20-H3C EIA Permission Control for User Groups and Service Groups Configuration Examples


H3C EIA Permission Control for User Groups and Service Groups

Configuration Examples


Product Version: EIA (E6606)

Document version: 5W103-20240226

 

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

Hierarchical management is an effective way to ensure secure and reliable system running. The main idea behind hierarchical management is to let specific services be managed by specific operators. The following provides an example of configuring permission control over user groups and service groups in EIA.

·     User group: The administrator can assign users that have the same attributes (such as the same grade or the same access service) to a group for efficient management.

·     Service group: The administrator can assign service data (such as access services and security policies) in the system to different groups as needed. Only administrators and operators associated with the groups can operate the service data in the corresponding groups.

Feature usage guidelines

Application scenarios

Hierarchical management in this system is implemented by classifying service data (such as access services and access policies) into different service groups, and user data (such as access users) into different user groups. Only the administrators and operators associated with these groups are capable of operating the corresponding service and user data within these groups.

Prerequisites

Navigate to Automation > User > Service Parameters > Access Parameters > System Settings > System Parameters > User Data Management Parameters, and enable the UAM Service Group feature.

Restrictions and guidelines

·     The administrator is associated with all service groups and user groups by default and can configure service data and user data of all groups. This document takes a custom operator associated with a specific group as an example.

·     Any operator is associated with ungrouped service data and user data. The following provides an example of customized user groups and service groups.

Configuration examples

 

IMPORTANT:

To facilitate the use of the permission control feature of user groups and service groups, perform the configuration in the order of the chapters.

 

Example: Configuring permission control for user groups

Adding a user group

The administrator can assign users that have the same attributes (such as the same grade or the same access service) to a group for efficient management. To add a user group named User Group A:

1.     On the top navigation bar, click Automation. From the left navigation pane, select User > Access User. On the page that opens, click User Group in the upper right corner of the page, as shown in Figure 1.

Figure 1 User group page

 

2.     Click Add. On the page that opens, configure basic information, input a group name, and select a resource group as needed. The configuration is completed as shown in Figure 2.

Figure 2 Adding a user group

 

3.     Click Confirm. In the dialog box that opens, click OK, as shown in Figure 3.

Figure 3 Dialog box for adding a user group

 

4.     View the added user group in the user group list, as shown in Figure 4.

 

IMPORTANT:

If no resource group is selected for the user group, the added user group might not be displayed in the user group list.

 

Figure 4 Viewing the added user group

 

Adding an access user

An access user defines the credentials used by the user to access network resources, including the account name, password, and used service. To add an access user:

1.     On the top network navigation bar, click Automation. From the navigation pane, select User > Access User.

Figure 5 Access user page

 

2.     Click Add. On the page that opens, configure the access user parameters, as shown in Figure 6.

Figure 6 Access user configuration page

 

For more information about the parameters, see Table 1. Use the default settings for parameters that are not mentioned in the table.

Table 1 Access user parameters

User Name: Name of the user.

Identity Number: Identity number of the access user.

User Group: Group to which the access user belongs. Select the user group previously added as needed.

Account Name: The name that uniquely identifies the user account. The user applies for and uses services under this name. The name cannot be the same as any existing account name.

Password/Password Confirm: The password is used for identity verification. It is a non-empty string of up to 32 characters.

Access Service: An access service is a collection of predefined network usage features. Select an existing access service as required. To add an access service, see Adding an access service.

 

3.     Click Confirm. View the added user in the access user list, as shown in Figure 7.

Figure 7 Viewing the added access user

 

Adding a resource group

The operator can create resource groups as needed and assign resources to these groups for management. To organize and display the relationship between resource groups, an operator can specify a parent group for each resource group. Configured with parent groups, all resource groups can be organized into a tree with the top group as the root node. You can separately configure management permissions for each resource group. Resources in a child resource group also belong to its parent group. To add a resource group named Resource Group A:

1.     On the top network navigation bar, click System. From the navigation pane, select System Settings > Resource Groups.

Figure 8 Resource group page

 

2.     Click Add. On the page that opens, enter the name of the group and select a parent group as needed.

a.     Click Select from Parent Group to add resources to the group.

b.     Click All Available Resources to add the resources you want to manage into the group.

 

IMPORTANT:

You can select a parent group as required. This chapter adopts the All Available Resources method to add resources to the group.

 

The configuration is completed as shown in Figure 9.

Figure 9 Adding a resource group

 

For the parameter description, see Table 2.

Table 2 Resource group parameters

Group Name: Name of the resource group. The value is a string of 1 to 128 characters that can contain Chinese characters, letters, digits, spaces, left parentheses ((), right parentheses ()), left brackets ([), right brackets (]), underscores (_), hyphens (-), dots (.), and backslashes (\).

Group Description: Description of the resource group. The value is a string of up to 128 characters that can contain only Chinese characters, letters, digits, spaces, left parentheses ((), right parentheses ()), left brackets ([), right brackets (]), underscores (_), hyphens (-), dots (.), and backslashes (\).

Parent Group: (Optional.) Parent group of the resource group.

Resources: Resources that can be managed by this resource group.

·     Parent Group: If you select this option, you can add the resources in the parent group to the group.

·     All Available Resources: Add resources to this group as required.

 

3.     Click OK.

Assigning permissions to resource groups

The administrator can assign management permissions of resource groups to operators and separately set the management permissions and manageable resources for each resource group. To assign permissions to a resource group named Resource Group A:

1.     On the top network navigation bar, click System. From the navigation pane, select System Settings > Resource Groups.

Figure 10 Resource group page

 

2.     Select a resource group, and click Assign Permissions. On the page that opens, select actions as required, as shown in Figure 11.

Figure 11 Selecting actions

 

3.     Set the permission name prefix. The permission name is displayed in the prefix-resource type name format, as shown in Figure 12.

Figure 12 Configuring the permission name prefix

 

4.     Select the permission group to which the permission belongs from the dropdown list. View the permission in the corresponding group in the permission list, as shown in Figure 13.

Figure 13 Selecting a permission group

 

5.     Select to add a new role, and enter the role name. The configuration is completed as shown in Figure 14.

Figure 14 Adding a new role

 

6.     Click Confirm.

Assigning permissions to roles

A role is a collection of permissions. The system uses role-based access control and grants permissions to operators by assigning them to roles. Permissions for resource groups and user groups are required; they can be assigned either in this section or in Assigning permissions to resource groups. To assign permissions to a role named Role A:

1.     On the top network navigation bar, click System. From the navigation pane, select Role Management > Roles.

2.     To select a configuration mode for a role, click the edit icon in the Actions column for that role. To configure a role in classic mode, see Configuring a role in classic mode. To configure a role in quick mode, see Configuring a role in quick mode.

Configuring a role in classic mode

1.     Click Classic, as shown in Figure 15.

Figure 15 Role selecting page in classic mode

 

2.     Click Select. In the window that opens, enter Access User in the search bar, and click the search icon. Select the permissions you want to assign in the search results, as shown in Figure 16.

Figure 16 Assigning permissions

 

3.     Click OK. After returning to the previous page, you can view the effective permissions, as shown in Figure 17.

Figure 17 Effective permissions of the role

 

4.     Click OK.

Configuring a role in quick mode

1.     Click Quick, as shown in Figure 18.

Figure 18 Role selecting page in quick mode

 

2.     To assign permissions to resource groups, expand the System item next to the Permissions field, and select all permissions under the Resource Group field, as shown in Figure 19.

Figure 19 Assigning permissions to resource groups

 

3.     To assign permissions to user groups, expand the Access Management item, and select the permissions under the User Group field, as shown in Figure 20.

Figure 20 Assigning permissions to user groups

 

4.     To assign other permissions to users, expand the Access Management tab, and select related permissions under the Access User and Endpoint Management field, as shown in Figure 21 and Figure 22.

Figure 21 Assigning other permissions to users (1)

 

Figure 22 Assigning other permissions to users (2)

 

5.     Click Select in the Select Scope area, and click Select Resource Group. In the window that opens, add the newly added resource group to the list, as shown in Figure 23.

Figure 23 Selecting scope

 

6.     Click OK.

Adding a role group

The administrator can assign roles that have the same attributes to a role group for efficient management. To add a role group:

1.     On the top network navigation bar, click System. From the navigation pane, select Role Management > Role Groups.

Figure 24 Role group list page

 

2.     Click Add to display the configuration page, as shown in Figure 25.

Figure 25 Adding a role group

 

3.     Configure the basic information of the role group. Select the available roles and move them to the selected role list, as shown in Figure 26.

Figure 26 Configuring the basic information of the role group

 

4.     Click OK.

Adding an operator

After the administrator assigns group-related permissions to an operator (including adding, deleting, editing, and viewing group data permissions), the operator can associate with the group and manage it. To add a new operator named Operator-A:

1.     On the top network navigation bar, click System. From the navigation pane, select Role Management > Role Groups.

Figure 27 Role group list page

 

2.     Click the Add Operator icon. In the dialog box that opens, configure the basic information of the operator. The configuration is completed as shown in Figure 28.

Figure 28 Adding an operator

 

3.     Click OK.

Operator login

After logging in, Operator-A can only perform relevant operations on ungrouped users and users in User Group A.

Example: Configuring permission control for service groups

Adding a service group

The administrator can assign service data (such as access services and security policies) in the system to different groups as needed. Only administrators and operators associated with the groups can operate the service data in the corresponding groups. To add a service group named Service Group A:

1.     On the top network navigation bar, click Automation. From the navigation pane, select User > Service Parameters > Access Parameters. On the page that opens, click Service Group.

Figure 29 Service group page

 

2.     Click Add. On the page that opens, configure basic information, input a group name, and select a resource group as needed. The configuration is completed as shown in Figure 30.

Figure 30 Adding a service group

 

3.     Click Confirm. In the dialog box that opens, click OK.

Figure 31 Adding a service group

 

4.     View the added service group in the service group list. If no resource group is selected for the service group, the added service group might not be displayed in the service group list.

Figure 32 Viewing the added service group

 

Adding an access service

An access service is a way for users to use the network. It consists of a predefined set of network usage characteristics, including basic information and access policy information, and provides users with a complete access strategy. After users apply for a specific service, they can access the network according to the attributes set by that service. To add an access service:

1.     On the top network navigation bar, click Automation. From the navigation pane, select User > Access Service.

Figure 33 Access service page

 

2.     Click Add. On the page that opens, configure the access service parameters, as shown in Figure 34.

Figure 34 Configuring the access service parameters

 

For more information about the parameters, see Table 3. Use the default settings for parameters that are not mentioned in the table.

Table 3 Access service parameters

Service Name: Uniquely identifies a service among the access services.

Default Access Policy: If the access condition of the user does not match the access condition of the service, the user is controlled by the default access policy.

Default Proprietary Attribute Assignment Policy: If a user using the service does not match an access device group when the user accesses the network, the system deploys proprietary attributes to the access device according to the configuration of the default proprietary attribute assignment policy.

Default Max. Devices for Single Account: Maximum number of endpoints that can be bound to the access user when the user's access scenario matches none of the access scenarios in the service assigned to the user. This parameter appears only when the EIP component is deployed.

Default Max. Number of Online Endpoints: Maximum number of endpoints that can be simultaneously used for network access by the access user when the user's access scenario matches none of the access scenarios in the service assigned to the user.

Daily Max. Online Duration: Duration for which an account can access the network through the service per day, an integer in the range of 0 to 1440 minutes. When the specified duration is reached, the account is forced offline and cannot access the network again on that day. If an account has multiple endpoints, the maximum online duration of the account equals the total online duration of those endpoints. To not limit the online duration, set the value to 0.

Service Group: Group to which the access service belongs. Select the previously added service group as needed.

Access Scenario List: If the access condition of the user completely matches an access condition in the access policy list, the security policy, proprietary attribute assignment policy, and access policy used for the user during authentication are determined by that access policy configuration. Otherwise, the user uses the default security policy, the default proprietary attribute assignment policy, and the default access policy of the service. The Security Policy appears only after the EAD security policy component is installed.

 

3.     Click Confirm to add the access service and return to the access service page. View the added access service in the access service list, as shown in Figure 35.

Figure 35 Viewing the newly added access service

 

Adding a resource group

For more information about how to add resource groups, see Adding a resource group. The configuration is completed as shown in Figure 36.

Figure 36 Newly added resource group

 

Assigning permissions to resource groups

For more information about how to assign permissions to resource groups, see Assigning permissions to resource groups. The configuration is completed as shown in Figure 37.

Figure 37 Newly added resource group

 

Assigning permissions to roles

Assigning resource group and service group permissions is mandatory; this can be done either in this section or in Assigning permissions to resource groups. To assign permissions to a role named Role B:

1.     On the top network navigation bar, click System. From the navigation pane, select Role Management > Roles.

2.     To select a configuration mode for a role, click the edit icon in the Actions column for that role, and select Classic or Quick mode. To configure a role in classic mode, see Configuring a role in classic mode. To configure a role in quick mode, see Configuring a role in quick mode.

Configuring a role in classic mode

1.     Click Classic, as shown in Figure 38.

Figure 38 Classic mode page

 

2.     Click Select. In the window that opens, enter Access Service in the search bar, and click the search icon. Select the permissions you want to assign in the search results, as shown in Figure 39.

Figure 39 Role selecting page in classic mode

 

3.     Click OK. After returning to the previous page, you can view the effective permissions, as shown in Figure 40.

Figure 40 Effective permissions of the role

 

4.     Click OK.

Configuring a role in quick mode

1.     Click Quick, as shown in Figure 41.

Figure 41 Role selecting page in quick mode

 

2.     To assign permissions to access service management, expand the Access Management item next to the Permissions field, and select all permissions under the Access Service Management field, as shown in Figure 42.

Figure 42 Assigning permissions to access service management

 

3.     To assign permissions to service groups, expand the Access Management item, and select the permissions under the Service Group field, as shown in Figure 43.

Figure 43 Assigning permissions to service groups

 

4.     Click Select in the Select Scope area, and click Select Resource Group. In the window that opens, add the newly added resource group to the list, as shown in Figure 44.

Figure 44 Selecting scope

 

5.     Click OK.

Adding a role group

For more information about how to add a role group, see Adding a role group. The configuration is completed as shown in Figure 45.

Figure 45 Newly added role group

 

Adding an operator

For more information about how to add an operator, see Adding an operator. The configuration is completed as shown in Figure 46.

Figure 46 Newly added operator

 

Operator login

After logging in, Operator-B can only perform related operations on ungrouped services and services in Service Group A.
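The following Python model is an added illustration of the permission rules described in this document for both Operator-A (user groups) and Operator-B (service groups); it is not H3C code and does not reflect the EIA data model. It encodes the rules stated above: an operator obtains permissions through the roles in its role group, each role's scope is a set of resource groups, resources in a child resource group also belong to its parent, ungrouped data is visible to every operator, and the administrator is associated with all groups. All class and function names and the sample groups, roles and operators are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class ResourceGroupTree:
    """Resource groups form a tree; resources in a child group also belong to its parent."""

    def __init__(self) -> None:
        # name -> (parent name or None, user/service groups placed in this resource group)
        self.groups: Dict[str, Tuple[Optional[str], Set[str]]] = {}

    def add(self, name: str, parent: Optional[str] = None, resources=()) -> None:
        if parent is not None and parent not in self.groups:
            raise ValueError(f"parent group {parent!r} does not exist")
        self.groups[name] = (parent, set(resources))

    def effective_resources(self, name: str) -> Set[str]:
        """Own resources plus those of every descendant group."""
        out = set(self.groups[name][1])
        for child, (parent, _) in self.groups.items():
            if parent == name:
                out |= self.effective_resources(child)
        return out

@dataclass
class Role:
    name: str
    permissions: Set[str]   # e.g. "access_user:view", "access_service:modify"
    scope: Set[str]         # resource groups chosen under Select Scope

@dataclass
class Operator:
    name: str
    roles: List[Role]       # granted through the operator's role group
    is_admin: bool = False  # the built-in administrator is associated with all groups

def can_operate(op: Operator, action: str, kind: str, group: Optional[str],
                tree: ResourceGroupTree) -> bool:
    """kind is "access_user" or "access_service"; group is the user/service group of the
    item, or None when it is ungrouped. Admin may do anything; an operator needs a role
    carrying the permission, and the item must be ungrouped or lie inside the role's scope."""
    if op.is_admin:
        return True
    needed = f"{kind}:{action}"
    for role in op.roles:
        if needed not in role.permissions:
            continue
        if group is None:  # ungrouped data is visible to every operator
            return True
        if any(group in tree.effective_resources(rg) for rg in role.scope):
            return True
    return False

def build_example():
    """Constructed sample data for the two scenarios in this document (not real EIA data)."""
    tree = ResourceGroupTree()
    tree.add("Resource Group Root")
    tree.add("Resource Group A", parent="Resource Group Root", resources={"User Group A"})
    tree.add("Resource Group B", parent="Resource Group Root", resources={"Service Group A"})
    role_a = Role("Role A", {"access_user:view", "access_user:modify"}, {"Resource Group A"})
    role_b = Role("Role B", {"access_service:view", "access_service:modify"}, {"Resource Group B"})
    ops = {"Operator-A": Operator("Operator-A", [role_a]),
           "Operator-B": Operator("Operator-B", [role_b]),
           "admin": Operator("admin", [], is_admin=True)}
    return tree, ops
```

A role scoped to Resource Group Root sees User Group A as well, because the child group's resources belong to the parent.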
