How to restrict the changeuserpassword role in ACS? (5.8)

slizarraga · ‎08-25-2016

I have many users in the ACS that are used by a site-to-site VPNs, they are VPNs from different customers. I would like my customers to be able to change their users passwords by themselves. I am able to create the changeuserpassword role in the ACS, but it has access to change any users password. Is there a way that I can restrict the administrator so it can only change (and see), the passwords of SOME of the users?

thanks!!

Gagandeep Singh · ‎08-26-2016

Hi,

In ACS you have option to allow conditions to check prior to assign the requisite role. Conditions can be AD external group, Administration client IP, etc.

System Administration > Administrators > Administrative Access Control > Authorization.

However, there is no such option where user can have access to some user for changing their password by administrator.

Also there is a feature called UCP.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/introd.html

The UCP web service allows you to authenticate an internal user and change the internal user password. You can use this web service interface to integrate ACS with your in-house portals and allow users in your organization to change their own passwords.

The UCP web service allows only the users in your organization to change their passwords. They can do so on the primary or secondary ACS servers.

Let me know if you have any queries.

Regards

Gagan

Gagandeep Singh · ‎09-08-2016

Hi,

Any queries!!!

Regards

Gagan

PS: please rate if it helps