16-4
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Understanding Roles
Dynamic Role assignment – Roles are assigned based on the rules in the ACS authorization policy.

Assigning Static Roles

ACS 5.4 allows you to assign administrator roles statically to an internal administrator account. This
option applies only to internal administrator accounts. If you choose static assignment, you must
select the administrator roles for each internal administrator account manually. When an administrator
attempts to log in and that administrator is configured in the internal administrator identity store with a
static role assignment, only the identity policy is executed, for authentication; the authorization policy
is skipped. After the identity policy succeeds, the administrator is assigned the role that was selected
for that administrator account.

Assigning Dynamic Roles

ACS 5.4 also allows you to assign administrator roles dynamically to an administrator account.
If the administrator account is configured in an external or internal identity store with a dynamic role
assignment, ACS evaluates the authorization policy; the result is either a list of administrator roles, which
ACS applies dynamically, or Deny Access. If the super admin assigns a dynamic role to an administrator
but does not configure the authorization policy, authorization of that administrator account falls back to
the default value, "deny access", and the administrator is denied. If you assign a static role to an
administrator, however, the authorization policy has no effect on authorizing that administrator.
Based on the selected role, ACS authenticates the administrator and enforces the access restrictions
that belong to that role. If Deny Access is the result of the evaluation, ACS denies access to the
administrator and logs the reason for the failure in the customer logs.
Note: The ACS web interface displays only the functions for which you have privileges. For example, if your
role is Network Device Admin, the System Administration drawer does not appear because you do not
have permissions for the functions in that drawer.
Permissions
A permission is an access right that applies to a specific administrative task. Permissions consist of:
• A Resource – The list of ACS components that an administrator can access, such as network
resources or policy elements.
• Privileges – The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some
privileges cannot apply to a given resource. For example, the user resource cannot be executed.
A resource granted to an administrator without any privileges means that the administrator has no access
to that resource. In addition, the permissions are discrete: if only the create, update, and delete privileges
apply to a resource, the read privilege is not available.
If no permission is defined for an object, the administrator cannot access this object, not even for
reading.
Note: You cannot make permission changes.
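The role-assignment rules (static role skips the authorization policy; dynamic assignment defaults to Deny Access when no rule matches) and the discrete CRUDX permission model described above, as an added Python model. This is illustrative code written for this page, not Cisco ACS code; the role names, group names, resource names and the rule format are constructed assumptions.

```python
"""Illustrative model of ACS 5.4 administrator authorization: static vs.
dynamic role assignment (default Deny Access) and discrete CRUDX
permissions.  Added example, not Cisco code; role, group and resource
names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

DENY_ACCESS = "Deny Access"          # default authorization result
PRIVILEGES = frozenset("CRUDX")      # Create, Read, Update, Delete, eXecute


@dataclass(frozen=True)
class AdminAccount:
    username: str
    store: str                              # "internal" or "external"
    static_role: Optional[str] = None       # honoured only for internal accounts
    groups: FrozenSet[str] = frozenset()    # attributes the authz rules test


# An authorization rule pairs a condition on the account with a role name.
AuthzRule = Tuple[Callable[[AdminAccount], bool], str]

# Constructed role definitions: resource -> granted CRUDX privileges.
# The user resource never carries X, since users cannot be executed.
ROLES: Dict[str, Dict[str, FrozenSet[str]]] = {
    "SuperAdmin": {
        "network_devices": frozenset("CRUDX"),
        "policy_elements": frozenset("CRUDX"),
        "users": frozenset("CRUD"),
    },
    "NetworkDeviceAdmin": {
        "network_devices": frozenset("CRUD"),
    },
    # Create/Update/Delete without Read: permissions are discrete, so this
    # role can modify network devices but cannot read them.
    "DeviceWriter": {
        "network_devices": frozenset("CUD"),
    },
    # A resource listed with no privileges grants nothing.
    "Auditor": {
        "policy_elements": frozenset("R"),
        "users": frozenset(),
    },
}


def resolve_roles(account: AdminAccount, authenticated: bool,
                  authz_rules: List[AuthzRule]) -> Union[List[str], str]:
    """Return the role names granted to an authenticated administrator,
    or DENY_ACCESS.  A static role on an internal account skips the
    authorization policy; otherwise the policy decides, and no matching
    rule (including an empty, unconfigured policy) means Deny Access."""
    if not authenticated:                       # identity policy failed
        return DENY_ACCESS
    if account.store == "internal" and account.static_role is not None:
        return [account.static_role]            # authorization policy skipped
    granted = [role for condition, role in authz_rules if condition(account)]
    return granted if granted else DENY_ACCESS  # default deny


def has_privilege(roles: Union[List[str], str], resource: str,
                  privilege: str) -> bool:
    """Check one discrete privilege.  Read is never implied by C/U/D, and a
    resource with no permission defined (or an empty privilege set) is
    inaccessible, not even for reading."""
    assert privilege in PRIVILEGES, "unknown privilege"
    if roles == DENY_ACCESS:
        return False
    for name in roles:
        granted = ROLES.get(name, {}).get(resource, frozenset())
        if privilege in granted:
            return True
    return False


def authorize(account: AdminAccount, authenticated: bool,
              authz_rules: List[AuthzRule], resource: str,
              privilege: str) -> Tuple[Union[List[str], str], bool]:
    """Full decision: resolve roles, then test the requested privilege.
    A Deny Access result is where ACS would log the failure reason."""
    roles = resolve_roles(account, authenticated, authz_rules)
    if roles == DENY_ACCESS:
        print(f"{account.username}: Deny Access (no matching authorization rule)")
    return roles, has_privilege(roles, resource, privilege)


if __name__ == "__main__":
    # Constructed policy: members of group "netops" become Network Device
    # Admins; accounts matching no rule receive Deny Access.
    policy: List[AuthzRule] = [
        (lambda a: "netops" in a.groups, "NetworkDeviceAdmin"),
    ]
    alice = AdminAccount("alice", "internal", static_role="SuperAdmin")
    bob = AdminAccount("bob", "external", groups=frozenset({"netops"}))
    carol = AdminAccount("carol", "external")
    for acct in (alice, bob, carol):
        print(acct.username, authorize(acct, True, policy, "network_devices", "R"))
```

The model keeps the two decisions separate, as the page does: `resolve_roles` is the identity-then-authorization flow, and `has_privilege` is the per-resource CRUDX check, which deliberately does not infer Read from Create, Update or Delete.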