topic Re: ACE 4710 Domain Roles Users access & WWW discrepancy... in Application Networking

ACE 4710 Domain Roles Users access & WWW discrepancy...

will — Fri, 08 May 2009 17:17:55 GMT

I am working with Ace A1.7 image. I am attempting to setup users in a context for limited access. Here is config snippet:

domain DOM_APP

add-object serverfarm SF1

add-object probe PROBE2

add-object probe PROBE3

username appmonitor role Network-Monitor domain DOM_APP

Once setup, I _can_ login with the user above using CLI. I â€œcan and cannotâ€ do a show on the certain objects that are â€œin and not inâ€ the Domain objects list. This all works fine. I get an error if I try to do a show on non-included SF's and Probes for example. However, what is concerning:

1) I can do a "show run" while logged in as this monitor user. And I can view the entire context config! Is this normal? How do I prevent this?

2) I cannot web browse into this context with this user or any other user, even and Admin. How do you configure a limited-roles user to web browse?

TIA,

Re: ACE 4710 Domain Roles Users access & WWW discrepancy...

sachinga.hcl — Wed, 13 May 2009 10:39:34 GMT

Hi Will,

One of the most challenging problems in managing large networks is the complexity of security administration.

The ACE appliance allows you to determine the commands and resources available to each user through RBAC. In RBAC, users are associated with domains and roles.

A domain is a collection of physical and virtual network resources such as real servers and virtual servers.

User roles determine a user's privileges, such as the commands that the user can enter and the actions the user can perform in a particular context.

The ACE provides a number of predefined roles. In addition, administrators in any context can define new roles.

The ACE provides the following predefined roles, which you cannot delete or modify:

• Admin—If created in the Admin context, has complete access to, and control over, all contexts, domains, roles, users, resources, and objects in the entire ACE. If created in a user context, gives a user complete access to and control over all policies, roles, domains, server farms, real servers, and other objects in that context.

• Network Admin—Has complete access to and control over the following features:

– Interfaces

– Routing

– Connection parameters

– Network Address Translation (NAT)

– VIPs

– Copy configurations

– changeto command

• Network-Monitor—Has access to all show commands and to the changeto command. If you do not explicitly assign a role to a user with the username command, this is the default role.

• Security-Admin—Has complete access to and control over the following security-related features within a context:

– ACLs

– Application inspection

– Connection parameters

– Interfaces

– Authentication, authorization, and accounting (AAA)

– NAT

– Copy configurations

– changeto command

• Server-Appln-Maintenance—Has complete access to and control over the following features:

– Real servers

– Server farms

– Load balancing

– Copy configurations

– changeto command

• Server-Maintenance—Can perform real server maintenance, monitoring, and debugging for the following features:

– Real servers—Modify permission

– Server farms—Debug permission

– VIPs—Debug permission

– Probes—Debug permission

– Load balancing—Debug permission

– changeto command—Create permission

• SLB-Admin—Has complete access to and control over the following ACE features within a context:

– Real servers

– Server farms

– VIPs

– Probes

– Load balancing (Layer 3/4 and Layer 7)

– NAT

– Interfaces

– Copy configurations

– changeto command

• SSL-Admin—Can administer all SSL features:

– SSL—Create permission

– PKI—Create permission

– Interfaces—Modify permission

– Copy configurations—Create permission

– changeto command—Create permission

.....contd page 2

Re: ACE 4710 Domain Roles Users access & WWW discrepancy...

sachinga.hcl — Wed, 13 May 2009 10:40:20 GMT

page 2....

You can create a user and assign them privileges through RBAC as follows:

________________________________________

Step 1 Create a domain and choose network resources for the domain.

Step 2 Create a user and associate the user with the following:

• A role (predefined or custom)

• A domain

Configure RBAC using the CLI by following these steps:

________________________________________

Step 1 Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context.

host1/Admin# changeto VC_web

host1/VC_web#

Step 2 Enter configuration mode.

host1/VC_web# Config

host1/VC_web(config)#

Step 3 Create a domain for the context.

host1/VC_web(config)# domain Domain1

host1/VC_web(config-domain)#

Step 4 Allocate all objects in the VC_web context to the domain.

host1/VC_web(config-domain)# add-object all

host1/VC_web(config-domain)# exit

host1/VC_web(config)#

Step 5 Configure new user user1, and assign the predefined role TECHNICIAN and the domain Domain1 to the user.

host1/VC_web(config)# username user1 password 5 MYPASSWORD role

TECHNICIAN domain Domain1

(Have you done step 4 and 5)

________________________________________

Note The parameter 5 for password is for an MD5-hashed strong encryption password. Use 0 for a clear text password.

________________________________________

host1/VC_web(config)# exit

Step 6 Display the user and domain configurations.

host1/VC_web# show running-config role

host1/VC_web# show running-config domain

Please revert if want to discuss further as limit of 4000 chars can be posted at a time.

Kindly rate to let me access to more people if you find this of any use to you.

Sachin garg

Re: ACE 4710 Domain Roles Users access & WWW discrepancy...

sachinga.hcl — Wed, 13 May 2009 11:25:20 GMT

.....contd page 3

The following objects are user-configurable items:

•Access lists

•Defined interfaces

•Policy maps

•Health probes

•Real servers

•Server farms

•Scripts

•Sticky groups

The objects that you create are specific to the context that you are in while creating the object. If the context is partitioned into multiple domains, you allocate objects within each domain.

Kindly find the config for database roles in detail here as follows:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/ovrview.html

Re: ACE 4710 Domain Roles Users access & WWW discrepancy...

sachinga.hcl — Mon, 01 Jun 2009 17:42:29 GMT

Did you find this information of any use to you.

Kindly tell.

Sachin garg