Showing results for 
Search instead for 
Did you mean: 

CiscoWorks LMS 3.2 user role per device


Is it possible to assign some device roles on some user when using integrated authentication (non-acs).

I explain, we want to allow some users (or group of users) to be able to deploy netconfig jobs only on some devices (or device groups).

So we first try to assign netconfig job to users, but it is only possible to do this for one user at the same time (which can be long when we have many users) and we cannot limit the netconfig job to some device groups.

Is there a way to do this with this mechanism or is this another way to do it ?

Many thanks,


Nael Mohammad

Not without ACS in LMS 3.2 but in LMS 4.0 you can use the Network Device Group option.

Assigning Roles on NDG Basis

You can choose to assign any number of role and device group  combinations for a selected user or user group to operate on Network  Device Groups.

You should note the following to assign roles on a NDG basis:

• If  you have assigned a Network Device Group to your AAA client (CiscoWorks  Server and network devices), you must assign that device group to a  role.

You cannot have role and device group combinations assigned to a user  without assigning the Network Device Group to your AAA client.

• You can assign only one role to a user, to operate on an NDG.

• If  a user requires privileges other than those associated with the current  role, to operate on an NDG, a custom role should be created. All  necessary privileges to enable the user to operate on the NDG should be  given to this role.

For example, if a user needs to have Approver and Network Operator  privileges to operate on NDG1, you can create a new custom role with  Network Operator and Approver privileges, and assign the role to the  user to operate on NDG1.

• You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.

To assign the proper role, the network access server (NAS) should be added to device groups other than DEFAULT.


That's what I was afraid of. We don't have any AAA authentication.

So as you say in your answer, it will not be possible.

Thanks for your reply,