04 02 os90314en51gla01 defining netact users exercise

OSS 5.1 CD1 Administration 1 OS9031EN51GLA00

Defining NetAct Users

Exercise Document

Issue 1.2

© Nokia Siemens Networks

1 (33)


2 (33) © Nokia Siemens Networks Issue 1.2

The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation. This documentation is intended for the use of Nokia Siemens Networks customers only for the purposes of the agreement under which the document is submitted, and no part of it may be used, reproduced, modified or transmitted in any form or means without the prior written permission of Nokia Siemens Networks. The documentation has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes customer comments as part of the process of continuous development and improvement of the documentation.

The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products are given “as is” and all liability arising in connection with such hardware or software products shall be defined conclusively and finally in a separate agreement between Nokia Siemens Networks and the customer. However, Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions. Nokia Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which may not be covered by the document.

Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO EVENT WILL NOKIA SIEMENS NETWORKS BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA,THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT.

This documentation and the product it describes are considered protected by copyrights and other intellectual property rights according to the applicable laws. The wave logo is a trademark

of Nokia Siemens Networks Oy. Nokia is a registered trademark of Nokia Corporation. Siemens is a registered trademark of Siemens AG. Other product names mentioned in this

document may be trademarks of their respective owners, and they are mentioned for identification purposes only. Copyright © Nokia Siemens Networks 2012. All rights reserved.

Contents

Issue 1.2


3 (33)

Contents

1 List User Management Tools ................................................................5

2 Creating a New Netact User ..................................................................6 2.1 Overview ..................................................................................................6 2.2 Creating a new group...............................................................................7 2.3 Attaching a role to a group .......................................................................8 2.4 Adding a scope to the group-role combination.........................................9 2.5 Running an POSIX reconciliation...........................................................10 2.6 Creating a user.......................................................................................11 2.7 Viewing the completed requests ............................................................13 2.8 Changing the password..........................................................................14 2.9 Changing the user's primary group ........................................................15 2.10 Running a GUIS reconciliation ...............................................................16 2.11 Adding a user to a GUIS group ..............................................................18 2.12 Granting profiles and views to a group...................................................20 2.13 Adding a user to a secondary group ......................................................22 2.14 Making MML sessions available for a new user.....................................23 2.15 Creating a service user ..........................................................................24 2.16 Connecting a maintenance region service user to a POSIX

group ......................................................................................................25

3 Checking User Data in LDAP and in Active Directory ......................26

4 Deleting user and accounts ................................................................27

5 Running reports with NetAct Account Manager ...............................28

6 Managing orphan accounts.................................................................31 6.1 Searching for orphan accounts ..............................................................31

7 Basic Troubleshooting: Fail to Create a New User ...........................32



Summary of changes

IIssue 1.2 2011-Dec-16 Frank-Christian Schröder corrected title and metadata

Defining NetAct User

Issue 1.2


5 (33)

1 List User Management Tools

In this exercise you will need to list all Netact applications used in user management and mention the usage of every application.

1. Application name:

Function:


Function:


Function:


Function:

5. ….

6. ….



2

2.1

Creating a New Netact User

Overview

In this exercise you create a new user and a new group that has access only to the BSS elements. The TLUI will be visible on the NetAct Start.

The following list tells you the necessary steps to accomplish this and the tools used in each step.

Creating a new user

1. Create a group. (Permission Manager)

2. Attach a role to the group. (Permission Manager)

3. Add a scope to the group-role combination. (Permission Manager)

4. Run POSIX reconciliation. (Account Manager)

5. Create a user and a user account. (Account Manager)

6. Change the password (it must be identical in all clusters). (Account Manager)

7. Assign the POSIX primary group to the user. (Account Manager)

8. Run a GUIS reconciliation (Account Manager)

9. Assign the required GUIS groups to the user. (Account Manager)

10. Grant profiles and views to the group. (User Group Profiles)

11. If needed, add the user account to the groups other than the primary group. (Permission Manager)

12. Create a service user. (Service User Management)

13. Connect the MR service user to the group. (Service User Management)

See next pages for details steps.


Issue 1.2


7 (33)

2.2 Creating a new group A new group is created in the LDAP.

Figure 1. Creating a new group

Groups are created by administrators. When creating a NetAct group, you must define the group name. The group is then inserted into the data repository. The role 'Common NetAct' allows the users to launch the NetAct Account Manager application (for example, to change their own password).

Creating a new group

1. Open the Permission Manager if not opened already.

2. From the Operations menu, select New Group…

3. In the New Group dialog, enter the name of the group.

The name must be exactly six characters long.

4. Click Create.



2.3 Attaching a role to a group

This information is updated in the LDAP.

Attaching a group to a role


2. Click the Groups tab.

3. Select the group that you have created.

4. In the Roles, Permissions and Scopes view, click Attach/Detach Roles.

5. In the Available roles list box, select the role Network Administrator.

For more information on which permissions are granted to each role, see the NED.

6. To move the selected role to the Selected roles list box, click the right-arrow icon.

7. Click Save.


Issue 1.2


9 (33)

2.4 Adding a scope to the group-role combination This information is updated in the LDAP.

Adding a scope to the group-role combination


2. Select the group that you have created.

3. From the Roles, Permissions and Scopes view, select the role Network Administrator.

4. Click Edit Scope… button.

5. Select the Maintenance Region you want to manage and click the right-arrow icon, so that the Maintenance Region is visible in the right side of the window.

6. Click Save.



2.5 Running an POSIX reconciliation The POSIX reconciliation fetches account and group information from the LDAP to ITIM.

Running a POSIX reconciliation

1. Go to the NetAct Start at https://<linas-cluster-fqdn>/netact. From the Administration folder select NetAct Account Manager. You are prompted for your user name and password.

2. Log in as itim manager. The Account Manager user interface opens.

3. Click Provisioning.

4. Click POSIX.

5. Click Reconciliation.

6. Check the check box next to any of the scheduled reconciliation tasks and click Run.

7. Click Run. The Reconciliation Units List page opens.

On this page, you can add more reconciliation units, modify or run the existing ones, or delete them.

8. Check the progress and status of your request by clicking Home and either View Pending Requests or View Completed Requests in the task bar.

?

Question: What is the purpose of reconciliation?

Answer:

?

Question: In what kind of situation you should run reconciliation?

Answer:


Issue 1.2


11 (33)

2.6 Creating a user When creating a user, the NetAct Account Manager creates three accounts for the user: POSIX, GUIS and ITIM service.

The POSIX and ITIM service accounts are created in the Netscape Directory Server, and the GUIS account is created in the Windows Active Directory.

Creating a user

1. Open the NetAct Account Manager if not opened already.

2. In the Main Menu Navigation bar, click My Organisation.

3. Click Add.

4. Select Person from the Type of Person to Add drop-down menu and click Submit.

5. Fill in the desired personal and corporate information.

6. The required fields are marked with a red asterisk. On the My Organization main screen, the users are organized based on the Full Name field. If you fill in any information in the User ID field, it will be used to create the user name for the user. Otherwise, the user name is created based on the user's first and last name.

Figure 2. Creating a user



7. Click Submit. The Schedule date to add new person page opens.

8. To schedule the creation immediately, click Submit or select an effective time and date, and then click Submit.

The new user information is now stored in the Netscape Directory Server.

Figure 3: User accounts

? Question: What is the purpose of different accounts?

Answer:


Issue 1.2


13 (33)

2.7 Viewing the completed requests Click Home and either View Pending Requests or View Completed Requests in the task bar.

The information is fetched from the LDAP repository.

Figure 4: View Completed Request

? Question: What information do you get from View Completed Requests for your account creation? Answer:



2.8 Changing the password When creating the user the Account Manager does not give a password to the new user. Therefore this step is needed. Change the user's password in the LDAP and Active Directory with the following procedure.

Figure 5. Changing the password

Changing the password

1. Click the name of the user whose password you want to change.

2. Click Manage passwords.

3. Type the new password.

Note

Do not tick the Create password box.

4. Click Submit.


Issue 1.2


15 (33)

2.9 Changing the user's primary group This information is updated in the LDAP.

Before changing the user’s primary group check the Primary group and Groups settings in the Account Manager for the user that you have created. What are the group settings right after the user creation?

Changing the user's primary group

1. In the Account Manager, click My Organisation.

2. Click the name of the user whose account you want to modify.

A list of options appears.

3. Select Manage Accounts. The Account Management page opens.

4. Click the name of the POSIX account (that is, the service account created for the POSIX service). The Modify Account page opens.

5. Next to the Primary Group field, click Search.

6. Insert an asterisk (*) to the search field and click Search.

7. Select the group that you have created and click Add and Done.

8. Click Submit. The Modify Service page opens.

9. Select Schedule Immediately if it is not already selected, and click Submit.


To verify that the necessary configurations have been done, you should now see the following two links in the new user’s home directory:

lrwxrwxrwx 1 root root 35 Mar 13 14:57 conf -> /etc/opt/nokia/oss/conf/group/sysop

lrwxrwxrwx 1 root root 36 Mar 13 14:57 view -> /etc/opt/nokia/oss/custom/view/sysop



2.10 Running a GUIS reconciliation The purpose of the GUIS reconciliation is to synchronize the NetAct Account Manager with the Windows Active Directory information.

Running a GUIS reconciliation

1. Click Provisioning.

2. Click GUIS.

3. Click Reconciliation.

4. Check the check box next to any of the scheduled reconciliation tasks and click Run.


Figure 6. Running a GUIS reconciliation


Issue 1.2


17 (33)

Figure 7. The GUIS Menu



2.11 Adding a user to a GUIS group This procedure updates the group information in the Windows Active Directory.

We want the new user to be able to use the Top Level User Interface (TLUI) and other Motif-X applications. These applications are started from the GUIS.

Therefore, we have to add the user to the GUIS group that has a permission to use the TLUI. To find out which groups have this permission, see the document Managing Users, in NED.

Add a new user to the Monitoring Engineer GUIS group in the Account Manager.

? Question: Before that login to the NetAct Start as a user that you have just created. Try to open the Top Level User Interface. What happens? Answer:

Adding a user to a GUIS group

1. Open the NetAct Account Manager from NetAct Start page if not opened already.

2. Select My Organisation.

3. Select the user you have created.

4. Click Manage Account.

5. Click the User ID of the GUIS service.

6. From the Group information, click Search and select Monitoring Engineer. Click Add and Done.

7. Click Submit.

Check the progress and status of your request by clicking Home and either View Pending Requests or View Completed Requests in the task bar.


Issue 1.2


19 (33)

Figure 8. Adding a user to a GUIS group



2.12 Granting profiles and views to a group These changes are stored in the Oracle database.

Granting profiles and views to a group

1. Open the User Group Profiles application from the NetAct Start page.

2. Select the desired group from the list.

3. From the Action menu, select View/Profile Management.

Figure 9. Granting profiles and views to a group


Issue 1.2


21 (33)

Figure 10. View/Profile Management of a Group

4. Select guiman in the Applications window and other in the Profiles window. This way you allow the users in the other profile to be able to use the Top Level User Interface.

5. Repeat the same modifications for guiloc application.

6. To set views for a group, select the default view (Default.vie) from the Available list box and click the right-arrow icon.

The default view is now visible in the Selected list box.

7. Click Modify.

8. Exit the User Group Profiles application.



2.13 Adding a user to a secondary group The information on the user and the group is updated in the LDAP.

When users are added to groups, they automatically receive all the permissions of those groups.

1. Open the Permission Manager.

2. Click the Groups tab.

3. Select a group that is not the primary group of the user that you have created.

4. Click the Group users view, if it is not already active.

5. In the Available users list box, select the user you have created.

6. To move the selected user to the Selected Users list box, click the right-arrow icon.

7. Click Save.

8. In the Account Manager check what are the user’s Groups for the POSIX account. If only the primary group is listed, you need to run the POSIX reconciliation to refresh the information in the Account Manager.


Issue 1.2


23 (33)

2.14 Making MML sessions available for a new user

Making MML sessions available for a new user

1. Log into a Connectivity Server as the omc user.

2. Go to the directory $ETCROOT/copspf/conf

3. Take a backup of the cnxdcnmx.cf file by copying the file to the $NMSCUSTOMDIR directory:

[omc]$ cp -p cnxdcnmx.cf $NMSCUSTOMDIR/cnxdcnmx.cf.backup

4. Open the cnxdcnmx.cf file by entering the editcf command.

5. Add the new user group to the BSC node.

6. Save the changes and close the file.

7. Re-read the configuration file by entering $OMCROOT/bin/cnxreconfigmx.perl.

This script performs two functions. Firstly, it starts the cnxcheckdcnmx.pl script and ensures that the syntax of the cnxdcnmx.cf file is correct. If errors are found, re-reading is cancelled.

Secondly, it searches for the c4xcsxmx Connection Server process and displays a notice listing the process found and its process identifier (PID) An example is listed below.

Checking Connection Server’s DCN configuration file

File OK

Process c4xcsxmx was found. Pid is <12345>

Reconfiguration with current configuration file (Y/N)?

8. Type y and press ENTER. The process re-reads the configuration file and the new settings take effect



2.15 Creating a service user The service user information is stored in the Oracle database.

Creating a service user

1. Under the Administration task of the NetAct Start page, select Service User Management.

2. Login as an omc user.

3. Select File New.

4. Fill in the fields and click OK.

Figure 11. Creating a service user


Issue 1.2


25 (33)

2.16 Connecting a maintenance region service user to a POSIX group

Connecting a maintenance region service user to a group

1. In the Service User Management, select File Disconnect/Connect.

2. Select the group you have created in the Groups list. Then choose the maintenance region to which this group will have access.

3. Select the Service User you have just created from the available MR Service Users.

4. Click Connect.

5. Click Close.

6. Click Update to update the information in the network.

Figure 12. Connecting a maintenance region service user to a group



3 Checking User Data in LDAP and in Active Directory

Open Jxplorer from NetAct Start Administration category.

Check your newly created accounts with JXplorer.

1. What information is stored in LDAP directory for POSIX account?

Answer:

2. What information is stored in LDAP directory for ITIM Service account?

Answer:

3. What information is stored in Active Directory for GUIS account?

Answer:


Issue 1.2


27 (33)

4 Deleting user and accounts

Deleting the user and checking results

Delete the user you have created in these exercises.

Instructions can be found in NED.

Perform the search with keywords Deleting users.

1. Was deletion successful? See Completed Request in Account Manager.

Answer:

2. Check the user account information in LDAP. Were your user accounts (POSIX, ITIM Service) removed from LDAP?

Answer:

3. What is the difference in "Deleting user accounts" and "Deleting users"?

Answer:



5 Running reports with NetAct Account Manager

TASK: Run an Operation Report for your user account activities using NetAct Account Manager reporting functionality.

Figure 13: Account Manager Reports

Instructions can be found in Help of NetAct Account Manager.


Issue 1.2


29 (33)

Figure 14: Reports Help

Perform the search with keywords report types.

Scroll down in the help page and search help how to run an Operation Report.

Run an Operation Report using Account Add as an operation.

1. Was your report creation successful?

Answer:

2. What kind of information you can see in your report?

Answer:



An example of running report:

Figure 15: example of running report

An example report::

Figure 16: example of a report


Issue 1.2


31 (33)

6

6.1

Managing orphan accounts

Searching for orphan accounts

In this exercise, we will practise the searching for orphan accounts with NetAct Account Manager. We will also analyse which orphan accounts could be deleted and which not.

Note

Don’t delete any orphan account without asking from the trainer.

There are several orphan Oracle accounts which are necessary for NetAct. They should’t be deleted!

See instructions in NED. Use key words orphan account.

1. How can you check if there are orphan accounts in NetAct?

Answer:

2. What kind of orphan accounts you can see in NetAct?

Answer:

3. Which orphan accounts should not be deleted and why?

Answer:



7 Basic Troubleshooting: Fail to Create a New User

Please keep in mind that you access the system with very high privileges. So please be very careful when performing any action on the system. Always think about the implications of the action you are going to perform next. If you are not sure, please ask your trainer.

Thank you.

Overview

In this exercise, you create a new user account using NetAct Account Manager. Verify whether you’re able to create all new user accounts successfully. If not, you should be able to describe the problem, find the root of cause by analysing the log files and find the clues in NED, and solve the problem. You should be able to create a new user account successfully.

Please wait until your trainer asks you to proceed with the exercise. And also tell your trainer if you have found the solution.

1. Start the NetAct™ Account Manager and log in as user itim manager.

2. Create a new user with the User ID user<n>.

3. Check if the creation was successful.

4. If not, start the troubleshooting.


Issue 1.2


33 (33)

Description and symptoms of the problem:

Log files checked:

Information found in NED:

Cause of the problem:

Solution to the problem:

04 02 os90314en51gla01 defining netact users exercise

Documents

nokia siemens networks

contents issue

mentioned hardware

new netact user

customer comments

software products

product names

new group