35-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Managing User Accounts and Password Requirements
• Viewer—Users can view the device configuration and events, but they cannot modify any configuration data except their user passwords.
• Operator—Users can view everything and they can modify the following options:
  - Signature tuning (priority, disable or enable).
  - Virtual sensor definition.
  - Managed routers.
  - Their user passwords.
• Administrator—Users can view everything and they can modify all options that Operators can modify in addition to the following:
  - Sensor addressing configuration.
  - List of hosts allowed to connect as configuration or viewing agents.
  - Assignment of physical sensing interfaces.
  - Enable or disable control of physical interfaces.
  - Add and delete users and passwords.
  - Generate new SSH host keys and server certificates.
• Service—Only one user with service privileges can exist on a sensor. The service user cannot log in to IDM or IME. The service user logs in to a bash shell rather than the CLI. The service role is a special role that allows you to bypass the CLI if needed.
Note: The purpose of the Service account is to provide Cisco Technical Support access to troubleshoot unique and unusual problems. It is not needed for normal system configuration and troubleshooting. You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.
Understanding Managed and Unmanaged IPS Passwords
Every IPS local user account has a password, which allows secure user login to the device. These user passwords are encrypted on the IPS device. Thus, when you add an IPS device to the Security Manager inventory, Security Manager cannot read the actual user passwords.

Because Security Manager cannot read the password, it is unable to deploy newly-discovered user account passwords to the device. To avoid putting user accounts into a state where the passwords are unknown and unusable, Security Manager marks discovered user account passwords as unmanaged.
The status of a password is indicated in the Is Password Managed? column of the Platform > Device Admin > Device Access > User Accounts policy:

• If No is indicated, the password for this account is not configured in Security Manager. When you deploy this policy, Security Manager will not attempt to configure the password for this user account.
• If Yes is indicated, the password for this account was configured or updated in Security Manager. When you deploy this policy, Security Manager reconfigures the passwords for all managed accounts, not just the passwords that changed since the last deployment.
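The following Python model, added here as an illustration and not Security Manager's own code, walks through the managed/unmanaged lifecycle described above: discovered accounts arrive with unknown passwords and are skipped at deployment, a password set in Security Manager becomes managed, every managed password is pushed on each deployment whether or not it changed, and a sensor accepts only one service-role user. Class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical model of the User Accounts policy state; illustration only.

@dataclass
class IpsUserAccount:
    name: str
    role: str                       # viewer, operator, administrator, service
    password: Optional[str] = None  # None: password unknown to Security Manager
    managed: bool = False           # value of the "Is Password Managed?" column

class UserAccountsPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, IpsUserAccount] = {}

    def discover(self, device_users: Dict[str, str]) -> None:
        """Import accounts found on the device (name -> role). The device only
        exposes encrypted passwords, so every imported account is unmanaged."""
        for name, role in device_users.items():
            self.accounts[name] = IpsUserAccount(name, role)

    def add_user(self, name: str, role: str, password: str) -> None:
        """Create an account in Security Manager; its password is managed.
        A sensor may hold at most one service-role user."""
        if role == "service" and any(a.role == "service" for a in self.accounts.values()):
            raise ValueError("a service account already exists on this sensor")
        self.accounts[name] = IpsUserAccount(name, role, password, managed=True)

    def set_password(self, name: str, password: str) -> None:
        """Configuring or updating a password in Security Manager marks it managed."""
        acct = self.accounts[name]
        acct.password = password
        acct.managed = True

    def deploy(self) -> List[str]:
        """Accounts whose passwords are pushed on deployment: all managed
        accounts, not only those changed since the last deployment."""
        return sorted(n for n, a in self.accounts.items() if a.managed)

def example_scenario() -> List[List[str]]:
    """Constructed walkthrough: discovery, one password update, three deploys."""
    policy = UserAccountsPolicy()
    policy.discover({"cisco": "administrator", "ops1": "operator", "ro1": "viewer"})
    first = policy.deploy()               # nothing pushed: all unmanaged
    policy.set_password("ops1", "Op3rator-Pa55!")
    second = policy.deploy()              # ops1 now managed
    third = policy.deploy()               # still pushed although unchanged
    return [first, second, third]
```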