

Setting Up Security Profiles


This chapter covers the following topics:
Understanding Security profiles
Configuring a Security profile
Activating a Security profile
Using the Full Access profile

Understanding Security profiles

A Security profile consists of parameters you can set to control access to the MAX. All Security profiles are located below the Security menu of the System profile in the MAX configuration interface. Table 2-1 lists the parameters in a Security profile.

Table 2-1. Security profile parameters

Each entry below gives the parameter, what it specifies, and its possible values.

Name
    Specifies: Name for the profile.
    Possible values: Text string of up to 16 characters. The default value is null.

Passwd
    Specifies: Password.
    Possible values: Text string of up to 20 characters. The default value is null.

Operations
    Specifies: Enable/disable read-only security.
    Possible values: Yes (the default), No

Edit Security
    Specifies: Level of privileges for editing Security profiles.
    Possible values: Yes (the default), No

Edit System
    Specifies: Level of privileges for editing the System profile and the Read Comm and R/W Comm parameters in the Ethernet profile.
    Possible values: Yes (the default), No

Edit Line
    Specifies: Operator can/cannot edit Line profiles.
    Possible values: Yes (the default), No

Edit All Ports
    Specifies: Operator can/cannot edit all Port profiles.
    Possible values: Yes (the default), No

Edit Own Port
    Specifies: Operator can/cannot edit his or her own Port profile.
    Possible values: Yes (the default), No
    Note: The No setting is ineffective unless you also set Edit All Ports=No.

Edit All Calls
    Specifies: Operator can/cannot edit all the parameters in all Call profiles and Connection profiles.
    Possible values: Yes (the default), No
    No specifies that an operator can edit only the Dial # and Base Ch Count parameters in the current Call profile.

Edit Com Call
    Specifies: Operator can/cannot edit Call profiles that are not specific to any serial host port (such profiles are known as common Call profiles).
    Possible values: Yes (the default), No
    Note: The No setting is ineffective unless you also set Edit All Calls=No.

Edit Cur Call
    Specifies: Indicates whether an operator can edit all the parameters in the current Call profile.
    Possible values: Yes (the default), No
    No specifies that an operator can edit only the Dial # and Base Ch Count parameters in the current Call profile. To disable editing of the Dial # and Base Ch Count parameters, you must set Edit Cur Call=No and Edit All Calls=No.

Edit Own Call
    Specifies: Operator can/cannot edit the Call profile that defines the connection between his or her MAX and the MAX being remotely managed over an AIM channel.
    Possible values: Yes (the default), No
    Note: The No setting is ineffective unless you also set Edit All Calls=No.

Sys Diag
    Specifies: Indicates whether an operator can perform all system diagnostics.
    Possible values: Yes (the default), No

All Port Diag
    Specifies: Indicates whether an operator can perform all serial host port diagnostics.
    Possible values: Yes (the default), No

Own Port Diag
    Specifies: Indicates whether an operator can perform port diagnostics for his or her own serial host port.
    Possible values: Yes (the default), No
    To completely disable the operator's ability to perform diagnostics for his or her own port, you must set Own Port Diag=No and All Port Diag=No.

Download
    Specifies: Indicates whether an operator can download the configuration of the MAX using the Save Cfg command.
    Possible values: Yes (the default), No
    Note: Whether you choose Yes or No, a user cannot download passwords to another device.

Upload
    Specifies: Indicates whether an operator can upload the MAX configuration from another device using the Restore Cfg command.
    Possible values: Yes (the default), No
    Note: When you save a configuration to file, passwords are not included in the download, so restoring from file clears all passwords in the MAX.

Field Service
    Specifies: Level of privileges for performing field service operations, such as uploading new system software.
    Possible values: Yes (the default), No

Configuring a Security profile

To configure a Security profile, proceed as follows:

  1. Open the System > Security menu.

  2. Open any Security profile.

  3. Set Name to a descriptive designation for the profile.

    You can enter up to 16 characters. For example:

  4. Specify a password value of up to 20 characters for the Passwd parameter.

  5. Set the Operations parameter to enable or disable read-only security.

    Yes allows a user to view MAX profiles and to change the value of any parameter. The default value is Yes.

    No permits a user to view MAX profiles, but not to change the value of any parameter. If you specify No, a user cannot access most DO commands. Only DO Esc, DO Close Telnet, and DO password are available.

  6. Set the Edit Security parameter to grant or restrict privileges to edit Security profiles.

    Yes grants privileges. When you specify Yes, a user can edit Security profiles, and can access all other operations permitted in his or her active Security profile. In addition, all passwords in Security profiles are visible as text. This privilege is the most powerful one you can assign, because it allows users to change their own privileges. The default value is Yes.

    No restricts privileges. When Edit Security=No, all passwords are hidden by the string "*SECURE*."

    Note: Do not set the Edit Security parameter to No on all nine Security profiles. If you do, you cannot edit any of them.

  7. Set the Edit System parameter to grant or restrict privileges to edit the System profile and the Ethernet profile.

    Yes allows an operator to edit the System profile, and to edit the Read Comm and R/W Comm parameters in the Ethernet profile. The default value is Yes.

    No restricts edit privileges.

  8. Set the Edit Line parameter to indicate whether an operator can edit Line profiles.

    Yes enables an operator to edit Line profiles. The default value is Yes.

    No prevents an operator from editing Line profiles.

  9. Set the Edit All Ports parameter to indicate whether an operator can edit all Port profiles.

    Yes specifies that an operator can edit all Port profiles by local or remote management. The default value is Yes.

    No specifies that an operator cannot edit Port profiles.

  10. Set the Edit Own Port parameter to indicate whether an operator can edit his or her own Port profile.

    Yes specifies that the operator can use remote management to edit the Port profile for the port that has been called. The default value is Yes.

    No specifies that an operator cannot edit his or her own Port profile. To keep an operator from editing his or her own Port profile, you must set Edit Own Port=No and Edit All Ports=No.

  11. Set the Edit All Calls parameter to indicate whether an operator can edit all the parameters in all Call profiles and Connection profiles.

    Yes specifies that an operator can edit all the parameters in all Call profiles and Connection profiles through Telnet, through local management (the Control port), or through remote management. The default value is Yes.

    No specifies that an operator can edit only the Dial # and Base Ch Count parameters in the current Call profile. To disable editing of the Dial # and Base Ch Count parameters, you must set Edit All Calls=No and Edit Cur Call=No.

  12. Set the Edit Com Call parameter to indicate whether an operator can edit Call profiles that are not specific to any serial host port.

    Call profiles not specific to any serial host port are known as common Call profiles. Numbers 201 through 216 denote port-specific Call profiles. Numbers 217 through 232 denote common Call profiles.

    Yes specifies that an operator can edit common Call profiles by local or remote management. The default value is Yes.

    No specifies that an operator cannot edit common Call profiles. To keep an operator from editing common Call profiles, you must set Edit Com Call=No and Edit All Calls=No.

  13. Set the Edit Own Call parameter to indicate whether an operator can edit the Call profile that defines the connection between the user's MAX and the MAX being remotely managed over an AIM channel.

    Yes specifies that the operator can edit the Call profile. The default value is Yes.

    No specifies that an operator cannot edit the Call profile. To keep an operator from editing the Call profile between a local and a remotely managed MAX, you must set Edit Own Call=No and Edit All Calls=No.

  14. Set the Edit Cur Call parameter to indicate whether an operator can edit all the parameters in the current Call profile.

    Yes specifies that an operator can edit all the parameters in the current Call profile by local or remote management. Yes is the default.

    No specifies that an operator can edit only the Dial # and Base Ch Count parameters in the current Call profile. To disable editing of the Dial # and Base Ch Count parameters, you must set Edit Cur Call=No and Edit All Calls=No.

  15. Set the Sys Diag parameter to indicate whether an operator can perform all system diagnostics.

    Yes specifies that an operator can use any of the options in the Sys Diag menu by local or remote management. The default value is Yes.

    No specifies that an operator cannot use any of the options in the Sys Diag menu.

  16. Set the All Port Diag parameter to indicate whether an operator can perform all serial host port diagnostics.

    Yes specifies that an operator can perform all the tasks listed in the Port Diag menu. The default value is Yes.

    No specifies that an operator cannot perform any of the tasks listed in the Port Diag menu.

  17. Set the Own Port Diag parameter to indicate whether an operator can perform port diagnostics for his or her own serial host port.

    Yes specifies that an operator can use remote management to perform any of the options in the Port Diag menu for the port that has been called. The default value is Yes.

    No specifies that the operator cannot perform port diagnostics for his or her own serial host port. To completely disable the operator's ability to perform diagnostics for his or her own port, you must set Own Port Diag=No and All Port Diag=No.

  18. Set the Download parameter to indicate whether an operator can use the Save Cfg command to download the configuration of the MAX.

    Yes specifies that a user can download profiles and other configuration parameters to another device for backup. The default value is Yes.

    No specifies that an operator cannot download profiles and other configuration parameters.

    Note: Whether you choose Yes or No, you cannot download passwords to another device.

  19. Set the Upload parameter to indicate whether an operator can use the Restore Cfg command to upload the MAX configuration from another device.

    Yes specifies that the user can upload profiles and other configuration parameters from another device to the MAX. You must set Upload=Yes in order to use the Restore Cfg command. The default value is Yes.

    No specifies that the user cannot upload profiles and other configuration parameters from another device to the MAX.

    Note: When you save a configuration to file, passwords are not included in the download, so restoring from file clears all passwords on the MAX.

  20. Set the Field Service parameter to grant or restrict privileges to perform Ascend-provided field service operations, such as uploading new system software.

    Yes grants privileges. The default value is Yes.

    No restricts privileges. Selecting No does not disable access to any MAX operations. Field service operations are special diagnostic routines not available through MAX menus.

  21. Close the new Security profile.

Activating a Security profile

When you log into the MAX, you can only view settings, because the Default profile is active. To make any changes or perform any administrative tasks, you must activate the Full Access profile or a profile that has been configured to allow setup or administrative tasks.

To activate a profile, follow these steps:

  1. Press Ctrl-D to open the DO menu.

  2. Press P, or select P=Password.

  3. In the list of Security profiles that opens, select the profile you want to activate.

    The MAX prompts you for the password.

  4. Specify the appropriate password, and press Enter.

    When you enter the correct password, the MAX displays the message "Password accepted. Using new security level." If you enter an incorrect password, the MAX prompts you again for the password.

Using the Full Access profile

The Full Access profile is the superuser profile, which allows you to configure your system, dial remote locations, reset the unit, and upgrade system software. This profile is intended to remain totally open, with all privileges set to Yes. The default password assigned to the profile is Ascend. A user who knows the password for the Full Access profile can perform any operation on the MAX.


Note: To prevent unauthorized access, change the default password as soon as possible.

Following are the default settings for the Full Access profile:

Name=Full Access
Passwd=Ascend
Operations=Yes
Edit Security=Yes
Edit System=Yes
Edit Line=Yes
Edit All Ports=Yes
Edit Own Port=N/A
Edit All Calls=Yes
Edit Com Call=N/A
Edit Own Call=N/A
Edit Cur Call=N/A
Sys Diag=Yes
All Port Diag=Yes
Own Port Diag=N/A
Download=Yes
Upload=Yes
Field Service=Yes
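
The dependencies between privileges described in this chapter (a narrow No that needs a broader No as well, the Edit Security lock-out, and the default Full Access password) can be checked mechanically when reviewing a set of profiles. The following is an added example, not Ascend code; the dict representation of a profile, the function names, and the sample profiles are assumptions made for illustration.

```python
# Added example, not Ascend code. A profile is modelled as a dict of
# parameter name -> value; that representation is an assumption.
DEFAULT_FULL_ACCESS_PASSWD = "Ascend"  # default password stated in this chapter

# narrow parameter -> broad parameter: the chapter states that No on the
# narrow one only restricts the operator when the broad one is also No.
REQUIRES_ALSO_NO = {
    "Edit Own Port": "Edit All Ports",
    "Edit Com Call": "Edit All Calls",
    "Edit Own Call": "Edit All Calls",
    "Own Port Diag": "All Port Diag",
}

def audit_profile(profile):
    """Return findings for one profile; omitted privileges default to Yes."""
    def value(key):
        return profile.get(key, "Yes")
    findings = []
    for narrow, broad in REQUIRES_ALSO_NO.items():
        if value(narrow) == "No" and value(broad) == "Yes":
            findings.append(f"{narrow}=No needs {broad}=No as well")
    if profile.get("Name") == "Full Access":
        if profile.get("Passwd") == DEFAULT_FULL_ACCESS_PASSWD:
            findings.append("Full Access still uses the default password")
    elif value("Edit Security") == "Yes":
        findings.append("Edit Security=Yes: users can change their own privileges")
    if not profile.get("Passwd"):
        findings.append("Passwd is null")
    return findings

def audit_all(profiles):
    """Audit every profile and check the lock-out case across the whole set."""
    report = {p.get("Name", f"#{i}"): audit_profile(p) for i, p in enumerate(profiles)}
    if profiles and all(p.get("Edit Security", "Yes") == "No" for p in profiles):
        report["(all)"] = ["Edit Security=No on every profile: none can be edited"]
    return report

# Constructed sample input (not taken from a real unit).
SAMPLE_PROFILES = [
    {"Name": "Full Access", "Passwd": "Ascend"},
    {"Name": "Operator", "Passwd": "constructed-pw", "Edit Security": "No",
     "Edit All Ports": "Yes", "Edit Own Port": "No",
     "Edit All Calls": "No", "Edit Com Call": "No"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PROFILES).items():
        print(name, findings)
```

Only the parameter pairings this chapter states explicitly are encoded; Edit Cur Call is left out because its No setting has its own documented effect.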




techpubs@ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.