LMS RME Jobs & ACS - Rights Escalation

Answered Question
Jun 5th, 2008

Hi,


We have integrated LMS 3.01 with Cisco Secure ACS 4.1.


We want to stop users deleting jobs so that we can maintain job history (see post in AAA forum as to why).


Within ACS Shared Profile Components we have removed:


Inventory - Delete Job

CDA - Delete Job

Config Editor - Delete Job

Software Management Jobs - Delete


This works fine (delete button greyed out) if the user browses to the specific Job Management screen, e.g.


RME > Config Management > Config Editor > Config Editor Jobs


However if we allow the user the "RME Jobs" right within ACS they can still delete jobs from:


RME > Job Management


Is this a bug? Why should you be allowed to delete jobs from RME Job management if you don't have the permissions to delete jobs within the individual components?


Thanks

Michael

Correct Answer by Joe Clarke about 9 years 1 month ago

RME Jobs is a separate task designed for uber administrators. When it is authorized, it doesn't check the underlying job type delete task. It just assumes that if you have access to this interface, you are a full administrator. Do not grant access to this interface to those that should not be deleting jobs.

Joe Clarke Thu, 06/05/2008 - 08:48
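An added example, not part of the original thread: a small audit that flags roles where a delete right was withheld per component but is still reachable because "RME Jobs" is granted, following the behaviour described in the answer. The task names are the ones quoted in the question; the role names and the dictionary layout are constructed for illustration and are not an ACS export format.

```python
# Task names as quoted in the post; role names and data layout are constructed.
DELETE_TASKS = {
    "Inventory": "Inventory - Delete Job",
    "CDA": "CDA - Delete Job",
    "Config Editor": "Config Editor - Delete Job",
    "Software Management": "Software Management Jobs - Delete",
}
UMBRELLA_TASK = "RME Jobs"


def effective_delete(granted):
    """Return {job type: how delete is reachable, or None} for one role.

    Models the answer: once "RME Jobs" is authorized, RME > Job Management
    does not consult the per-type delete task.
    """
    result = {}
    for job_type, task in DELETE_TASKS.items():
        if task in granted:
            result[job_type] = "component task"
        elif UMBRELLA_TASK in granted:
            result[job_type] = "RME Jobs (component task withheld)"
        else:
            result[job_type] = None
    return result


def audit(roles):
    """List (role, job type) pairs where a withheld delete right is still reachable."""
    findings = []
    for role, granted in sorted(roles.items()):
        for job_type, path in effective_delete(set(granted)).items():
            if path and path.startswith("RME Jobs"):
                findings.append((role, job_type))
    return findings


# Constructed sample: three hypothetical roles.
SAMPLE_ROLES = {
    "netops-operator": ["RME Jobs", "Inventory - Delete Job"],
    "netops-readonly": [],
    "netops-admin": ["RME Jobs", *DELETE_TASKS.values()],
}

if __name__ == "__main__":
    for role, job_type in audit(SAMPLE_ROLES):
        print(f"{role}: can still delete {job_type} jobs via RME > Job Management")
```

Any role the audit reports needs "RME Jobs" removed if its users should not be deleting jobs.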
