LMS / ACS NetConfig/NetShow Rights assignment

Answered Question
Jun 18th, 2008

Sorry for yet another question.


As I've discussed before we are implementing LMS 3.01 integrated with ACS 4.1.4 in a secure environment with strict security rules.


We've hit another security-related issue.


Within ACS we've set up custom roles for LMS functions to provide a secure role-based separation model (e.g. each role has rights to perform their role and nothing more).


NetConfig and NetShow have the ability to assign tasks to others, which breaks this model.


e.g. someone with access to NetConfig can assign a task to someone who shouldn't be allowed to make changes on the network!


Hence within ACS we removed the rights:


RME, Config Management, NetConfig, NetConfig Assign Tasks

RME, Tools, Network Show Commands, Assign Netshow command Sets to Users


Disabling these seems to render both NetConfig and NetShow useless (no command sets to choose from, hence no ability to use the tool).


How do we deal with this? Are we doing something wrong?


Surely we don't have to give people the ability to assign rights to other people who shouldn't be allowed them to make the tools work?


Thanks

Michael

Joe Clarke Wed, 06/18/2008 - 19:50
User Badges: Cisco Employee, Hall of Fame, Founding Member

The ability to assign tasks to users is typically reserved for administrators. It is not required to be able to use the application. If you have assigned your users the tasks Netconfig Jobs, Netconfig Create Jobs, and Netconfig User Defined Tasks, those users should be able to see tasks and create jobs in Netconfig. Please post a screenshot showing what roles you've assigned, and what you're seeing (or not seeing) in RME.

Joe Clarke Thu, 07/03/2008 - 10:56

Okay, I understand now. What you need to do as an administrator is assign the tasks each user will need under RME > Config Mgmt > Netconfig > Assigning Tasks. Once you do that, they will be able to see their assigned tasks without needing the Assign Tasks privilege.

Mike Bailey Thu, 07/03/2008 - 11:06

Ahh that makes more sense.


Is there any way of doing this in ACS?


Currently all permissions are assigned to user groups in ACS (potentially 100+ users) so would rather not have to manually assign rights within LMS for each user as staff turnover in NMC/Service Desk teams is high!

Correct Answer
Joe Clarke Thu, 07/03/2008 - 11:38

Sorry, this has to be done in LMS as these Netconfig templates are only known to LMS.

Mike Bailey Thu, 07/03/2008 - 11:44

Shame - maybe a suggestion to product development to integrate these things to ACS as per command authorisation sets - would make large enterprise management much easier!
