Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2
78-19417-01
Chapter 5 Security
User Privileges and Policies
5.2.2.1 Superuser Privileges for Provisioning Users
Superusers can grant permission to Provisioning users to perform a set of tasks. The tasks include
retrieving an audit log, restoring a database, clearing performance monitoring (PM) parameters, and
activating and reverting software loads. These privileges, except the PM clearing privilege, can only be
granted using CTC network element (NE) defaults. See Appendix C, “Network Element Defaults” for
more information. To grant the PM clearing privilege using CTC, click the Provisioning > Security >
Access tabs. For more information about setting up Superuser privileges, refer to the “Change Node
Settings” chapter in the Cisco ONS 15310-MA SDH Procedure Guide.
5.2.2.2 Idle User Timeout
Each ONS 15310-MA SDH CTC or TL1 user can be idle during his or her login session for a specified
amount of time before the CTC window is locked. A lockout prevents unauthorized users from making
changes. Higher-level users have shorter default idle periods and lower-level users have longer or
unlimited default idle periods, as shown in Table 5-3. The user idle period can be modified by a
Superuser; refer to the “Change Node Settings” chapter in the Cisco ONS 15310-MA SDH Procedure
Guide for instructions.
5.2.2.3 User Password, Login, and Access Policies
Superusers can view real-time lists of users who are logged in via CTC or TL1 for each node. Superusers
can also provision the following password, login, and node access policies:
• Password length, expiration and reuse—Superusers can configure the password length using NE
defaults. The password length, by default, is set to a minimum of six and a maximum of 20
characters. You can configure the default values in CTC node view using the Provisioning > NE
Defaults > Node > security > password Complexity tabs. The minimum length can be set to eight,
ten, or twelve characters, and the maximum length to 80 characters. The password must be a
combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #, %) characters, where at least two
characters are nonalphabetic and at least one character is a special character. Superusers can specify
when users must change their passwords and how frequently passwords can be reused.
• Login attempts and locking out users—Superusers can specify the maximum number of times that
a user can unsuccessfully attempt to log in before being locked out of CTC. Superusers can also
provision the length of time before the lockout is removed.
• Disabling users—Superusers can provision the length of time before inactive user IDs are disabled.
• Node access and user sessions—Superusers can limit the number of CTC sessions one user can have,
and they can prohibit access to the ONS 15310-MA SDH using the LAN connection.
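The password composition rule described above can be checked offline before credentials are provisioned. The following is an added example, not Cisco code and not part of the manual. It assumes that characters outside the two listed classes are rejected, that a special character counts toward the two nonalphabetic characters, and that the only maximum lengths are the 20 and 80 named in the text; the function names and violation codes are hypothetical.

```python
import string

SPECIALS = set("+#%")  # special characters named in the text
ALNUM = set(string.ascii_letters + string.digits)
MIN_CHOICES = {6, 8, 10, 12}  # default 6; settable to 8, 10 or 12
MAX_CHOICES = {20, 80}        # default 20; settable to 80


def check_password(password, min_len=6, max_len=20):
    """Return violation codes for one password; an empty list means it passes."""
    if min_len not in MIN_CHOICES or max_len not in MAX_CHOICES:
        raise ValueError("length limits are not values the text describes")
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if len(password) > max_len:
        problems.append("too_long")
    # Assumption: characters outside the two listed classes are rejected.
    if set(password) - ALNUM - SPECIALS:
        problems.append("bad_chars")
    # Digits and specials both count as nonalphabetic (this example's reading).
    nonalpha = sum(c in string.digits or c in SPECIALS for c in password)
    if nonalpha < 2:
        problems.append("few_nonalpha")
    if not SPECIALS & set(password):
        problems.append("no_special")
    return problems


def audit(candidates, **limits):
    """Map each candidate to its violations, keeping only the failures."""
    results = {p: check_password(p, **limits) for p in candidates}
    return {p: v for p, v in results.items() if v}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real node.
    samples = ["optical#1", "abc12", "password%", "node!2024#"]
    for pw, why in audit(samples).items():
        print(f"{pw!r}: {', '.join(why)}")
    print(audit(samples, min_len=12, max_len=80))
```
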
Table 5-3 Default User Idle Times

Security Level    Idle Time
Superuser         15 minutes
Provisioning      30 minutes
Maintenance       60 minutes
Retrieve          Unlimited