Idle User Timeout; Superuser Password And Login Privileges; Table 5-3 Ons 15600 Sdh User Idle Times - Cisco ONS 15600 Reference Manual

5.2.2 Security Policies

5.2.2.2 Idle User Timeout

Each ONS 15600 SDH CTC or TL1 user has a specified amount of time to leave the system idle before
the CTC window locks. CTC lockouts prevent unauthorized users from making changes. Higher-level
users have shorter idle times and lower-level users have longer or unlimited default idle periods, as
shown in
Table 5-3
Security Level
Superuser
Provisioning
Maintenance
Retrieve

5.2.2.3 Superuser Password and Login Privileges

A Superuser can perform ONS 15600 SDH user creation and management tasks from the network or
node (default login) view. In network view, a Superuser can add, edit, or delete users from multiple nodes
at one time. In node view, a Superuser can only add, edit, or delete users from that node.
Superuser password and login privilege criteria include:
•
•
•
•
•
•
Cisco ONS 15600 SDH Reference Manual, Release 9.0
5-6
Table 5-3. Superusers can change user idle times on the Provisioning > Security > Policy tab.
ONS 15600 SDH User Idle Times
Default Idle Time
15 minutes
30 minutes
60 minutes
Unlimited
Privilege level—A Superuser can change the privilege level (such as Maintenance or Provisioning)
of a user ID while the user is logged in. The change will become effective the next time the user logs
in and will apply to all nodes within the network.
Login visibility—Superusers can view real-time lists of users who are logged into a node (both CTC
and TL1 logins) by retrieving a list of logins by node. A Superuser can also log out an active user.
Password length, expiration and reuse—Superusers can configure the password length through NE
defaults. The password length, by default, is set to a minimum of six and a maximum of 20. You can
configure the default values in node view through Provisioning > Defaults > Node > security >
passwordComplexity default selector. The minimum length can be set to eight, ten or twelve
characters, and the maximum length to 80 characters. The password must be a combination of
alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two characters are
nonalphabetic and at least one character is a special character. Superusers provision password reuse
periods (the number of days before a user can reuse a password) and reuse intervals (the number of
passwords a user must generate before reusing a password).
User lockout settings—A Superuser can manually lock out or unlock a user ID.
Invalid login attempts—A Superuser sets the number of invalid login attempts a user can make
before the user ID is locked out. Additionally, the Superuser sets the time interval the user ID is
locked out after the user reaches the login attempt limit.
Single Session Per User—If the Superuser provisions a user ID to be active for a single occurrence
only, concurrent logins with that user ID are not allowed.
Chapter 5 Security
78-18400-01