ME applies the permissions associated with that user to all subsequent operations.

Note that enabling permissions is not the same as enabling the service. For more information on enabling services, see the following chapters:

Table 7-1 Services Chapters

Property                Chapter reference
CLI                     Configuring CLI objects
ME Management System    Configuring Web objects
User portal             Oracle Communications OS-E Management Tools
Config                  Throughout this manual
Status                  Status provider show commands
Actions                 Actions
Call logs               Configuring Master services objects
Templates               Configuring Web service objects
Web services            Configuring Web service objects
Debug                   N/A

Enter a previously configured permissions set name to edit it or enter a new text string to create the permission set.

Syntax

config access permissions name
config vsp access permissions name

Parameters

cli: Sets permissions for users to access the CLI.

Default: normal
Values:
  • advanced: Allows full access to CLI commands.

  • normal: Allows partial CLI access. When restricted, users do not have access to advanced functionality such as debug tools, shell, etc. Further access is dependent on the other properties set in this object (config, status, actions).

  • disabled: Prohibits access to the CLI.

Example: set cli advanced

cms: Sets access to the ME Management System.

Default: enabled
Values:
  • enabled: Allows access to the ME Management System.

  • enabled-web-only: Allows access to the ME Management System only.

  • disabled: Prohibits access to the ME Management System.

Example: set cms enabled-web-only

user-portal: Sets the user access to the portal feature of the ME Management System. See the Oracle Communications OS-E Management Tools guide for complete information on this feature.

Default: disabled
Values:
  • enabled: Sets the user portal to display call and IM data. When enabled, and all other permission properties are disabled, the user is taken directly to the portal page when logging into the ME Management System. If other properties are enabled as well, the user is taken to the ME Management System home page, and the portal tab is available for selection.

  • enabled-advanced: Sets the user portal to display session data, in addition to the standard call and IM data.

  • disabled: Disables the user portal.

Example: set user-portal enabled

config: Sets access to system configuration commands. These commands are used to change the running configuration.

Default: enabled
Values:
  • enable: Allows full access to config commands.

  • view: Allows users to view the system configuration, but prevents them from executing config commands.

  • disabled: Prohibits access to config commands.

Example: set config view

status: Enables or disables the ability to execute system show status commands. These commands display various components of system status and data.

Default: enabled
Values: enabled | disabled

Example: set status disabled

actions: Enables or disables the ability to execute system actions. An action is a command that immediately acts on the ME and one of its components.

Default: enabled
Values: enabled | disabled

Example: set actions disabled

call-logs: Enables or disables access to the system accounting functions and call-log data. Accounting functions include RADIUS and Diameter accounting services, system logging (syslog), the accounting database, and the accounting file system. Call logs include user-specific sessions, whole sessions, and SIP message logs.

Default: enabled
Values: enabled | disabled

Example: set call-logs disabled

templates: Sets the ability to use the web services template API. Templates provide access to a bundled configuration process that simplifies the use of web services by automating aspects of the configuration. For example, you could create a template to automate provision of the ME devices. When enabled, the user can access the template interface; when disabled, the user cannot.

You must enable web-services permissions for access to the template API. Additionally, this permission provides read-only access. You must also enable other permissions (e.g., config, status, and actions) for full web services capabilities.

Default: enabled
Values: enabled | disabled

Example: set templates disabled

troubleshooting: Sets the ability to use the troubleshooting web service. The ME provides a troubleshooting web service that accesses the call database and sends troubleshooting requests to the ME device for call binding information. When enabled, the user can access the troubleshooting web service; when disabled, the user cannot.

Default: enabled
Values: enabled | disabled

Example: set troubleshooting disabled

web-services: Sets the ability to initiate WSDL requests through the web services management API. When enabled, the user can access the web service interface; when disabled, the user cannot. Note that this permission provides read-only access. You must also enable other permissions (e.g., config, status, and actions) for full web services capabilities. Enable template permissions for access to the template API.

Default: enabled
Values: enabled | disabled

Example: set web-services disabled

debug: Enables or disables the ability to access debug commands. When enabled, the user has shell and debug access; when disabled, the user does not. Typically, these commands, which are a licensed feature, are not for end-user use. If not licensed, the debug property does not display.

Default: disabled
Values: enabled | disabled

Example: set debug enabled

login-attempts: Specifies the maximum number of failed login attempts allowed by the ME device. When this value is reached the user is locked out until an administrator either configures a new password or executes the "login unlock" action for that user.

Default: unlimited
Values: Min: 3 / Max: 12

Example: set login-attempts 3

permitted-view: Assign a permitted view you want a user to have. If no permitted-view is specified, the default permitted view is set to all.

Default: all
Values:
  • all

  • minimal

  • basic

  • secureAccessProxy

  • secureMediaProxy

  • lcs

  • sametime

  • imFederation

  • e911

  • phoneServices

  • pstn

  • csta

  • security-admin

  • security-operator

  • sip-admin

Example: set permitted-view security-admin

config-filter: Select the existing config-filter you want to use for this permission set.

Default: There is no default setting

Example: set config-filter filter1

action-filter: Select the existing action-filter you want to use for this permission set.

Default: There is no default setting

Example: set action-filter actionfilter1

gui-tools-update-software: When enabled, this privilege allows users to use the Update software action under the Tools tab.

Default: enabled
Values: enabled | disabled

Example: set gui-tools-update-software disabled

gui-tools-upload-files: When enabled, this privilege allows users to use the Upload license file and Upload file actions under the Tools tab.

Default: enabled
Values: enabled | disabled

Example: set gui-tools-upload-files disabled

gui-tools-download-files: When enabled, this privilege allows users to use the Retrieve license, Download file, and Download saved configuration file actions under the Tools tab.

Default: enabled
Values: enabled | disabled

Example: set gui-tools-download-files disabled

directory-white-list: The directories that are allowed to be read from or written to by various services.

Default: There is no default setting

Example: set directory-white-list /directory

users

Opens the users directory for configuration. When setting up authentication through this directory, you statically add users, and their privileges, to the system authentication database. Alternatively, you can configure the ME to perform authentication via a RADIUS server with the radius object.

Syntax

config access users
config vsp access users

Properties

admin: Enables or disables access for statically configured users.

Default: enabled
Values: enabled | disabled

Example: set admin disabled

password-policy

Specifies the password requirements for locally configured users. It is through this object that you define string requirements, reusability, and expiration times.

Syntax

config access users password-policy
config vsp access users password-policy

Properties

duration: Specifies the length of time, in days, for which a password is valid. When a password expires, the ME prompts you to change it on your next log in and sends a message to the event log.

Default: unlimited
Values: Min: 1 / Max: 365; unlimited (the password never expires)

Example: set duration 7

minimum-length: Specifies the minimum number of characters allowed for a password.

Default: 4
Values: Min: 2 / Max: 64

Example: set minimum-length 5

character-types: Specifies the number of different character types allowed in a password. The character type choices are uppercase, lowercase, numeric, and other (anything non-alphanumeric).

Default: 1
Values: Min: 1 / Max: 4

Example: set character-types 3

allow-sequences: Specifies whether the password can contain sequences or repeated characters. If set to true, any string is acceptable (if it meets the other property constraints). If set to false you cannot include a sequence or repeated character in a password. A sequence is considered two or more consecutive numbers or letters (ab, 67, or MN, for example). Characters are considered repeated only if they are directly next to each other (skiing would be invalid, banana would be allowed).

Default: true
Values: true | false

Example: set allow-sequences false

recycle-check: Specifies whether and when a password can be reused. If set to disabled, any password can be reused. Specifying a number indicates the number of previous passwords that cannot be reused. For example, specifying four requires that a new password not be the same as any of the last four passwords.

Default: disabled
Values: enabled | disabled

Example: set recycle-check enabled
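The following Python model, added here and not part of the OS-E software, applies the password-policy properties above (minimum-length, character-types, allow-sequences, recycle-check) to candidate passwords so a policy's effect can be checked before it is pushed to the device. It assumes that character-types is the minimum number of distinct classes a password must contain, and that only ascending runs count as sequences because the chapter's examples (ab, 67, MN) are ascending; the hardened policy values and sample passwords are constructed.

```python
"""Model of the ME password-policy checks described in this chapter.

Added example, not OS-E code. Assumptions are marked in the comments.
"""
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    minimum_length: int = 4       # Default: 4 (Min 2 / Max 64)
    character_types: int = 1      # Default: 1 (Min 1 / Max 4)
    allow_sequences: bool = True  # Default: true
    recycle_check: int = 0        # 0 models "disabled"; N = last N passwords may not be reused


# The chapter's defaults, and a constructed hardened policy for comparison.
DEFAULT_POLICY = PasswordPolicy()
HARDENED_POLICY = PasswordPolicy(minimum_length=12, character_types=3,
                                 allow_sequences=False, recycle_check=4)


def count_character_types(password: str) -> int:
    """Count the distinct classes present: uppercase, lowercase, numeric, other."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(present)


def has_sequence_or_repeat(password: str) -> bool:
    """True if the password contains an adjacent repeated character ("skiing")
    or an ascending run of consecutive letters or digits (ab, 67, MN).

    Assumption: only ascending runs count, matching the chapter's examples;
    it does not say whether descending runs (ba, 76) are rejected too.
    """
    for prev, cur in zip(password, password[1:]):
        if prev == cur:
            return True  # "banana" passes: its repeated letters are not adjacent
        same_class = (prev.isalpha() and cur.isalpha()) or (prev.isdigit() and cur.isdigit())
        if same_class and ord(cur) - ord(prev) == 1:
            return True
    return False


def check_password(policy: PasswordPolicy, candidate: str, history=()) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    `history` holds the user's previous passwords, most recent first; only the
    first `policy.recycle_check` entries are consulted, so 0 disables the check.
    """
    violations = []
    if len(candidate) < policy.minimum_length:
        violations.append(f"shorter than minimum-length {policy.minimum_length}")
    # Assumption: character-types is the minimum number of distinct classes required.
    if count_character_types(candidate) < policy.character_types:
        violations.append(f"fewer than {policy.character_types} character types")
    if not policy.allow_sequences and has_sequence_or_repeat(candidate):
        violations.append("contains a sequence or repeated character")
    if policy.recycle_check and candidate in list(history)[:policy.recycle_check]:
        violations.append(f"reuses one of the last {policy.recycle_check} passwords")
    return violations


if __name__ == "__main__":
    # The chapter's own example user password, "admin", is accepted by the
    # default policy and rejected by the hardened one.
    for policy in (DEFAULT_POLICY, HARDENED_POLICY):
        print(policy, check_password(policy, "admin"))
```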

user

Adds the named user to the system authentication database and assigns a previously configured set of permissions.

Enter a user name for the entry; enclose the name in quotation marks if it contains spaces.

Syntax

config access users user name
config vsp access users user name

Properties

password: Configures a password for the named user. A password string must be at least four characters long.

Default: There is no default setting

Example: set password admin

confirm: ************

permissions: Associates a set of permissions with the named user. These permissions include access to a variety of box-level services. See the permissions object for details.

Enter a previously configured set of permissions.

Default: There is no default setting

Example: set permissions vsp access permissions grantAll

radius

Configures the ME to use a RADIUS server to perform user authentication and sets basic RADIUS functionality. For system-wide access use the group and server objects to define and identify the server. For VSP access, use the group property within this object. Alternatively, you can statically configure users for authentication and privileges via the users object.

Note:

The radius subobject is applicable to the access object whether you configure it from the top level of the CLI hierarchy or from within a VSP. However, the group property, which references a previously configured RADIUS group, is only available from within a VSP. When configuring RADIUS from outside of the VSP, you must create a new group and server.

Syntax

config access radius
config vsp access radius

Properties

admin: Enables or disables the RADIUS server authentication configuration. When enabled, the ME device forwards authentication requests to the specified RADIUS server.

Default: enabled
Values: enabled | disabled

Example: set admin enabled

group: Specifies the RADIUS group that the ME uses for user authentication. A RADIUS group defines the authentication and accounting services associated with a group of RADIUS servers, configured using the VSP radius-group object. Enter a reference to a previously configured group.

Default: There is no default setting

Example: set group "vsp radius-group mgmtEmployees"

default-permissions: Associates a set of permissions to apply if there are no specifically configured permissions in place. These permissions include access to a variety of box-level services. See the permissions object for details.

Enter a previously configured set of permissions.

Default: There is no default setting

Example: set default-permissions vsp access permissions grantAll

default-sip-address <regExp> <replacement>: Specifies the SIP address to use when displaying calls via the portal. When the portal is configured for a user, they only see their own calls in the ME Management System. In order to filter for the user, the ME needs to know the SIP address. This can be set on the RADIUS server. If there is not a SIP address defined for the user in the RADIUS server, the ME uses this property to generate a SIP address from the access user name.

For more information regarding configuring regular expressions and replacement strings, see Using Regular Expressions.

Default: There is no default setting
Values:
  • regExp: Enter a regular expression identifying the portion of the attribute to match. For example, the following expression identifies a subexpression (between the parentheses) that matches all names:

    (.*)

  • replacement: Enter a string that defines how to recompose the resulting regExp string. The replacement string is what the ME searches on when displaying calls in the portal for that user. In the following example, the first component from the regular expression is substituted in place of the "\1" and appended to "@company.com":

    \1@company.com

Example: set default-sip-address (.*) \1@company.com
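The derivation above, worked through in Python as an added example (not OS-E code): the portal filters a user's calls on the address this pair produces, so a pattern that silently yields a wrong address leaves the filter pointing at nobody. Python's `re` stands in for the ME's regular expression engine, which this chapter does not name, and the stricter pattern and the sample user names are constructed.

```python
"""Deriving a portal SIP address from an access user name with the
default-sip-address <regExp> <replacement> pair.

Added example, not OS-E code. Python's `re` stands in for the ME's regular
expression engine, which this chapter does not name.
"""
import re

# The chapter's example pair: capture the whole user name, append the domain.
EXAMPLE_REGEXP = r"(.*)"
EXAMPLE_REPLACEMENT = r"\1@company.com"

# Constructed stricter pattern: strip an optional "vsp\" prefix and accept
# only a plain lower-case account name, so anything else fails visibly.
STRICT_REGEXP = r"(?:[A-Za-z0-9]+\\)?([a-z0-9.]+)"


def derive_sip_address(username: str, reg_exp: str, replacement: str):
    """Match the pattern against the whole user name and expand the replacement.

    Returns None when the pattern does not match, so a user name the pattern
    was not written for produces a visible failure instead of a bogus address.
    """
    match = re.fullmatch(reg_exp, username)
    if match is None:
        return None
    return match.expand(replacement)


def derive_sip_address_naive(username: str, reg_exp: str, replacement: str) -> str:
    """Pitfall for comparison: a global substitution with `(.*)` also matches
    the empty string at the end of the input, so the suffix is appended twice."""
    return re.sub(reg_exp, replacement, username)


if __name__ == "__main__":
    # A system-wide login and a VSP-qualified login, both constructed here.
    for name in ("jdoe", "cxc1\\jdoe"):
        print(name, "->", derive_sip_address(name, EXAMPLE_REGEXP, EXAMPLE_REPLACEMENT))
    print("strict ->", derive_sip_address("cxc1\\jdoe", STRICT_REGEXP, EXAMPLE_REPLACEMENT))
    print("naive  ->", derive_sip_address_naive("jdoe", EXAMPLE_REGEXP, EXAMPLE_REPLACEMENT))
```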

group

Configures a RADIUS group allowing the ME device (the RADIUS client) to perform user authentication for user access. (To set up authentication of SIP traffic, use the VSP radius-group object.) Associate servers with the group using the server object.

This object is only available when configuring user access outside of the VSP. Specify the RADIUS group name using up to 16 alphanumeric characters with no blank spaces.

Syntax

config access radius group name

Properties

admin: Enables or disables the RADIUS authentication and accounting server configuration. When enabled, authentication and SIP call accounting records are forwarded to the specified server IP address and port numbers.

Default: enabled
Values: enabled | disabled

Example: set admin disabled

accounting-mode: Sets the RADIUS group accounting operational algorithm.

Default: duplicate
Values:
  • round-robin: If you configure multiple accounting servers in the accounting group, the round robin algorithm performs continued accounting requests to primary and secondary servers until a valid accounting response is received.

  • duplicate: The duplicate algorithm issues multiple duplicate accounting requests to all servers in the RADIUS accounting group. A duplicate accounting request uses the same client source IP address and source UDP port.

  • fail-over [retryNumber]: If you configure multiple accounting servers, the failover algorithm forwards accounting requests to secondary servers should the current accounting server fail. You can specify up to 256 failover servers.

Example: set accounting-mode round-robin

authentication-mode: Sets the RADIUS group authentication operational algorithm.

Default: fail-over 3
Values:
  • round-robin: If you configure multiple authentication servers in the RADIUS group, the round robin algorithm performs continued authentication requests to primary and secondary servers until a valid authentication response is received.

  • fail-over <retryNumber>: If you configure multiple authentication servers in the RADIUS group, the failover algorithm forwards authentication requests to secondary servers should the current authentication server fail. You can specify up to 256 failover attempts to other servers.

Example: set authentication-mode round-robin

type: Sets the type of SIP accounting record to use. Currently, the only valid SIP accounting record type is Cisco.

Default: cisco

Example: set type cisco

included-in-default: Specifies if this RADIUS group is to be included in the default RADIUS authentication and accounting target group.

If set to true, authentication and accounting requests are forwarded to this group if there are no configured policies that govern or redirect RADIUS requests to other servers.

Default: true
Values: true | false

Example: set included-in-default false

send-digest-contents: Specifies whether to include the SDP contents in the RADIUS Auth-Request message. If set to true, the ME does include the contents.

Note that this feature is for customized RADIUS use. If you enable it for a RADIUS server that does not support this option, the RADIUS server will then reject every RADIUS request.

Default: false
Values: true | false

Example: set send-digest-contents true

server

Identifies and defines the operating parameters of the RADIUS server(s) for a specified group. This object is only available when configuring user access outside of the VSP.

Enter the host name or IP address for your RADIUS server.

Syntax

config access radius group name server host

Properties

admin: Enables or disables the RADIUS authentication and accounting server configuration. When enabled, authentication and SIP call accounting records are forwarded to the specified server IP address and port numbers.

Default: enabled
Values: enabled | disabled

Example: set admin disabled

authentication-port: Sets the UDP port number that the RADIUS client (the ME device) uses to send authentication requests to the RADIUS server.

Default: 1812
Values: Min: 1 / Max: 65535

Example: set authentication-port 998

accounting-port: Sets the UDP port number that the RADIUS client (the ME device) uses to send accounting requests to the RADIUS server.

Default: 1813
Values: Min: 1 / Max: 65535

Example: set accounting-port 999

secret-tag: Specifies the shared secret used to authenticate transactions between the ME device and the RADIUS server. The specified shared secret is never sent over the network.

Note that the secret you enter here is a shared secret, and must match the secret configured on the RADIUS server. Enter the string in alphanumeric characters. See Understanding Passwords and Tags for a description of the ME password handling.

Default: There is no default setting
Values: Min: 1 / Max: 32

Example: set secret abc123xyz

timeout: Specifies the time in milliseconds to elapse before an accounting or authentication request to a RADIUS server times out. If the request times out, the request is retried for the specified number of attempts before the request is forwarded to the next RADIUS server in the configuration or dropped.

Default: 1000 
Values: Min: 1 / Max: 65535

Example: set timeout 1500

retries: Sets the number of times the ME retransmits an accounting or authentication request if the RADIUS server does not respond.

Default: 3
Values: Min: 2 / Max: 5

Example: set retries 5

window: Configures the maximum number of simultaneous RADIUS client requests (authentication and accounting) sent to the RADIUS server.

Default: 32
Values: Min: 1 / Max: 127

Example: set window 115

call-field-filter

Configures the specific fields of the call detail record that the ME should send to the target RADIUS server(s). See the accounting call-field-filter object description for complete details.

Syntax

config access radius group name call-field-filter

Properties

None

enterprise

Applies access permissions to a group that is already defined in an enterprise directory server. This could be a group created in any number of ways: for example, as part of the directory setup and inherited by the ME device, or through the directories group object.

You can configure permissions for any number of groups through this object, but can only map a group to one set of permissions.

Syntax

config access enterprise
config vsp access enterprise

Properties

admin: Enables or disables the application of the specified permissions to the identified group.

Default: enabled
Values: enabled | disabled

Example: set admin disabled

directory: Specifies the directory server from which the ME derives its user information. Enter a reference to a previously configured enterprise directory.

Default: There is no default setting

Example: set directory active-directory employees

group-mapping: Maps previously defined directory groups to a set of previously configured permissions. Enter a group name that is recognized on the specified directory. Enter a reference to the permissions (configured using the permissions object), enclosing the reference in quotation marks.

Default: There is no default setting

Example: set group-mapping marketing "vsp access permissions viewOnly"

permission-filters

This object allows you to apply action and configuration filtering on a per-user basis.

Syntax

config access permission-filters

Properties

config-filter: Applies configuration filtering on a per-user basis. Enter a name for the filter.

Default: There is no default setting

Example: set config-filter filter1

action-filter: Applies action filtering on a per-user basis. Enter a name for the filter.

Default: There is no default setting

Example: set action-filter actionfilter1

config-filter

This object applies configuration filtering on a per-user basis.

Syntax

config access permission-filters config-filter

Properties

admin: Enable or disable this configuration filter.

Default: enabled
Values: enabled | disabled

Example: set admin enabled

filter: Specify the filter. Enter this value in free form, separating the class, object, and properties with a backslash "\".

Default: There is no default setting

Example: set filter filter1 cluster\box\interface\ip

action-filter

This object applies action filtering on a per-user basis.

Syntax

config access permission-filters action-filter

Properties

admin: Enable or disable this action filter.

Default: enabled
Values: enabled | disabled

Example: set admin enabled

filter: Specify the filter. Enter the action without any arguments. If you enter the action with arguments, the filter is ignored.

Default: There is no default setting

Example: set filter restart

grant-pattern

Configures the pattern to use to extract a privilege to grant.

Syntax

config access authorization attribute-grant <name> grant-pattern

Properties

name: Enter a descriptive name to give this grant.

Default: There is no default setting

Example: set name DeskPhoneEvent

pattern: Enter the regular expression pattern to use to define the attribute.

Default: There is no default setting.

Example: set pattern "\+1\((\d{3})\)(\d{3})-(\d{4})"

resource-identity: Select the type of matching to use to identify a resource-type.

Default: The default setting is equals.
Values:
  • equals <value>: The value that a user provides during an authorization request must be exactly the same as the resulting resource-identity. This is the default setting.

  • matches <expression>: The value that a user provides during an authorization request is matched against the resource-identity using a regular expression match.

  • any: Any value a user provides during an authorization request matches.

Example: set resource-identity any

regex-type: Advanced property. Specify the type of regular expression.

Default: The default setting is PCRE.
Values:
  • custom: Custom Regular Expressions and Replacements

  • PCRE: Perl Compatible Regular Expressions and Replacements

Example: set regex-type custom

resource-type: Select the resource type that this extracted value represents.

Default: There is no default setting.
Values:
  • call

  • call-recording

  • call-monitors

  • call-media-insertion

  • event-channel

  • registration

  • sip-request

  • file

Example: set resource-type sip-request

privileges: Select the CRUD privileges to allow for this resource-type.

Default: all
Values:
  • create

  • retrieve

  • update

  • delete

Example: set privileges create+retrieve

default-grant

Configures default grants, which apply to all the ME users matching the specified resource identity.

Syntax

access authorization default-grant
access authorization group-grant <name> default-grant

Properties

name: Enter a descriptive name to give this grant.

Default: There is no default setting.

Example: set name grant5

resource-identity: Select the type of matching to use to identify a resource-type.

Default: The default setting is equals.
Values:
  • equals <value>: The value that a user provides during an authorization request must be exactly the same as the resulting resource-identity. This is the default setting.

  • matches <expression>: The value that a user provides during an authorization request is matched against the resource-identity using a regular expression match.

  • any: Any value a user provides during an authorization request matches.

Example: set resource-identity any

resource-type: Select the resource type that this extracted value represents.

Default: There is no default setting.
Values:
  • call

  • call-recording

  • call-monitors

  • call-media-insertion

  • event-channel

  • registration

  • sip-request

  • file

Example: set resource-type call-recording

privileges: Select the CRUD privileges to allow for this resource-type.

Default: all
Values:
  • create

  • retrieve

  • update

  • delete

Example: set privileges create+retrieve

group-grant

Configures default and attribute grants for specific groups. Group grants apply to users belonging to these groups and matching the resource-identity.

Syntax

access authorization group-grant

Properties

name: Enter the name of the group for which you are configuring this grant.

Default: There is no default setting.

Example: set name engineering

default-grant: Configures a default grant for this group.

attribute-grant: Configures an attribute grant for this group.

application-accessible: Secondary property. Indicate whether or not to expose this group value externally.

Default: true
Values: true | false

Example: set application-accessible false