Chapter 16 Managing System Administrators

Understanding Roles

Table 16-1 Predefined Role Descriptions (continued)

Role: SecurityAdmin
Privileges: This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:
- Read and write permissions on internal protocol users and administrator password policies
- Read and write permissions on administrator account settings
- Read and write permissions on administrator access settings

Role: SuperAdmin
Privileges: The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account.
This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

Role: SystemAdmin
Privileges: This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:
- Read and write permissions on all system administration activities except for account definition
- Read and write permissions on ACS instances

Role: UserAdmin
Privileges: This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:
- Read and write permissions on users and hosts
- Read permission on IDGs

Note At first login, only the Super Admin is assigned to a specific administrator.

Related Topics

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Changing Role Associations

By design, all roles in ACS are predefined and cannot be changed. ACS allows you to change only role associations. Because these changes can affect the authorization status of the entire system, only the ACS Super Admin and SecurityAdmin roles have the privilege to change role associations.

Changes in role associations take effect only after the affected administrators log out and log in again. At the new login, ACS reads and applies the role association changes.

Note You must be careful in assigning the ACS Super Admin and SecurityAdmin roles because of the global ramifications of role association changes.
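Because role association changes apply only at the next login, a session that was open when a role was removed keeps that role until the administrator logs out. The following added example (not from the Cisco guide; the Session and RoleChange records and the sample data are hypothetical and constructed, not an ACS export format) lists such sessions and ranks first those that still hold a role allowed to change role associations.

```python
from dataclasses import dataclass
from datetime import datetime

# Per the guide, only these roles may change role associations.
ASSOCIATION_CHANGERS = frozenset({"SuperAdmin", "SecurityAdmin"})

@dataclass(frozen=True)
class Session:        # hypothetical record: one active administrator session
    admin: str
    login_time: datetime
    roles_at_login: frozenset

@dataclass(frozen=True)
class RoleChange:     # hypothetical record: one role-association change
    admin: str
    changed_at: datetime
    new_roles: frozenset

def stale_sessions(sessions, changes):
    """Find sessions opened before the admin's latest role change that still hold removed roles."""
    latest = {}
    for ch in changes:
        if ch.admin not in latest or ch.changed_at > latest[ch.admin].changed_at:
            latest[ch.admin] = ch
    findings = []
    for s in sessions:
        ch = latest.get(s.admin)
        if ch is None or s.login_time >= ch.changed_at:
            continue  # logged in after the change: roles are already current
        still_held = s.roles_at_login - ch.new_roles  # removed, but active until logout
        if still_held:
            findings.append({"admin": s.admin, "still_held": sorted(still_held),
                             "pending": sorted(ch.new_roles - s.roles_at_login),
                             "can_change_associations": bool(still_held & ASSOCIATION_CHANGERS)})
    # Sessions that can still change role associations are listed first.
    return sorted(findings, key=lambda f: (not f["can_change_associations"], f["admin"]))

# Constructed sample data: all three admins were reduced to UserAdmin at 10:00.
T = datetime.fromisoformat
SESSIONS = [
    Session("alice", T("2024-03-01T08:00"), frozenset({"SecurityAdmin"})),
    Session("bob", T("2024-03-01T11:30"), frozenset({"UserAdmin"})),
    Session("carol", T("2024-03-01T09:15"), frozenset({"SystemAdmin", "UserAdmin"})),
]
CHANGES = [RoleChange(a, T("2024-03-01T10:00"), frozenset({"UserAdmin"}))
           for a in ("alice", "bob", "carol")]

if __name__ == "__main__":
    for finding in stale_sessions(SESSIONS, CHANGES):
        print(finding)
```

Sessions reported with can_change_associations set are the ones to end first, since they can still alter other administrators' roles.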

 

 

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01