Overview of Configuring Subscribers and Subscriptions
This section gives an overview of configuring subscribers and subscriptions for the SRC software.
LDAP Model for Subscribers
The Subscriber model provides a set of relationships between subscribers and managed services. You can view subscriber objects in the directory at o=Users, o=umc, which is the location for a default installation of the SRC software. If you install the sample data, you can see examples of subscriber configurations with SDX Admin.
For detailed information about the SRC LDAP schema, see the documentation in the SRC software distribution in the folder /SDK/doc/ldap or on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx
Subscriber objects have the following classes:
- Residential subscribers—A residential subscriber has the object class umcUser, a subclass of inetOrgPerson. The object class inetOrgPerson is derived from the X.500 classes organizationalPerson and person.
- Enterprise subscribers—Enterprise subscribers have the object class umcEnterprise. An enterprise subscriber can contain site subscribers that have the object class umcSite. Enterprises and sites contain access subscribers. Accesses have the object class umcAccessServiceProfile.
- Router subscribers—Router subscribers have the object class umcRouterSubscriber.
- Subscriber folders—A subscriber folder has the object class organizationalUnit. The object immediately subordinate to a retailer must be a subscriber folder. Subscriber folders can also be subordinate to enterprises, accesses, and sites.
- Retailers—Retailer objects have the object class umcRetailer.
- Auxiliary classes—The SRC software attaches the auxiliary class umcSubscriber to residential and enterprise subscribers to identify these objects as subscribers. The auxiliary class is created when the subscriber is added to the directory; this class holds general information about the subscriber, such as contact and billing information.
Subscriptions
A subscription is an object in the directory that represents an enrollment to a service. Each subscription provides access to a particular service for that subscriber. A subscriber can have multiple subscriptions to a service. Table 24 shows the types of subscriptions you can configure for each type of subscriber.
If the service provider uses the SRC directory to hold all its subscriber data, residential subscribers must subscribe to primary services—such as Broadband Remote Access Server (B-RAS) through Point-to-Point Protocol (PPP) or B-RAS through Dynamic Host Configuration Protocol (DHCP)—before subscribing to a value-added service.
Enterprise subscribers must subscribe to an access service (that is, a leased line), either directly or in a site or subscriber folder that is subordinate to the enterprise. Without an access subscription, a service session cannot run in the network.
Retailers can subscribe to outsourced services if a service provider sources the access out through tunneling (Layer 2 Tunneling Protocol [L2TP] or PPP Terminated Aggregation [PTA]).
Specifying the Activation Order for Subscriptions
Service providers and customers can specify the order in which the SAE activates subscriptions that are set up to activate on login for a particular subscriber. To specify the order, you define a numerical precedence for the activation of each subscription. The SAE activates services in ascending order of precedence; if multiple services have the same precedence, the SAE activates them in an unspecified order.
You can configure the activation order with SDX Admin (see Value-Added Subscription Fields) or the Enterprise Manager Portal.
LDAP Model for Subscriptions
The subscriber and service models provide a set of relationships between the subscribers and the managed services, including subscriptions.
When a residential or enterprise subscriber subscribes to a service, which could be either a primary service or a value-added service, a general service profile with subscriber-specific service information is assigned to the subscriber.
For example, when a residential subscriber subscribes to a primary service such as B-RAS, a RADIUS profile (umcRadiusPerson) is created and assigned to the subscriber. Value-added service profiles (sspServiceProfile) are created if the subscriber also subscribes to a value-added service.
You can create service profiles (umcRadiusPerson, umcAccessServiceProfile, sspServiceProfile, and umcOutsourceServiceProfile) with a directory client, such as SDX Admin.
An access subscription is the same object as an access subscriber. An access has two roles:
- A subscription to an access service. (The subscription to an access service makes it possible to trigger workflows for the service.)
- A subscriber to value-added services.
For detailed information about the SRC LDAP schema and graphics of the object models, see the documentation in the SRC software distribution in the folder /SDK/doc/ldap or on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx
Operators
This section describes operators for subscribers and subscriptions. You can also configure operators for various SRC components. For information about setting up a multilayered access control scheme for operators, see SRC-PE Integration Guide, Chapter 10, Access Control Scheme.
In relation to subscribers and subscriptions, an operator is an object in the directory that represents an IT manager in an organization. Retailers, subscriber folders, enterprises, sites, and accesses can support one or more operators.
When you add an enterprise with SDX Admin, the software creates a default operator for that enterprise. You can add additional operators for enterprises and create operators for retailers, subscriber folders, sites, and accesses.
You can also add an operator that has control over all retailers. See Operators That Control All Retailers.
Read Privileges
Operators have privileges to read:
- The objects they control
- Parent subscribers, up to the retailer
- Subscriptions of parent subscribers, up to the retailer
- All objects that represent services, service scopes, policies, and global variables that are defined for the subscriber to which the operator is added
Management Privileges
You can specify one or more management privileges for operators. If you do not specify privileges for an operator, the operator has only read privileges. The default operator that SDX Admin adds to an enterprise has the highest privilege level, called administrator. Table 25 shows the privilege levels and the privileges associated with the levels.
Add, delete, and modify substitutions in subscribers and subscriptions
An operator has management privileges for its associated subscriber and for that subscriber's subordinate objects. For example, operators in an enterprise have control over the enterprise and all sites and accesses in the enterprise. Similarly, operators in a site have control over the site and all accesses it contains. Operators in an access have control over only that access.
For example, in the directory shown in Figure 27, the operator substitutionMgr:
- Can manage substitutions of the site called Ottawa and its subordinate objects.
- Has read access to all services, service scopes, policies, and global variables that are defined for the site called Ottawa.
- Has read access to the site called Ottawa and its subordinate objects.
- Has read access to the parent subscribers: the enterprise ABCInc, the subscriber folder local, and the retailer default.
- Has read access to the subscriptions of the parent subscribers.
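The scoping rules above can be checked mechanically when reviewing operator grants. The following is an added example, not part of the SRC software or its documentation: it models directory objects as name paths starting at the retailer, and the privilege label "substitutions" and the names "line1" and "Toronto" are hypothetical. Read access to services, service scopes, policies, and global variables is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Operator:
    name: str
    home: tuple                            # path of the subscriber the operator is added to
    privileges: frozenset = frozenset()    # empty means read-only, as the page states

def _is_prefix(a, b):
    return 0 < len(a) <= len(b) and b[:len(a)] == a

def relation(op, target):
    """Classify a target path (retailer first) relative to the operator's subscriber."""
    if _is_prefix(op.home, target):
        return "controlled"                # the subscriber itself or a subordinate object
    if _is_prefix(target, op.home):
        return "parent"                    # a parent subscriber, up to the retailer
    return "unrelated"                     # e.g. a sibling site: in neither list

def can_read(op, target):
    # Read covers controlled objects plus parent subscribers and their subscriptions.
    return relation(op, target) in ("controlled", "parent")

def can_manage(op, target, privilege):
    # Management never extends upward: only the home subscriber and what is below it.
    return relation(op, target) == "controlled" and privilege in op.privileges

# Constructed paths using the Figure 27 names; "line1" and "Toronto" are hypothetical.
OTTAWA = ("default", "local", "ABCInc", "Ottawa")
MGR = Operator("substitutionMgr", OTTAWA, frozenset({"substitutions"}))  # label assumed

def audit(op, targets, privilege):
    """Return {path: (read, manage)} so an over-broad grant is easy to spot."""
    return {t: (can_read(op, t), can_manage(op, t, privilege)) for t in targets}

if __name__ == "__main__":
    sample = [OTTAWA, OTTAWA + ("line1",), OTTAWA[:3], OTTAWA[:1],
              OTTAWA[:3] + ("Toronto",)]
    for path, (r, m) in audit(MGR, sample, "substitutions").items():
        print("/".join(path), "read" if r else "-", "manage" if m else "-")
```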
Operators That Control All Retailers
You can add operators that have control over all retailers and their subordinate enterprises. You add this type of operator in o=Operators, o=umc. The directory controls the operator's access to other objects in the directory.
LDAP Model for Operators
The Operator model provides a set of relationships between operators and the managed services and subscriptions. Operators have the object class umcOperator, a subclass of the object class person.
For detailed information about the SRC LDAP schema, see the documentation in the SRC software distribution in the folder /SDK/doc/ldap or on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx
Tools for Adding Subscribers and Subscriptions
The way you add and manage subscribers depends on your SRC configuration. If you have a large base of subscribers, you will probably manage subscribers through your own database and map it to the SRC LDAP schema with a data integrator (see SRC-PE Integration Guide, Chapter 9, Integrating Data with the LDAP Directory) or another metadirectory technique. However, if you are working with a small number of subscribers, you can use SDX Admin to add subscribers to the SRC directory. In practice, you can use SDX Admin to configure subscriber bases when you are:
- Demonstrating or testing an SRC configuration with a small number of subscribers.
- Working with retailers to whom you supply Internet services, because the number of retailers will probably be fairly small, and the retailers will manage their own subscribers.
- Working with residential subscribers that you categorize by services purchased into a small number of groups. You add these groups of subscribers, rather than the individual subscribers, to the SRC directory.
Inheritance of Properties and Subscriptions
Subordinate subscribers inherit properties and value-added subscriptions from their parent subscribers, unless you specify a different value for the subordinate. Properties that a subscriber can inherit include the maximum number of concurrent logins and the session timeout. For example, if you configure a subscription to a video service for an enterprise and configure a different subscription to the same video service for a site within that enterprise, the site uses its own subscription rather than the inherited subscription. RADIUS and access subscriptions are not inherited.
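The inheritance rule above, combined with the precedence rule from Specifying the Activation Order for Subscriptions, determines which services actually start for a subscriber at login. The following is an added example, not SRC code: the sample directory, the subscription labels, and the kind names are constructed, and it assumes that a service configured at a lower level replaces every inherited subscription to that same service.

```python
from dataclasses import dataclass
from itertools import groupby

INHERITABLE_KINDS = {"value-added"}   # RADIUS and access subscriptions are not inherited

@dataclass(frozen=True)
class Subscription:
    label: str                  # constructed name, used only to tell entries apart
    service: str
    kind: str                   # "value-added", "radius" or "access" (assumed labels)
    precedence: int = 0
    activate_on_login: bool = True

ENTERPRISE = ("default", "local", "ABCInc")
SITE = ENTERPRISE + ("Ottawa",)

# Constructed sample directory: subscriber path -> subscriptions configured there.
DIRECTORY = {
    ENTERPRISE: [
        Subscription("ent-video", "video", "value-added", precedence=20),
        Subscription("ent-firewall", "firewall", "value-added", precedence=10),
        Subscription("ent-audit", "audit", "value-added", precedence=10),
        Subscription("ent-line", "leased-line", "access", activate_on_login=False),
    ],
    SITE: [Subscription("site-video", "video", "value-added", precedence=5)],
}

def effective_subscriptions(directory, path):
    """Walk from the retailer down to `path`; nearer definitions replace inherited ones."""
    by_service = {}
    for depth in range(1, len(path) + 1):
        level, own = path[:depth], depth == len(path)
        here = {}
        for sub in directory.get(level, []):
            if own or sub.kind in INHERITABLE_KINDS:
                here.setdefault(sub.service, []).append(sub)
        by_service.update(here)   # a service configured here overrides the parent's
    return [s for subs in by_service.values() for s in subs]

def activation_batches(subs):
    """Ascending precedence; order inside one batch is unspecified, so return sets."""
    on_login = sorted((s for s in subs if s.activate_on_login),
                      key=lambda s: s.precedence)
    return [(p, {s.label for s in grp})
            for p, grp in groupby(on_login, key=lambda s: s.precedence)]
```

Returning each precedence level as a set keeps callers from depending on an ordering between subscriptions that share a precedence, which the SAE does not guarantee.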
Encryption Methods for Passwords
You can encrypt passwords for some types of subscribers and subscriptions. You must use an encryption method that your directory supports. Table 26 shows the encryption methods that different directories support.