03-11-2015 06:42 AM - edited 03-10-2019 10:32 PM
I have a client with an existing ACS 4.2 install base. In their configuration they have several ACS administrators configured so that they are only allowed to add / edit users in a particular group. The control is defined under Administration Control -> [user] -> Administrator Privileges -> Add/Edit users in these groups.
Then, you select which groups they have rights to.
I've been unable to figure out how to duplicate this restriction in ACS 5.x. The problem is that if I add an admin user to ACS 5.6 and assign them the role of UserAdmin, they can assign users to any group they please - including a group that has access to the network devices. In effect, they can circumvent the security and add themselves to a group that has control over the network devices, etc.
Is there some way to restrict their access to only being able to add/edit users in a particular group in a similar fashion to ACS 4.2?
Thanks in advance!
03-11-2015 07:08 PM
Hi Brad,
ACS 5.x has pre-defined roles, and these cannot be changed. You can create policies under Administrative Access Control, but the roles available for you to select are still the pre-defined ones, and you can choose according to your requirement.
| Role | Privileges |
|---|---|
| ChangeAdminPassword | This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators. |
| ChangeUserPassword | This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users. |
| NetworkDeviceAdmin | This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions: |
| PolicyAdmin | This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions: |
| ReadOnlyAdmin | This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources. |
| ReportAdmin | This role is intended for administrators who need access to the ACS Monitoring and Report Viewer to generate and view reports or monitoring data only. This role has read-only access on logs. |
| SecurityAdmin | This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions: |
| SuperAdmin | The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account. This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources. |
| SystemAdmin | This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions: |
| UserAdmin | This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions: |
For more details please have a look at the link below:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/admin_admin.html#pgfId-1068650
Regards,
Kanwal
Note: Please mark answers if they are helpful.
03-11-2015 08:08 PM
Kanwal -
Thank you for the response. Unfortunately, I am already aware of the pre-defined roles and was hoping that I might be missing something as the pre-defined roles are entirely too generic and do not allow the same types of restrictions that my client's previous version offered.