Managers in the Enterprise
When the service provider deploys the EASP, the enterprise IT manager can give lower-level IT managers control over specific parts of the enterprise (known as the manager's scope or sphere of control). A sphere of control can include the entire enterprise, a whole site, or an individual access line.
Only the service provider can define sites and access lines. The EASP enables managers to be assigned at each level of the organization.
An enterprise IT manager has the greatest control—over the whole enterprise, including all subordinate sites and access lines—and decides whether to delegate control, and how much, to lower-level IT managers. An EASP can support more than one enterprise IT manager per enterprise. An enterprise IT manager uses the EASP to subscribe to and customize services. The enterprise IT manager can also make changes that affect only the lowest level in the organization.
The enterprise IT manager can define zero or more site managers, who in turn can control access to services both within one or more designated sites and for access lines contained within the hierarchy of these sites.
Enterprise IT managers and site managers (if they are granted this privilege) can define access line managers. Access line managers have control only over individual access lines; they can manage activation and deactivation of subscription offerings already established by a higher-level manager and, if granted the privilege, subscribe to services and customize service parameters.
Management Privileges
The set of privileges granted to managers defines the actions the managers can perform. Privileges apply to the manager, not the area of control. Granted a set of privileges, the manager can exercise them throughout the sphere of control. The service provider grants the initial set of privileges to the primary enterprise IT manager. For the more advanced enterprise customers, the primary enterprise IT manager typically has complete privileges. For less advanced customers, the service provider can grant a reduced set of privileges.
In their EASP view, managers can see only those sites and access lines that are defined to be within their sphere of control. Throughout the enterprise hierarchy, a higher-level manager assigns one or more of the following privileges to subordinate managers:
- Service subscription - the manager can subscribe to services.
- Parameter substitution - the manager can modify variable substitutions to affect the values that are used when a service is active.
- Subscription activation and deactivation - the manager can activate and deactivate services.
- Management of other managers - the manager can create and delete subordinate managers within their sphere of control, define the subordinate managers' sphere of control, change their passwords, and establish the privileges of subordinate managers. The manager can similarly create and delete managers with the same sphere of control.
- Read-only - the manager can view the EASP but can perform no actions. Read-only access is accomplished simply by granting the manager none of the privileges described above.
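The scope-and-privilege model above, as an added illustration (not EASP code): privileges attach to the manager and apply only within the manager's sphere of control, an empty privilege set is read-only, and a manager may create subordinates only inside their own scope. The rule that a creator cannot delegate a privilege it does not itself hold is an assumption added for delegation safety; the page does not state it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Privileges named in the EASP documentation; an empty set means read-only.
SUBSCRIBE = "service subscription"
SUBSTITUTE = "parameter substitution"
ACTIVATE = "subscription activation and deactivation"
MANAGE_MANAGERS = "management of other managers"


@dataclass(frozen=True)
class Scope:
    """A sphere of control: whole enterprise (site and access_line None),
    one site (access_line None), or a single access line."""
    enterprise: str
    site: Optional[str] = None
    access_line: Optional[str] = None

    def contains(self, other: "Scope") -> bool:
        # A scope contains itself and everything beneath it in the hierarchy.
        if self.enterprise != other.enterprise:
            return False
        if self.site is not None and self.site != other.site:
            return False
        if self.access_line is not None and self.access_line != other.access_line:
            return False
        return True


@dataclass
class Manager:
    name: str
    scope: Scope
    privileges: frozenset = field(default_factory=frozenset)


def can_perform(mgr: Manager, privilege: str, target: Scope) -> bool:
    """Both conditions must hold: the privilege was granted to this manager
    and the target lies within the manager's sphere of control."""
    return privilege in mgr.privileges and mgr.scope.contains(target)


def create_subordinate(creator: Manager, name: str, scope: Scope, privileges: set) -> Manager:
    """Create a subordinate manager; the new scope must lie within the creator's scope."""
    if MANAGE_MANAGERS not in creator.privileges:
        raise PermissionError(f"{creator.name} lacks the management-of-managers privilege")
    if not creator.scope.contains(scope):
        raise PermissionError(f"{scope} is outside {creator.name}'s sphere of control")
    if not privileges <= creator.privileges:  # assumed rule: no delegating what you lack
        raise PermissionError("cannot delegate a privilege the creator does not hold")
    return Manager(name, scope, frozenset(privileges))
```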
Auditing IT Manager Actions
The EASP IT manager audit plug-in can track actions taken by IT managers. When IT managers complete certain critical operations, such as subscribing to a service or changing the parameter substitutions on a subscription, the plug-in receives and reports these events. The report includes the type of operation, the identity of the IT manager, and important attributes about the operation. You can also write your own audit plug-in event listeners to receive and process IT manager events.
Substituting Values for Policy Parameters
The value substitution feature of the EASP gives the enterprise IT manager the ability to customize subscribed services within their sphere of control. The enterprise IT manager can be required to provide a set of substitutions that define the values for the parameters of the underlying service policies everywhere the policies are applied. Sample parameter types that might require value substitution include:
- Network - address/prefix length pairs that denote networks
- Interface - router interface specifications
- Protocol - eight-bit unsigned integers enumerating protocols such as IP, TCP, and UDP
- Rate - 32-bit unsigned integers used for rate limit and burst size calculations
For example, the service provider could offer a service to the enterprise that applies a firewall policy. The firewall policy could screen ingress traffic from a source network and redirect the screened traffic to a specific destination. The enterprise IT manager might want to specify at the time of subscription or subscription activation which source networks are involved. The service provider establishes a general policy template, in this case configuring the destination. The enterprise IT manager modifies the template via value substitution for the particular needs of the enterprise, such as providing a range of IP addresses for one or more source networks.
A different service might have an egress rate limit policy with policy rules to screen egress traffic from the source network, by protocol, or according to a traffic rate limit. Value substitution for the parameters defined in the generic policy template enables the manager to define the policy to match the needs of the enterprise.
Note that parameter names provided to one customer can be renamed by the service provider to suit the needs of another customer. For example, one customer might prefer a parameter named "department" to one named "network" because that name better fits the enterprise hierarchy.
The service provider can specify whether all parameters or only certain ones can be modified in the EASP by the enterprise IT manager via value substitution. Likewise, an IT manager can determine whether subordinate managers have the ability to modify a given service parameter. Parameters for which values cannot be substituted at a given level are said to be fixed at some higher level. For example, in the demo portal, the EASP populates drop-down lists from which the manager at that level can select values to substitute. If a parameter substitution is fixed at a higher management level, lower-level managers will not see options for substituting for that parameter in the drop-down lists on their instance of the EASP. See Parameters in SDX Objects Guide for more information.
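Value substitution with parameters fixed at a higher level, as an added example (not EASP or SDX code): a template carries typed parameters, each level substitutes values, a level may fix a parameter so that lower levels can no longer change it, and the drop-down list at a level shows only the parameters still open to it. The validation rules per parameter type and the sample interface name are assumptions constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Ordering of management levels, highest first; a parameter fixed at one level
# cannot be substituted at any level after it in this list.
LEVELS = ["provider", "enterprise", "site", "access_line"]


def check_value(ptype: str, value: str) -> bool:
    """Validate a substituted value against its parameter type (assumed rules)."""
    if ptype == "network":        # address/prefix-length pair, host bits must be zero
        try:
            ipaddress.ip_network(value, strict=True)
            return True
        except ValueError:
            return False
    if ptype == "interface":      # router interface spec: just a non-empty token here
        return bool(value) and " " not in value
    if ptype == "protocol":       # eight-bit unsigned integer
        return value.isdigit() and 0 <= int(value) <= 255
    if ptype == "rate":           # 32-bit unsigned integer
        return value.isdigit() and 0 <= int(value) <= 0xFFFFFFFF
    return False


class Template:
    """A policy template whose parameters are substituted level by level."""

    def __init__(self, params: Dict[str, str]):
        self.types = dict(params)                 # parameter name -> type
        self.values: Dict[str, str] = {}          # current substituted values
        self.fixed_at: Dict[str, Optional[str]] = {p: None for p in params}

    def substitute(self, level: str, name: str, value: str, fix: bool = False) -> None:
        if name not in self.types:
            raise KeyError(f"unknown parameter {name!r}")
        fixed = self.fixed_at[name]
        if fixed is not None and LEVELS.index(level) > LEVELS.index(fixed):
            raise PermissionError(f"{name!r} is fixed at the {fixed} level")
        if not check_value(self.types[name], value):
            raise ValueError(f"{value!r} is not a valid {self.types[name]}")
        self.values[name] = value
        if fix:
            self.fixed_at[name] = level

    def substitutable(self, level: str) -> List[str]:
        """Parameter names a manager at this level would see in the drop-down list."""
        return [p for p, f in self.fixed_at.items()
                if f is None or LEVELS.index(f) >= LEVELS.index(level)]
```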