Security Manager

4 Security Manager

With administrator privileges, Security Manager allows you to do the following:

Create and manage user groups.
Configure security authorization levels, policies and privileges for user groups.
Provide specific access controls for individual user groups, views, and operations.
Limit access to specific features and functionality for specific users.
Configure audit log parameters.

Configure User Groups

A user group is a logical construct that the Oracle® Session Delivery Management Cloud ( Oracle SDM Cloud) uses to specify the authorization privileges that users assigned to certain groups inherit. Oracle SDM Cloud automatically adds the roles directly to the user roles on the Identity and Access Management (IAM) portal.

The Oracle SDM Cloud provides three default User Groups.

Administrators
Provisioners
Monitors
While you cannot modify the default User Groups, you can add and modify customized User Groups to create your own authorization policies. When you add a new User Group, Oracle SDM Cloud automatically adds the group to your IAM.

Note:
Do not add a new role to your Oracle SDM Cloud application through IAM. If you require a new role on the Oracle SDM Cloud application, add a new group using Security Manager in Oracle SDM Cloud.

Add a User Group

Once you've added a new user group in the Oracle® Session Delivery Management Cloud (Oracle SDM Cloud), which will appear as a new role in Identity and Access Management (IAM) and Access Management (IAM). Once you have assigned a user to a role, that user will inherit the group-based privileges.

Expand the Security Manager slider and select User management, Groups.
On the User Groups page, click Add.

On the Add Group screen, complete the following fields:

Group name field

The user group name. Use the following guidelines for naming this group:

Use a minimum of three characters and maximum of 50.
The name must start with an alphabetical character.
You are allowed to use alphanumeric characters, hyphens, and underscores.
The user group name is case insensitive.
The user group must be unique.
This name cannot contain spaces.

Group permissions copy from drop-down list

Copy existing privileges by choosing from the following default user groups. By selecting a user group from this drop-down, the privileges from the selected group are copied to the newly created group. By default, if no value is selected, the group is created with all privileges set to None.

None—Manually configure privileges for this user group.
administrators—This super user group is privileged to perform all operations.
provisioners—This group is privileged to configure Oracle SDM Cloud and save and apply the configuration.
monitors—This group is privileged to view configuration data and other types of data only. This group cannot configure Oracle SDM Cloud, and has the fewest privileges.

Note:

This value creates a copy of privileges to be applied to the new group. However, once a group is created, you can go back and customize those privileges at any time.

Click Apply.
You are returned to the User Groups table where the new user group has been added. If you navigate to your IAM portal, you will see a new user role for that security group has already been added.

Delete a User Group

Expand the Security Manager slider and select User management, Groups.
On the Groups page, choose the (non-default) user group that you want to delete from the User Groups table and click Delete.
In the Delete confirmation dialog box, click Yes to delete this user group.
The user group is removed from the User Groups table.
In the success dialog box, click OK.

Apply or Change User Group Privileges

You can apply privileges to user groups that you add to allow or deny all users within this user group the ability to perform certain operations. This includes items intended for use with separate Oracle SDM Cloud managers. For the default administrators, provisioners, and monitor user groups, only device group privileges can be changed.

User group privileges that are assigned to the administrators user groups inherit most of the same access privileges.

All user group privileges that are available through Oracle SDM Cloud are described in the following sections.

Apply User Group Privileges for Configuration

Expand the Security Manager slider and select User management, Groups.
In the User Groups pane, select the group you want to modify from the User Groups table and click Edit.
In the expanded group pane, click the Configuration tab and click the folder and subfolder sliders to expand the item operations list.
Select the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.

In the Privileges drop-down list, select the following user group privilege options for folders or items in the Configuration tab table described below:

Full—Allowed to perform administrative operations.
None—Not allowed to perform administrative operations.
View—Allowed to monitor only.

Note:

The fields described below appear if all features are enabled.

Configuration folder

Set privilege levels for all configuration operations.

Device configuration folder

Set privilege levels for all of the following user management operations accessible on the Configuration Manager slider.

Configure services item

Set privilege levels for host-in-path (HIP) firewall functions that are allowed to pass administrative traffic to the host.

Configure interfaces item

Set privilege levels for FTP, ICMP, SNMP, Telnet, and SSH interfaces.

Configure NM controls item

Set privilege levels for network management controls performance group pane.

Configure security item

Set privilege levels for the Security Manager features.

Configure system item

Set privilege levels for the configuration of system usage parameters.

Offline Configuration item

Set privilege levels for offline configuration functionality.

Load device item

Set privilege levels for loading a device.

Override lock item

Set privilege levels for overriding a lock on a device.

Transfer configuration view item

Set privilege to transfer user device configuration modifications from one user to another.

Update to device item

Set privilege levels for saving and activating the configuration of a device.

Configuration archive item

Set privilege levels for backing up configurations, restoring configurations, and deleting archived configurations in the configuration archive.

Click Apply.

Apply User Group Privileges for Device Maintenance

Expand the Security Manager slider and select User management, Groups.
In the User Groups pane, select the group you want to modify from the User Groups table and click Edit.
Select the Device Maintenance tab to modify user group privileges and click on the folder and subfolder sliders to expand the item operations list.
Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.

In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Device Maintenance tab table described below:

Full—The user group is allowed to reboot a device.
None—The user group is not allowed to reboot a device.
View—The user is allowed to view reboot device work orders.

Reboot

Reboot the device.

Override Lock On Device

Override the lock on a device.

Software Upgrade

Create, delete, or modify software upgrade work orders.

Click Apply.

Apply User Group Privileges for the Administrative Operations

Expand the Security Manager slider and select User management, Groups.
In the User Groups pane, choose the group you want to modify from the User Groups table and click Edit.
In the expanded group pane, click the Administrative operations tab and click the folder and subfolder sliders to expand the item operations list.
Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.

In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Administrative operations tab table described below:

Full—(Default) Allowed to perform administrative operations.
None—Not allowed to perform administrative operations.
View—Allowed to monitor only.

Administrative operations folder

Set privilege levels for all of the following administrative operations.

Security administration folder

Set privilege levels for all of the following user management operations accessible on the Security Manager slider.

Group operations item

Set privilege levels to add a new user group and to modify and delete existing user groups from Security Manager.

Device group item

Set privileges for all functions pertaining to a device group within the Device Manager, including adding, deleting, moving, and renaming device groups.

Device item

Set privileges for functions pertaining to a device within the Device Manager and Configuration Manager, including adding a new device and moving and deleting an existing device.

View all audit logs item

View all audit logs.

View own audit log item

View only personal audit log.

Change audit log auto purge interval item

Configure the number of days of audit logs to keep.

Export audit logs item

Export all of an audit log to a file.

Manual audit log purge item

Manually purge audit logs.

Site item

Create and manage Sites.

Click Apply.

Apply User Group Privileges for Fault Management Operations

Expand the Security Manager slider and select User management, Groups.
In the User Groups pane, choose the group you want to modify from the User Groups table and click Edit.
Click the Fault management tab and click the folder and subfolder sliders to expand the item operations list.
Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.

In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Fault management tab table described below:

Full—Allowed to perform event or alarm operations.
None—Not allowed to perform event or alarm operations.
View—Allowed to monitor only.

Fault management folder

If the None privilege is chosen, the Fault Manager slider does not appear in the Oracle SDM Cloud GUI.

Events and Alarms folder

Assign the privileges for all of the following event and alarm operations accessible on the Fault Manager slider.

Alarms item

Assign the privileges for the alarm operations, including deleting alarms and editing the alarm severity levels under the Alarms and Trap Event Settings tabs.

Events item

Assign the privileges for the event operations, including deleting events, under the Events tab.

Click Apply.

Apply User Group Privileges for Device Groups

Use this task to apply user-group privileges for device groups that appear on the Device Manager slider.

Expand the Security Manager slider and select User management, Groups.
In the User Groups pane, select the group you want to modify from the User Groups table and click Edit.
Click the Device groups tab.

In the Device groups box table, complete the following fields:

Include children check box

(Optional) Check the check box to select all children of the device group. Next select either Set all to None or Set all to Full have no privileges or full privileges respectively for the children of the device group.

Set all to None button

Set all Device groups to have no privileges.

Set all to Full button

Set all Device groups to have full privileges.

The Preview box displays the device group based on the privileges that are assigned (Full, View, None).

Repeat the previous step for other device groups (if there are any).
Click Apply.

Apply User Group Privileges for Application Management Operations

Expand the Security Manager slider and select User management, Groups.
In the User Groups pane, choose the group you want to modify from the User Groups table and click Edit.
Click the Applications tab and click the folder and subfolder sliders to expand the item operations list.
Choose the item row in the operation category table that you want to modify and click the Privileges column to activate the drop-down list.

In the Privileges drop-down list, choose the following user group privilege options for folders or items in the Applications table described below:

Full—Allowed to perform application management options.
None—Not allowed to perform application management operations.
View—Allowed to monitor only.

Applications folder

Allows access to Dashboard Manager, Monitoring Manager, and Route Manager options.

Dashboard Manager folder

Set the privileges for all the dashboard and portlet customization operations on the Dashboard Manager slider.

Dashboard Customization item

Allows access to the dashboard designer and portlet designer for custom dashboards and portles.

Monitoring Manager folder

Assign privileges for all of the operations related to monitoring an OCSM.

Calls item

Set privileges for the add, edit, copy, and apply filters used to filter the Recent Calls table, accessible on the Monitoring Manager slider.

Note:

Users with View permissions only are able to view and apply filters.

Admin folder

Set the privilege for the Admin permissions. If None is selected, the does not appear under Monitoring Manager.

ME Recent Call Access item

Allows the user to disable the ME and to set the time range to fetch the recent calls from OCSM.

Route Manager folder

Assign the privileges for all the operations related to managing routes.

Route set item

Sets privileges to manage routes and route sets, manage templates, and manage device associations.

Audit Logs

You can use the audit log (containing audit trails) generated by Oracle SDM Cloud to view performed operations information, which includes the time these operations were performed, whether they were successful, and who performed them when they were logged into the system.

Note:

Audit logs contain different information depending on the feature functionality.

Audit trails include the following information:

The user who performed the operation.
What operation was performed by the user.
When the operation was performed by the user.
Whether the operation performed by the user was successful or failed.

View and Save an Audit Log

The audit log tracks user-initiated events. The following list describes some examples of user events that are audit logged in Oracle SDM Cloud:

User logins and logouts.
Managed devices are added.
Device groups are added.
Oracle Communications Session Delivery products are loaded.
An element is added, deleted, or modified.
A device is rebooted.
Configurations are saved or activated.

Expand the Security Manager slider and select Audit log, View.

In the Audit log pane, click Set Columns to select all columns you want to view in the Audit Log table. The following table lists and describes all columns available view:

Username field

The name of the user who performed the operation.

Time field

The time stamp for when the operation was performed by the user.

Category field

The category of operation performed by the user. For example, Authentication.

Operation field

The specific operation performed by the user.

Status field

The status of the operation performed by the user, whether it was successful or failed.

Device field

The name of the device that the user performed an operation upon.

Network function field

The NF name.

Description field

The description of the operation performed.

Sequence number field

The audit log reference number.

Click OK to accept your selections or Reset to close the Set Columns dialog box and ignore any changes.
To see details for a specific user entry, select an entry row in the table and click Details or double-click the row.
In the Audit log details dialog box, the information described in the table above is displayed for the specified user entry.
Click OK.
Click Save to file to open the audit log file or save it to a file.

Note:
The downloaded CSV file is limited to 250 entries.

Search the Audit Log

Expand the Security Manager slider and select Audit log, View.
In the Audit log pane, click Search.

In the Audit Log Search dialog box, complete some or all of the following fields to search the audit log:

Username field

Choose the name of the user who performed the operation.

Category drop-down list

Choose the category of operation performed by the user. For example, Authentication.

Operation box

Chose the specific operation performed by the user.

Device

The name of the device that the user performed an operation upon.

Status

The status of the operation performed by the user, whether it was successful or failed.

Start Time

Choose a start time from the calendar.

End Time

Choose an end time from the calendar.

Click OK.

Schedule Audit Log Files to be Purged Automatically

Expand the Security Manager slider and select Audit log, Purge.
In the Purge audit logs pane, specify the number of days of audit logs that are kept in the Interval in days field. The minimum configurable value is 2 days.
Click Apply.

IAM

The Identity Access Management page provides unique IDs needed to connect the Oracle® Session Delivery Management Cloud (Oracle SDM Cloud) to the Identity and Access Management (IAM). The IDs provided include the following:

Oracle SDM Cloud FQDN
Oracle SDM Cloud Tenant ID
IDCS FQDN
IDCS Tenant ID
Management Cloud Engine (MCE) IDCS client ID
MCE IDCS client secret
This information is required as input when installing and setting up the MCE on-premises. For more information, see the Oracle SDM Cloud Installation Guide.