LMS access control with/without ACS integration

Aug 4th, 2008
Would it be possible to take away a user's ability to modify/delete device configs in LMS/RME? What roles should be removed from the user's profile? I suppose it'd require taking away everything except Help Desk + Guest.


How will this profile change impact the user's ability to generate reports or schedule NetShow commands?


Are there any benefits (more granular access control, perhaps) to integrating with ACS? Can the ACS integration be used solely for LMS user access control, without having to keep ACS synced with the LMS DCR as well?

Joe Clarke Mon, 08/04/2008 - 07:53

You can use the Permissions Report at Common Services > Server > Reports to see what a user given only Help Desk access will be able to do. You might be able to grant Network Operator access depending on how much config visibility you want the user to have.


The benefit of ACS integration is definitely that you get to control LMS roles down to the task level. Additionally, you can control which users can perform which tasks on specific devices. Just because you integrated LMS with ACS does not mean the devices themselves have to use ACS for authentication/authorization. However, all of the devices managed by LMS MUST be clients of the same ACS server. This is the only way LMS will know it is authorized to manage the devices.

yjdabear Tue, 08/05/2008 - 16:46

Network Operator can: ConfigDataExport and ConfigEditor Edit Config. Can the changes made here be saved back by Network Operator?


It's exactly what I'm afraid of, that whatever devices ACS doesn't have LMS can't manage. That'd place the updatedness of LMS inventory at the mercy of ACS.

yjdabear Tue, 08/05/2008 - 17:34

Also, if LMS has to depend on the ACS it integrates with, can LMS import ACS's device list automatically?

Joe Clarke Tue, 08/05/2008 - 18:09

Yes, LMS can import the device list from ACS. This is one of the external NMS options available for a DCR bulk import.

yjdabear Tue, 08/05/2008 - 18:15

Can this import be automated/scheduled on the DCR side, or (export) automatically from the ACS end?

Joe Clarke Tue, 08/05/2008 - 18:20

Yes, it can be scheduled on the LMS side.

Joe Clarke Tue, 08/05/2008 - 18:09

No, Network Operator cannot create Config Editor deployment jobs.


Yes, your concern is valid. If a device is not a client of the ACS server, then LMS will not be able to manage it.

yjdabear Tue, 08/05/2008 - 18:18

Actually, the desire is to take away the ability to modify/delete device configs stored on CiscoWorks itself (as opposed to eventually deploying to the actual devices). So it's not desirable that the Network Operator can edit-then-save a device config on LMS, regardless of the inability to deploy the change. That's what I'm not clear on.

Joe Clarke Tue, 08/05/2008 - 18:21

Then you'd have to drop back to Help Desk, or use ACS.
