Idle User Timeout; Superuser Password And Login Privileges - Cisco ONS 15600 Reference Manual

5.2.2 Security Policies

5.2.2.2 Idle User Timeout

Each ONS 15600 CTC or TL1 user has a specified amount of time to leave the system idle before the
CTC window locks. CTC lockouts prevent unauthorized users from making changes. Higher-level users
have shorter idle times and lower-level users have longer or unlimited default idle periods, as shown in
Table
Table 5-3
Security Level
Superuser
Provisioning
Maintenance
Retrieve

5.2.2.3 Superuser Password and Login Privileges

A Superuser can perform ONS 15600 user creation and management tasks from the network or node
(default login) view. In network view, a Superuser can add, edit, or delete users from multiple nodes at
one time. In node view, a Superuser can only add, edit, or delete users from that node.
Superuser password and login privilege criteria include:
•
•
•
•
•
•
Cisco ONS 15600 Reference Manual, R8.0
5-6
5-3. Superusers can change user idle times on the Provisioning > Security > Policy tabs.
ONS 15600 User Idle Times
Default Idle Time
15 minutes
30 minutes
60 minutes
Unlimited
Privilege level—A Superuser can change the privilege level (such as Maintenance or Provisioning)
of a user ID while the user is logged in. The change will become effective the next time the user logs
in and will apply to all nodes within the network.
Login visibility—Superusers can view real-time lists of users who are logged into a node (both CTC
and TL1 logins) by retrieving a list of logins by node. A Superuser can also log out an active user.
Password length, expiration and reuse—Using NE defaults, Superusers can configure the password
length. The password length, by default, is set to a minimum of six and a maximum of 20 characters.
You can configure the default values in node view with the Provisioning > NE Defaults > Node >
security > password Complexity tabs. The minimum length can be set to eight, ten, or twelve
characters, and the maximum length can be set to 80 characters. The password must be a
combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two
characters are nonalphabetic and at least one character is a special character. Superusers provision
password reuse periods (the number of days before a user can reuse a password) and reuse intervals
(the number of passwords a user must generate before reusing a password).
User lockout settings—A Superuser can manually lock out or unlock a user ID.
Invalid login attempts—A Superuser sets the number of invalid login attempts a user can make
before the user ID is locked out. Additionally, the Superuser sets the time interval the user ID is
locked out after the user reaches the login attempt limit.
Single Session Per User—If the Superuser provisions a user ID to be active for a single occurrence
only, concurrent logins with that user ID are not allowed.
Chapter 5 Security