07 mn1783eu11mn 0001 security management

  • 7/28/2019 07 Mn1783eu11mn 0001 Security Management

    1/44

    Security management Siemens

    MN1783EU11MN_0001 2002 Siemens AG

    1

    Contents

    1 Introduction
    2 Profile Management
    2.1 Sub-Profiles
    2.2 Authorization Profiles
    2.3 User Profile
    3 Preferences
    4 Interworking of RC and LMT
    5 Exercise
    6 Solution

    1 Introduction

    The security administration includes tasks such as:

    Authorization profiles handling:

    The Radio Commander offers several default authorization profiles to define access rights for a specific user. There are 36 default authorization profiles for the RC; furthermore the user with the appropriate security rights, e.g. with authorization profile RCSysAdmin, can define additional authorization profiles.

    Subprofiles handling:

    Authorization profiles consist of sub-profiles related to BSS, NodeB, RNC and/or RC including rights for the database access. A subprofile specifies a set of allowed commands. The Radio Commander offers 73 default subprofiles; furthermore the user with the appropriate security rights, e.g. with the authorization profile RCSysAdmin assigned, can define additional subprofiles.

    User profiles handling:

    The RC offers a user profile for each user. As well as user names etc., this profile specifies the authorization profile assigned to the user. User profiles may be created, modified and deleted by a user with the appropriate security rights, e.g. with the authorization profile RCSysAdmin assigned.

    Depending on the authorization profile assigned to a user, the commands that are not allowed are grayed out and cannot be selected via the GUI. Via the CLI the command will be launched, but returns with an error message.

    The users can enable themselves to execute scheduling jobs. To do so, their UNIX crontab_file must be modified.

    Security settings:

    Security settings are information like password expiration time, limits for password length or screen lock behavior. The user with the appropriate security rights (e.g. RCSysAdmin) manages all global settings for all users.

    Password dictionary handling:

    There is one password dictionary available in the database, which holds all forbidden user passwords. It is not possible to delete a specific password. You can only delete the whole dictionary.

    If a password dictionary is imported, the content of this dictionary will be read into the database of the OMP. Only the new passwords will be read into the database; all others will be omitted.

    You can also export these passwords into a specified ASCII file.

    Before an RC operator can use the system, he/she has to authenticate to the system. This is done by entering a login name and a password on the UNIX level, and - if the passwords are different - a second time at the RC application. Related to the login name is a certain operator profile.

    Profiles are defined to distinguish permissions of different RC operators. Compared to the OMC-B, the RC allows much more detailed profiles.

    Every user can define preferences to customize the RC application panels to his personal liking.

    Since BR8.0/UMR4.0, the Radio Commander provides the common platform to manage both technologies on one Radio Commander. Since most of the customers will be using the RC to manage homogeneous single-technology networks (GSM only, or UMTS only), authorization profiles are defined to separate the technologies. The consequence of using the default authorization profiles is to disable (grey out) commands that are not used in the specific technology. There are also default authorization profiles which allow commands for both technologies.

    There are two kinds of authorization profiles:

    1. One kind providing a sequence of profiles with increasing rights: RCMonitorUser*, RCReadUser*, RCConfUser* and RCSysAdmin*, where RCMonitorUser* has the fewest rights and RCSysAdmin* has the most rights.

    * means: _umr, _gsm, or nothing, i.e. in the case of RCMonitorUser, you have:

    RCMonitorUser_umr, allowing only UMTS related commands (pure UMTS commands and common commands)

    RCMonitorUser_gsm, allowing only GSM related commands (pure GSM commands and common commands)

    RCMonitorUser, allowing GSM related commands and UMTS related commands (including the common commands)

    2. The other kind is related to the management function and to the technology: RCConfMgmnt*, RCFaultMgmnt*, RCLogMgmnt*, RCSecurityMgmnt*, RCPerfMgmnt*, RCSoftwareMgmnt*, RCTestMgmnt*, RCStateMgmnt* (_umr, _gsm, nothing for both technologies).

    Default authorization profiles and their permissions:

    RCSysAdmin: can execute all commands on the RC and the PLMN, including the security tasks, e.g. create user profile.

    RCConfUser: can execute all RC and PLMN configuration commands, excepting security tasks: BSS configuration management, Performance management, Fault management, Test management, State management, Software management. The user profile includes the user rights of the RCReadUser.

    RCReadUser: can execute all Get commands from the PLMN: BSS configuration management, Performance management, Fault management, Test management, State management, Software management. The RCReadUser also has writing access to the Performance management. The user profile includes the user rights of the RCMonitorUser.

    RCMonitorUser: can just monitor the PLMN: alarm monitoring, status monitoring, test management. The RCMonitorUser is the RC standard user.

    RCConfMgmnt: allows to execute all RC and PLMN configuration commands.

    RCFaultMgmnt: allows to access the fault management commands for the RC and PLMN.

    RCLogMgmnt: allows access to the logging management for RC and PLMN.

    RCPerfMgmnt: allows to execute all commands for performance management.

    RCSecurityMgmnt: allows execution of all security commands.

    RCSoftwareMgmnt: allows access to the software management commands.

    RCTestMgmnt: allows execution of the test management commands.
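
An added example, not part of the original training material: a simplified Python model of the tiered default profiles (RCMonitorUser* to RCSysAdmin*), showing how the _gsm/_umr suffix and the tier together decide whether a command is enabled in the GUI or rejected on the CLI. The command names, the kind and area labels and the MIN_TIER mapping are assumptions made for illustration; the function-based profiles (RCConfMgmnt* etc.) are not modelled.

```python
from typing import NamedTuple

# Tiers in order of increasing rights, and suffix -> enabled technologies (from the text).
TIERS = ("RCMonitorUser", "RCReadUser", "RCConfUser", "RCSysAdmin")
SCOPE = {"_gsm": {"gsm", "common"}, "_umr": {"umts", "common"},
         "": {"gsm", "umts", "common"}}
# Assumed command kinds mapped to the lowest tier (index into TIERS) allowed.
MIN_TIER = {"monitor": 0, "get": 1, "set": 2, "security": 3}


class Command(NamedTuple):
    name: str        # hypothetical command name
    technology: str  # "gsm", "umts" or "common"
    kind: str        # key of MIN_TIER
    area: str        # management area, e.g. "performance"


def parse_profile(profile):
    """Split e.g. 'RCReadUser_umr' into (tier index, allowed technologies)."""
    for suffix, techs in SCOPE.items():
        base = profile[:len(profile) - len(suffix)]
        if profile.endswith(suffix) and base in TIERS:
            return TIERS.index(base), techs
    raise ValueError(f"not a tiered default profile: {profile!r}")


def is_allowed(profile, cmd):
    tier, techs = parse_profile(profile)
    needed = MIN_TIER[cmd.kind]
    if cmd.kind == "set" and cmd.area == "performance":
        needed = TIERS.index("RCReadUser")  # write access to Performance mgmt
    return cmd.technology in techs and tier >= needed


def gui_menu(profile, commands):
    """GUI: commands that are not allowed are grayed out."""
    return {c.name: "enabled" if is_allowed(profile, c) else "grayed out"
            for c in commands}


def cli_run(profile, cmd):
    """CLI: the command is launched but returns with an error message."""
    if is_allowed(profile, cmd):
        return f"OK: {cmd.name}"
    return f"ERROR: {cmd.name} not permitted for profile {profile}"


# Constructed sample commands; the names are hypothetical.
SAMPLE = [
    Command("monitorAlarms", "common", "monitor", "fault"),
    Command("getCellConfig", "gsm", "get", "configuration"),
    Command("setMeasurementJob", "umts", "set", "performance"),
    Command("createUserProfile", "common", "security", "security"),
]
```

Calling gui_menu("RCReadUser_umr", SAMPLE) shows the GSM Get command grayed out while the UMTS performance Set command stays enabled, which is the technology separation the default profiles are meant to provide.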

    Fig. 1 Example for a user with authorization profile RCSysAdmin_gsm

    Fig. 2 Example for a user with authorization profile RCSysAdmin_umr

    2 Profile Management

    2.1 Sub-Profiles

    The RC system administrator can define his own sub-profiles from the Radio Commander Applications panel.

    Fig. 3

    Fig. 4

    Fig. 5

    Fig. 6

    2.2 Authorization Profiles

    Authorization profiles can be managed in a similar way. They depend on sub-profiles:

    Fig. 7

    Fig. 8

    Fig. 9

    2.3 User Profile

    A user profile is defined based on an authorization profile.

    Fig. 10

    Fig. 11

    Fig. 12

    Fig. 13

    3 Preferences

    Preference settings are done from the RC Applications panel.

    Four sub-panels exist for the definition of

    General settings

    Dialog settings

    Panel settings

    Alarm settings

    In the sub-panel for General settings, selections can be made to determine

    whether sound is used,

    whether the information of session ID and RC Region is displayed or not, and

    the editor which is used in the system.

    The Dialog settings offer:

    Action Dialog Defaults:

    Defines whether default values (Operator defaults) are automatically loaded in Action dialogs or not. The setting is applied to newly opened dialogs. (Default value: No default values)

    Set Dialog Defaults:

    Defines whether default values (Current values, System defaults or Operator defaults) are automatically loaded in Set dialogs or not. The setting is applied to newly opened dialogs. (Default value: No default values)

    Create Dialog Defaults:

    Defines whether default values (System defaults or Operator defaults) are automatically loaded in Create dialogs or not. The setting is applied to newly opened dialogs. (Default value: No default values)

    Representation of Service Menu:

    Enables selection between two different context menu presentation styles: Area or Actions. The setting is also applied to the context menu of open panels and lists as well as the Administration menu in the RC Applications window.

    When you select the Area option, the commands are grouped by 'application areas' like Fault Management, Configuration Management, Logging Management or Security Management. The area-specific commands are shown in submenus.

    When you select the Actions option, all commands are listed in Create, Delete, Get, Set and Action submenus without further grouping.

    Sort Order in Comboboxes:

    Defines the sort order of the entries in drop-down lists (Alphabetic or Predefined). The setting is applied to newly opened dialogs. (Default value: Alphabetic)

    Sort In Groups:

    Defines the parameter sort order within a parameter group, i.e. within a tab of an input dialog (Alphabetic or Predefined). The setting is applied to newly opened dialogs. (Default value: Alphabetic)

    Fig. 14

    Fig. 15

    The Panel settings contain choice boxes for

    Help View Activation (Yes activates the textual indication of the state),

    Fit Mode (Yes adapts the panel size dynamically to the optimum),

    Auto Save operator specific Panel Data, to define whether the operator specific panel properties are automatically stored when the panel is closed or not,

    Play Sound on state Change.

    Finally, the Alarm Settings panel defines the behavior of the system (e.g. the alarm list) in case of new alarm messages:

    Display iconified Alarm List as Popup (when a new alarm message is received),

    Change Color of Alarm List icon (when a new alarm message is received),

    Popup Open Alarm List to Workspace (when a new alarm message is received),

    Acoustic Signal (when a new alarm message is received),

    Blinked new Alarm (when a new alarm message is received).

    Fig. 16

    Fig. 17

    4 Interworking of RC and LMT

    The priorities of access for RC and LMT are defined in the same way as in OBR5.5:

    At the BSC, the RC has the higher priority and can block a connected LMT,

    at BTSE and TRAU the LMT has the higher priority.

    If an LMT is active at the BSC, the RC operator cannot enter all the commands but will receive a message about the LMT.

    Fig. 18

    Fig. 19

    5 Exercise

    Exercise 1

    Title: Creation of profiles

    Pre-requisite: login at RC as RCSysadm

    Task

    Create a new authorization profile!

    Then create a sub-profile based on this authorization profile!

    Finally create a user!

    Exercise 2

    Title: Setting of preferences

    Task

    Set your own preferences!

    Exercise 3

    Title: RC-LMT interworking

    Pre-requisite: LMT active at BTSE or TRAU and at BSC

    Task

    Try handling of the RC with a LMT active at BTSE and TRAU!

    Try handling of the RC with a LMT active at the BSC! Block and unblock the LMT!

    6 Solution

    Solution 1

    Title: Creation of profiles

    Pre-requisite: login at RC as RCSysadm

    Task

    Create a new authorization profile!

    Fig. 20

    Then create a sub-profile based on this authorization profile!

    Fig. 21

    Finally create a user!

    Fig. 22

    Solution 2

    Title: Setting of preferences

    Task

    Set your own preferences!

    Fig. 23

    Solution 3

    Title: RC-LMT interworking

    Pre-requisite: LMT active at BTSE or TRAU and at BSC

    Task

    Try handling of the RC with a LMT active at BTSE and TRAU!

    Try handling of the RC with a LMT active at the BSC!

    Block and unblock the LMT!

    Fig. 24
