ACS 5.x Add / Edit Users in specific groups only

bradwilliams
Level 1

I have a client with an existing ACS 4.2 install base. In their configuration they have several ACS administrators configured so that they are only allowed to add / edit users in a particular group. The control is defined under Administration Control -> [user] -> Administrator Privileges -> Add/Edit users in these groups.

Then, you select which groups they have rights to.

I've been unable to figure out how to duplicate this restriction in ACS 5.x. The problem is that if I add an admin user to ACS 5.6 and assign them the role of UserAdmin they can assign users to any group they please - including a group that has access to the network device. In effect, they can circumvent the security and add themselves to a group that has control over the network devices, etc.

Is there some way to restrict their access to only being able to add/edit users in a particular group in a similar fashion to ACS 4.2?

Thanks in advance!

2 Replies

Kanwaljeet Singh
Cisco Employee

Hi Brad,

ACS 5.x has pre-defined roles and they cannot be changed. You can create policies under administrative access control, but the roles available for you to select are still pre-defined, and you can choose according to your requirement.

Predefined Role Descriptions (Role: Privileges)

ChangeAdminPassword

This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.

ChangeUserPassword

This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.

NetworkDeviceAdmin

This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:

  • Read and write permissions on network devices
  • Read and write permissions on NDGs and all object types in the Network Resources drawer

PolicyAdmin

This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:

  • Read and write permissions on all the elements used in policies, such as authorization profile, NDGs, IDGs, conditions, and so on
  • Read and write permissions on services policy

ReadOnlyAdmin

This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface.

This role has read-only access to all resources.

ReportAdmin

This role is intended for administrators who need access to the ACS Monitoring and Report Viewer to generate and view reports or monitoring data only.

This role has read-only access on logs.

SecurityAdmin

This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:

  • Read and write permissions on internal protocol users and administrator password policies
  • Read and write permissions on administrator account settings
  • Read and write permissions on administrator access settings

SuperAdmin

The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

SystemAdmin

This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:

  • Read and write permissions on all system administration activities except for account definition
  • Read and write permissions on ACS instances

UserAdmin

This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:

  • Read and write permissions on users and hosts
  • Read permission on IDGs


For more details please have a look at the link below:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/admin_admin.html#pgfId-1068650

Regards,

Kanwal

Note: Please mark answers if they are helpful.
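
To make the difference between the two models concrete, here is an added illustration (not ACS code and not an ACS API): it models the ACS 4.2 "Add/Edit users in these groups" scope check next to the unscoped ACS 5.x UserAdmin check, and shows the compensating audit a 5.x deployment is left with. The admin, user and identity-group names are constructed for the example.

```python
"""Scoped vs. unscoped user-admin checks, modelled after the thread above.

Added example only: ACS does not expose these functions, and every name
(helpdesk, NetworkDeviceAdmins, the event tuples) is constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple


@dataclass
class Admin:
    name: str
    roles: Set[str] = field(default_factory=set)
    # ACS 4.2-style "Add/Edit users in these groups"; None means no scoping,
    # which is what the ACS 5.x UserAdmin role amounts to.
    allowed_groups: Optional[Set[str]] = None


def can_assign_5x(admin: Admin, group: str) -> bool:
    """ACS 5.x semantics: UserAdmin has read/write on users and read on
    every IDG, so the target group is never checked."""
    return bool({"UserAdmin", "SuperAdmin"} & admin.roles)


def can_assign_scoped(admin: Admin, group: str) -> bool:
    """ACS 4.2-style semantics: user-admin right AND group inside the
    admin's allowed list. SuperAdmin stays unrestricted."""
    if "SuperAdmin" in admin.roles:
        return True
    if "UserAdmin" not in admin.roles:
        return False
    return admin.allowed_groups is not None and group in admin.allowed_groups


# Constructed: the IDG that a device-access policy rule keys on.
PRIVILEGED_GROUPS = {"NetworkDeviceAdmins"}


def audit_assignments(events: List[Tuple[str, str, str]],
                      admins: dict) -> List[Tuple[str, str, str]]:
    """Compensating control for 5.x: replay (admin, user, group) assignment
    events and flag any into a privileged IDG that a scoped check would deny."""
    return [(a, u, g) for a, u, g in events
            if g in PRIVILEGED_GROUPS and not can_assign_scoped(admins[a], g)]


def run_example() -> dict:
    """Constructed scenario: a helpdesk UserAdmin scoped to HelpdeskUsers
    adds its own account to the privileged group, the path Brad describes."""
    admins = {"helpdesk": Admin("helpdesk", {"UserAdmin"}, {"HelpdeskUsers"}),
              "acsadmin": Admin("acsadmin", {"SuperAdmin"})}
    events = [("helpdesk", "jdoe", "HelpdeskUsers"),
              ("helpdesk", "helpdesk", "NetworkDeviceAdmins"),
              ("acsadmin", "netops", "NetworkDeviceAdmins")]
    return {"allowed_in_5x": can_assign_5x(admins["helpdesk"], "NetworkDeviceAdmins"),
            "allowed_scoped": can_assign_scoped(admins["helpdesk"], "NetworkDeviceAdmins"),
            "findings": audit_assignments(events, admins)}
```

Only the scoped check blocks the helpdesk account from placing itself in NetworkDeviceAdmins; under 5.x semantics the same assignment is accepted, so the audit pass is what surfaces it.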

Kanwal -

Thank you for the response. Unfortunately, I am already aware of the pre-defined roles and was hoping that I might be missing something as the pre-defined roles are entirely too generic and do not allow the same types of restrictions that my client's previous version offered.