01-03 Managing the Authority of the GGSN9811

7/25/2019 01-03 Managing the Authority of the GGSN9811

1/18

3Managing the Authority of the GGSN9811About This Chapter

The GGSN9811 offers a wide rage of operation and maintenance commands. The commands

are categorized into different command groups in terms of functions and influence on the device,

which facilitates the management. Meanwhile, the users are divided into groups with different

authorities. The command groups are specific to different users. This is to facilitate the operation

and management and improve the system security.

3.1 Basic Concepts

This part describes the basic concepts of the office, user type, user name, and password regarding

the authority management.

3.2 ManagingOperators of the GGSN9811

The operator's account can be managed only by the admin user, administrator, and custom user

with relevant authority.

3.3 ManagingCommand Groups

The command groups can be managed only by the admin user, administrator, and custom user


3.4 Managing User Passwords

This part describes how to manage the passwords by setting and querying the password policy

or modifying the password.

HUAWEI GGSN9811 Gateway GPRS Support Node

Operation Guide 3 Managing the Authority of the GGSN9811

Issue 03 (2008-04-10) Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd

3-1


2/18

3.1 Basic ConceptsThis part describes the basic concepts of the office, user type, user name, and password regarding

the authority management.

3.1.1 User Types

The local maintenance terminal (LMT) allows only two types of users to log in to the network

element (NE), that is, domain users and local users.

3.1.2 Operator Authority

The operator authority contains five levels, that is, guest, user, operator, administrator, and

custom user.

3.1.3 User Names and Passwords

This part describes the restrictions to the user name and password, as well as the default operator.

3.1.4 Operation Time Limit

The admin user, administrator, and custom user with related authority can enable that the

operator can operate the local maintenance terminal (LMT) only within a certain period. This

period is called time limit.

3.1.5 Command Groups

A command group is a set of commands. The commands are categorized into command groups,

and then the command groups are assigned to users with different authorities. In this case, the

authority of the operator can be managed. One command can belong to different command

groups.

3.1.1 User Types

The local maintenance terminal (LMT) allows only two types of users to log in to the network

element (NE), that is, domain users and local users.

The local users are managed by the NE; however, the domain users are managed by network

management system (NMS) and can log in to the NE. Table 3-1lists the difference.

Table 3-1Difference between the domain user and the local user

Operation Target Domain User Local User

Information such as user login and

authentication

Saved in the M2000. Saved in the NE.

Adding, modifying, deleting, or

querying the user

Realized on the

M2000.

Realized on the NE.

Procedure for user login and password

modification

The request is sent to

the M2000. After

receiving the request,

the M2000 sends

back the

authentication result

(success or failure) to

the NE.

Realized on the NE.

3 Managing the Authority of the GGSN9811


Operation Guide

3-2 Huawei Proprietary and Confidential


Issue 03 (2008-04-10)


3/18

3.1.2 Operator Authority

The operator authority contains five levels, that is, guest, user, operator, administrator, and

custom user.

Table 3-2Operator authority levels

AuthorityLevel

Data Query SystemMaintenance

DataConfiguration

Administration

Guest

User

Operator

Administrat

or

Custom When a user name is added, the authority for adding any combination of

command groups is available.

The commands for the guest, user, operator, and administrator are predefined in the system and

cannot be modified. The symbol indicates the available authority. The data query command,

system maintenance command, data configuration command, and operator management

command correspond to the authorities mentioned in the preceding table.

The authority of the custom user is defined by determining the command groups that can be used

by the custom user. The name of the command group and the commands in the command group

can be set based on the actual needs. Thus, the authority of the operator can be set in a flexible

way.

The custom user can add the authorities such as management, data query, system maintenance,

and data configuration.

3.1.3 User Names and Passwords

This part describes the restrictions to the user name and password, as well as the default operator.

The user name can contain up to 32 characters made up of letters and digits. The user name is

not case sensitive and must start with a letter.

The password is composed of 6 to 32 characters containing only alphabets, digits, and special

characters. The password is case sensitive.





3-3


4/18

NOTE

The special characters include: ~, !, @, #, $, %, ^, &, *, (, ),_, +, -, {, }, |, [, ], \, :, , ?, ., /, and space.

The following characters are prohibited: ,, ;, =, ", and '.

The following combinations are prohibited:

l Two or more %

l Two or more space

l Start identifiers of MML packets +++

l End identifiers of MML packets ---

By default, the user name is adminand the initial password is admin. The admin user enjoys

the highest authority and can run all the commands. The admin user can add the other users and

cannot be deleted. The password of the admin user can be changed only by this user.

NOTE

l All the operators can modify their own passwords.

l The admin user can modify the passwords of all users.

l The administrator and the custom user with related authority can change the passwords of the users

except the admin user.

3.1.4 Operation Time Limit

The admin user, administrator, and custom user with related authority can enable that the

operator can operate the local maintenance terminal (LMT) only within a certain period. This

period is called time limit.

The operation period is determined by the date, week, and time.

Table 3-3lists the examples of the operation time limit.

Table 3-3Examples of the operation time limit

Index Date Week Time Period

Exampl

e 1

2006-08-01 to

2007-08-01

Monday to

Friday

8:00:00 to

18:00:00

From 8:00:00 to 18:00:00;

Monday to Friday;

2006-08-01 to 2007-08-01

Exampl

e 2

Saturday and

Sunday

Saturday and Sunday

Exampl

e 3

No time limit

3.1.5 Command Groups

A command group is a set of commands. The commands are categorized into command groups,

and then the command groups are assigned to users with different authorities. In this case, the

authority of the operator can be managed. One command can belong to different command

groups.

The system defines 32 command groups. Here:



Operation Guide



Issue 03 (2008-04-10)


5/18

l G_0 to G_10: default command groups. The command in the command group cannot be

added or deleted.

l G_11 to G_31: customized command groups

Table 3-4lists the command groups.

Table 3-4Description of command groups

Command Group Authority Description

G_0 Guest group Predefined MML

command groups.

The commands in the

group cannot be

modified; however,

they can be queried.

G_1 Alarm management

G_2 Performance query

G_3 Performance management

G_4 Trace query

G_5 Trace management

G_6 Configuration query

G_7 Configuration management

G_8 Device query

G_9 System group

G_10 Alarm query

G_11 to G_31 User-difined command groups The commands in

these groups can be

queried and

modified.

3.2 Managing Operators of the GGSN9811

The operator's account can be managed only by the admin user, administrator, and custom user


3.2.1 Adding the Account of an Operator

This part describes how to add the account of an operator and how to set the password, definition,

command groups (only for custom user), and operation time limit.

3.2.2 Querying the Information of an Operator

This part describes how to query the information of a specified operator or all operators.

3.2.3 Modifying the Information of an Operator

This part describes how to modify the information of an operator, including the description,

password, definition, authority, and operation time limit. All the information rather than the

password takes effect after being modified.

3.2.4 Deleting the Account of an Operator





3-5


6/18

This part describes how to delete the account of an operator. The admin account cannot be

deleted.

3.2.5 Disconnecting the LMT Client

This part describes how to disconnect the local maintenance terminal (LMT) client. The LMT

client refers to the LMT programs, including the operation & maintenance system, trace viewer,alarm system.

3.2.6 Setting the Locking/Unlocking Function

This part describes how to lock and unlock the local accounts excluding the admin account.

3.2.7 Querying Locking/Unlocking Status

This part describes how to query the status of local non-default accounts.

3.2.8 Unlocking User Accounts Manually

This part describes how to manually unlock the local user accounts.

3.2.1 Adding the Account of an OperatorThis part describes how to add the account of an operator and how to set the password, definition,

command groups (only for custom user), and operation time limit.

Prerequisite

l The local maintenance terminal (LMT) is started.

l The user logs in to the GGSN9811 as an operator with the operation authority.

Context

This operation is valid only for local users.

NOTE

The operator's account can be added only by the admin, administrator, and custom operator with relevant

authority.

You can add the user name of an operator in the following ways.

Procedure

l Through the menu

1. Choose Authority > Account> Add...on the LMT. The Operator Management

dialog box is displayed. Refer to Figure 3-1.



Operation Guide



Issue 03 (2008-04-10)


7/18

Figure 3-1Operator Managementdialog box

2. Enter the user name and password and set the definition in the dialog box. If

Customis selected, specify the command groups to set Authority Limit.3. Set the operation time limit according to the actual needs.

4. Click OK. If the adding succeeds, a Confirmprompt is displayed, asking you whether

to add more?

5. Click Yesto add the account of the operator. Click Noto cancel the addition.

l Through the MML command

1. Run ADD OPto add the account of the operator.

WARNING

The account to be added must be different from the existing ones.

----End

3.2.2 Querying the Information of an Operator

This part describes how to query the information of a specified operator or all operators.

Prerequisite






3-7


8/18


Context

This operation is valid only for local users.l If the account of the operator is not specified, the system displays the names and status

information of all operators. In addition, the currently used IP addresses, service, and login

time of the online operators are also displayed.

l If the account of the operator is specified, the system displays the name, description,

password, operation time limit, status, and command groups.

Procedure

Run LST OPto list the information of the operator.

----End

3.2.3 Modifying the Information of an Operator

This part describes how to modify the information of an operator, including the description,

password, definition, authority, and operation time limit. All the information rather than the

password takes effect after being modified.

Prerequisite



Context


NOTE

The operator's account can be modified only by the admin user, administrator, and custom user with relevant

authority.

You can modify the information of an operator in the following ways.

Procedure

l Through the menu

1. Choose Authority > Account > Modify...on the LMT.

The Modify Operatordialog box is displayed. Refer to Figure 3-2.



Operation Guide



Issue 03 (2008-04-10)


9/18

Figure 3-2Modify Operatordialog box

2. Select the account of an operator, and click Modify.

The Operator Managementdialog box is displayed. The dialog box displays the

information of the operator to be modified. Refer to Figure 3-3.

Figure 3-3Operator Managementdialog box

3. Modify the information of the operator, and then click OK. The Modification

succeeded.prompt is displayed.





3-9


10/18

4. Click OK.


1. Run MOD OPto modify the information of the operator.

----End

3.2.4 Deleting the Account of an Operator

This part describes how to delete the account of an operator. The admin account cannot be

deleted.

Prerequisite



Context

This operation is valid only for local users. The admin account cannot be deleted.

NOTE

The operator's account can be deleted only by the admin user, administrator, and custom user with relevant

authority.

You can delete the account of an operator in the following ways.

Procedure

l Through the menu1. Choose Authority> Account> Delete...on the LMT. The Delete Operatordialog

box is displayed. Refer to Figure 3-4.

Figure 3-4Delete Operatordialog box

2. Select the account of an operator to be deleted, and then click Delete. TheConfirmationprompt is displayed.



Operation Guide



Issue 03 (2008-04-10)


11/18

3. Click Yesto delete the account. The Delete Operatordialog box is displayed.

4. Repeat Step 2if you need to delete other accounts. Otherwise, click Close.


1. Run RMV OPto delete the account of the operator.

----End

3.2.5 Disconnecting the LMT Client

This part describes how to disconnect the local maintenance terminal (LMT) client. The LMT

client refers to the LMT programs, including the operation & maintenance system, trace viewer,

alarm system.

Prerequisite

l The LMT is started.


Context

NOTE

Running this command can disconnect the specified network element (NE) from the LMT client. Thus,

run this command with caution.

Procedure

Step 1 Run DSP LNKto display the information of the current client.

Step 2 Run RMV LNKto disconnect the client.

----End

3.2.6 Setting the Locking/Unlocking Function

This part describes how to lock and unlock the local accounts excluding the admin account.

Prerequisite


l The admin logs in to the GGSN9811.

Context

Lock or unlock the local non-default accounts. The administrator can lock all the local non-

default accounts, and then disable the function of managing the local users.

CAUTION

The local non-default accounts can be locked or unlocked only by the admin user.

If a non-default account is locked, the locked user cannot log in to the network element (NE)

through the LMT.





3-11


12/18

Procedure

Run SET OPLOCKto lock or unlock the local non-default accounts.

----End

3.2.7 Querying Locking/Unlocking Status

This part describes how to query the status of local non-default accounts.

Prerequisite


l The user logs in to the GGSN9811.

ContextAll users can query the status of all local accounts rather than the admin user.

Procedure

Run LST OPLOCKto query the locking or unlocking status of local non-default accounts.

----End

3.2.8 Unlocking User Accounts Manually

This part describes how to manually unlock the local user accounts.

Prerequisite


l The administrator logs in to the GGSN9811.

Context

Running ULK USRcan unlock only the account of the user who enters the wrong passwords

continually. That is, some local non-default accounts cannot be unlocked by using ULK USR.

The times of entering the wrong password are cleared when you unlock the user that is not locked

by using ULK USR.

NOTE

The local accounts can be unlocked only by the administrator.

Procedure

Run ULK USRto unlock the local user accounts.

----End



Operation Guide



Issue 03 (2008-04-10)


13/18

3.3 Managing Command Groups

The command groups can be managed only by the admin user, administrator, and custom user


3.3.1 Querying Information of Command Groups

The system provides 32 command groups ranging from G_0 to G_31.

3.3.2 Setting the Name of a Command Group

The names of default command groups G_0 to G_10 cannot be modified. The command groups

G_11 to G_31 are customized, and thus you can modify the names of these command groups.

3.3.3 Modifying Commands in Command Groups

The command groups G_0 to G_10 are default, and thus the commands in these command groups

cannot be added or deleted. The command groups G_11 to G_31 are customized, and thus you

can modify the commands in these command groups.

3.3.1 Querying Information of Command Groups

The system provides 32 command groups ranging from G_0 to G_31.

Prerequisite



Context


NOTE


authority.

Procedure

Run LST CCGto list the commands in the command group.

----End

3.3.2 Setting the Name of a Command GroupThe names of default command groups G_0 to G_10 cannot be modified. The command groups

G_11 to G_31 are customized, and thus you can modify the names of these command groups.

Prerequisite


l The userlogs in to the GGSN9811 as an operator with the operation authority.

Context






3-13


14/18

NOTE


authority.

You can set the names of the command groups in the following ways.

Procedure

l Through the menu

1. Choose Authority> Command Group> Set Command Group Name...on the

LMT. The Set Command Group Namedialog box is displayed. Refer to Figure

3-5.

Figure 3-5Set Command Group Namedialog box

2. Select a command group in Command Groupand enter a name of a command group

in Command Group Name.3. Click Set. If the operation succeeds, the Operation succeeded.prompt is

displayed.

4. Click OK. Then, the Set Command Group Namedialog box disappears.


1. Run LST CCGNto list the name of the command group.

NOTE

You can run LST CCGNto list the names of command groups G_0 to G_31 or those of

specified command groups.

2. Run SET CCGNto set the name of the command group.

----End

3.3.3 Modifying Commands in Command Groups

The command groups G_0 to G_10 are default, and thus the commands in these command groups

cannot be added or deleted. The command groups G_11 to G_31 are customized, and thus you

can modify the commands in these command groups.

Prerequisite





Operation Guide



Issue 03 (2008-04-10)


15/18

Context


NOTE


authority.

You can modify the commands in the command groups in the following ways.

Procedure

l Through the menu

1. Choose Authority> Command Group> Modify Command Group...on the LMT.

The Modify Command Groupdialog box is displayed. Refer to Figure 3-6.

Figure 3-6Modify Command Groupdialog box

2. Select a command group among G_11 to G_31, such as G_11.

3. Select the commands to be added to the command group or deselect the commands

to be deleted in the check box. Set the name of the command group according to the

actual needs.

4. Click OK. Then, the Modify Command Groupdialog box disappears.


1. Run LST CCGto list the commands in the command group.

2. Run ADD CCGto add a command to the command group.

3. Run RMV CCGto remove a command from the command group.

----End

3.4 Managing User PasswordsThis part describes how to manage the passwords by setting and querying the password policy

or modifying the password.

3.4.1 Setting the Password Policy





3-15


16/18

The administrator can set the minimum length of the password, password complexity, maximum

times for allowing wrong passwords, and automatic unlocking period.

3.4.2 Querying the Password Policy

This part describes how to query the password policy that the user must comply with for login.

3.4.3 Changing the Password

This part describes how to change the password. All the operators can modify their own

passwords.

3.4.1 Setting the Password Policy

The administrator can set the minimum length of the password, password complexity, maximum

times for allowing wrong passwords, and automatic unlocking period.

Prerequisite

l

The local maintenance terminal (LMT) is started.l The user logs in to the GGSN9811 as an operator with the operation authority.

Context

You can set the password policy in two ways.

Procedure

l Through the menu

1. Choose Authority > Password Policy Setting...on the LMT. The Password Policy

Settingdialog box is displayed. Refer to Figure 3-7.

Figure 3-7Password Policy Settingdialog box

2. Set the minimum length of the password. The value ranges from 6 to 32.

3. Select the characters for password complexity, including lowercase letters, uppercase

letters, digits, and special characters.



Operation Guide



Issue 03 (2008-04-10)


17/18

NOTE

The special characters include the following: ~, !, @, #, $, %, ^, &, *, (, ),_, +, -, {, }, |, [, ],

\, :, , ?, ., /, and space.

The following characters are prohibited: ,, ;, =, ", and '.

The following combinations are prohibited:

l Two or more %

l Two or more Space

l Start identifiers of MML packets +++

l End identifiers of MML packets ---

4. Click OK. Then, the Password Policy Settingdialog box disappears.


1. Run SET PWDPOLICYto set the password policy for local users.

----End

3.4.2 Querying the Password Policy

This part describes how to query the password policy that the user must comply with for login.

Prerequisite



Context

For details on the password policy, see 3.4.1 Setting the Password Policy.

Procedure

Run LST PWDPOLICYto query the password policy.

----End

3.4.3 Changing the Password

This part describes how to change the password. All the operators can modify their own

passwords.

Prerequisite


l The user logs in to the GGSN9811.





3-17


18/18

Context

CAUTION

The admin user must be cautious when changing the password. The admin user cannot log in to

the LMT if the password is forgotten. The only way to log in to the LMT if the password is

forgotten is to re-install the LMT.

Procedure

Step 1 Choose Authority> Change Password...on the LMT. The Change Passworddialog box isdisplayed. Refer to Figure 3-8.

Figure 3-8Change Passworddialog box

Step 2 Enter the old password for authentication, and then enter a new password to confirm.

Step 3 Click OK. Then, the Change Passworddialog box disappears.

----End



Operation Guide



Issue 03 (2008-04-10)

Documents

01-03 Managing the Authority of the GGSN9811