Expert Reference Series of White Papers
Role-Based Access Control in Avaya Aura System Manager 6.2
Jose Gaona, Global Knowledge Principal Instructor
Introduction
Before describing the process of creating a role and how to assign this new role to a user, let’s pause for a minute and review the concepts and functionality of Avaya Aura System Manager. Avaya Aura System Manager provides centralized administration for multiple instances of Avaya Aura Session Manager and Avaya Aura Communication Manager. It is also designed to manage all Avaya Aura components – present and future – and all Third-Party Supported Applications and Services.
Avaya Aura System Manager
Avaya Aura System Manager centralizes provisioning, maintenance, and troubleshooting to simplify and reduce management complexity and solution servicing, and it delivers a set of management services that you can access using the System Manager common console.
Upon initial installation, Avaya Aura System Manager requires a first-time login using the admin account. The default password for accessing the System Manager common console is admin123. The account name remains the same, but the password must be changed on the initial login. The admin account is already created within System Manager and is associated by default with the System Administrator Role, which is one of the “out-of-the-box” default roles and gives the “admin” total access to any user, application/element, or Network Service available via the System Manager main screen, also referred to as the Dash Board.
A customer may choose to continue to use this account and password to subsequently administer any and all Elements and Network Services available via the System Manager Dash Board. However, this may not necessarily be the best practice due to the level of access given to this account.
Typically a small customer with one or two administrators may use the admin account; but, as the company grows, the number of users, applications, and services grows along with it. It may be necessary to create additional users with different levels of access and permissions. To accomplish this, we assign the user to one of the existing default roles that provides the level of access and permissions needed, or we can create a new custom role with the specific settings for the user.
When you log in using the admin account you already have, among other privileges, the ability to create Roles. You do not have to create a custom role for every new administrator. It is possible to assign the same role to multiple users.
It is also possible to assign multiple roles to the same user, which provides you with a great level of flexibility. Let’s say, for example, that you have a “right hand” person with a high degree of responsibilities, but he also has a large number of subordinates. Instead of creating a powerful role for this user, you could create several roles, assign all roles to this user and then reassign one or several of these roles to his subordinates without giving them the same level of access as your “right hand” person.
Now that you have an understanding of Avaya Aura System Manager and its relation to other products on the network, let’s explore the steps required for the creation of a new role.
Creating a New Role
Creating a new role can be summarized in the following 5 steps. Keep in mind we will discuss these steps in more detail later.
1. Give the new role a name and a description. The name should be in accordance with the resources and/or network services accessible via its permissions (e.g., CM administrator, User Administration, etc.).
2. Add mapping. Mapping relates to the inclusion of Elements and Network Services accessible via the role. There is no limit on what Elements and Network Services can be mapped to a role. However, you can’t access an Element if the Element is not being managed by System Manager. For example, an instance of Communication Manager may be present in your Enterprise without being a Managed Element of System Manager.
3. Assign actions. Actions define what a role can perform on an attribute. Examples of actions are: view, edit, delete, etc.
4. Define attributes. Attributes are fields of data associated with an Element or Network Service. For example, a role is mapped to users as a resource; the action is only to edit, and the attribute is first name. As a result, an administrator assigned to this role would be able to access all users, but only be able to edit the user’s first name and nothing else.
5. Commit the new role. Once committed, the new role will appear on the list of roles, but it has not
The degree of detail assigned to a role depends on the customer’s criteria regarding the level of access and permissions.
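The role structure summarized in these steps (mapping, actions, attributes), together with the earlier point about giving one user several narrow roles, can be modeled as a small permission check. This is an added illustration, not Avaya code or a System Manager API; the role names, the element names cm-main and cm-branch, and the function names are assumptions.

```python
# Conceptual model only: not Avaya code and not a System Manager API.
from dataclasses import dataclass, field

ALL = "ALL"  # selected actions apply to every attribute of the resource

@dataclass(frozen=True)
class Mapping:
    resource: str          # element or network service mapped to the role
    actions: frozenset     # e.g. view, edit, delete
    attributes: frozenset  # fields of data, or {ALL}

@dataclass
class Role:
    name: str
    description: str
    mappings: list = field(default_factory=list)

def is_allowed(roles, managed, resource, action, attribute=None):
    """True if any assigned role permits action on attribute of resource.
    attribute=None asks only whether the action is granted on the resource
    (for resource types without attributes, such as operations)."""
    if resource not in managed:  # unmanaged elements are never reachable
        return False
    for role in roles:
        for m in role.mappings:
            if m.resource != resource or action not in m.actions:
                continue
            if attribute is None or ALL in m.attributes or attribute in m.attributes:
                return True
    return False

def excess_grants(roles, needed):
    """Grants held through roles beyond the (resource, action, attribute)
    triples the job needs: the input to a least-privilege review."""
    granted = {(m.resource, a, attr) for r in roles for m in r.mappings
               for a in m.actions for attr in m.attributes}
    return granted - set(needed)

# Constructed sample data; element names are hypothetical.
MANAGED = {"users", "cm-main"}  # "cm-branch" exists but is not managed
NAME_EDITOR = Role("First Name Editor", "Edit users' first name only",
                   [Mapping("users", frozenset({"edit"}), frozenset({"first name"}))])
CM_ADMIN = Role("CM administrator", "Administer Communication Manager",
                [Mapping("cm-main", frozenset({"view", "edit"}), frozenset({ALL})),
                 Mapping("cm-branch", frozenset({"view"}), frozenset({ALL}))])
RIGHT_HAND = [NAME_EDITOR, CM_ADMIN]  # several narrow roles on one user
SUBORDINATE = [NAME_EDITOR]           # one of those roles reassigned

if __name__ == "__main__":
    print(is_allowed(SUBORDINATE, MANAGED, "users", "edit", "last name"))
    print(sorted(excess_grants(RIGHT_HAND, [("users", "edit", "first name")])))
```

Running `excess_grants` against the permissions a job actually requires shows which mappings a user holds beyond that need, which is the question to ask before leaving anyone on the System Administrator role.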
1. To initiate the role creation process, you must first log in using the admin account. If this is the first time using the admin account, you must change the default password.
© 2012 Avaya, Inc. All rights reserved, Page 7
Slide: Login – Change Password First. Warning: You must change password before logging in for the first time! Login shown: admin / admin123.
After successful login, the System Manager Dash Board will appear.
Slide: System Manager Navigation: The SMGR Home Page, showing current log on info, context sensitive help, and task oriented panels.
Go to the Users-oriented panel/Groups and Roles/Roles. The role screen will display a list of all the “out-of-the-box” roles and any customized roles previously created.
Slide: SMGR Roles: Out-of-the-Box Roles. The System Administrator role is an out-of-the-box role. It has permission (keys) to almost all SMGR resources, operations and groups.
Select New, and then Add and provide a name and a description appropriate with the permissions associated with the role.
Slide: SMGR Roles: Custom Roles. We can create custom roles that provide permissions to specific resources, operations and groups.
2. Click on Add Mapping to determine the Elements and Network Services accessible via this Role.
Slide: Elements and Network Services
The Elements / Services Categories are organised into 4 subsets:
● All Elements by Type
● Individual Element by name
● Network Services
● Individual Resource by name
Here is another example of the mapping screen.
3. Select Actions. Now that the Elements and Network Services that will be accessible via this role have been defined by mapping, the next step is to determine what can be done with the attributes.
Slide: Permissions to Take Action and Change Attributes
● An Attribute maps directly to a field of data
– E.g., a user’s Last Name
● An Action determines what can be done with the Attribute, i.e. permissions to:
– View
– Edit
– Delete
– etc.
Selecting ALL has the effect of permitting the selected Actions on all attributes.
4. Select Attributes. Attributes allow you to define the capabilities of a role even further by selecting the exact attributes (fields of data) the role can access. Not all resource types have attributes (e.g., operations). Attributes are selected on the same screen as actions.
5. Commit. Once the name, resource mapping, actions, and attributes have been configured, the last step is to commit. This will automatically add the new role to the list of existing roles, but it is not assigned to a user yet.
Note: It is also possible to copy an existing role and then modify the copy. This will simplify the creation of new
Assign a Role to a User
To assign a role to a user, you must log in to System Manager, navigate to User Management > Manage, select the user you wish to assign the role to, select the Membership tab, and assign the role. The last step is to Commit the new role.
Slide: Users: Roles & Groups – Membership Tab
Mostly for Administration:
● Roles determine which SMGR resources a user can access (typically an administrator user)
● Groups are for organising resources (including users) into subset groups.
● Need to understand ‘Resources’ and ‘Operations’ in order to understand Roles – coming next
Now log out from the admin account and log in with the new account. You will notice that, based upon the permissions, some of the links may appear in a gray color. This indicates the areas of the System Manager Dash Board that you do not have access to via this particular new Role.
Slide: System Manager Navigation: The SMGR Home Page. Task oriented panels: User tasks, Element tasks, Network services, General.
With the ability to successfully login to System Manager, you have access to the following.
System Manager Tools
• Common Console. A browser-based console that provides a central access point for accessing all management needs: user administration, network routing policy, monitoring, security, etc.
• User Administration. Provides a single interface for provisioning users on Avaya Aura Session Manager, Avaya Aura Communication Manager, and Avaya Modular Messaging currently, and Presence Services and other Avaya Aura components in the future.
• Dial Plan Administration. Central administration of enterprise-wide dial plans across multi-vendor PBX environments. Phone number adaptations can be uniquely created for each location or PBX supporting up to 24 digits.
• Network Routing. Create system-wide dialing rules to cost-effectively route calls using the enterprise’s on-net IP network including:
- Enterprise-wide least cost routing
- Enterprise-wide time of day routing
- Tail end hop off
- Toll avoidance
• Network Routing Verification Tool. In support of network routing, Avaya Aura System Manager
• Event and Fault Management. A platform for centralized logs and alarms, helping ensure that all the supported entities in the network can contribute to a single, central repository for viewing items for the enterprise.
System Manager Benefits
• Single Point of Management. End-to-end view, single unified console with workflow-based management.
• Less Complexity. Reduces complexity of operations for distributed multi-site networks with multiple control points.
• Better Data Consistency. Integrated provisioning to reduce configuration errors.
• Faster Deployment. Accelerate application integration with standards-based interfaces.
• Lower Total Cost of Ownership (TCO). Reduces TCO and service support costs through automation of time-consuming, error-prone tasks.
• Less Training. Better skill set re-use and increased productivity through easy-to-use tools.
• More Value. Increases the value of convergence through tight integration with the enterprise IT infrastructure (identity, security, directory, single sign on).
Conclusion
Now that we have explored the steps necessary to create new roles and how to assign them to users, you should understand the benefits and flexibility of Avaya Aura System Manager coupled with the level of security it provides. System Manager Role Based Access Control (RBAC) offers an extensive level of granularity that allows you to configure as many as 250 administrators, 50 of which can log in simultaneously, allowing for efficient and controlled administration of all Elements and Network Services within your Enterprise.
Learn More
To learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge, Global Knowledge suggests the following courses:
System Manager Administration (R6.1) (5U00080)
Session Manager and System Manager Administration Boot Camp (R6.1) (5U00082)
Session Manager Administration (R6.1) (5U00081)
Avaya Aura® System Manager Implementation, Administration, Maintenance, and Troubleshooting (R6.2) (5U00095)
Avaya Aura® Session Manager Implementation, Administration, Maintenance, and Troubleshooting (R6.2) (5U00096)
Avaya Aura® Session and System Manager Implementation, Administration, Maintenance, and Troubleshooting (R6.2) (5U00097)
Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.
About the Author
Jose Gaona has been in Telecommunications for 32 years. He has been a Principal Technical Instructor for Global Knowledge since 1989. He has held positions as Field Engineer and Marketing Manager for the Latin America and Caribbean regions. His trajectory dates back to the days of TDM Telephony and his experience has evolved with new Technologies such as VOIP and ancillary Applications such as Voice Messaging, PSTN gateways and many other applications. Jose is certified on the products associated with the courses he teaches.