Chapter 16 Managing System Administrators

Understanding Roles

Permissions

A permission is an access right that applies to a specific administrative task. Permissions consist of:

A Resource – The list of ACS components that an administrator can access, such as network resources, or policy elements.

Privileges – The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

A resource given to an administrator without any privileges means that the administrator has no access to that resource. In addition, the permissions are discrete: granting the create, update, and delete privileges on a resource does not imply the read privilege, which must be granted separately.

If no permission is defined for an object, the administrator cannot access this object, not even for reading.

Note: You cannot make permission changes.

Predefined Roles

Table 16-1 shows the predefined roles included in ACS:

Table 16-1 Predefined Role Descriptions

Role: ChangeAdminPassword
Privileges: This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.

Role: ChangeUserPassword
Privileges: This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.

Role: NetworkDeviceAdmin
Privileges: This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:
    - Read and write permissions on network devices
    - Read and write permissions on NDGs and all object types in the Network Resources drawer

Role: PolicyAdmin
Privileges: This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:
    - Read and write permissions on all the elements used in policies, such as authorization profile, NDGs, IDGs, conditions, and so on
    - Read and write permissions on services policy

Role: ReadOnlyAdmin
Privileges: This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface. This role has read-only access to all resources.

Role: ReportAdmin
Privileges: This role is intended for administrators who need access to the ACS Monitoring & Report Viewer to generate and view reports or monitoring data only. This role has read-only access on logs.
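The permission model described under Permissions (resources, discrete CRUDX privileges, deny when no permission is defined) and the role-to-permission mapping of Table 16-1 can be modelled as follows. This is an added illustration, not ACS code: the resource names and the mapping of "read and write" to the C, R, U and D privileges are assumptions made for the example.

```python
from dataclasses import dataclass, field

# CRUDX privileges from the chapter. Execute does not apply to every
# resource, so each resource declares which privileges it accepts.
PRIVILEGES = frozenset("CRUDX")

# Constructed resource catalogue (names are assumptions, not ACS identifiers).
RESOURCE_PRIVILEGES = {
    "network_device": frozenset("CRUD"),
    "ndg": frozenset("CRUD"),
    "user": frozenset("CRUD"),        # the user resource cannot be executed
    "access_service": frozenset("CRUD"),
    "log": frozenset("R"),
    "script": frozenset("RX"),        # constructed: an executable resource
}


@dataclass
class Role:
    name: str
    # resource -> granted privileges; a resource absent here is not accessible
    permissions: dict = field(default_factory=dict)

    def grant(self, resource, privs):
        privs = set(privs)
        if resource not in RESOURCE_PRIVILEGES:
            raise ValueError(f"unknown resource {resource!r}")
        unknown = privs - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privilege(s) {sorted(unknown)}")
        invalid = privs - RESOURCE_PRIVILEGES[resource]
        if invalid:
            raise ValueError(f"{sorted(invalid)} do not apply to {resource}")
        self.permissions.setdefault(resource, set()).update(privs)
        return self

    def permits(self, resource, privilege):
        # Deny by default: no permission defined means no access, not even read.
        # Privileges are discrete: holding U or D never implies R.
        return privilege in self.permissions.get(resource, set())


def make_predefined_roles():
    # Modelled on three rows of Table 16-1; the resource mapping is an assumption.
    nd_admin = Role("NetworkDeviceAdmin").grant("network_device", "CRUD").grant("ndg", "CRUD")
    ro_admin = Role("ReadOnlyAdmin")
    for resource in RESOURCE_PRIVILEGES:
        ro_admin.grant(resource, "R")
    report_admin = Role("ReportAdmin").grant("log", "R")
    return {r.name: r for r in (nd_admin, ro_admin, report_admin)}
```

Granting a privilege a resource cannot take (for example execute on the user resource) is rejected at definition time, and a role that holds only create, update and delete on a resource still cannot read it.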

User Guide for Cisco Secure Access Control System 5.3

16-4

OL-24201-01
