cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1160
Views
20
Helpful
8
Replies

Help Desk privilaged ONLY user in the latest version of RME

getwithrob
Level 3
Level 3

LMS 2.6 with the latest version of RME installed ?

I created a user called testuser, left the privileges at the default level of help desk, logged in as that user and am WAY surprised at what all that user can see. For example: The user can go to Common Services> Server> Report> and see the server Process Status and log file status! They as a general user have NO business seeing that kind of information.

#1 - The server process status which is the same as a pdshow is and has been tough to read all along. For example: running normally, No mgmt messages received. What the hec is that supposed to mean anyways?

I just have a feeling users are gonna start looking around and start asking questions on some of these items I don't even think their screen w/ help desk privileges should allow them to see. In RME 3.5 when a user was setup with help desk privileges, the screen was limited to what they could see.

Another BIG ONE I see is under RME then the Home button and right there, a user can see the Collection Status and see how many devices where successfully backed up and how many devices FAILED backup! RME 3.5 was not that way and I can see right now where that will cause issues in this environment. With 14,000 devices on a network, there will almost always be a device or 2 or 3 that will fail the archive backup for many reasons each night and now I will have to explain these failures to the customer where not all of them are very technical. They don't understand that even the smallest outage somewhere in the network can prevent a device from being backed up during the scheduled time. I know all that is required to correct this is to sync the archive at a later when the device is up and reachable to get a successful backup but I can see it already where the customer will be all over me and want explanations on every single backup failure.

1 Accepted Solution

Accepted Solutions

We strongly caution against running ACS on CiscoWorks for resource and security reasons. Besides memory, the biggest resource contender is TCP ports. LMS uses a lot of TCP ports by itself, and integration uses a lot of ports on the ACS side. Additionally, co-locating your security software with your management software can open your network up to all kinds of attacks (if either application is compromised).

On top of all that, for ACS integration to be effective, all devices must be managed by the same ACS server with which LMS is integrated. The devices do not need to authenticate to this ACS server, but they must be listed as TACACS+ clients. This would add a level of complexity that many do not want.

Without ACS integration, there is no way to customize roles or change security parameters.

View solution in original post

8 Replies 8

getwithrob
Level 3
Level 3

The Recently Completed Jobs Window next to the Collection Status Window says:

"You are not authorized to view the details"

It's my opinion that every window on this page should read the same to a help desk or even a network administrator privilaged user.

Can this be changed?

Get this! The testuser can also go into CiscoView Administration and change the following parameters on a device:

SNMP Timeout:

SNMP Retry Count

Chassis Polling Frequency:

Show MIB Label as Descriptor or Alias

Default Refresh Rate for Monitor Dialogs

I can see some serious issues rolling this mess out.

This is on a per-user basis. They are not changing global parameters. Help Desk users will most likely be using CiscoView as a dashboard, so allowing them to adjust parameters may be necessary. This cannot be changed even with ACS. If a user has access to CiscoView, they can adjust these preferences.

This can be changed by integrating with ACS, and creating a custom role that gives your users exactly the access you want.

Joe Clarke
Cisco Employee
Cisco Employee

It shouldn't be too surprising as to what Help Desk users can do. Everything is clearly documented in the Permissions Report under Common Services > Server > Reports. Generally, Help Desk users have view access to status and report pages.

However, if you don't like the default set of tasks to which Help Desk users have access, you can integrate LMS with ACS, and create a custom role that only gives those users the access you want. Each task on the Permissions Report can be enabled or disabled for a custom role.

As for reading pdshow output, the most important field is State. The state should indicate the program is running, has been started, etc., and the Stop field should be Not applicable indicating the process has not stopped. Most processes should always be running. However, there are a few (e.g. DeviceDiscovery, UTMajorAcquisition, DataPurge) that are transient, and may naturally be in a shutdown or transient terminated state. In those cases, the Stop field should contain the time that the process last stopped.

The RC, Core, and Signo fields should always be 0 or Not applicable. If a process crashes, those fields will contain values. RC is the result code returned by an exiting process. A non-zero value indicates an error. Signo indicates the signal (e.g. SIGBUS, SIGSEGV, etc.) on which the process terminated. And Core indicates whether or not the process dumped a core file.

In general, you can ignore the Info field.

Gotcha. Thanks for the input.

The customer already has ACS setup but it's a bit of a mess as far as I can see. Is it possible to setup a seperate ACS on the CiscoWorks servers only?

If not, I'm afraid they will be able to modify different security parameters on the CiscoWorks application which is outsourced to us.

We strongly caution against running ACS on CiscoWorks for resource and security reasons. Besides memory, the biggest resource contender is TCP ports. LMS uses a lot of TCP ports by itself, and integration uses a lot of ports on the ACS side. Additionally, co-locating your security software with your management software can open your network up to all kinds of attacks (if either application is compromised).

On top of all that, for ACS integration to be effective, all devices must be managed by the same ACS server with which LMS is integrated. The devices do not need to authenticate to this ACS server, but they must be listed as TACACS+ clients. This would add a level of complexity that many do not want.

Without ACS integration, there is no way to customize roles or change security parameters.

Thanks for the input. 'Sounds like I need to leave ACS out of the picture and will have to put up with and try to explain the questions that will probably result with a help desk user being able to see failed device backups and such. I particularly didn't want them having any control of our Cisco device management system so leaving ACS out solves that problem.

Review Cisco Networking for a $25 gift card