04-25-2006 07:54 AM
Does works support user-defined groups on which I am able to define a view for certain users? I have some locations and every location has its own network admin; every network admin should only see his devices but not the whole network.
Regards, Guenter
04-25-2006 08:09 AM
If you integrate it with ACS, then yes. The authorization would be done on the ACS.
04-26-2006 02:29 AM
Really? Let's make this explicit.
So then the local admin will
only see his devices?
or
only be authorized to connect to his devices?
Is this for all applications in LMS? How does this work? Will it somehow get the groups from the ACS?
I will have to do this one of these days, but I have serious doubts about some differences between what the customer thinks he will get, and what he actually will get.
Problem is they will blame it on me.
Michel
04-26-2006 10:20 AM
When you integrate CiscoWorks LMS 2.5 with CiscoSecure ACS (4.0 preferably) it works this way...
User account name in LMS matches a user account name in ACS. User's password in ACS is used to authenticate user in LMS.
User's ACS profile defines what ACS User Group they are in.
ACS User Group can define which Network device groups (NDGs) the user/user-group has access to. So if the user (on LMS) tries to access devices that aren't permitted to his ACS user group (no NDG access), then he won't see the devices.
Another method for control is the use of ACS Shared Profile Components whereby you can develop custom user roles for CW-LMS that go beyond the 5 standard LMS roles. For each application in LMS you'll see that ACS Shared Profile Components would allow you to assign permissions (or remove them, as desired). This custom role is associated to a user group, etc, etc.
04-26-2006 10:52 PM
Thank you Jason,
I can see how ACS will allow/disallow access to devices; what I don't see is how this will appear in CiscoWorks.
Will it mean he will see everything and just get a popup on everything he's not allowed to do or see, or will he simply see everything he's allowed to see?
I hope the difference is clear.
The latter would appear to the user as a normal CiscoWorks with just his devices in.
Regards,
Michel
04-27-2006 05:38 AM
For devices the user doesn't have access to, the Common Services Device Credential Repository (DCR) device picker won't show those devices.
For devices they do have access to (from an ACS perspective), they will see them in the device picker.
Conversely, if you extend the model to using custom user roles between LMS and ACS, if the ACS system has a shared profile component setting for RME that says "no access to NetConfig" then the user won't see NetConfig in the CiscoWorks LMS launch framework.