4 Security Manager

With administrator privileges, Security Manager allows you to do the following:

• Create and manage user groups.
• Configure security authorization levels, policies and privileges for user groups.
• Provide specific access controls for individual user groups, views, and operations.
• Limit access to specific features and functionality for specific users.
• Configure audit log parameters.

Configure User Groups

A user group is a logical construct that the Oracle® Session Delivery Management Cloud ( Oracle SDM Cloud) uses to specify the authorization privileges that users assigned to certain groups inherit. Oracle SDM Cloud automatically adds the roles directly to the user roles on the Identity and Access Management (IAM) portal.

The Oracle SDM Cloud provides three default User Groups.

• Administrators
• Provisioners
• Monitors
  While you cannot modify the default User Groups, you can add and modify customized User Groups to create your own authorization policies. When you add a new User Group, Oracle SDM Cloud automatically adds the group to your IAM.

  Note:

  Do not add a new role to your Oracle SDM Cloud application through IAM. If you require a new role on the Oracle SDM Cloud application, add a new group using Security Manager in Oracle SDM Cloud.

Add a User Group

Once you've added a new user group in the Oracle® Session Delivery Management Cloud (Oracle SDM Cloud), which will appear as a new role in Identity and Access Management (IAM) and Access Management (IAM). Once you have assigned a user to a role, that user will inherit the group-based privileges.

1. Expand the Security Manager slider and select User management, Groups.
2. On the User Groups page, click Add.
3. On the Add Group screen, complete the following fields:

   Group name field

   The user group name. Use the following guidelines for naming this group: Use a minimum of three characters and maximum of 50. The name must start with an alphabetical character. You are allowed to use alphanumeric characters, hyphens, and underscores. The user group name is case insensitive. The user group must be unique. This name cannot contain spaces.

   Group permissions copy from drop-down list

   Copy existing privileges by choosing from the following default user groups. By selecting a user group from this drop-down, the privileges from the selected group are copied to the newly created group. By default, if no value is selected, the group is created with all privileges set to None. None—Manually configure privileges for this user group. administrators—This super user group is privileged to perform all operations. provisioners—This group is privileged to configure Oracle SDM Cloud and save and apply the configuration. monitors—This group is privileged to view configuration data and other types of data only. This group cannot configure Oracle SDM Cloud, and has the fewest privileges. Note: This value creates a copy of privileges to be applied to the new group. However, once a group is created, you can go back and customize those privileges at any time.

4. Click Apply.
   You are returned to the User Groups table where the new user group has been added. If you navigate to your IAM portal, you will see a new user role for that security group has already been added.

Delete a User Group

1. Expand the Security Manager slider and select User management, Groups.
2. On the Groups page, choose the (non-default) user group that you want to delete from the User Groups table and click Delete.
3. In the Delete confirmation dialog box, click Yes to delete this user group.
   The user group is removed from the User Groups table.
4. In the success dialog box, click OK.

Apply or Change User Group Privileges

You can apply privileges to user groups that you add to allow or deny all users within this user group the ability to perform certain operations. This includes items intended for use with separate Oracle SDM Cloud managers. For the default administrators, provisioners, and monitor user groups, only device group privileges can be changed.

User group privileges that are assigned to the administrators user groups inherit most of the same access privileges.

All user group privileges that are available through Oracle SDM Cloud are described in the following sections.

Apply User Group Privileges for Configuration

1. Expand the Security Manager slider and select User management, Groups.
2. In the User Groups pane, select the group you want to modify from the User Groups table and click Edit.
3. In the expanded group pane, click the Configuration tab and click the folder and subfolder sliders to expand the item operations list.
4. Select the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.
5. In the Privileges drop-down list, select the following user group privilege options for folders or items in the Configuration tab table described below:
   • Full—Allowed to perform administrative operations.
   • None—Not allowed to perform administrative operations.
   • View—Allowed to monitor only.

   Note:

   The fields described below appear if all features are enabled.

   Configuration folder	Set privilege levels for all configuration operations.
   Device configuration folder	Set privilege levels for all of the following user management operations accessible on the Configuration Manager slider.
   Configure services item	Set privilege levels for host-in-path (HIP) firewall functions that are allowed to pass administrative traffic to the host.
   Configure interfaces item	Set privilege levels for FTP, ICMP, SNMP, Telnet, and SSH interfaces.
   Configure NM controls item	Set privilege levels for network management controls performance group pane.
   Configure security item	Set privilege levels for the Security Manager features.
   Configure system item	Set privilege levels for the configuration of system usage parameters.
   Offline Configuration item	Set privilege levels for offline configuration functionality.
   Load device item	Set privilege levels for loading a device.
   Override lock item	Set privilege levels for overriding a lock on a device.
   Transfer configuration view item	Set privilege to transfer user device configuration modifications from one user to another.
   Update to device folder	Set privilege levels for the following device configuration operation items in this folder.
   Save configuration item	Set privilege levels for saving the configuration of a device.
   Activate configuration item	Set privilege levels for activating the configuration of a device.
   Save and activate configuration item	Set privilege levels for saving and activating the configuration of a device.
   Configuration archive folder	Set privilege levels for all of the following configuration archive operations.
   Back up configurations item	Set privilege levels for backing up configurations in the configuration archive.
   Restore configurations item	Set privilege levels for restoring configurations in the configuration archive.
   Delete archived configuration item	Set privilege levels for deleting configurations in the configuration archive.

6. Click Apply.

Apply User Group Privileges for Device Maintenance

1. Expand the Security Manager slider and select User management, Groups.
2. In the User Groups pane, select the group you want to modify from the User Groups table and click Edit.
3. Select the Device Maintenance tab to modify user group privileges and click on the folder and subfolder sliders to expand the item operations list.
4. Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.
5. In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Device Maintenance tab table described below:
   • Full—The user group is allowed to reboot a device.
   • None—The user group is not allowed to reboot a device.
   • View—The user is allowed to view reboot device work orders.

   Reboot	Reboot the device.
   Override Lock On Device	Override the lock on a device.
   Software Upgrade	Create, delete, or modify software upgrade work orders.

6. Click Apply.

Apply User Group Privileges for the Administrative Operations

1. Expand the Security Manager slider and select User management, Groups.
2. In the User Groups pane, choose the group you want to modify from the User Groups table and click Edit.
3. In the expanded group pane, click the Administrative operations tab and click the folder and subfolder sliders to expand the item operations list.
4. Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.
5. In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Administrative operations tab table described below:
   • Full—(Default) Allowed to perform administrative operations.
   • None—Not allowed to perform administrative operations.

   Administrative operations folder	Set privilege levels for all of the following administrative operations.
   Security administration folder	Set privilege levels for all of the following user management operations accessible on the Security Manager slider.
   Group operations folder	Set privilege levels for all user groups.
   Add group item	Set privilege levels to add a new user group.
   Update group item	Modify user groups.
   Delete group item	Delete existing user groups from Security Manager.
   Device group folder	Assign privilege for all functions pertaining to a device group within the Device Manager (see below).
   Add device group item	Set privilege levels to add a new network function containing a device group for a device(s).
   Delete device group item	Delete a device group.
   Move device group item	Move a device group.
   Rename device group item	Rename a device group.
   Device folder	Assign privilege to all of the following device operations accessible through the Device Manager and Configuration Manager sliders.
   Add device item	Add a new device.
   Remove device item	Remove an existing device.
   Move device item	Move a device.
   View all audit logs item	View all audit logs.
   View own audit log item	View only personal audit log.
   Change audit log auto purge interval item	Configure the number of days of audit logs to keep.
   Export audit logs item	Export all of an audit log to a file.
   Manual audit log purge item	Manually purge audit logs.
   Site item	Create and manage Sites.

6. Click Apply.

Apply User Group Privileges for Fault Management Operations

1. Expand the Security Manager slider and select User management, Groups.
2. In the User Groups pane, choose the group you want to modify from the User Groups table and click Edit.
3. Click the Fault management tab and click the folder and subfolder sliders to expand the item operations list.
4. Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.
5. In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Fault management tab table described below:
   • Full—Allowed to perform event or alarm operations.
   • None—Not allowed to perform event or alarm operations.

   Fault management folder	If the None privilege is chosen, the Fault Manager slider does not appear in the Oracle SDM Cloud GUI.
   Events and Alarms folder	Assign the privileges for all of the following event and alarm operations accessible on the Fault Manager slider.
   Alarms folder	Assign the privileges for all of the following alarm operations accessible on the Fault Manager slider.
   Delete alarm item	Delete alarms.
   Remap severities item	Edit the alarm severity levels.
   Events folder	Assign the privileges for all of the following event operations accessible on the Fault Manager slider.
   Delete events item	Delete events.

6. Click Apply.

Apply User Group Privileges for Device Groups

Use this task to apply user-group privileges for device groups that appear on the Device Manager slider.

1. Expand the Security Manager slider and select User management, Groups.
2. In the User Groups pane, select the group you want to modify from the User Groups table and click Edit.
3. Click the Device groups tab.
4. In the Device groups box table, complete the following fields:

   Include children check box	(Optional) Check the check box to select all children of the device group. Next select either Set all to None or Set all to Full have no privileges or full privileges respectively for the children of the device group.
   Set all to None button	Set all Device groups to have no privileges.
   Set all to Full button	Set all Device groups to have full privileges.

   The Preview box displays the device group based on the privileges that are assigned (Full, View, None).
5. Repeat the previous step for other device groups (if there are any).
6. Click Apply.

Audit Logs

You can use the audit log (containing audit trails) generated by Oracle SDM Cloud to view performed operations information, which includes the time these operations were performed, whether they were successful, and who performed them when they were logged into the system.

Note:

Audit logs contain different information depending on the feature functionality.

Audit trails include the following information:

• The user who performed the operation.
• What operation was performed by the user.
• When the operation was performed by the user.
• Whether the operation performed by the user was successful or failed.

View and Save an Audit Log

The audit log tracks user-initiated events. The following list describes some examples of user events that are audit logged in Oracle SDM Cloud:

• User logins and logouts.
• Managed devices are added.
• Device groups are added.
• Oracle Communications Session Delivery products are loaded.
• An element is added, deleted, or modified.
• A device is rebooted.
• Configurations are saved or activated.

1. Expand the Security Manager slider and select Audit log, View.
2. In the Audit log pane, click Set Columns to select all columns you want to view in the Audit Log table. The following table lists and describes all columns available view:

   Username field	The name of the user who performed the operation.
   Time field	The time stamp for when the operation was performed by the user.
   Category field	The category of operation performed by the user. For example, Authentication.
   Operation field	The specific operation performed by the user.
   Status field	The status of the operation performed by the user, whether it was successful or failed.
   Device field	The name of the device that the user performed an operation upon.
   Network function field	The NF name.
   Description field	The description of the operation performed.
   Sequence number field	The audit log reference number.

3. Click OK to accept your selections or Reset to close the Set Columns dialog box and ignore any changes.
4. To see details for a specific user entry, select an entry row in the table and click Details or double-click the row.
   In the Audit log details dialog box, the information described in the table above is displayed for the specified user entry.
5. Click OK.
6. Click Save to file to open the audit log file or save it to a file.

   Note:

   The downloaded CSV file is limited to 250 entries.

Search the Audit Log

1. Expand the Security Manager slider and select Audit log, View.
2. In the Audit log pane, click Search.
3. In the Audit Log Search dialog box, complete some or all of the following fields to search the audit log:

   Username field	Choose the name of the user who performed the operation.
   Category drop-down list	Choose the category of operation performed by the user. For example, Authentication.
   Operation box	Chose the specific operation performed by the user.
   Device	The name of the device that the user performed an operation upon.
   Status	The status of the operation performed by the user, whether it was successful or failed.
   Start Time	Choose a start time from the calendar.
   End Time	Choose an end time from the calendar.

4. Click OK.

Schedule Audit Log Files to be Purged Automatically

1. Expand the Security Manager slider and select Audit log, Purge.
2. In the Purge audit logs pane, specify the number of days of audit logs that are kept in the Interval in days field. The minimum configurable value is 2 days.
3. Click Apply.

IAM

The Identity Access Management page provides unique IDs needed to connect the Oracle® Session Delivery Management Cloud (Oracle SDM Cloud) to the Identity and Access Management (IAM). The IDs provided include the following:

• Oracle SDM Cloud FQDN
• Oracle SDM Cloud Tenant ID
• IDCS FQDN
• IDCS Tenant ID
• Management Cloud Engine (MCE) IDCS client ID
• MCE IDCS client secret

  This information is required as input when installing and setting up the MCE on-premises. For more information, see the Oracle SDM Cloud Installation Guide.